Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?


From: Bob Walker <bobwalker8 () comcast net>
Date: Fri, 27 Jun 2003 22:09:52 -0500

Greetings All,

I really have to jump in in the middle of this one (threads included, for
contextual reference).  OnTrack's Data Recovery utility (cost: $200) is
an excellent tool for recovering data from lost partitions, formatted
drives, deleted files, etc.  I work in a small computer shop, and this
has saved my backside several times already.

Regards
Bob

-----Original Message-----
From: Troy Larson [mailto:ntevidence () attbi com] 
Sent: Thursday, June 26, 2003 2:32 PM
To: 'Robinson, Sonja'; 'NC Agent'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows
hard -disk search tool?


Sonja,

I respectfully take issue with only one statement: "A wipe to DoD specs
(7 or more passes - 31 recommended now) would make data unrecoverable."


I would say that, unless you are using special hardware tools to access
the hard drive disk platters directly, ONE pass is sufficient to make
the data unrecoverable.  That is, one pass should make data
unrecoverable to any software recovery tool (or any method that relies
solely on the hard drive's own hardware).

Please let me know if I am mistaken.

Troy

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Thursday, June 26, 2003 9:01 AM
To: 'NC Agent'; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows
hard -disk search tool?


O/S could be Fat32.  We didn't have that info.  True.  Normal formats
still retain data in parts of the clusters so data is recoverable.  My
previous posts stated that.  A wipe to DoD specs (7 or more passes - 31
recommended now) would make data unrecoverable.  I'm sorry if people
missed earlier posts where I discussed un/allocated, free, swap space,
non/sequential clusters, etc. and are only responding to this one, or if
I wasn't as specific as I should have been.  I had previously stated
in other posts that, potentially, data is recoverable if it was not
overwritten (and the user potentially overwrote a number of clusters
when he reinstalled the O/S and the apps, depending on where the new
install files were written to on the hd, of course). And that if the full
cluster was overwritten they would not be able to recover anything in
unallocated space since it would then be allocated. If only part of the
cluster is overwritten/allocated, the data residing in the unallocated
space is recoverable.  The user had asked if he could recover files in a
format readable by the original apps.  If only parts of the files are
recoverable, i.e. using a hex editor or similar tool, then most likely not.
(And I will not profess to know every potential tool that could
potentially recover some in a readable format.) MS tends to write
non-contiguously and thus it is likely that a part of a file was
overwritten by one of the newly installed programs.  This of course is
affected by the age of the drive, the amount of data, where the files
were written to (the beginning of the hard drive vs. the end), the amount of
files that were "deleted" throughout the years, etc.

Also, in another post I suggested he try a hex editor to view the data
in the clusters to see what was available for recovery.  Based on that
review you could determine what it was worth to buy a program to help
recover any data or what would be necessary to rebuild the files
manually.  It appeared that this was beyond the user's technical
capabilities at the moment and that such rebuilding would require a
third party and an additional cost which he did not seem inclined to
pay. I think he specifically mentioned a PST file and his e-mail
messages which is what I was mainly focusing on.  In all likelihood, PST
would be extremely difficult to put back together so it was readable by
Outlook since all of the messages would be scattered and some most
likely lost. My main point was that in all likelihood it was going to
require him to put files back together manually and that they would most
likely not be readable by the original program.  Other files may be
easier to get in their entirety. I should have clarified this, sorry.  

In any event it is nice to share all of the potential ways to recover
lost data for varying technical capabilities.  The more avenues you have
the more chances you might have to recover something even if it is only
bits and pieces.
-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, June 20, 2003 10:50
To: 'Wilcox, Stephen'; 'security-basics () securityfocus com'
Subject: RE: Digital Evidence Question - What is an effective Windows
hard -disk search tool?

If you reformatted, don't waste your money on any product, your stuff is
gone and the $75 tool isn't going to help you.  Forensics tools aren't
going to help you.

I would take exception to the above comment. Assuming a FAT32 system and
using the high-level format, the only part of the drive that will be lost
is the system area of the drive.  The data area, cluster 2 and beyond,
will remain untouched.  So even if you format, the data is still there;
just the system area is zeroed. Which means you may have to look for it
manually, but it does not mean that it is gone and that your search would be a
waste of time.



Your only hope is something like Ontrack and that will cost you.  Even
if you could recover some of the information from free space or slack
space, no, your files wouldn't have been readable.  IF you had not
reformatted and IF you had not reinstalled the O/S, yes, they would have
been readable by the original program.  You're pretty much toast dude.
Sorry.  It is possible to reassemble files IF they are still there
(99.5% chance they're hosed) but reassembly will cost you serious $$
because it takes a lot of time to do manually.

Actually all that you have to do is rebuild the root files and remap the
FAT. If the files were contained in contiguous clusters before the
formatting it is not that tough to do, although a little time consuming.
If however the files were in non-contiguous clusters, then you are in for
a time-consuming recovery.

Clayton Hoskinson, CFCE
IS Auditor
State Auditor and Inspector
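The points argued above (a high-level format zeroes only the system area, so data in cluster 2 and beyond survives and contiguous files are easy to carve back while fragmented ones are not; a single full overwrite leaves nothing for a software recovery tool) can be shown on a toy volume. The model below is an added example written for this archive page, not code from any poster or from OnTrack; the cluster size, the one-byte FAT, the 16-byte directory entries, the `<<DOC>>`/`<<END>>` signatures and the two sample files are all constructed assumptions chosen to keep the image a few hundred bytes, not real FAT32 on-disk structures.

```python
import struct

# Constructed toy layout (not real FAT32): [reserved][FAT][root dir][data area]
CLUSTER = 16                         # bytes per cluster, tiny on purpose
N_CLUSTERS = 32                      # FAT entries; data clusters are numbered 2..31
FAT_OFF = CLUSTER                    # slot 0 stands in for the boot/reserved sector
ROOT_OFF = FAT_OFF + 2 * CLUSTER     # FAT: 32 one-byte entries = 2 clusters
DATA_OFF = ROOT_OFF + 4 * CLUSTER    # root dir: 4 clusters of 16-byte entries
ENTRY = struct.Struct("<8sBH5x")     # name, first cluster, size, padding
EOC = 0xFF                           # end-of-chain marker in the FAT


def new_volume():
    return bytearray(DATA_OFF + (N_CLUSTERS - 2) * CLUSTER)


def cluster_off(n):
    assert 2 <= n < N_CLUSTERS, "data clusters start at 2"
    return DATA_OFF + (n - 2) * CLUSTER


def write_file(vol, name, data, chain):
    """Store data in the given cluster chain; the caller picks the order,
    which is how a fragmented file is modelled."""
    assert len(data) <= len(chain) * CLUSTER
    for i, c in enumerate(chain):
        piece = data[i * CLUSTER:(i + 1) * CLUSTER]
        vol[cluster_off(c):cluster_off(c) + len(piece)] = piece
        vol[FAT_OFF + c] = chain[i + 1] if i + 1 < len(chain) else EOC
    for slot in range(ROOT_OFF, DATA_OFF, ENTRY.size):
        if vol[slot] == 0:                       # free directory entry
            ENTRY.pack_into(vol, slot, name.ljust(8).encode(), chain[0], len(data))
            return
    raise RuntimeError("root directory full")


def read_file(vol, name):
    """What an OS does: directory entry -> FAT chain. None once the entry is gone."""
    for slot in range(ROOT_OFF, DATA_OFF, ENTRY.size):
        ename, first, size = ENTRY.unpack_from(vol, slot)
        if ename.strip().decode(errors="replace") == name:
            break
    else:
        return None
    out, c = bytearray(), first
    while c != EOC and c >= 2:                   # a 0 entry means a broken chain
        out += vol[cluster_off(c):cluster_off(c) + CLUSTER]
        c = vol[FAT_OFF + c]
    return bytes(out[:size])


def high_level_format(vol):
    """Quick format: zero the FAT and root directory, leave the data area alone."""
    vol[FAT_OFF:DATA_OFF] = bytes(DATA_OFF - FAT_OFF)


def carve(vol, header=b"<<DOC>>", footer=b"<<END>>"):
    """Signature carving over the data area: each header..footer run is taken
    as one file, which is only right when the file was contiguous."""
    area, found, pos = bytes(vol[DATA_OFF:]), [], 0
    while (start := area.find(header, pos)) != -1:
        end = area.find(footer, start)
        if end == -1:
            break
        found.append(area[start:end + len(footer)])
        pos = end + len(footer)
    return found


def wipe_one_pass(vol, pattern=0x00):
    """One full overwrite of every byte; no software tool reads through it."""
    vol[:] = bytes([pattern]) * len(vol)


def demo():
    vol = new_volume()
    report = b"<<DOC>>quarterly figures, contiguous<<END>>"   # constructed, 43 bytes
    notes = b"<<DOC>>meeting notes, fragmented<<END>>"        # constructed, 39 bytes
    write_file(vol, "REPORT", report, [2, 3, 4])   # contiguous chain
    write_file(vol, "NOTES", notes, [6, 10, 8])    # out-of-order chain
    assert read_file(vol, "REPORT") == report and read_file(vol, "NOTES") == notes
    high_level_format(vol)
    after_format = {
        "os_read": read_file(vol, "REPORT"),       # None: directory and FAT are zeroed
        "carved": carve(vol),                      # data area still holds the bytes
    }
    wipe_one_pass(vol)
    return after_format, carve(vol)                # after one pass: nothing to carve


if __name__ == "__main__":
    fmt, wiped = demo()
    print("OS read after format:", fmt["os_read"])
    for blob in fmt["carved"]:
        print("carved:", blob)
    print("carved after one-pass wipe:", wiped)
```

`demo()` returns the two states a practitioner cares about: after the format, the OS-level read fails but carving returns the contiguous file byte-for-byte and a mangled version of the fragmented one (its middle cluster sits elsewhere in the data area and a free cluster is pulled in instead); after the single overwrite pass, carving returns nothing at all.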




------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts! The Gartner Group just put Neoteris in the top of its Magic
Quadrant, while InStat has confirmed Neoteris as the leader in
marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access
in about an hour, with no client, server changes, or ongoing
maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----