RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

["Troy Larson" <ntevidence () attbi com>]

Bob,

You have no issue from me.  I use Ontrack's data recovery software too.
What it can't do--what no data recovery software can do--is recover
overwritten data.  That was my only point.  The consequence of this fact
mean that one pass of a data wiping utility is no less effective than 100
passes, if your only concern is software-based data recovery or reusing your
media for data forensics.

Troy

> -----Original Message-----
> From: Bob Walker [mailto:bobwalker8 () comcast net] 
> Sent: Friday, June 27, 2003 8:10 PM
> To: 'Troy Larson'; 'Robinson, Sonja'; 'NC Agent'; 
> security-basics () securityfocus com
> Subject: RE: Digital Evidence Question - What is an effective 
> Windows hard -disk search tool?
>
>
> Greetings All,
>
> I really have to jump in in the middle of this one(threads 
> included, for contextual reference).  OnTrack's Data Recovery 
> utility (cost: $200) is an excellent tool for recovering data 
> from lost partitions, formatted drives, deleted files, etc.  
> I work in a small computer shop, and this has saved my 
> backside several times already.
>
> Regards
> Bob
>
> -----Original Message-----
> From: Troy Larson [mailto:ntevidence () attbi com] 
> Sent: Thursday, June 26, 2003 2:32 PM
> To: 'Robinson, Sonja'; 'NC Agent'; security-basics () securityfocus com
> Subject: RE: Digital Evidence Question - What is an effective 
> Windows hard -disk search tool?
>
>
> Sonja,
>
> I respectfully take issue with only one statement: "A wipe to 
> DoD specs (7 or more passes - 31 recommended now) would make 
> data unrecoverable."
>
>
> I would say that, unless you are using special hardware tools 
> to access the hard drive disk platters directly, ONE pass is 
> sufficient to make the data unrecoverable.  That is, one pass 
> should make data unrecoverable to any software recovery tool 
> (or any method that relies solely on the hard drive's own hardware).
>
> Please let me know if I am mistaken.
>
> Troy
>
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
> Sent: Thursday, June 26, 2003 9:01 AM
> To: 'NC Agent'; security-basics () securityfocus com
> Subject: RE: Digital Evidence Question - What is an effective 
> Windows hard -disk search tool?
>
>
> > > O/S could be Fat32.  We didn't have that info.  True.  
> Normal formats
> still retain data in parts of the clusters so data is 
> recoverable.  My previous posts stated that.  A wipe to DoD 
> specs (7 or more passes - 31 recommended now) would make data 
> unrecoverable.  I'm sorry if people missed earlier posts 
> where I discussed un/allocated, free, swap space, 
> non/sequential  clusters, etc. and are only responding to 
> this one or if I wasn't as specific as I should have been in 
> .  I had previously stated in other posts that, potentially, 
> data is recoverable if it was not overwritten (and the user 
> potentially overwrote a number of clusters when he 
> reinstalled the O/S and the apps, depending on where the new 
> install files were written to on the hd of course). And that 
> if the full cluster was overwritten they would not be able to 
> recover anything in unallocated space sinec it would then be 
> allocated. If only part of the cluster is 
> overwritten/allocated the data residing in the unallocated 
> space is recoverable.  The user had asked if he could recover 
> files in a format readable by the original apps.  If only 
> parts of the files are recoverable, i.e. using hex editor or 
> similar tool then most likely not. (And I will not profess to 
> know every potential tool that could potentially recover some 
> in a readable format.) MS tends to write non-contiguously and 
> thus it is likely that a part of a file was overwritten by 
> one of the newly installed programs.  This of course is 
> effected by the age of the drive, the amount of data, where 
> the files were written to-the beginning of the hard vs the 
> end, the amount of files that were "deleted" throughout the 
> years, etc.  
>
> Also, in another post I suggested he try a hex editor to view 
> the data in the clusters to see what was available for 
> recovery.  Based on that review you could determine what it 
> was worth to buy a program to help recover any data or what 
> would be necessary to rebuild the files manually.  It 
> appeared that this was beyond the user's technical 
> capabilities at the moment and that such rebuilding would 
> require a third party and an additional cost which he did not 
> seem inclined to pay. I think he specifically mentioned a PST 
> file and his e-mail messages which is what I was mainly 
> focusing on.  In all likelihood, PST would be extremely 
> difficult to put back together so it was readable by Outlook 
> since all of the messages would be scattered and some most 
> likely lost. My main point was that in all likelihood it was 
> going to require him to put files back together manually and 
> that they would most likely not be readable by the original 
> program.  Other files may be easier to get in their entirety. 
> I should have clarified this, sorry.  
>
> In any event it is nice to share all of the potential ways to 
> recover lost data for varying technical capabilities.  The 
> more avenues you have the more chances you might have to 
> recover something even if it is only bits and pieces.
>
>
>
>  
> -----Original Message-----
> From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
> Sent: Friday, June 20, 2003 10:50
> To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
> Subject: RE: Digital Evidence Question - What is an effective 
> Windows hard -disk search tool?
>
> If you reformatted, don't waste your money on any product, 
> your stuff is gone and the $75 tool isn't going to help you.  
> Forensics tolls aren't going to help you.
>
> I would take exception to the above comment, assuming a FAT32 
> system and using the high level format the only part of the 
> drive that will be lost is the system area of the drive.  The 
> data area, cluster 2 and beyond will remain untouched.  So 
> even if you format the data is still there, just the system 
> area is zeroed. Which means you may have to look for it 
> manually, but does not mean that it is gone and your search 
> would be a waste of time.
>
>
>
> You're only hope is something like Ontrack and that will cost 
> you.  Even if you could recover some of the information from 
> free space or slack space, no your files wouldn't have been 
> readable.  IF you has not reformatted and IF you had not 
> reinstalled the O/S yes they woul;d have been readble by the 
> original program.  You're pretty much toast dude. Sorry.  It 
> is possible to reassemble files IF they are still there 
> (99.5% chance they're hosed) but reassembly will cost you 
> serious $$ because it takes a lot of time to do manually.
>
> Actually all that you have to do is rebuild the root files 
> and remap the FAT, if the files were contained in contiguous 
> clusters before the formatting it is not that tough to do 
> although a little time consuming. If however the files were 
> in non-contiguous clusters then you are in for time consuming 
> recovery.
>
> Clayton Hoskinson, CFCE
> IS Auditor
> State Auditor and Inspector
>
>
>
>
> --------------------------------------------------------------
> ----------
> ---
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by 
> top analysts! The Gartner Group just put Neoteris in the top 
> of its Magic Quadrant, while InStat has confirmed Neoteris as 
> the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure 
> remote access in about an hour, with no client, server 
> changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------
> ----------
> ----
>
>
> **********************************************************************
> CONFIDENTIALITY NOTICE: This e-mail transmission, including 
> any attachments to it,  may contain confidential information 
> or protected health information subject to privacy 
> regulations such as the Health Insurance Portability and 
> Accountability Act of 1996 (HIPAA). This transmission is 
> intended only for the use of the recipient(s) named above.  
> If you are not the intended recipient, or a person 
> responsible for delivering it to the intended recipient, you 
> are hereby notified that any disclosure, copying, 
> distribution or use of any of the information contained in 
> this transmission is STRICTLY PROHIBITED.  If you have 
> received this transmission in error, please immediately 
> notify me by reply e-mail and destroy the original 
> transmission in its entirety without saving it in any manner. 
>
>
>
>
>
>
> **********************************************************************
>
>
> --------------------------------------------------------------
> ----------
> ---
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by 
> top analysts! The Gartner Group just put Neoteris in the top 
> of its Magic Quadrant, while InStat has confirmed Neoteris as 
> the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure 
> remote access in about an hour, with no client, server 
> changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------
> ----------
> ----
>
>
> --------------------------------------------------------------
> ----------
> ---
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by 
> top analysts! The Gartner Group just put Neoteris in the top 
> of its Magic Quadrant, while InStat has confirmed Neoteris as 
> the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure 
> remote access in about an hour, with no client, server 
> changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> --------------------------------------------------------------
> ----------
> ----


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------