John,

There's a software suite called EnCase Forensic that is pretty much the industry standard for forensically examining digital media. It's what we used at the A.G.'s Office. Sybex published a study guide for the certification exam just last month. As far as I know, it's the first EnCase study guide ever published. It's a good book about forensics even if you're not planning on becoming EnCase certified. There's another book called "Real Digital Forensics" that is very good, also.
So to try to answer your questions...

1) The Windows format command won't "wipe out" the partition table because when you use that command, you're actually formatting the partition and not the entire physical drive. The fdisk command in DOS "removes" the partition info from the partition table. But all the data in the partition remains intact, unless it is subsequently overwritten. If a drive is simply "fdisked", the data can still be recovered. Fdisking is similar to deleting a file...

2) ...the file isn't actually deleted; only the pointer to the file is changed. So the information is still there, which means that files and partitions can be recovered as long as they haven't been completely overwritten.

3) EnCase has a built-in command for rebuilding partitions. All you do is find the volume boot record, right-click, and click Add Partition. There are probably open source apps that do that, but I'll have to check. Can't think of one off the top of my head. But just about everything that can be done with commercial forensic software can be done with open source apps.

4) An entire file can be retrieved as long as it has not been completely overwritten. Even if someone fdisks a drive, reformats it, and reinstalls an OS, data can still be recovered. A high-level format will not necessarily wipe a file.

EnCase has a built-in wiping feature. There are third party utilities like IWipe and BC Wipe that write to the drive repeatedly to wipe data. Those utilities usually have different degrees of wiping to select from. There's one type of wiping called "DoD" which is what the Dept. of Defense uses. I think it makes 7 passes. Or maybe 3. Can't remember for sure. But why not 8 or 9? I don't know. But I do know that most of those utilities allow you to write indefinitely. You can start it wiping and let it run overnight if you prefer. I think the government breaks down their wiping needs based on the sensitivity of the data.
In other words, "classified" hard drives might be written to fewer times than "top secret" drives. The speed of the drive may have something to do with it. Naturally the process will take a while on slower drives. There are also third party utilities for retrieving deleted files. I think some of the Knoppix distros come with those apps. But at the A.G.'s office, if we wanted to ensure that sensitive information couldn't be stolen from a hard drive, we did it the old fashioned way - with a Black & Decker cordless drill.

Hope this helps.

Regards,
David

-----Original Message-----
From: General-bounces at brlug.net [mailto:[EMAIL PROTECTED] On Behalf Of John Hebert
Sent: Sunday, May 21, 2006 2:17 AM
To: general at brlug.net
Subject: [brlug-general] forensics question: retrieving deleted data

Howdy,

I'd like to learn more about computer forensics. I've read a little bit on it via Google, etc., but I'd like to learn more. I know from personal experience that the best way to learn something (for me, at least. YMMV) is to create a project with an achievable short-term goal. So, I'd like to learn how to retrieve deleted data from a hard drive that's had its partition table wiped.

Questions:

1) Does the Microsoft Windows 'format' command simply wipe out the partition table? Or does it do more than that? What exactly?

2) I believe that the Microsoft Windows 'delete' command simply removes a file's listing in the FAT. Is this correct? If not, what does happen?

3) How would one go about rebuilding a FAT32 partition? Are there open source apps that will do that?

4) Is the FAT required in order to retrieve an entire file? I think so, but I'm not sure.

Sorry if my questions don't make sense. Sleepy. :)

Thanks,
John

_______________________________________________
General mailing list
General at brlug.net
http://brlug.net/mailman/listinfo/general_brlug.net
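The recovery step David describes in points 1 to 3 (fdisk only clears the partition table; the volume boot record and the data are still on the disk, so you locate the boot record and add the partition back) can be shown in a short script. This is an added example written for this thread, not EnCase's code or anything posted on the list. The disk image it scans is constructed inside the script (a zeroed MBR and one FAT32 volume starting at LBA 2048, with the backup boot sector FAT32 keeps at volume sector 6); the field offsets are those of the standard FAT32 BIOS Parameter Block, and the sanity checks are this example's own choice of what counts as a plausible boot sector.

```python
"""Find FAT32 volume boot records in a raw image whose partition table
has been wiped, and rebuild MBR partition entries from them.
Added example for this thread (not EnCase or list code); the image is constructed."""
import struct

SECTOR = 512

def build_fat32_vbr(total_sectors, hidden_sectors, backup_sector=6):
    """Construct a minimal, structurally valid FAT32 boot sector (constructed sample data)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x58\x90"                        # jump instruction
    vbr[3:11] = b"MSWIN4.1"                           # OEM name
    struct.pack_into("<H", vbr, 11, SECTOR)           # bytes per sector
    vbr[13] = 8                                       # sectors per cluster
    struct.pack_into("<H", vbr, 14, 32)               # reserved sectors
    vbr[16] = 2                                       # number of FATs
    vbr[21] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<I", vbr, 28, hidden_sectors)   # sectors preceding the volume
    struct.pack_into("<I", vbr, 32, total_sectors)    # total sectors in the volume
    struct.pack_into("<I", vbr, 36, 123)              # sectors per FAT (FAT32 field)
    struct.pack_into("<I", vbr, 44, 2)                # first cluster of the root directory
    struct.pack_into("<H", vbr, 50, backup_sector)    # where the backup boot sector lives
    vbr[82:90] = b"FAT32   "                          # file-system type string
    vbr[510:512] = b"\x55\xAA"                        # boot-sector signature
    return bytes(vbr)

def parse_vbr(sector, lba):
    """Return the BPB fields that matter for recovery if `sector` is a plausible
    FAT32 boot sector, otherwise None. The sanity checks keep random data that
    happens to end in 55 AA from being taken for a volume."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        return None
    if sector[0] not in (0xEB, 0xE9) or sector[82:90] != b"FAT32   ":
        return None
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    sectors_per_cluster = sector[13]
    if bytes_per_sector not in (512, 1024, 2048, 4096):
        return None
    if sectors_per_cluster == 0 or sectors_per_cluster & (sectors_per_cluster - 1):
        return None  # must be a power of two
    reserved = struct.unpack_from("<H", sector, 14)[0]
    fats = sector[16]
    hidden = struct.unpack_from("<I", sector, 28)[0]
    total = struct.unpack_from("<I", sector, 32)[0]
    backup = struct.unpack_from("<H", sector, 50)[0]
    if reserved == 0 or fats == 0 or total == 0:
        return None
    return {
        "lba": lba,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "backup_boot_sector": backup,
        # FAT32 keeps a copy of the boot sector (usually at volume sector 6);
        # a raw scan finds both, so tag the copy to avoid a duplicate partition.
        "is_backup": backup != 0 and lba == hidden + backup,
    }

def scan_for_vbrs(image):
    """Sector-by-sector scan: every offset that parses as a FAT32 boot sector."""
    hits = []
    for lba in range(len(image) // SECTOR):
        info = parse_vbr(image[lba * SECTOR:(lba + 1) * SECTOR], lba)
        if info is not None:
            hits.append(info)
    return hits

def rebuild_partitions(image):
    """Derive (start_lba, size_in_sectors) for each volume found, collapsing
    the primary and backup boot sectors of one volume into a single entry."""
    parts = {}
    for info in scan_for_vbrs(image):
        if info["is_backup"]:
            start = info["lba"] - info["backup_boot_sector"]
        else:
            start = info["lba"]  # the primary boot sector is the volume's first sector
        parts.setdefault(start, info["total_sectors"])
    return sorted(parts.items())

def mbr_partition_entry(start_lba, total_sectors, part_type=0x0C):
    """16-byte MBR partition-table entry (0x0C = FAT32 with LBA addressing).
    CHS fields get the LBA-only placeholder FE FF FF, as modern tools write."""
    return struct.pack("<B3sB3sII", 0x00, b"\xFE\xFF\xFF",
                       part_type, b"\xFE\xFF\xFF", start_lba, total_sectors)

def build_sample_image():
    """Constructed 2 MiB image: a zeroed MBR (the table has been 'fdisked' away)
    and one FAT32 volume at LBA 2048, with its backup boot sector at LBA 2054."""
    image = bytearray(4096 * SECTOR)
    start, size = 2048, 2048
    vbr = build_fat32_vbr(size, start)
    image[start * SECTOR:(start + 1) * SECTOR] = vbr
    image[(start + 6) * SECTOR:(start + 7) * SECTOR] = vbr
    return bytes(image)

if __name__ == "__main__":
    img = build_sample_image()
    for start, size in rebuild_partitions(img):
        entry = mbr_partition_entry(start, size)
        print(f"volume at LBA {start}, {size} sectors -> MBR entry {entry.hex()}")
```

Two things a practitioner will want to keep in mind. The hidden-sectors field is only trustworthy when the image starts at sector 0 of the physical disk; on an image taken from a single partition the backup copy no longer matches `hidden + backup` and shows up as a second volume, which is exactly the duplicate the scan of a whole-disk image avoids. And the rebuilt entry belongs in a working copy of the image (or in the tool's view of it, as EnCase's Add Partition does), not on the original evidence drive, since writing a new MBR there changes the thing being examined.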
