You should never run any forensics on the original drive – it makes changes 
that compromise the chain of custody.

 John W. Cook
Director of Network Operations
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell     (352) 215-6944

MCSE, MCP+I, MCTS,
CompTIA  A+, N+, Security +
VSP4, VTSP4

From: [email protected] [mailto:[email protected]] On 
Behalf Of Mike Tobias
Sent: Wednesday, April 30, 2014 12:49 PM
To: [email protected]
Subject: RE: [NTSysADM] Forensic Software Undelete / Recovery

I’m noting these recommendations too, even though I didn’t start the thread. 
Interesting that you would run this on the copy and not the original. Are you 
making sector by sector copies that also somehow copy deleted files to the 
target?

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Wednesday, April 30, 2014 12:19 PM
To: [email protected]
Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery

Pro-active? No idea.

When we have to collect evidence, we do the following:

1. Confiscate the hardware.
2. Make copies.
3. Run discovery software. If you can, do this on the copy you made, not the 
original.

The software we use is OSForensics, the free edition. I'm sure there are some 
much beefier programs out there.

Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It 
allows you to quickly create a view of all browsing history on a computer 
broken down by user, which is often what we need to investigate.


--Matt Ross
Ephrata School District
John Bonner <[email protected]>, 4/29/2014 8:44 PM:
Hello,

I am looking for some recommendations on forensics recovery software. I (the 
company really) am willing to throw some $$$ at it as well. We often (not 
always) have proprietary / patentable information exposed to us by our clients 
and am looking for a way to handle a situation should it arise with an employee.

I am interested in two things.

  1.  Posthumous recovery. Deleted files / browser cache / history to see what 
sites were visited / recover deleted files and such.
  2.  Pro-active monitoring that we could incorporate into our base install. 
Something that runs unbeknownst and perhaps when files are "deleted" really are 
moved to a secret partition or along those lines.

I personally have used r-tools and have been pleased with the results but I 
think the execs are looking for a more enterprise grade product.

Thank You for your thoughts / recommendations

JB

________________________________

CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really need 
to.
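The thread above turns on two points: work on a copy, not the original, and a sector-by-sector copy carries deleted data with it because it copies every sector, allocated or not. The following Python is an added example, not code posted by anyone in the thread. It images a constructed in-memory "device" block by block, hashes the source while reading and the finished image afterwards to prove the copy is faithful, and then carves a PNG out of unallocated space on the image purely by its signature bytes, with no file-system directory entry involved. The device contents, sector size and the PNG-shaped blob are all constructed for the demonstration; in practice the same imaging function would be handed a read-only handle to a real block device behind a hardware write-blocker.

```python
"""Sector-by-sector imaging, hash verification, and signature carving on the copy.

Added example for the discussion above, not code from the thread. The 'device'
is a constructed byte string; a real run would pass open(path, 'rb') on a
write-blocked device as src and an output file as dst.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

SECTOR = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"        # 8-byte PNG file signature
PNG_IEND = b"IEND\xaeB`\x82"           # IEND chunk type followed by its fixed CRC


def build_sample_device() -> bytes:
    """Constructed 64-sector disk. Sector 0 holds a live text file. Sector 20 holds
    the bytes of a PNG whose directory entry was deleted: nothing points at it
    any more, but the data is still physically present (unallocated space)."""
    disk = bytearray(64 * SECTOR)
    live = b"quarterly report - still listed in the directory\n"
    disk[0:len(live)] = live
    # Minimal PNG-shaped blob: signature, IHDR chunk (16x16 RGB, placeholder CRC,
    # not validated by the carver below), then a correct IEND chunk.
    ihdr = (b"\x00\x00\x00\x0dIHDR"
            + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x02\x00\x00\x00"
            + b"\x90\x91\x68\x36")
    deleted_png = PNG_MAGIC + ihdr + b"\x00\x00\x00\x00" + PNG_IEND
    start = 20 * SECTOR
    disk[start:start + len(deleted_png)] = deleted_png
    return bytes(disk)


def image_device(src: BinaryIO, dst: BinaryIO, block_size: int = SECTOR) -> Tuple[int, str]:
    """Copy every block from src to dst, the way dd does, and return
    (bytes_copied, sha256 of everything read). Unallocated sectors are copied
    along with allocated ones, which is why deleted data ends up in the image."""
    h = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(block_size)
        if not block:
            break
        h.update(block)
        dst.write(block)
        copied += len(block)
    dst.flush()
    return copied, h.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the finished image independently of the read-side hash. A mismatch
    means the copy cannot be used as evidence and must be re-acquired."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def carve_png(image: bytes) -> List[Tuple[int, bytes]]:
    """Signature carving: locate each PNG by its magic bytes and cut at the IEND
    trailer. This never consults the file system, so it recovers files that no
    longer have a directory entry. Returns (byte offset, recovered bytes) pairs."""
    found = []
    pos = 0
    while True:
        start = image.find(PNG_MAGIC, pos)
        if start == -1:
            break
        end = image.find(PNG_IEND, start)
        if end == -1:
            break  # signature without trailer: truncated, nothing more to carve
        end += len(PNG_IEND)
        found.append((start, image[start:end]))
        pos = end
    return found


def demo() -> Dict[str, object]:
    """Acquire the constructed device, verify the image, carve from the image only."""
    device = io.BytesIO(build_sample_device())   # stands in for the seized drive
    image_buf = io.BytesIO()                     # stands in for the image file
    copied, source_sha256 = image_device(device, image_buf)
    image = image_buf.getvalue()
    return {
        "copied": copied,
        "source_sha256": source_sha256,
        "verified": verify_image(image, source_sha256),
        "carved": carve_png(image),              # run on the copy, never on device
    }


if __name__ == "__main__":
    result = demo()
    print(f"copied {result['copied']} bytes, sha256 {result['source_sha256']}")
    print(f"image verified: {result['verified']}")
    for offset, data in result["carved"]:
        print(f"carved PNG at sector {offset // SECTOR}, {len(data)} bytes")
```

The carver is deliberately naive (magic-to-trailer, no CRC checking, no handling of fragmented files); its purpose here is to show that the recoverable data lives in sectors the file system no longer references, and that a byte-for-byte image carries those sectors across, so every subsequent recovery pass can be run against the image while the original stays untouched.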
