Chapter 6 Acquiring Data, Duplicating Data and Recovering Deleted Files SAK4801 Introduction to Computer Forensics
6.1 Introduction
Before data can be analyzed, it needs to be acquired.
This means that the data must be duplicated so that the person performing the analysis can work from the copy without modifying the original.
Any number of tools can be used to duplicate the data so that an exact sector-by-sector mirror image of the disk is generated.
This enables the forensic analyst to view any data that is hidden, fragmented, or deleted.
Whether data is being duplicated as part of a computer forensic investigation or to create a backup for other purposes, it is important that the original data is not modified or corrupted during the duplication process.
6.1 Introduction (Cont.)
Deleted data can be an issue in any situation dealing with computers.
A file may be deleted on purpose or by accident,
6.2.1 Deleting Files
Every OS provides a way of removing data from a hard disk to prevent it from filling up quickly with the temporary files, backup files, and other data written to the disk by the OS or other software installed on the computer.
A deleted file is any file that has been logically erased from the file system but may still remain physically on the storage media.
Command Line Delete
The FAT file system uses a file allocation table to keep track of files, whereas NTFS uses an MFT.
When a file is deleted with this command, the pointer to that file is removed from the table, but the data remains on the hard disk.
This gives you the opportunity to acquire the data using file recovery or forensic tools.
6.2.1.1 Command Line Delete
Deletes files from the command prompt
Two commands:
Del/Delete
Erase
6.2.1.1 Command Line Delete (Cont.)
DEL/ERASE Switches:
/p - prompts you for confirmation as to whether you want to delete the file
/f - Forces the deletion of read-only files
/s - Deletes the specified files from the current directory and any subdirectories
/q - Specifies not to prompt for confirmation before deleting files. This is called
quiet mode.
/a: - Deletes files based on the following attributes:
■ r read-only
■ a archive
■ s system
■ h hidden
■ - prefix used with any of the above attributes, indicating “not”
/? - Displays help
6.2.1.2 Moving Files
Moving a file is another method of deleting it.
If the file is moved from one directory to another on the same partition, the table used to keep track of where files are stored is updated.
The file still resides on the same partition; only the pointer to the file's location is updated.
The record showing the file's location is modified to reflect that it is now in another directory, but nothing else about the file changes. Any attributes on the file (such as whether the file is compressed) remain the same.
6.2.1.2 Moving Files (Cont.)
When a file is moved from one hard disk or partition to another, it is actually a multistep process of copying and deleting the file.
First, a new copy of the file is created on the target partition.
After the file has been copied, the original file is deleted.
This process also requires some housekeeping in the FAT or MFT tables.
A new entry is created in the table on the partition to which the file has been copied, whereas the record for the deleted file is removed from the table on its original partition.
6.2.1.2 Moving Files (Cont.)
When a file is moved from one partition to another, it offers greater possibilities for recovering the file if it is later deleted.
If a file is moved to another partition and then deleted later, the file has essentially been deleted twice.
As such, you may be able to recover it from the partition on which it was deleted, and you may also be able to recover it from the partition from which it was moved.
6.2.1.3 Disk Cleanup
Disk Cleanup is another way in which files are deleted.
The software itself deletes old setup files, temporary files, and backup files when they are no longer needed.
However, sometimes files are not properly removed, and a considerable number of files may continue to reside on the hard disk.
Command:
Click Windows Start menu
All Programs
Accessories
System Tools
Disk Cleanup
6.2.1.4 Permanently Destroying Data
Disk erasing software wipes the disk clean by erasing all the files and overwriting the disk space with a series of ones and zeros.
In doing so, every sector of the disk is overwritten, making the data unrecoverable.
If anyone attempted to recover data from the disk, they would not be able to retrieve anything because the data is completely destroyed.
A degausser or bulk demagnetizer is hardware that can be used to destroy data stored on magnetic media such as floppy disks and backup tapes.
It is a powerful magnet that erases all data from magnetic media so that no one can retrieve information from it.
Hard disks can also have data erased with a degausser, performing a low-level format that erases all data from the disk.
6.2.2 Recycle Bin/Trash
The Recycle Bin is a repository where files are temporarily stored after they are deleted.
It gives users a second chance to restore a file before permanently deleting it.
Items can be dragged and dropped onto the Recycle Bin icon on the desktop.
When a file is deleted, it is sent to the Recycle Bin, where it remains until the Recycle Bin is emptied.
The Restore All button of the Recycle Bin restores the data to its original location.
Files deleted from removable media such as floppy disks are not stored in the Recycle Bin.
6.2.2 Recycle Bin/Trash (Cont.)
Storage location of the Recycle Bin
The name of this folder depends on the file system and operating system being used:
On FAT file systems, the folder is named Recycled. For example, on your C: drive the storage location of the Recycle Bin would be C:\RECYCLED.
On NTFS file systems used by Windows NT, 2000, and XP, this folder is named Recycler. For example, on your C: drive the storage location of the Recycle Bin would be C:\RECYCLER.
On NTFS file systems used by Windows Vista, this folder is named $Recycle.Bin. For example, on your C: drive the storage location of the Recycle Bin would be C:\$Recycle.Bin.
6.2.2 Recycle Bin/Trash (Cont.)
To view these directories, you need to configure the View settings in Windows Explorer.
In Windows Explorer, click on the Tools menu, and then click on the Folder Options menu item. When the Folder Options dialog box appears, click on the View tab and uncheck the Hide protected operating system files (Recommended) checkbox.
If the Recycle Bin directory still does not appear, type
attrib -s -h recycled (for FAT)
attrib -s -h recycler (for NTFS)
Deleting or emptying files from the Recycle Bin permanently deletes them from the system.
They can be recovered only with data recovery or forensic software.
6.2.3 Data Recovery in Linux
Linux or UNIX files can also be deleted from a hard disk, in the same way as in Windows and Macintosh OS.
To delete a file in Linux or UNIX, you would use the rm command.
This command won't prompt you for any confirmation by default.
Once the file is deleted, you will have to rely on data recovery software to restore it.
rm switches
6.2.3 Data Recovery in Linux (Cont.)
The second extended file system (ext2) is commonly used on most Linux systems.
The design of the ext2 file system is such that data can be hidden in several places.
Run a process that keeps the file open and then remove the file: the file contents are still on disk, and the space will not be reclaimed by other programs.
It is worthwhile to note that if an executable erases itself, its contents can be retrieved from its /proc memory image: the command "cp /proc/$PID/exe /tmp/file" creates a copy of the file in /tmp.
6.2.3 Data Recovery in Linux (Cont.)
shred command
Provides a more secure way of deleting files in Linux and UNIX.
The file is overwritten and then deleted to ensure that it can't be recovered.
shred switches
6.2.3 Data Recovery in Linux (Cont.)
Tools
e2undel
e2undel is an interactive console tool that recovers the data of deleted files in Linux.
This tool does not manipulate internal ext2 structures and requires only read access to the file system.
e2undel contains a library that allows the investigator to recover deleted files by their names.
6.2.3 Data Recovery in Linux (Cont.)
Tools
R-Linux
R-Linux recovers files from existing logical disks even when file records are lost.
R-Linux is a file recovery utility for the Ext2FS file system used in Linux and several Unix versions.
R-Linux uses unique IntelligentScan technology and flexible parameter settings that make recovery faster.
6.2.4 Recovering Deleted Files
Data written on a hard disk generally stays there unless or until it is either overwritten by more data or physically erased by a magnet.
Simply deleting the data using operating system file management utilities does not get rid of the data.
It only removes the pointer used by the file system to locate that data physically on the disk.
The data itself (in the form of the physical changes to the disk's magnetic surface) is still there and can be recovered using special recovery software.
Formatting defines the structure of the disk. Low-level formatting (LLF), which physically defines where the tracks and sectors are on the disk, does erase data.
However, modern disks are formatted at the low level at the factory; users do not perform LLF on today's IDE and SCSI disks.
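The "delete removes only the pointer" behaviour described in 6.2.1 and above, as an added example that is not part of the slides: a toy FAT-style volume in Python whose delete_file frees the cluster chain and flags the directory entry but leaves the cluster contents untouched, so undelete succeeds until another file reuses the clusters. The ToyVolume class, its layout and the sample file content are constructed for illustration and are not a real on-disk format.

```python
import math

CLUSTER_SIZE = 16           # bytes per cluster (toy value; real FAT uses 512 B or more)
CLUSTER_COUNT = 8
FREE, END_OF_CHAIN = 0, -1  # allocation-table markers


class ToyVolume:
    """Simplified FAT-like volume: an allocation table (fat), a directory of
    entries, and a raw data area. Constructed model, not a real format."""

    def __init__(self):
        self.data = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)
        self.fat = [FREE] * CLUSTER_COUNT
        self.directory = {}   # name -> {"start": int, "size": int, "deleted": bool}

    @staticmethod
    def _clusters_needed(size):
        return max(1, math.ceil(size / CLUSTER_SIZE))

    def write_file(self, name, content):
        """Allocate free clusters, link them in the table, copy the bytes in."""
        n = self._clusters_needed(len(content))
        free = [c for c, v in enumerate(self.fat) if v == FREE]
        if len(free) < n:
            raise OSError("volume full")
        chain = free[:n]
        for i, c in enumerate(chain):
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
            self.fat[c] = chain[i + 1] if i + 1 < n else END_OF_CHAIN
        self.directory[name] = {"start": chain[0], "size": len(content), "deleted": False}

    def read_file(self, name):
        """What the OS shows: follow the chain; a deleted entry reads as absent."""
        entry = self.directory.get(name)
        if entry is None or entry["deleted"]:
            return None
        out, c = bytearray(), entry["start"]
        while c != END_OF_CHAIN:
            out += self.data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
            c = self.fat[c]
        return bytes(out[:entry["size"]])

    def delete_file(self, name):
        """Logical delete: free the chain and flag the entry; the data area is untouched."""
        entry = self.directory[name]
        c = entry["start"]
        while c != END_OF_CHAIN:
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        entry["deleted"] = True

    def undelete(self, name):
        """Recovery-tool view: the flagged entry still records start cluster and
        size, so assume the clusters were contiguous and rebuild the chain,
        refusing if any of them has been handed to another file since."""
        entry = self.directory.get(name)
        if entry is None or not entry["deleted"]:
            return None
        n = self._clusters_needed(entry["size"])
        chain = list(range(entry["start"], entry["start"] + n))
        if chain[-1] >= CLUSTER_COUNT or any(self.fat[c] != FREE for c in chain):
            return None   # clusters reused: contents overwritten, not recoverable
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < n else END_OF_CHAIN
        entry["deleted"] = False
        return self.read_file(name)


def demo():
    """Delete, recover, then delete again and let a new file reuse the clusters."""
    vol = ToyVolume()
    content = b"meeting at noon, bring the usb drive"   # constructed sample, 36 bytes
    vol.write_file("notes.txt", content)
    vol.delete_file("notes.txt")
    results = {
        "visible_after_delete": vol.read_file("notes.txt"),   # None: pointer gone
        "still_in_data_area": content in vol.data,           # True: bytes remain
        "recovered": vol.undelete("notes.txt") == content,   # True: nothing reused yet
    }
    vol.delete_file("notes.txt")
    vol.write_file("other.bin", b"X" * 20)    # takes the freed clusters 0 and 1
    results["after_reuse"] = vol.undelete("notes.txt")        # None: overwritten
    return results


if __name__ == "__main__":
    print(demo())
```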
6.2.4 Recovering Deleted Files (Cont.)
Users perform only high-level formatting: a disk is formatted as FAT or as NTFS.
If a file has not been overwritten or damaged in some way, there is always the chance that tools can be used to restore the data.
We need to decide whether to perform data recovery or computer forensics.
Data recovery is the process of salvaging data that was lost or deleted.
Seeks to restore data
Computer forensics is the process of gathering and examining evidence to establish facts so that accurate testimony and evidence can later be presented in court or other hearings.
Seeks to obtain data to be used as evidence in court
6.2.4 Recovering Deleted Files (Cont.)
To preserve data, computer forensics software is necessary.
When using tools, remember that the integrity of the data you are seeking to recover is paramount, and take whatever actions are necessary to keep it from being damaged or destroyed.
6.2.5 Deleted File Recovery Tools
Data recovery tools are designed to restore data that has been deleted or corrupted from any number of sources, including hard disks, CDs, DVDs, Blu-ray, HD-DVD, floppy disks, memory cards used in digital cameras, and other storage media.
Such a tool scans the media, searches for any damaged, corrupted, or deleted files, and displays which ones are available for recovery, allowing you to choose which ones will be restored.
In some cases, the tools will even repair damaged files so that the data is accessible again.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Undelete
Used in MS-DOS 5.00 to 6.22
Example
Undelete c:\mytextfile.txt
Undelete switches
volumes, and large hard disks that are more than 500 GB in size.
It also supports recovery from removable storage media such as USB flash drives, ZIP
drives, and memory sticks and cards.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Active@ UNERASER
Active@ UNERASER is another data recovery product available from www.uneraser.com, and it will run on Windows or DOS. Using this tool, you can access deleted files before Windows even starts; it supports local files, compressed files, and MBR backups, and it can access sectors of the disk drive with a disk viewer feature. can run from either a
R-Undelete
Designed by r-Tools Technology (www.r-undelete.com)
It is a tool that restores deleted files, but it also provides an easy-to-use wizard that takes you through
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Easy-Undelete
Easy-Undelete (www.easy-undelete.com) is a tool that will not only restore files
from hard disks using FAT12, FAT16, FAT32, and NTFS file systems but also restore
files from non-Microsoft partitions such as Linux and Macintosh OS X.
WinUndelete
Available from www.winundelete.com.
It allows you to recover files from Microsoft file systems with the original create
and modified storage dates.
It provides a search feature to scan for specific files, and it allows you to filter
results by extensions and file types. It also allows you to preview certain types of
data before restoring them, such as Microsoft Office documents, images, and plain
text.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Restoration
A free tool that was written by Brian Kato and is available for download from software distribution sites such as www.snapfiles.com.
Fast and easy to use.
6.2.5 Deleted File Recovery Tools (Cont.)
Restoration
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Mycroft V3
Developed by Dibs USA
Available at www.dibsusa.com
Runs from a bootable floppy disk
Provides a search engine that is used to scan a computer for data on disk
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Recover My Files
Created by GetData Software Development (www.getdata.com)
Available at www.recoverymyfiles.com
Easy-to-use interface
Allows you to recover data from hard disks and removable storage media such as
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
eData Unerase
A free tool developed by Octanesoft
Available at www.octanesoft.com
Easy-to-use interface with a wizard that takes you through the steps of recovering your data
It allows you to specify whether you want to search for all deleted files or just specific types of files (for example, pictures, multimedia, documents, and Web pages)
It also allows you to restore any files that have been deleted from the Recycle Bin or using
6.2.5 Deleted File Recovery Tools (Cont.)
eData Unerase
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Recover4all Professional
A tool for recovering data from FAT12, FAT16, FAT32, NTFS, and RAID volumes, available at www.recover4all.com.
It allows recovery from encrypted drives that have not been encrypted with EFS, compressed drives, and Windows ME/XP protected files.
Its interface is easy to use, appearing similar to Windows Explorer.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
File Scavenger
A tool developed by QueTek Consulting Corporation, available at www.quetek.com.
It allows data to be recovered from hard disks formatted as FAT12, FAT16, FAT32, or NTFS, as well as floppy disks, ZIP disks, memory sticks, flash cards, RAID volumes, compressed drives, and other media.
It provides an interface similar to Windows Explorer.
It allows you to search for specific files using search strings and wildcards.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
VirtualLab
Designed for use on Windows 9x or later, as well as Apple Macintosh computers running OS 9 or later.
Available at www.binarybiz.com.
It allows you to recover files from drives using FAT12, FAT16, FAT32, NTFS, HFS, or partition
The retrieved files can be saved to another location such as a network drive or another local disk.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
File Recover
Developed by PC Tools Software and available at www.pctools.com/file-recover/.
It supports FAT16, FAT32, and NTFS file systems and IDE/ATA/SCSI hard drives, including drives larger than 8 GB.
It provides an easy-to-use interface that allows you to quickly scan for files, and also advanced features that allow you to search by all or part of the filename, specific extensions, or file size and to scan either the logical drive or the physical hard disk.
6.2.5 Deleted File Recovery Tools (Cont.)
File Recover
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Search and Recover
Developed by iolo Technologies (www.iolo.com)
It allows the investigator to quickly recover deleted or destroyed files, folders, songs, pictures, videos, programs, critical system components, web pages, and email messages in Microsoft Outlook and Outlook Express, Netscape, and Eudora.
It works with any hard drive or floppy drive and any drive format, and can even recover deleted items from digital cameras, MP3 players, USB flash drives, and other portable devices.
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Search and Recover
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Zero Assumption Digital Image Recovery
Zero Assumption Recovery at www.z-a-recovery.com
It is a free data recovery tool that works with digital images.
Digital photographs that are deleted from a digital camera can be retrieved using this tool.
It supports media such as CompactFlash, MemoryStick, SmartMedia, etc. that can be
www.pcinspector.de/file_recovery/uk/welcome.htm.
O&O Unerase at www.oosoftware.com/en/products/oounerase/
Filesaver at www.file-saver.com
Stellar Phoenix at www.stellarinfo.com
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Other data recovery tools:
R-Linux is a free data recovery tool developed by r-Tools Technology and is available at www.data-recovery-software.net/Linux_Recovery.shtml
PC ParaChute is a backup tool developed by UniTrends and is available at www.unitrends.com.
Recycle Bin Replacements
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
CD/DVD Data Recovery
CDRoller at www.cdroller.com
IsoBuster at www.isobuster.com
CD Data Rescue developed by Naltech Software (www.naltech.com)
InDisk Recovery at www.octanesoft.com
Compressed Files
Zip Repair at www.getdata.com
6.2.5 Deleted File Recovery Tools (Cont.)
Undelete Tools:
Deleted Images
eIMAGE Recovery is another tool developed by Octanesoft and is available at www.octanesoft.com.
Canon RAW File Recovery Software (CRW Repair) at (www.getdata.com)
ImageRecall Software (www.imagerecall.com)
Zero Assumption Digital Image Recovery was a free stand-alone digital image
recovery tool developed by Zero Assumption Recovery (www.z-a-recovery.com).
DiskInternals Flash Recovery at www.diskinternals.com
6.2.6 Recovering Deleted Partitions
Partitioning a hard disk involves dividing the disk into volumes, which generally appear to the operating system as logical drives identified by different drive letters.
The disk is divided into logical drives for the purposes of performance and organization of the data.
Each logical drive can be formatted separately so that each one uses a different file system.
Partitioning utilities do not erase the data on a disk; they only delete and manipulate the partition tables.
Generally, partition utilities will delete the entry for that partition in the partition table so that any space associated with the partition becomes unallocated. Even if the tool overwrites the first sector (sector 0) of the partition before removing it, a backup
6.2.6 Recovering Deleted Partitions (Cont.)
Delete Partition Using Windows
Partitions can be created and deleted in Windows using the Computer Management (Local) console.
To open the console:
1. Right-click My Computer
Click Manage
Expand Storage
6.2.6 Recovering Deleted Partitions (Cont.)
Or
2. Click Start
Click Control Panel
Click Administrative Tools
Double-click Computer Management
Expand Storage
Click Disk Management
6.2.6 Recovering Deleted Partitions (Cont.)
Disk Management in the Computer Management Console
6.2.6 Recovering Deleted Partitions (Cont.)
Delete Partition from the Command Line
Commands are typed at a prompt
Two commands:
FDISK
DISKPART
6.2.6 Recovering Deleted Partitions (Cont.)
FDISK
Used to create and delete partitions on computers running MS-DOS, Windows 9x, Windows NT, or Windows ME
Switches:
/MBR Rewrites the MBR
/CMBR <disk> Re-creates the MBR on a specific disk
/PRI: <size> Creates a primary partition
/EXT: <size> Creates an extended partition
/LOG: <size> Creates a logical drive
/Q Prevents rebooting the computer automatically after exiting FDISK
/STATUS Shows current status of hard drives
/ACTOK Forces FDISK not to check disk integrity
/FPRMT Disables prompt for FAT32 support
6.2.6 Recovering Deleted Partitions (Cont.)
FDISK
To create a partition, a screen appears with a number of options
6.2.6 Recovering Deleted Partitions (Cont.)
FDISK
To delete a partition, a screen appears with a number of options
6.2.6 Recovering Deleted Partitions (Cont.)
DISKPART
Used to create and delete partitions on computers running Windows 2000, Windows XP, or Windows Vista. Unlike FDISK, it doesn't provide a series of menus that can be navigated to delete partitions.
Commands:
ADD Adds a mirror to a simple volume
ACTIVE Marks the current partition as being the active boot partition
ASSIGN Assigns a drive letter or mount point to the selected volume
BREAK Breaks a mirror set
CLEAN Clears the configuration information, or all information, off the disk
CONVERT Converts the disk from one format to another. This allows you to convert the disk from dynamic to basic, basic to dynamic, MBR to GPT, or GPT to MBR.
6.2.6 Recovering Deleted Partitions (Cont.)
Commands:
CREATE Creates a volume or partition
DELETE Deletes a missing disk, selected volume, or a selected partition
DETAIL Provides details about a disk, partition, or volume
EXIT Exits the program
EXTEND Extends a volume
HELP Prints a listing of Help commands
IMPORT Imports a disk group
LIST Prints a list of disks, partitions, or volumes
INACTIVE Marks the current partition as an inactive partition
ONLINE Brings online a disk that is currently marked as offline
6.2.6 Recovering Deleted Partitions (Cont.)
Commands:
REM Used to comment scripts
REMOVE Removes a drive letter or mount point
REPAIR Repairs a RAID-5 volume
RESCAN Forces DISKPART to rescan the computer for disks and volumes
RETAIN Places a retainer partition under a simple volume
SELECT Moves the focus to an object
6.2.7 Deleted Partition Recovery Tools
When a partition is deleted, its entry in the partition table is removed.
Deleting the partition is similar to removing the table of contents from a book: none of the information outside of the table is missing, it just requires other methods to find it.
Tools:
Active@ Partition Recovery, available at www.partition-recovery.com for DOS and Windows
Commercial software
Active@ Disk Image at www.disk-image.net
DiskInternals Partition Recovery at www.diskinternals.com
GetDataBack at www.runtime.org
For NTFS and FAT
6.2.7 Deleted Partition Recovery Tools (Cont.)
Tools:
NTFS Deleted Partition Recovery available at www.techddi.com
Handy Recovery available at www.handyrecovery.com
Acronis Recovery Expert available at www.acronis.com
TestDisk, which supports Windows and Linux, available at www.cgsecurity.org.
Scaven available at http://pjwalczak.com/scaven/index.php.
Recover It All! available at www.dtidata.com/recover_it_all.htm
Partition Table Doctor available at www.ptdd.com
6.3 Data Acquisition and Duplicating Data
Electronic evidence is fragile by nature and can easily be modified, damaged, or destroyed.
Even booting a computer can erase temporary files, modify timestamps, or alter other data, in addition to writing data and creating new files on the drive during the boot process.
In addition, a computer could be booby-trapped so that if a set of keys weren't pressed at bootup or an incorrect password was entered, a program or script could run to reformat the hard disk or overwrite certain data, making retrieval of evidence more difficult or impossible.
It is because of this that data must be acquired or duplicated from a hard disk before any analysis takes place.
Data Recovery Contingencies
Investigators must make contingency plans in case data acquisition fails.
To preserve digital evidence, investigators need to create a duplicate copy of the evidence files.
In case the original data recovered is corrupted, investigators can make use of the second copy.
Use of at least two data acquisition tools is preferred to create copies of evidence, in case the investigator's preferred tool does not properly recover data.
6.3.1 Data Acquisition Tools
Data acquisition is the act or process of gathering information and evidence.
In computer forensics, this means using established methods to acquire data from a suspect computer or storage media to gain insight into a crime or other incident and potentially use it as evidence to convict a suspect.
The goal of data acquisition is to preserve evidence, so any tools that are used should not alter the data in any way and should provide an exact duplicate.
To prevent contamination, any data that is duplicated should be stored on forensically sterile media, meaning that the disk has no other data on it and has no viruses or defects.
Forensic investigators acquire digital evidence using the following methods:
Creating a bit-stream disk-to-image file
Making a bit-stream disk-to-disk copy
Creating a sparse data copy of a folder or file
6.3.1 Data Acquisition Tools (Cont.)
To ensure that all data is acquired, a bit-stream image needs to be made of the suspect hard drive or other media. This will acquire any
Deleted files,
file fragments,
slack space, and
other data on the disk.
If a standard image is created that does not acquire this data, then potential evidence may be unavailable to you.
Standard images or clones of a machine can, however, be useful for backing up data or creating a duplicate of the operating system, applications, and data on the machine in case a disaster occurs.
6.3.1 MS-DOS Data Acquisition Tools
In the past, software tools developed for forensic investigation were created for MS-DOS.
Investigators still make use of these tools as they are commercially available and easy to use.
Advantages of MS-DOS acquisition tools:
Fit on a forensic boot disk
User friendly
Windows data acquisition tools allow the investigator to easily acquire evidence from a disk with the help of removable media such as USB storage devices.
These tools can also use FireWire to connect hard disks to the forensic lab systems.
Data acquisition tools in Windows cannot acquire data from the host protected area of the disk.
6.3.1.1 DriveSpy
DriveSpy enables the investigator to direct data from one particular sector range to another sector.
DriveSpy provides two methods of addressing disk sector ranges:
Defining the absolute starting sector followed, after a comma, by the total number of sectors to be read on the drive
Listing the absolute starting and ending sectors
There are two commands in DriveSpy that are used for data manipulation:
The "SaveSect" command
It copies the sectors as a bit-stream image so that the file is a duplicate of the original sectors
The "WriteSect" command
Used to recreate the saved partition image file that is created with the "SavePart" command
6.3.1.2 AccessData FTK Explorer
FTK Explorer acquires data in a way that can help the investigator understand how other forensic tools in Windows work.
This tool was first designed to examine disks and bit-stream disk-to-image files created by using other forensic software.
FTK Explorer can make bit-stream disk-to-image copies of evidence disks.
This tool allows the investigator to acquire the evidence disk at the logical partition level or the physical drive level.
6.3.1.3 EnCase
The EnCase tool delivers advanced features for computer forensics and investigations.
It is the primary data acquisition tool used by forensic investigators.
Provides tools to conduct investigations with accuracy and efficiency
Disk to disk
6.3.2 Acquiring Data on Linux
Forensic investigators use the built-in Linux command "dd" to copy data from a disk drive.
This command can make a bit-stream disk-to-disk copy, a disk-to-image file, a block-to-block copy, or a block-to-file copy.
The "dd" command can copy data from any disk that Linux can mount and access.
Other forensic tools such as AccessData FTK and ILook can read dd image files.
6.3.2.1 Dd.exe (Windows XP Version)
Works on Windows platform
Detects unauthorized dialers
User friendly program
Command syntax:
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
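The acquisition and verification flow described in 6.3.2 (dd, the dd.exe --md5sum/--verifymd5 options, and the two-copy contingency plan from the Data Recovery Contingencies slide), as an added shell example that is not part of the slides. It assumes a Linux host with coreutils dd, md5sum and sha256sum; the evidence file is constructed, not a real disk, and the copy_sectors helper is an added analogue of DriveSpy's "start sector, number of sectors" addressing, not DriveSpy itself.

```shell
#!/bin/sh
# Added example, not from the slides: bit-stream acquisition with dd plus hash
# verification, the Linux analogue of dd.exe's --md5sum/--verifymd5 flow.
# The "evidence" below is a constructed file; a real source would be a block
# device such as /dev/sdb connected through a hardware write blocker.

# copy_sectors SRC DST START COUNT
# Copies COUNT 512-byte sectors starting at absolute sector START (the same
# "start sector, number of sectors" addressing DriveSpy's SaveSect uses).
copy_sectors() {
    dd if="$1" of="$2" bs=512 skip="$3" count="$4" 2>/dev/null
}

# acquire_image SRC DST LOG
# Bit-stream copy of the whole source; dd's own transfer summary is appended
# to LOG so the log records every transaction, as SafeBack does.
acquire_image() {
    printf 'acquire %s -> %s\n' "$1" "$2" >>"$3"
    dd if="$1" of="$2" bs=512 2>>"$3"
}

# verify_image SRC IMG
# Hashes source and image with two algorithms; succeeds only if both agree.
# Prints the hashes so they can be recorded with the evidence.
verify_image() {
    src_md5=$(md5sum < "$1" | cut -d' ' -f1); img_md5=$(md5sum < "$2" | cut -d' ' -f1)
    src_sha=$(sha256sum < "$1" | cut -d' ' -f1); img_sha=$(sha256sum < "$2" | cut -d' ' -f1)
    printf 'md5    %s %s\nsha256 %s %s\n' "$src_md5" "$img_md5" "$src_sha" "$img_sha"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# --- demo on a constructed 1 MiB (2048-sector) evidence file ---
work=$(mktemp -d)
head -c 1048576 /dev/urandom > "$work/evidence.raw"

# Contingency plan: two independent images, each verified on its own, so a
# corrupt copy can be discarded without touching the original again.
for n in 1 2; do
    acquire_image "$work/evidence.raw" "$work/copy$n.img" "$work/acquire.log"
    if verify_image "$work/evidence.raw" "$work/copy$n.img" >/dev/null; then
        echo "copy$n.img verified"
    else
        echo "copy$n.img FAILED verification; discard it and re-acquire"
    fi
done

# Sector-range copy: sectors 100..163 (64 sectors) into a separate file
copy_sectors "$work/evidence.raw" "$work/range.bin" 100 64
```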
6.3.2.2 Snapback Exact
Server-based backup program for Windows servers
Copies byte-by-byte images of the server hard drives to tape
Keeps track of records
Important features are:
Full open file management
Remote administration
Backup scheduling
6.3.2.3 DatArrest
Supports the tools for Forensic Data Seizure
6.3.2.4 SafeBack
SafeBack is also an MS-DOS data acquisition tool and can perform a CRC-32 calculation for each sector copied to ensure data integrity.
SafeBack creates a log file of all transactions it performs.
Functions:
6.3.2.1 ImageMASSter Solo-3 Forensic
A hardware tool developed by Intelligent Computer Solutions (www.icsforensic.com) designed for computer forensic purposes.
It is a portable, hand-held device that can acquire data from suspect machines at speeds exceeding 4 GB per minute.
It can acquire data from IDE, SATA, and SCSI hard drives.
Connects the hard disks directly to the machine using a drive-to-drive interface or an external FireWire/USB interface.
Can create an exact replica of data from one or two drives simultaneously without any reduction in speed.
6.3.2.2 ImageMASSter Solo-2 Forensic
Also a hardware tool developed by Intelligent Computer Solutions (www.icsforensic.com) designed for computer forensic purposes.
Can create an image of any data on the machine by attaching it to a suspect computer through a FireWire or USB port.
Uses software to boot the machine.
Data on the original machine is protected during acquisition by write-blocking features in the device.
6.3.2.3 ImageMASSter 60007SAS
A powerful hardware tool developed by Intelligent Computer Solutions (www.icsforensic.com) designed for computer forensic purposes.
Used for creating images of data from suspect machines.
It is a useful part of any forensic lab.
Can be used to duplicate IDE, SAS, SATA, and IDE hard drives, and to migrate server data from SCSI to SAS/SATA.
Has a 1GB network connection that can be used to transfer files to and from a network drive.
To acquire and analyze data, the system provides a Windows XP-based interface that allows you to copy data from Windows, Macintosh, and UNIX file systems.
6.3.2.4 RoadMASSter-3
A data acquisition and analysis tool designed for use inside of a forensic lab.
Also designed by Intelligent Computer Solutions (www.icsforensic.com).
Designed to create an image of and analyze data acquired from suspect hard drives.
It can connect to an unopened computer using FireWire and USB ports, and directly to IDE, SATA, SAS, and SCSI hard drives.
It can also acquire data from multiple drives to a single target drive, making acquisition faster.
Allows you to analyze data immediately.
It has a 15-inch color display in its case that allows you to view the data stored in the image file so that you can determine whether any evidence exists on the machine while you're still in the field.
6.3.2.5 Disk Jockey IT
A portable, hand-held hardware tool developed by Diskology, available at www.diskology.com.
It is the smallest write-blocking and disk copy device available for computer forensics.
It can be used as a write-blocking device for data acquired over FireWire and USB connections to a suspect computer.
The device can then be connected to a Macintosh or Windows computer in write-protect mode to analyze the data without fear of altering it.
6.3.3 Backing Up and Duplicating Data
Investigators need to worry about destructive devices that can be planted in the system by the owner. Evidence can be destroyed if the investigator is not careful.
Data fragments can be overwritten and data stored in the digital evidence
6.3.3.1 R-drive Image
R-Drive Image is an important tool that creates disk image files for backup or duplication purposes.
A disk image file contains an exact, byte-by-byte copy of a hard drive, partition, or logical disk.
R-Drive Image can create partition image files with various compression levels without stopping the Windows OS.
These drive image files can then be stored in a variety of places, including removable media such as CD-R(W) or DVD-R(W) discs and Iomega Zip or Jaz disks.
6.3.3.2 DriveLook
The DriveLook Tool has the following features:
Indexes the hard drive for the text that was written to it
6.3.3.3 DiskExplorer
DiskExplorer aids examiners in investigating any drive and recovering data.
Two versions of DiskExplorer exist:
DiskExplorer for FAT
DiskExplorer for NTFS
The tool also has provisions to navigate through the drive by jumping to:
Partition table
Boot record
Master file table
Root directory
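How an examiner "jumps" to the partition table and a partition's boot record in a raw image by byte offset, as an added shell example that is not part of the slides and not DiskExplorer's own code. It assumes a classic MBR layout (four 16-byte partition entries at byte 446, 0x55AA signature at byte 510, 512-byte sectors) and a little-endian host for od; the MBR it reads is constructed, not taken from a real disk.

```shell
#!/bin/sh
# Added example, not from the slides: locating the structures DiskExplorer
# jumps to (partition table, boot record) in a raw image by byte offset.
# Assumes MBR layout: 4 x 16-byte entries at byte 446, 0x55AA at byte 510,
# 512-byte sectors. The image below is constructed, not a real disk.

# mbr_entry IMG N -> "type start_lba sector_count" for partition entry N (0-3).
# The LBA fields are little-endian 32-bit; od -tu4 decodes them on LE hosts.
mbr_entry() {
    off=$((446 + 16 * $2))
    type=$(od -An -tx1 -j $((off + 4)) -N 1 "$1" | tr -d ' ')
    set -- $(od -An -tu4 -j $((off + 8)) -N 8 "$1")
    echo "$type $1 $2"
}

# boot_record_offset IMG N -> byte offset of partition N's boot record (its
# first sector), which is where a FAT/NTFS examiner jumps next.
boot_record_offset() {
    set -- $(mbr_entry "$1" "$2")
    echo $(( $2 * 512 ))
}

# mbr_signature_ok IMG -> succeeds if the 0x55AA boot signature is present
mbr_signature_ok() {
    [ "$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' ')" = "55aa" ]
}

# Construct a 512-byte MBR with one bootable NTFS (type 07) partition starting
# at LBA 2048 and 204800 sectors long; printf octal escapes write raw bytes.
make_test_mbr() {
    { dd if=/dev/zero bs=446 count=1 2>/dev/null
      printf '\200\001\001\000\007\376\377\377\000\010\000\000\000\040\003\000'
      dd if=/dev/zero bs=48 count=1 2>/dev/null
      printf '\125\252'; } > "$1"
}

img=$(mktemp)
make_test_mbr "$img"
mbr_signature_ok "$img" && echo "valid MBR signature"
echo "entry 0: $(mbr_entry "$img" 0)"                      # 07 2048 204800
echo "boot record at byte $(boot_record_offset "$img" 0)"  # 1048576
```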
Summary
Investigators can acquire data in three ways: creating a bit-stream disk-to-image file, making a bit-stream disk-to-disk copy, or creating a sparse data copy of a specific folder path or file.
The "SavePart" command retrieves information about the partition space in the hard disk.
The "dd" command in Linux can make a bit-stream disk-to-disk copy and a disk-to-image file copy.
Summary
From the forensic investigator's perspective:
A copy is a replica that includes only file information, not slack space or unallocated space.
A backup is a set of file copies kept for future restoration.
An image is a file copy of a complete disk, used for duplication or restoration.
A bit-stream image is an exact replica of all sectors, including every 1 and 0. This includes slack space, unallocated space, and the swap file.
Lossless compression is an acceptable method for computer forensics because it does not change the data.
Lossy compression alters the data, leading to loss of data.
End of Chapter 6