Interestingly enough, I once made a copy of a drive over the network using DISK2VHD, and it captured enough data that I could undelete files. That was quite a surprise...

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Wed, Apr 30, 2014 at 2:45 PM, Micheal Espinola Jr <[email protected]> wrote:

> Gotcha. Proper cloning software will do a bit-by-bit copy, which will
> retain all artifacts on the drive - including any data that is
> hidden/deleted/recoverable, etc. When looking for copy/backup software for
> forensics, 'bit copy' is a key phrase to be mindful of.
>
> --
> Espi
>
> On Wed, Apr 30, 2014 at 10:44 AM, Mike Tobias <[email protected]> wrote:
>
>> I didn't mean to imply that making any changes to the original drive
>> was acceptable. All such software I've used in the past (for recovering
>> deleted files) forced me to specify a separate drive for storing the
>> recovered data, as it should. I just didn't know one would be able to
>> recover deleted files from a copy of the drive, never tried it. I used to
>> use Partition Magic or Ghost for this, more recently Partition Wizard or
>> CloneZilla.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>> Sent: Wednesday, April 30, 2014 12:59 PM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>>
>> That would be the desired intent, yes. The last thing you want to do is
>> perform active forensics and recovery on the volume under suspicion. When
>> it comes time for legal action, you mucking around with the live data can
>> have a very undesirable effect on your litigation. Plus, if you ever have
>> to hand-off to the Feds, etc, you can retain copies for your own continued
>> research while they separately mount their case.
>>
>> --
>> Espi
>>
>> On Wed, Apr 30, 2014 at 9:48 AM, Mike Tobias <[email protected]> wrote:
>>
>> I'm noting these recommendations too, even though I didn't start the
>> thread. Interesting that you would run this on the copy and not the
>> original. Are you making sector by sector copies that also somehow copy
>> deleted files to the target?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
>> Sent: Wednesday, April 30, 2014 12:19 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>>
>> Pro-active? No idea.
>>
>> When we have to collect evidence, we do the following:
>>
>> 1. Confiscate the hardware.
>> 2. Make copies.
>> 3. Run discovery software. If you can, do this on the copy you made, not
>> the original.
>>
>> The software we use is OSForensics, the free edition. I'm sure there are
>> some much beefier programs out there.
>>
>> Also useful (for us in particular) is the BrowsingHistoryView from
>> NirSoft. It allows you to quickly create a view of all browsing history on
>> a computer broken down by user, which is often what we need to investigate.
>>
>> --Matt Ross
>> Ephrata School District
>>
>> John Bonner <[email protected]>, 4/29/2014 8:44 PM:
>>
>> Hello,
>>
>> I am looking for some recommendations on forensics recovery software. I
>> (the company really) am willing to throw some $$$ at it as well. We often
>> (not always) have proprietary / patentable information exposed to us by our
>> clients and looking for a way to handle a situation should it arise with an
>> employee.
>>
>> I am interested in two things.
>>
>> 1. Posthumous recovery. Deleted files / browser cache / history to see
>> what sites were visited / recover deleted files and such.
>> 2. Pro-active monitoring that we could incorporate into our base
>> install. Something that runs unbeknownst and perhaps when files are
>> "deleted" really are moved to a secret partition or along those lines.
>>
>> I personally have used r-tools and have been pleased with the results but
>> I think the execs are looking for a more enterprise grade product.
>>
>> Thank you for your thoughts / recommendations
>>
>> JB
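The thread's core point, that a bit-by-bit image keeps deleted data a file-level backup drops, and that analysis belongs on the verified copy, can be shown end to end in a few dozen lines. The following is an added example and not code from the list or from any of the tools named above (DISK2VHD, OSForensics, CloneZilla, r-tools). It constructs a tiny raw "drive" in a toy on-disk layout (one directory block plus data blocks; this is not NTFS or FAT), marks one file's directory entry as deleted without wiping its data block, then acquires the drive the way a dd-style tool does (raw blocks to EOF, hashing as it goes), compares the source and image SHA-256 digests, and finally recovers the deleted file from the image both by reading the stale directory entry and by signature carving. All names, the layout constants and the sample file contents are constructed for the demo.

```python
"""Added example: bit-for-bit imaging with hash verification, and recovery of
a deleted file from the image. Toy disk layout constructed here, not a real FS."""
import hashlib
import io
import struct

BLOCK = 512          # sector size used by the toy layout (constructed)
LIVE, DELETED = 1, 0
# Toy directory entry: name (16 bytes) | status (1) | first block (4) | length (4)
ENTRY = struct.Struct("<16sBII")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # real PNG signature, used for carving


def make_drive():
    """Build a 4-block raw disk. 'report.png' has been 'deleted': its entry is
    flagged DELETED, but its data block was never overwritten (as after a
    normal unlink on most file systems)."""
    files = [
        (b"notes.txt", LIVE, 1, b"quarterly numbers for client A\n"),
        (b"report.png", DELETED, 2, PNG_MAGIC + b"...fake png payload..."),
    ]
    img = bytearray(BLOCK * 4)
    off = 0
    for name, status, blk, data in files:
        img[off:off + ENTRY.size] = ENTRY.pack(name.ljust(16, b"\0"), status, blk, len(data))
        off += ENTRY.size
        img[blk * BLOCK:blk * BLOCK + len(data)] = data
    return bytes(img)


def list_directory(img, include_deleted=False):
    """Walk the directory block; by default hide entries flagged DELETED,
    which is all a normal file-level tool would ever see."""
    entries, off = [], 0
    while off + ENTRY.size <= BLOCK:
        name, status, blk, length = ENTRY.unpack_from(img, off)
        name = name.rstrip(b"\0")
        if not name:
            break
        if status == LIVE or include_deleted:
            entries.append((name.decode(), status, blk, length))
        off += ENTRY.size
    return entries


def file_level_copy(img):
    """What a file-by-file backup captures: live files only."""
    return {name: img[blk * BLOCK:blk * BLOCK + length]
            for name, status, blk, length in list_directory(img)}


def bit_copy(src, dst, block=BLOCK):
    """dd-style acquisition: copy raw blocks until EOF, ignoring the file
    system entirely, and hash the source stream while reading it."""
    h_src = hashlib.sha256()
    while True:
        chunk = src.read(block)
        if not chunk:
            break
        h_src.update(chunk)
        dst.write(chunk)
    return h_src.hexdigest()


def acquire(drive):
    """Image the drive and return (image, source digest, image digest).
    The two digests must match before any analysis is done on the image."""
    src, dst = io.BytesIO(drive), io.BytesIO()
    src_hash = bit_copy(src, dst)
    image = dst.getvalue()
    return image, src_hash, hashlib.sha256(image).hexdigest()


def carve(image, magic=PNG_MAGIC):
    """Signature carve: find every offset where a known header occurs,
    without consulting the directory at all."""
    hits, pos = [], image.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = image.find(magic, pos + 1)
    return hits


def undelete(image):
    """Recover files whose stale directory entries are still present."""
    return {name: image[blk * BLOCK:blk * BLOCK + length]
            for name, status, blk, length in list_directory(image, include_deleted=True)
            if status == DELETED}


if __name__ == "__main__":
    drive = make_drive()
    image, src_hash, img_hash = acquire(drive)
    print("source sha256:", src_hash)
    print("image  sha256:", img_hash, "(match)" if src_hash == img_hash else "(MISMATCH)")
    print("file-level copy sees:", sorted(file_level_copy(drive)))
    print("carved PNG headers at offsets:", carve(image))
    print("undeleted from image:", sorted(undelete(image)))
```

Running it shows the file-level copy containing only `notes.txt`, while the bit-level image (whose digest equals the source's) still yields `report.png` both from its deleted directory entry and from a PNG header carved at offset 1024. Against a real device the same flow applies: image the raw block device through a write blocker, record the source and image digests, and run every recovery tool against the image rather than the suspect drive.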

