±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 34081
New Yesterday: 0 Visitors: 139

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Comodo timemachine forensics

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts

Comodo timemachine forensics

Post Posted: Wed Dec 19, 2012 9:05 am

I have forensic images of two HDD where there has been used comodo timemachine and all the disk usage after certain date is not commited to the disk.
So the usage of the disk is not visible to forensic tools, it lives in the snapshots(stored in some program specific format in unallocated space) that is not accessible to forensic tool.

The original PC from where the disk images comes from is not available so theres no possibility to boot images and commit snapshots to disk.

anyone that have experience with this problem/solution ?  


Re: Comodo timemachine forensics

Post Posted: Fri May 03, 2013 1:36 pm


I have just recently come across this exact thing and it has caused much head scratching in our department! We acquired an image of a machine onsite which has Comodo Time Machine installed. On returning to the lab and putting the image into Encase/FTK it looks almost like a clean install with usage stopping around 2 years previous to seizure. Various software programs which we know to have been used on the machine the day we acquired it are not present, no program file entries, no registry keys relating to their installation etc (I have another system to compare with).

We know this to be false as the machine was in use and switched on using a particular software when we arrived! Not only this I have since been in touch with the user of the machine who describes booting it as normal and using the software without any problem.

The E01 image was acquired using a TD-2 with no known issues and the image verified correctly. I am at a loss as to how imaging the drive in this way has not resulted us being able to replicate what the user clearly has and is still using on the system. We also did the acquisition twice with the same result on both images.

If we run some keyword searches for files related to the software we are interested in we get hits back including some kind of printer/fax log which has timestamps from the day before we arrived.

I don't suppose you ever found a solution/explanation for this? Or has anyone else come across something similar?

This machine contained 1 160GB SATA drive, the drive and partition sizes all match up in Encase for that size of disk. It was not set to boot to anything external and was not part of a LAN but did have internet connectivity via a router.

Thanks in advance for any assistance.  


Re: Comodo timemachine forensics

Post Posted: Fri May 03, 2013 1:44 pm

Just found this which could be useful


Will investigate more on Tuesday!  


Re: Comodo timemachine forensics

Post Posted: Wed May 08, 2013 10:06 am

Quick update in case anyone else comes across this.

I have managed to get round the issue caused by Comodo Time Machine (and some similiar system restore products) as described in the blog article above by doing the following:

Restore the image back to a new hard drive and then boot into the Comodo Time Machine setup by pressing the Home key on startup.

Uninstall CTM, selecting the option to revert back to the current snapshot (this should hold the user data from when the machine was last in use). This will remove CTM and also the baseline and any other older snapshots created by CTM.

When the uninstall finishes power down, remove the hard drive, stick it on a fastbloc and using FTK/FTK Image/Encase etc should allow you to see the drive contents as it was last used and not just a baseline image.

I spent a while trying the unistall method using VFC to virtualise the disk but CTM refused to uninstall for some reason, kept hanging around 3 %. Suspect there is a way round this with some more testing. I also could not boot into the current snapshot with VFC due to a BSOD and fixing the MBR without taking out CTM just resulted in seeing the baseline contents (ie an almost clean install of windows) again.

I have never seen this before so it has been an interesting learning curve!  


Page 1 of 1