RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

["dave klimen" <dave () netmedic net>]

Sonja,

That is so far from correct.  With R-Studio $79
(http://www.r-tt.com/RStudio.shtml ), you can repartition, reformat (using
diff file systems) and still recover.  We tested a system that came fresh
from the factory with W2K single FAT partition.  We repartitioned it into 4
W2K NTFS partitions. Then one more time into 2 W2K NTFS. 

Not only did it find and recover the originals we did it found a WIN98
operating install that must have been done at the disk or computer
manufactures.

I also use EnCase as well as many other forensic tools. 

If you do not trust my opinion you can simply download the eval-copy which
will find and show you the lost info, but just will not recover them.


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?



If you reformatted, don't waste your money on any product, your stuff is
gone and the $75 tool isn't going to help you.  Forensics tolls aren't going
to help you.  You're only hope is something like Ontrack and that will cost
you.  Even if you could recover some of the information from free space or
slack space, no your files wouldn't have been readable.  IF you has not
reformatted and IF you had not reinstalled the O/S yes they woul;d have been
readble by the original program.  You're pretty much toast dude.  Sorry.  It
is possible to reassemble files IF they are still there (99.5% chance
they're hosed) but reassembly will cost you serious $$ because it takes a
lot of time to do manually.  

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] 
Sent: Thursday, June 19, 2003 12:02 PM
To: Ansgar Wiechers; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


Do to the lack of knowledge and impatience I formatted the drive.  I now
have looked at a couple recovery tools out there but they run around $75..
ouch.  I will bite the bullet and get one I guess.  Here is the question,
once that the information is recover will the application be able to read
the file again or does the file have to be reassembled by a third party?  I
friend said that recovery is not a probable, reassembling the information in
a order so the application can read it is another thing.  I have no idea on
this, what is your thoughts?

Stephen





---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------