Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Mon, 23 Jun 2003 09:34:46 -0400

Thanks for the info.  If I am incorrect, my apologies, I would be more than
happy to download and test the product, not that I don't trust your testing
but you always should test for yourself.  Unfortunately my experiences in the
past have proved otherwise but things always change and new products are
always put out.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: dave klimen [mailto:dave () netmedic net] 
Sent: Saturday, June 21, 2003 6:43 PM
To: Robinson, Sonja; 'Wilcox, Stephen'; security-basics () securityfocus com;
'Gene LeDuc'
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


Sonja,

That is so far from correct.  With R-Studio $79
(http://www.r-tt.com/RStudio.shtml ), you can repartition, reformat (using
diff file systems) and still recover.  We tested a system that came fresh
from the factory with W2K single FAT partition.  We repartitioned it into 4
W2K NTFS partitions. Then one more time into 2 W2K NTFS. 

Not only did it find and recover the originals we did, it found a WIN98
operating install that must have been done at the disk or computer
manufacturer's.

I also use EnCase as well as many other forensic tools. 

If you do not trust my opinion you can simply download the eval-copy which
will find and show you the lost info, but just will not recover them.


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?



If you reformatted, don't waste your money on any product, your stuff is
gone and the $75 tool isn't going to help you.  Forensics tools aren't going
to help you.  Your only hope is something like Ontrack and that will cost
you.  Even if you could recover some of the information from free space or
slack space, no, your files wouldn't have been readable.  IF you had not
reformatted and IF you had not reinstalled the O/S yes they would have been
readable by the original program.  You're pretty much toast dude.  Sorry.  It
is possible to reassemble files IF they are still there (99.5% chance
they're hosed) but reassembly will cost you serious $$ because it takes a
lot of time to do manually.

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] 
Sent: Thursday, June 19, 2003 12:02 PM
To: Ansgar Wiechers; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard
-disk search tool?


Due to the lack of knowledge and impatience I formatted the drive.  I now
have looked at a couple recovery tools out there but they run around $75..
ouch.  I will bite the bullet and get one I guess.  Here is the question,
once the information is recovered will the application be able to read
the file again or does the file have to be reassembled by a third party?  A
friend said that recovery is not a probable, reassembling the information in
an order so the application can read it is another thing.  I have no idea on
this, what are your thoughts?

Stephen




