If at all possible, I leave the suspect drive untouched. I have read that you 
can compromise your evidence if you try to do your work on the drive itself. 
This makes sense: any deleted items still exist on the drive until the freed-up 
sectors are overwritten by the drive's use.
I will usually make a backup using Redo Backup, which is a nice live CD (or PXE 
boot... Hrm, I need to work on that...) for making a sector-for-sector copy. It 
allows me to keep a copy of the drive on a server, then create my forensics 
target on a spare drive. I put the spare drive into a different computer as a 
slave to run my tests.
Using this method, I can recover deleted files from the forensics copy of the 
drive.


--Matt Ross
Ephrata School District
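The two points made above, that deleted data survives until its sectors are reused and that recovery should be done on a sector-for-sector copy rather than the original, can be shown with a small constructed example. This is an added illustration, not code from the thread or from Redo Backup or OSForensics. It builds a toy volume with a constructed FAT-like directory (status byte, name, start sector, length), flags a file deleted the way simple filesystems do (entry marked, data sectors untouched), images the volume sector by sector with a hash check, recovers the file from the copy both via the leftover directory entry and via signature carving, and then shows the same recovery failing on the original once new data lands in the freed sector. All layout constants, names and file contents are constructed for the demo.

```python
import hashlib

# Constructed toy volume layout (not a real filesystem format)
SECTOR = 512                 # bytes per sector
ENTRY = 18                   # directory entry: status(1) + name(11) + start(2) + length(4)
LIVE, DELETED = 0x00, 0xE5   # 0xE5 borrowed from FAT's "deleted entry" marker
TOTAL_SECTORS = 16           # sector 0 = directory, sectors 1.. = data


def _pack_entry(status, name, start, length):
    return (bytes([status]) + name.encode().ljust(11, b"\0")
            + start.to_bytes(2, "little") + length.to_bytes(4, "little"))


def _entries(image):
    """Yield (offset, status, name, start_sector, length) for every populated directory slot."""
    for off in range(0, SECTOR - ENTRY + 1, ENTRY):
        raw = bytes(image[off:off + ENTRY])
        if raw[1:12] == b"\0" * 11:
            continue
        yield (off, raw[0], raw[1:12].rstrip(b"\0").decode(),
               int.from_bytes(raw[12:14], "little"), int.from_bytes(raw[14:18], "little"))


def build_image(files):
    """Write each file into consecutive data sectors and record it in the directory."""
    image = bytearray(SECTOR * TOTAL_SECTORS)
    next_sector, dir_off = 1, 0
    for name, data in files.items():
        image[next_sector * SECTOR: next_sector * SECTOR + len(data)] = data
        image[dir_off:dir_off + ENTRY] = _pack_entry(LIVE, name, next_sector, len(data))
        next_sector += max(1, -(-len(data) // SECTOR))
        dir_off += ENTRY
    return image


def delete_file(image, name):
    """'Delete' the way a simple filesystem does: flag the entry, leave the data sectors alone."""
    for off, status, n, _, _ in _entries(image):
        if n == name and status == LIVE:
            image[off] = DELETED
            return True
    return False


def allocate(image, name, data):
    """Normal use of the drive: new data goes into the first sectors no live entry references.
    This is what eventually destroys deleted content."""
    used = set()
    for _, status, _, start, length in _entries(image):
        if status == LIVE:
            used.update(range(start, start + max(1, -(-length // SECTOR))))
    need = max(1, -(-len(data) // SECTOR))
    start = 1
    while any(s in used for s in range(start, start + need)):
        start += 1
    image[start * SECTOR: start * SECTOR + len(data)] = data
    free_off = next(off for off in range(0, SECTOR - ENTRY + 1, ENTRY)
                    if image[off + 1:off + 12] == b"\0" * 11)
    image[free_off:free_off + ENTRY] = _pack_entry(LIVE, name, start, len(data))


def image_drive(source):
    """Sector-for-sector copy of the suspect volume, hash-verified before any analysis."""
    copy = bytearray()
    for s in range(0, len(source), SECTOR):
        copy += source[s:s + SECTOR]
    digest = hashlib.sha256(bytes(source)).hexdigest()
    if hashlib.sha256(bytes(copy)).hexdigest() != digest:
        raise RuntimeError("image does not match source")
    return copy, digest


def undelete_by_directory(image):
    """Recover files whose entry is flagged deleted but whose start/length still survive."""
    return {name: bytes(image[start * SECTOR: start * SECTOR + length])
            for _, status, name, start, length in _entries(image) if status == DELETED}


def carve_by_signature(image, magic):
    """Signature carving: sector numbers whose first bytes match a known file header,
    found without consulting the directory at all."""
    return [s for s in range(1, len(image) // SECTOR)
            if image[s * SECTOR: s * SECTOR + len(magic)] == magic]


def demo():
    magic = b"\x89PNG\r\n\x1a\n"                       # real PNG header, constructed payload
    suspect = build_image({"notes.txt": b"quarterly plan draft",
                           "logo.png": magic + b"constructed png payload"})
    delete_file(suspect, "logo.png")
    forensic_copy, _ = image_drive(suspect)            # work on the copy from here on
    recovered = undelete_by_directory(forensic_copy)   # still intact on the image
    carved = carve_by_signature(forensic_copy, magic)  # header found in sector 2
    # Meanwhile the original keeps being used and the freed sector is reused
    allocate(suspect, "memo.txt", b"new memo overwrites the freed sector")
    lost = undelete_by_directory(suspect)["logo.png"]  # same entry, content gone
    return recovered, carved, lost


if __name__ == "__main__":
    rec, carved, lost = demo()
    print("from image:", rec, "carved sectors:", carved)
    print("from original after reuse:", lost)
```

The hash check in `image_drive` is the part worth keeping in practice: an image that does not hash-match the source is not evidence of anything, and the comparison is cheap relative to the copy itself.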


Mike Tobias <[email protected]>, 4/30/2014 9:49 AM:

I’m noting these recommendations too, even though I didn’t start the thread. 
Interesting that you would run this on the copy and not the original. Are you 
making sector-by-sector copies that also somehow copy deleted files to the 
target?


From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Wednesday, April 30, 2014 12:19 PM
To: [email protected]
Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery


Pro-active? No idea.  


When we have to collect evidence, we do the following:   


1. Confiscate the hardware.   

2. Make copies.   

3. Run discovery software. If you can, do this on the copy you made, not the 
original.   


The software we use is OSForensics, the free edition. I'm sure there are some 
much beefier programs out there.   


Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It 
allows you to quickly create a view of all browsing history on a computer 
broken down by user, which is often what we need to investigate.   


--Matt Ross
Ephrata School District

John Bonner <[email protected]>, 4/29/2014 8:44 PM:

Hello,
  
 I am looking for some recommendations on forensics recovery software. I (the 
company really) am willing to throw some $$$ at it as well. We often (not 
always) have proprietary / patentable information exposed to us by our clients, 
and I am looking for a way to handle a situation should it arise with an employee.
  
 I am interested in two things.
     Posthumous recovery. Deleted files / browser cache / history to see what 
sites were visited / recover deleted files and such.
     Pro-active monitoring that we could incorporate into our base install. 
Something that runs unbeknownst to the user, so that perhaps when files are 
"deleted" they are really moved to a secret partition or along those lines.

 
 I personally have used r-tools and have been pleased with the results but I 
think the execs are looking for a more enterprise grade product.
  
 Thank you for your thoughts / recommendations
  
 JB
