I’m noting these recommendations too, even though I didn’t start the thread. Interesting that you would run this on the copy and not the original. Are you making sector by sector copies that also somehow copy deleted files to the target?
From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross Sent: Wednesday, April 30, 2014 12:19 PM To: [email protected] Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery Pro-active? No idea. When we have to collect evidence, we do the following: 1. Confiscate the hardware. 2. Make copies. 3. Run discovery software. If you can, do this on the copy you made, not the original. The software we use is OSForensics, the free edition. I'm sure there are some much beefier programs out there. Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It allows you to quickly create a view of all browsing history on a computer broken down by user, which is often what we need to investigate. --Matt Ross Ephrata School District John Bonner <[email protected]<mailto:[email protected]>> , 4/29/2014 8:44 PM: Hello, I am looking for some recommendations on forensics recovery software. I (the company really) am willing to throw some $$$ at it as well. We often (not always) have proprietary / patentable information exposed to us by our clients and looking for a way to handle a situation should it arise with an employee. I am interested in two things. 1. Postumous recovery. Deleted files / browser cache / history to see what sites were visited / recover deleted files and such. 2. Pro-active monitoring that we could incorporate into our base install. Something that runs unbeknownst and perhaps when files are "deleted" really are moved to a secret partition or along those lines. I personally have used r-tools and have been pleased with the results but I think the execs are looking for a more enterprise grade product. Thank You for your thoughts / recommendations JB
