Can every file be recovered by forensic tools?


Re: Can every file be recovered by forensic tools?

Posted: Thu Jan 24, 2013 4:26 am

- jaclaz
I would have thought that Photorec does more than "a few" types:
www.cgsecurity.org/wik...le_formats
Known file formats

Live and learn, live and learn... :)

That said, Photorec still ignores the file system, which is bad for recovering fragmented files. So at least two different tools must then be used in order to recover existing files and files from unallocated space. In my experience, tools using a combined approach (analyzing the file system, if any, and taking information obtained from the file system into account when reading unallocated space) usually work best.
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Thu Jan 24, 2013 5:44 am

- Belkasoft

That said, Photorec still ignores the file system, which is bad for recovering fragmented files. So at least two different tools then must be used in order to recover existing files and files from unallocated space. In my experience, tools using combined approach (analyzing the file system, if any, and taking information obtained from the file system into account when reading unallocated space) usually work best.

Yes, but we were talking of "carving" or "file based recovery" (or at least I was ;) ).

If the file is just plainly "deleted", filesystem analysis is needed BUT knowledge of the file format is then irrelevant (you either find an entry marked as deleted in the filesystem indexing or you don't find it).

So, yes, two passes (with two different tools) are needed, but I would guess that the "added trouble" might be compensated by the "right price" of such tools.

A quick list of "undelete" tools is here:
pcsupport.about.com/od...ograms.htm

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Thu Jan 24, 2013 6:23 am

I'm not going to jump on the bandwagon with answers to all of these questions, as I think that they've been addressed very well so far.

- TheOJM
Is it possible for that file not to be corrupted and to still be accessible months after the time it was created?


One of the things I discuss in my courses and presentations is how active Windows systems are, even when the user doesn't do anything - there is a great deal that goes on even when no user is interacting with the system at the keyboard. Software updates, defrags, etc. As such, it's not likely that you'd be able to retrieve/carve deleted files, even a week or so after the date/time that the file was deleted.

I have seen instances where a file was deleted, and the system was shut down, and then not touched for several months. I've also seen cases where the system was in heavy use by the user after a specific date, and the system wasn't acquired for more than a year - in those cases, most of the information we were able to 'carve' was stuff that remained resident in logical files on the system, so it hadn't actually been deleted.  

keydet89
Senior Member
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Thu Jan 24, 2013 10:55 am

- jaclaz

So, yes, two passes (with two different tools) are needed, but I would guess that the "added trouble" might be compensated by the "right price" of such tools.

Ah, but that depends on who pays for it, and why. Using any commercial tool is certainly easier than Photorec. It's also usually much faster to use a single tool than two separate ones; not just because you save time on not doing a duplicate job, but also because a smarter tool can actually exclude allocated areas from the search, reducing the time for scanning the disk quite dramatically. So I guess the choice of using a free vs. commercial approach depends pretty much on whether or not you're paid by the hour :)
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
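Added example (editor's code, not from any of the posters and not Photorec's or Belkasoft's implementation) illustrating the three points made so far: Belkasoft's first post (a carver that ignores the file system mis-assembles fragmented files), jaclaz's reply (undelete is a file-system pass that needs no knowledge of the file format) and the post above (scanning only unallocated clusters shrinks the search). Everything is constructed: a 16-byte cluster size, an 8-cluster image, a JPEG-like file delimited by the real SOI/EOI markers, and an NTFS-style record whose cluster run list is assumed to survive deletion (on FAT only the first cluster and the size would survive, so the same recovery would be ambiguous for a fragmented file).

```python
"""Toy volume: carving vs. file-system undelete of a fragmented, deleted file.

Constructed for this example: 16-byte clusters, an 8-cluster image and an
NTFS-like record whose run list survives deletion until the record is reused.
"""
from dataclasses import dataclass

CLUSTER = 16                         # toy cluster size in bytes
SOI, EOI = b"\xff\xd8", b"\xff\xd9"  # JPEG start-of-image / end-of-image markers


@dataclass
class Record:
    """Minimal file-system record (assumed shape, NTFS-style)."""
    name: str
    size: int
    runs: list        # clusters in file order; survives deletion until reused
    deleted: bool = False


def cluster(image: bytes, n: int) -> bytes:
    return image[n * CLUSTER:(n + 1) * CLUSTER]


def build_volume():
    """Constructed image: photo.jpg was written fragmented (clusters 2,3,6), then deleted."""
    original = SOI + b"photo-body-" + b"X" * 33 + EOI    # 48 bytes = 3 clusters
    clusters = [
        b"BOOT".ljust(CLUSTER, b"\0"),   # 0: reserved, allocated
        b"DIR".ljust(CLUSTER, b"\0"),    # 1: directory area, allocated
        original[0:16],                  # 2: deleted photo, fragment 1
        original[16:32],                 # 3: deleted photo, fragment 1 (cont.)
        b"LIVE-FILE-DATA!!",             # 4: live.txt, allocated
        b"OLD-REMNANT-BYTE",             # 5: unallocated leftovers of an older file
        original[32:48],                 # 6: deleted photo, fragment 2 (carries EOI)
        b"\0" * CLUSTER,                 # 7: never used
    ]
    assert all(len(c) == CLUSTER for c in clusters)
    bitmap = [True, True, False, False, True, False, False, False]   # allocation bitmap
    records = [
        Record("live.txt", 16, [4]),
        Record("photo.jpg", 48, [2, 3, 6], deleted=True),
    ]
    return b"".join(clusters), bitmap, records, original


def carve(data: bytes, header: bytes = SOI, footer: bytes = EOI) -> list:
    """Naive header/footer carver: assumes every file is stored contiguously."""
    found, pos = [], 0
    while (start := data.find(header, pos)) != -1:
        end = data.find(footer, start + len(header))
        if end == -1:
            break
        found.append(data[start:end + len(footer)])
        pos = end + len(footer)
    return found


def unallocated(image: bytes, bitmap: list) -> bytes:
    """Concatenate only unallocated clusters: smaller search space, same carver."""
    return b"".join(cluster(image, i) for i, used in enumerate(bitmap) if not used)


def undelete(image: bytes, records: list) -> dict:
    """File-system pass: follow the surviving run list of each deleted record."""
    out = {}
    for r in records:
        if r.deleted:
            out[r.name] = b"".join(cluster(image, c) for c in r.runs)[:r.size]
    return out


if __name__ == "__main__":
    image, bitmap, records, original = build_volume()
    whole = carve(image)[0]
    unalloc = carve(unallocated(image, bitmap))[0]
    print("carve whole image :", len(whole), "bytes, correct:", whole == original)
    print("carve unallocated :", len(unalloc), "bytes, correct:", unalloc == original)
    print("file-system pass  :", undelete(image, records)["photo.jpg"] == original)
```

Carving the whole image returns 80 bytes: the header-to-footer span swallows the live file's cluster and the stale cluster 5. Carving only unallocated clusters no longer touches the live file and scans fewer bytes, but still returns a 64-byte file with cluster 5 spliced in, because a carver has no way to know where fragment 1 ends. Only the file-system pass, which never looks at SOI/EOI at all, returns the exact 48 bytes; the two passes answer different questions and neither replaces the other.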
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Thu Jan 24, 2013 11:51 am

- keydet89
One of the things I discuss in my courses and presentations is how active Windows systems are, even when the user doesn't do anything - there is a great deal that goes on even when no user is interacting with the system at the keyboard. Software updates, defrags, etc. As such, it's not likely that you'd be able to retrieve/carve deleted files, even a week or so after the date/time that the file was deleted.


I would disagree with the week part of that post. It becomes a sliding probability based on various factors, the activeness of the computer being one and location of the data being the other.

When carving files from my own computers (knowing the rough dates they were created), I have found deleted files going back many years. Obviously when doing examinations of suspect computers such a statement is harder to make.

twjolson
Senior Member
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Fri Jan 25, 2013 8:06 am

- Belkasoft

Ah, but that depends on who pays for it, and why. Using any commercial tool is certainly easier than Photorec. It's also usually much faster to use a single tool than two separate ones; not just because you save time on not doing a duplicate job, but also because a smarter tool can actually exclude allocated areas from the search, reducing the time for scanning the disk quite dramatically. So I guess the choice of using a free vs. commercial approach depends pretty much on whether or not you're paid by the hour :)


Yes and no.
I personally see nothing "difficult" in using a command line tool, and as a matter of fact the way the OP posed the question:
- TheOJM
And also can this data be recovered by free forensic software such as FTK Imager or does paid software enable me to do this?

sounds to me like he is somehow hoping to find Freeware tools to do the job.

But of course it depends, compare how I tend to disagree with the use of Commercial tools:
www.forensicfocus.com/...ic/t=9729/
for study.

The free thingies tend to be (generally speaking and with no offence whatever intended for the good Authors that provide them) more rudimentary, simple and direct to the (more limited) point, while Commercial tools (and again no offence intended to their Authors) besides a more polished and simplified UI (and hopefully a more powerful engine) tend to do things "automagically".

For the experienced investigator/data recovery specialist they do offer a nice way to do more in less time, the risk (now it is becoming philosophy :-O ) being that the tool is treated (by the less experienced user) as a magical spell that will do the miracle, i.e. (and I have actually seen them used this way) that the tool allows for being used by a "trained monkey", and IF (and WHEN) it fails there is a neat "Nothing else can be found" or "Nothing else can be recovered" kind of "verdict" while all that is needed is some ingenuity, dedication and tests with other means/methods.

If you prefer, I often have the impression that due to a number of factors (which do include time, money, etc.) in not so few cases the actual program (Commercial and actually and objectively very good) comes to be regarded more as an oracle than as what it is (a tool).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Can every file be recovered by forensic tools?

Posted: Sat Jan 26, 2013 12:37 pm

- Belkasoft
Using any commercial tool is certainly easier than Photorec. It's also usually much faster to use a single tool than two separate ones; not just because you save time on not doing a duplicate job, but also because a smarter tool can actually exclude allocated areas from the search, reducing the time for scanning the disk quite dramatically. So I guess the choice of using a free vs. commercial approach depends pretty much on whether or not you're paid by the hour :)


- Belkasoft
Using any commercial tool is certainly easier than Photorec.

Wow. Did your mother never tell you the dangers of absolute statements? I have used your program Belkasoft, and I can promise you that "foremost -i <infile>" will be easier than what you produce any day.

- Belkasoft
but also because a smarter tool can actually exclude allocated areas from the search

It doesn't matter how 'smart' the tool is if the examiner is stupid. A smart tool could exclude allocated areas, sure, or the examiner could just run the tool against unallocated space (Unallocated Clusters in EnCase).

"Smart" (sorry, I misspelled proprietary) tools have one huge flaw (besides costing money to do the same job as free/open source tools). Companies spend large sums of money in R&D to make their products better, but they rarely, if ever, share that research. So for instance, your product and IEF can both parse IE 10 artifacts. But, and I freely admit my studies on Win 8 and IE 10 are behind the curve, did you/they release their research? Assuming you make a new discovery do you have any incentive at all to do so?

My point, as you can see, is that smart tools make our jobs easier every day, but ultimately stifle research. Open source and independent research contribute a lot to our small society, but can they truly match the R&D budget of companies like Guidance, AccessData, Belkasoft, Magnet Forensics, and the like?

On top of that, proprietary tools, being black boxes, will forever require the trust of the examiner in the tool and the producer. Sure, we can validate, but that will never catch every bug and idiosyncrasy. Open source, however, allows anyone that can read code (not even requiring a mind that can write code) to testify to the inner workings in a way no one but the engineers (and even then, they'd have to testify as a group to give the whole picture) can do for proprietary tools.

Don't get me wrong, I love proprietary tools. I could not perform an exam in a reasonable amount of time using strictly open source tools. But your emphasis, and implication, that any commercial tool is better than an open source tool just flipped my trigger.

That is to say, absolute statements are always wrong. Heh.  

twjolson
Senior Member
 
 