Excellent to know. Thanks.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Micheal Espinola Jr
Sent: Wednesday, April 30, 2014 2:45 PM
To: ntsysadm
Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery

Gotcha.  Proper cloning software will do a bit-by-bit copy, which will retain 
all artifacts on the drive - including any data that is 
hidden/deleted/recoverable, etc.  When looking for copy/backup software for 
forensics, 'bit copy' is a key phrase to be mindful of.

--
Espi


On Wed, Apr 30, 2014 at 10:44 AM, Mike Tobias <[email protected]> wrote:
I didn't mean to imply that making any changes to the original drive was 
acceptable. All such software I've used in the past (for recovering deleted 
files) forced me to specify a separate drive for storing the recovered data, as 
it should. I just didn't know one would be able to recover deleted files from a 
copy of the drive, never tried it. I used to use Partition Magic or Ghost for 
this, more recently Partition Wizard or CloneZilla.

From: [email protected] [mailto:[email protected]] 
On Behalf Of Micheal Espinola Jr
Sent: Wednesday, April 30, 2014 12:59 PM
To: ntsysadm

Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery

That would be the desired intent, yes.  The last thing you want to do is 
perform active forensics and recovery on the volume under suspicion.  When it 
comes time for legal action, you mucking around with the live data can have a 
very undesirable effect on your litigation.  Plus, if you ever have to hand off 
to the Feds, etc., you can retain copies for your own continued research while 
they separately mount their case.

--
Espi


On Wed, Apr 30, 2014 at 9:48 AM, Mike Tobias <[email protected]> wrote:
I'm noting these recommendations too, even though I didn't start the thread. 
Interesting that you would run this on the copy and not the original. Are you 
making sector by sector copies that also somehow copy deleted files to the 
target?

From: [email protected] [mailto:[email protected]] 
On Behalf Of Matthew W. Ross
Sent: Wednesday, April 30, 2014 12:19 PM
To: [email protected]
Subject: Re: [NTSysADM] Forensic Software Undelete / Recovery

Pro-active? No idea.

When we have to collect evidence, we do the following:

1. Confiscate the hardware.
2. Make copies.
3. Run discovery software. If you can, do this on the copy you made, not the 
original.

The software we use is OSForensics, the free edition. I'm sure there are some 
much beefier programs out there.

Also useful (for us in particular) is the BrowsingHistoryView from NirSoft. It 
allows you to quickly create a view of all browsing history on a computer 
broken down by user, which is often what we need to investigate.


--Matt Ross
Ephrata School District
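Matt's three steps above (take the hardware, image it, run recovery on the image) and Espi's point higher in the thread about needing a bit copy rather than a file-level clone, as an added example that is not part of any post in this thread. It is a small Python model: the toy disk layout, the file names and their contents are constructed for the demo and do not represent a real filesystem, and the "directory in sector 0" scheme is an assumption made only to keep the example self-contained.

```python
"""Added example (not from the thread): bit-for-bit image vs. file-level clone.

Constructed toy disk, not a real filesystem. Assumed layout:
  sector 0   plain-text directory, one "name,start_sector,length" line per
             *allocated* file;  sectors 1..  file data
"Deleting" a file drops its directory line and leaves its sectors untouched,
which is what real filesystems do: they free blocks, they do not wipe them.
"""
import hashlib

SECTOR = 512
SECTORS = 16  # 8 KiB toy disk

# Constructed contents. The PDF stands in for a client document an employee
# deleted; the notes file is still allocated.
ALLOCATED = {
    "notes.txt": b"meeting notes: nothing proprietary here\n",
}
DELETED = {
    "client-design.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                         b"patentable widget geometry\n%%EOF",
}


def build_toy_disk() -> bytes:
    """Write allocated and deleted files; only allocated ones get a directory entry."""
    disk = bytearray(SECTOR * SECTORS)
    directory = []
    next_sector = 1
    for name, data in list(ALLOCATED.items()) + list(DELETED.items()):
        start = next_sector * SECTOR
        disk[start:start + len(data)] = data
        if name in ALLOCATED:
            directory.append(f"{name},{next_sector},{len(data)}")
        next_sector += -(-len(data) // SECTOR)  # ceiling division: sectors used
    listing = "\n".join(directory).encode()
    disk[0:len(listing)] = listing
    return bytes(disk)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_copy(source: bytes) -> tuple[bytes, bool]:
    """Sector-by-sector copy of the whole device, unallocated space included,
    plus the hash comparison an examiner records before working on the image.
    The source is only ever read, never written."""
    image = bytearray()
    for off in range(0, len(source), SECTOR):
        image += source[off:off + SECTOR]
    image = bytes(image)
    return image, sha256(image) == sha256(source)


def file_level_copy(source: bytes) -> dict[str, bytes]:
    """What a file-level backup/clone tool produces: only files the directory lists."""
    files = {}
    for line in source[:SECTOR].rstrip(b"\x00").decode().splitlines():
        name, start_sector, length = line.split(",")
        off = int(start_sector) * SECTOR
        files[name] = source[off:off + int(length)]
    return files


# Header/footer signatures for simple file carving (the "undelete" step).
SIGNATURES = {
    "pdf": (b"%PDF-", b"%%EOF"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes) -> list[tuple[str, int, bytes]]:
    """Scan every byte for known headers and cut out header..footer runs.
    Because it ignores the directory, it also finds files in freed sectors."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header))
            if end == -1:
                break
            end += len(footer)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


def demo() -> dict:
    """Steps 1-3 from the thread: take the device, image it, recover from the image."""
    original = build_toy_disk()            # 1. the confiscated drive
    image, verified = bit_copy(original)   # 2. bit copy + hash verification
    file_copy = file_level_copy(original)  #    ...versus a file-level clone
    carved = carve(image)                  # 3. recovery runs on the image only
    return {
        "hash_verified": verified,
        "file_copy_names": sorted(file_copy),
        "carved_from_image": [(kind, off) for kind, off, _ in carved],
        "deleted_pdf_recovered": any(
            blob == DELETED["client-design.pdf"] for _, _, blob in carved),
        "carved_from_file_copy": carve(b"".join(file_copy.values())),
    }
```

`demo()` shows the whole point of the thread in one result: the file-level clone knows only about `notes.txt`, carving the file-level clone finds nothing, but carving the verified bit image recovers the deleted PDF from the sectors the directory no longer references. In practice the same three steps are `dd`/`dc3dd` or FTK Imager behind a hardware write blocker to produce the image, the source and image hashes recorded together, and a carver such as PhotoRec or Scalpel run against the image file only.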
John Bonner <[email protected]>, 4/29/2014 8:44 PM:
Hello,

I am looking for some recommendations on forensics recovery software. I (the 
company really) am willing to throw some $$$ at it as well. We often (not 
always) have proprietary / patentable information exposed to us by our clients 
and looking for a way to handle a situation should it arise with an employee.

I am interested in two things.

1. Posthumous recovery. Deleted files / browser cache / history to see what 
sites were visited / recover deleted files and such.
2. Pro-active monitoring that we could incorporate into our base install. 
Something that runs unbeknownst and perhaps when files are "deleted" really are 
moved to a secret partition or along those lines.

I personally have used r-tools and have been pleased with the results but I 
think the execs are looking for a more enterprise grade product.

Thank You for your thoughts / recommendations

JB
