Interesting! I would not have assumed that, but I guess it makes sense. Good to know!
--
Espi

On Wed, Apr 30, 2014 at 5:09 PM, Andrew S. Baker <[email protected]> wrote:
> Interestingly enough, I once made a copy of a drive over the network using
> DISK2VHD, and it captured enough data that I could undelete files. That was
> quite a surprise...
>
> ASB
> http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market...
>
> On Wed, Apr 30, 2014 at 2:45 PM, Micheal Espinola Jr <[email protected]> wrote:
>> Gotcha. Proper cloning software will do a bit-by-bit copy, which will
>> retain all artifacts on the drive - including any data that is
>> hidden/deleted/recoverable, etc. When looking for copy/backup software for
>> forensics, 'bit copy' is a key phrase to be mindful of.
>>
>> --
>> Espi
>>
>> On Wed, Apr 30, 2014 at 10:44 AM, Mike Tobias <[email protected]> wrote:
>>> I didn't mean to imply that making any changes to the original drive
>>> was acceptable. All such software I've used in the past (for recovering
>>> deleted files) forced me to specify a separate drive for storing the
>>> recovered data, as it should. I just didn't know one would be able to
>>> recover deleted files from a copy of the drive, never tried it. I used to
>>> use Partition Magic or Ghost for this, more recently Partition Wizard or
>>> CloneZilla.
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>>> Sent: Wednesday, April 30, 2014 12:59 PM
>>> To: ntsysadm
>>> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>>>
>>> That would be the desired intent, yes. The last thing you want to do is
>>> perform active forensics and recovery on the volume under suspicion. When
>>> it comes time for legal action, you mucking around with the live data can
>>> have a very undesirable effect on your litigation. Plus, if you ever have
>>> to hand off to the Feds, etc., you can retain copies for your own continued
>>> research while they separately mount their case.
>>>
>>> --
>>> Espi
>>>
>>> On Wed, Apr 30, 2014 at 9:48 AM, Mike Tobias <[email protected]> wrote:
>>>
>>> I'm noting these recommendations too, even though I didn't start the
>>> thread. Interesting that you would run this on the copy and not the
>>> original. Are you making sector-by-sector copies that also somehow copy
>>> deleted files to the target?
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
>>> Sent: Wednesday, April 30, 2014 12:19 PM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery
>>>
>>> Pro-active? No idea.
>>>
>>> When we have to collect evidence, we do the following:
>>>
>>> 1. Confiscate the hardware.
>>> 2. Make copies.
>>> 3. Run discovery software. If you can, do this on the copy you made, not
>>> the original.
>>>
>>> The software we use is OSForensics, the free edition. I'm sure there are
>>> some much beefier programs out there.
>>>
>>> Also useful (for us in particular) is the BrowsingHistoryView from
>>> NirSoft. It allows you to quickly create a view of all browsing history on
>>> a computer broken down by user, which is often what we need to investigate.
>>>
>>> --Matt Ross
>>> Ephrata School District
>>>
>>> John Bonner <[email protected]>, 4/29/2014 8:44 PM:
>>>
>>> Hello,
>>>
>>> I am looking for some recommendations on forensics recovery software. I
>>> (the company really) am willing to throw some $$$ at it as well. We often
>>> (not always) have proprietary / patentable information exposed to us by our
>>> clients and are looking for a way to handle a situation should it arise with an
>>> employee.
>>>
>>> I am interested in two things.
>>>
>>> 1. Posthumous recovery. Deleted files / browser cache / history to
>>> see what sites were visited / recover deleted files and such.
>>> 2. Pro-active monitoring that we could incorporate into our base
>>> install. Something that runs unbeknownst and perhaps when files are
>>> "deleted" really are moved to a secret partition or along those lines.
>>>
>>> I personally have used r-tools and have been pleased with the results,
>>> but I think the execs are looking for a more enterprise-grade product.
>>>
>>> Thank you for your thoughts / recommendations
>>>
>>> JB
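The thread's central point (Espi's "bit copy retains deleted data", Mike's "somehow copy deleted files to the target?") can be shown in a few dozen lines. The following is an added example, not code from the thread or from any of the products named in it. It builds a constructed in-memory "disk image" with a toy directory table (the layout is invented for illustration and is not NTFS or FAT), deletes a file the way a real filesystem does (drop the directory entry, leave the data sectors untouched), and then contrasts a file-level copy, which only sees directory entries, with signature-based carving over the raw bytes, which is what recovery tools run against a sector-level image. The PNG sample is generated with the standard library; the JPEG sample is a constructed header/trailer stub, not a decodable picture.

```python
"""Why undelete works on a bit-for-bit image but not on a file-level copy.

Added example for the NTSysADM thread; toy filesystem layout is invented.
"""
import hashlib
import struct
import zlib

SECTOR = 512
DIR_ENTRY = struct.Struct(">8sII")   # name, data offset, length (constructed layout)
DIR_SLOTS = 4                        # directory lives in sector 0
MAX_CARVE = 16 * 1024 * 1024         # give up on a header with no trailer within 16 MiB

# Header/trailer signatures. PNG ends with an IEND chunk (length 0, "IEND",
# fixed CRC 0xAE426082); JPEG ends with the EOI marker FF D9.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"\x00\x00\x00\x00IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(rgb=(0x10, 0x20, 0x30)) -> bytes:
    """Valid 1x1 8-bit RGB PNG, used as constructed sample data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + bytes(rgb)                       # filter byte + one pixel
    return (SIGNATURES["png"][0] + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def build_image(files, deleted):
    """Lay files out sector-aligned after the directory sector.

    Names in `deleted` keep their data in place but get no directory entry,
    which is what a normal delete does on a real filesystem.
    """
    data = bytearray(SECTOR)
    entries = []
    for name, blob in files:
        off = len(data)
        data += blob
        data += b"\x00" * (-len(data) % SECTOR)      # pad to sector boundary
        if name not in deleted:
            entries.append((name.encode().ljust(8, b"\x00"), off, len(blob)))
    for i, entry in enumerate(entries):
        DIR_ENTRY.pack_into(data, i * DIR_ENTRY.size, *entry)
    return bytes(data)


def logical_copy(image: bytes) -> dict:
    """What a file-level copy or backup sees: only what the directory lists."""
    out = {}
    for i in range(DIR_SLOTS):
        name, off, length = DIR_ENTRY.unpack_from(image, i * DIR_ENTRY.size)
        if length:
            out[name.rstrip(b"\x00").decode()] = image[off:off + length]
    return out


def carve(image: bytes, max_len: int = MAX_CARVE):
    """Return [(kind, offset, data)] for every header/trailer pair in the raw bytes.

    This ignores the directory entirely, so deleted files whose sectors have
    not been overwritten are found alongside live ones.
    """
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = image.find(head)
        while start != -1:
            end = image.find(tail, start + len(head), start + max_len)
            if end == -1:                             # orphan header, skip it
                start = image.find(head, start + 1)
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            start = image.find(head, end)
    return sorted(found, key=lambda f: f[1])


def image_hash(image: bytes) -> str:
    """SHA-256 of the image; record it before and after analysis."""
    return hashlib.sha256(image).hexdigest()


def demo():
    png = make_png()
    jpg = b"\xff\xd8\xff\xe0" + b"constructed-jfif-stub" + b"\xff\xd9"   # not a real picture
    files = [("notes", b"quarterly notes\n"), ("secret", png), ("photo", jpg)]
    image = build_image(files, deleted={"secret"})   # "secret" was deleted by the user
    return image, logical_copy(image), carve(image)


if __name__ == "__main__":
    image, logical, carved = demo()
    print("image sha256:", image_hash(image))
    print("file-level copy sees:", sorted(logical))
    print("carved from raw image:", [(k, off, len(d)) for k, off, d in carved])
```

Against a real drive the `image` bytes would come from a sector-level imager (for example `dd` run from a write-blocked or read-only mount) rather than from `build_image`, and you would hash the source device and the image with the same algorithm before touching either. Real carvers also handle fragmented files and formats without a fixed trailer; this example keeps to the contiguous header/trailer case the thread is about.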

