Gotcha. Proper cloning software will do a bit-by-bit copy, which will retain all artifacts on the drive, including any data that is hidden/deleted/recoverable, etc. When looking for copy/backup software for forensics, 'bit copy' is a key phrase to be mindful of.

--
Espi

On Wed, Apr 30, 2014 at 10:44 AM, Mike Tobias <[email protected]> wrote:

> I didn't mean to imply that making any changes to the original drive was acceptable. All such software I've used in the past (for recovering deleted files) forced me to specify a separate drive for storing the recovered data, as it should. I just didn't know one would be able to recover deleted files from a copy of the drive, never tried it. I used to use Partition Magic or Ghost for this, more recently Partition Wizard or CloneZilla.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
> Sent: Wednesday, April 30, 2014 12:59 PM
> To: ntsysadm
> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>
> That would be the desired intent, yes. The last thing you want to do is perform active forensics and recovery on the volume under suspicion. When it comes time for legal action, you mucking around with the live data can have a very undesirable effect on your litigation. Plus, if you ever have to hand off to the Feds, etc., you can retain copies for your own continued research while they separately mount their case.
>
> --
> Espi
>
> On Wed, Apr 30, 2014 at 9:48 AM, Mike Tobias <[email protected]> wrote:
>
> I'm noting these recommendations too, even though I didn't start the thread. Interesting that you would run this on the copy and not the original. Are you making sector-by-sector copies that also somehow copy deleted files to the target?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
> Sent: Wednesday, April 30, 2014 12:19 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>
> Pro-active? No idea.
>
> When we have to collect evidence, we do the following:
>
> 1. Confiscate the hardware.
> 2. Make copies.
> 3. Run discovery software. If you can, do this on the copy you made, not the original.
>
> The software we use is OSForensics, the free edition. I'm sure there are some much beefier programs out there.
>
> Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It allows you to quickly create a view of all browsing history on a computer broken down by user, which is often what we need to investigate.
>
> --Matt Ross
> Ephrata School District
>
> John Bonner <[email protected]>, 4/29/2014 8:44 PM:
>
> Hello,
>
> I am looking for some recommendations on forensics recovery software. I (the company really) am willing to throw some $$$ at it as well. We often (not always) have proprietary / patentable information exposed to us by our clients and are looking for a way to handle a situation should it arise with an employee.
>
> I am interested in two things.
>
> 1. Posthumous recovery. Deleted files / browser cache / history to see what sites were visited / recover deleted files and such.
> 2. Pro-active monitoring that we could incorporate into our base install. Something that runs unbeknownst and perhaps when files are "deleted" really are moved to a secret partition or along those lines.
>
> I personally have used r-tools and have been pleased with the results but I think the execs are looking for a more enterprise-grade product.
>
> Thank You for your thoughts / recommendations
>
> JB
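An added example, not part of the thread or of any tool mentioned in it, showing the "bit copy, then work on the copy" step the replies above describe in its most minimal form: a sector-level `dd` acquisition, a hash taken of source and image to prove the copy is exact, and a string carve run against the image (not the original) to show that bytes no filesystem entry points at any more still come across. The "evidence disk" is a constructed 64 KiB file with a marker planted at a known offset to stand in for a deleted file's remnants; the function names and paths are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): acquire a bit-for-bit image of a
# source device or file with dd, verify it by hash, then carve from the
# IMAGE rather than from the original. All paths/names are constructed.
set -e

# Hash helper: sha256sum on Linux, shasum -a 256 on macOS/BSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit copy of $1 into $2. conv=noerror keeps reading past bad
# blocks and conv=sync pads each short read with zeros, so byte offsets in
# the image still line up with the original; bs=4096 reads whole sectors.
# Records the source hash next to the image (chain of custody) and returns
# 0 only if the image hashes identical to the source.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s\n' "$src_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Carve: print the byte offset of the first occurrence of a string in the
# image. grep -b (byte offset) -o (only the match) -a (treat as text) works
# on raw bytes, so nothing is mounted and the original is never touched.
carve_offset() {
    img="$1"; pattern="$2"
    LC_ALL=C grep -boa "$pattern" "$img" | head -n1 | cut -d: -f1
}

# Constructed demo "disk": 64 KiB of zeros with a string planted at byte
# 20480, standing in for the remnant of a deleted file (raw bytes, no
# filesystem, so no directory entry refers to it).
build_demo_disk() {
    disk="$1"
    dd if=/dev/zero of="$disk" bs=4096 count=16 2>/dev/null
    printf 'CONFIDENTIAL-DELETED-DOC' \
        | dd of="$disk" bs=1 seek=20480 conv=notrunc 2>/dev/null
}

# Demo run: image the constructed disk, verify, carve from the copy.
workdir=$(mktemp -d)
build_demo_disk "$workdir/evidence.raw"
acquire_image "$workdir/evidence.raw" "$workdir/evidence.dd"
echo "image verified: $(cat "$workdir/evidence.dd.sha256")"
echo "marker found in IMAGE at offset $(carve_offset "$workdir/evidence.dd" CONFIDENTIAL-DELETED-DOC)"
rm -rf "$workdir"
```

On a real case the source is attached through a hardware write blocker and acquired with a tool that logs and hashes as it goes (dc3dd, FTK Imager, ewfacquire), but the three things this script does are the same things those tools do: copy every sector regardless of what the filesystem says is allocated, prove the copy matches, and do all further recovery against the copy.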

