±Forensic Focus Partners
New Today: 0
New Yesterday: 6
±Follow Forensic Focus
· Acquiring Windows PCs
· Evidence Acquisition and Analysis from iCloud
· TSFIC 2015 – Myrtle Beach 31st May – 3rd June
· Forensics Europe Expo 2015 – Recap
· Capturing RAM Dumps and Imaging eMMC Storage on Windows Tablets
· TDFCon 2015 – Middlesbrough 15th May
· Electronic Voiceprints: The Crime Solving Power of Biometric Forensics
· DFRWS Europe 2015 Annual Conference – Recap
· DFRWS EU 2015 – Dublin 23rd – 26th March
Comodo timemachine forensics
So the usage of the disk is not visible to forensic tools, it lives in the snapshots(stored in some program specific format in unallocated space) that is not accessible to forensic tool.
The original PC from where the disk images comes from is not available so theres no possibility to boot images and commit snapshots to disk.
anyone that have experience with this problem/solution ?
I have just recently come across this exact thing and it has caused much head scratching in our department! We acquired an image of a machine onsite which has Comodo Time Machine installed. On returning to the lab and putting the image into Encase/FTK it looks almost like a clean install with usage stopping around 2 years previous to seizure. Various software programs which we know to have been used on the machine the day we acquired it are not present, no program file entries, no registry keys relating to their installation etc (I have another system to compare with).
We know this to be false as the machine was in use and switched on using a particular software when we arrived! Not only this I have since been in touch with the user of the machine who describes booting it as normal and using the software without any problem.
The E01 image was acquired using a TD-2 with no known issues and the image verified correctly. I am at a loss as to how imaging the drive in this way has not resulted us being able to replicate what the user clearly has and is still using on the system. We also did the acquisition twice with the same result on both images.
If we run some keyword searches for files related to the software we are interested in we get hits back including some kind of printer/fax log which has timestamps from the day before we arrived.
I don't suppose you ever found a solution/explanation for this? Or has anyone else come across something similar?
This machine contained 1 160GB SATA drive, the drive and partition sizes all match up in Encase for that size of disk. It was not set to boot to anything external and was not part of a LAN but did have internet connectivity via a router.
Thanks in advance for any assistance.
Will investigate more on Tuesday!
I have managed to get round the issue caused by Comodo Time Machine (and some similiar system restore products) as described in the blog article above by doing the following:
Restore the image back to a new hard drive and then boot into the Comodo Time Machine setup by pressing the Home key on startup.
Uninstall CTM, selecting the option to revert back to the current snapshot (this should hold the user data from when the machine was last in use). This will remove CTM and also the baseline and any other older snapshots created by CTM.
When the uninstall finishes power down, remove the hard drive, stick it on a fastbloc and using FTK/FTK Image/Encase etc should allow you to see the drive contents as it was last used and not just a baseline image.
I spent a while trying the unistall method using VFC to virtualise the disk but CTM refused to uninstall for some reason, kept hanging around 3 %. Suspect there is a way round this with some more testing. I also could not boot into the current snapshot with VFC due to a BSOD and fixing the MBR without taking out CTM just resulted in seeing the baseline contents (ie an almost clean install of windows) again.
I have never seen this before so it has been an interesting learning curve!