
Opinion

Post Posted: Tue Jun 24, 2014 1:38 am

In a firm, they want to find an old file. It was created seven years ago.
Actually they don't know on which computer it was created. All of the PCs were erased and reinstalled in 2011.
The disks are quite empty. Is it possible to find something?
Thanks

giamma
Member
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 4:41 am

It might be possible - but possibly with data carving.

What type of file is being looked for? Some files are easier to find than others!
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 6:55 am

- mscotgrove
It might be possible - but possibly with data carving.

What type of file is being looked for? Some files are easier to find than others!


Thanks, that's what I am thinking. The file is Excel xls or xlsx, not sure which version.
Thanks

giamma
Member
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 7:16 am

Two ways

1) Assuming that the disks were NTFS - likely but not certain - try and scan all possible MFT entries and search for XLS? files.

2) Do data carving and search for xls or xlsx files. This is slightly more complex.

All .xls files start with the same signature as .doc files (0xd0 0xcf etc)

Search for .XLSX files. These are basically ZIP files (start 'PK') and then can be determined by examining the structure of the file


If the file is XLS and not XLSX then it may be possible to do a complete disk search for an unusual text string that the file may contain.

Your success rate will depend to a very large extent on how the computer has been used since, and luck as to where the original file was stored on the disk.

Always treat the possible disks as read only - never turn the PC on, or load ANY software to the drives.


For a 2007 computer do consider that the disk may have had NTFS compression enabled. It was not used much, and is even less common now, but when data carving, each cluster can be tested for compression.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
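
The signature checks described in the post above, as an added example that is not part of the original thread: a sector-aligned scan that separates an .xls from other files sharing the 0xd0 0xcf signature by reading the compound-file directory, and an .xlsx from other ZIP files by its member names. The sample image, the function names and the 64 KiB look-ahead window are constructed for the illustration; only the first directory sector is read and fragmentation is ignored.

```python
import struct

SECTOR = 512
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # shared by .xls, .doc, .ppt
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header

def classify_ole2(img, off):
    """Read the first directory sector and look for Excel's workbook stream."""
    shift, first_dir = struct.unpack_from("<H16xI", img, off + 0x1E)
    if shift not in (9, 12):                           # sector size is 1 << shift
        return "ole2-damaged"
    start = off + (first_dir + 1) * (1 << shift)       # assumes an unfragmented file
    d, names = img[start:start + (1 << shift)], set()
    for i in range(0, len(d) - 127, 128):              # 128-byte directory entries
        nlen, = struct.unpack_from("<H", d, i + 0x40)  # name bytes incl. terminator
        names.add(d[i:i + min(max(nlen - 2, 0), 62)].decode("utf-16-le", "replace"))
    return "xls" if names & {"Workbook", "Book"} else "ole2-other"

def classify_zip(img, off, window=1 << 16):
    """Collect member names from nearby local headers; .xlsx carries xl/ parts."""
    names, pos, end = [], off, min(len(img), off + window)
    while pos != -1 and pos + 30 <= end:
        nlen, = struct.unpack_from("<H", img, pos + 26)
        names.append(img[pos + 30:pos + 30 + nlen])
        pos = img.find(ZIP_MAGIC, pos + 4, end)
    if b"[Content_Types].xml" not in names:
        return "zip-other"
    return "xlsx" if any(n.startswith(b"xl/") for n in names) else "ooxml-other"

CLASSIFIERS = {OLE2_MAGIC: classify_ole2, ZIP_MAGIC: classify_zip}
def scan(img):
    """Test the start of every sector, because files start on sector boundaries."""
    return [(off, fn(img, off))
            for off in range(0, len(img) - SECTOR + 1, SECTOR)
            for magic, fn in CLASSIFIERS.items() if img.startswith(magic, off)]

def _ole2(stream):  # constructed sample: OLE2 header plus one directory sector
    hdr = OLE2_MAGIC + bytes(22) + struct.pack("<H", 9) + bytes(480)
    ents = b"".join(n.encode("utf-16-le").ljust(64, b"\0")
                    + struct.pack("<H", 2 * len(n) + 2) + bytes(62)
                    for n in ("Root Entry", stream))
    return hdr + ents.ljust(512, b"\0")

def _member(name):  # constructed ZIP local header with an empty body
    return ZIP_MAGIC + bytes(22) + struct.pack("<HH", len(name), 0) + name

SAMPLE = (bytes(1024) + _ole2("Workbook") + _ole2("WordDocument")
          + (_member(b"[Content_Types].xml") + _member(b"xl/workbook.xml")).ljust(512, b"\0"))
print(scan(SAMPLE))
```

Run it against a read-only image of the disk, never the disk itself; an "xls" hit only marks where a workbook once started, and the clusters behind it may since have been reused.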
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 7:30 am

OK thanks, really clear! Thinking about it, they are only xls, not xlsx.
Thanks again  

giamma
Member
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 9:03 am

To clear the range of possibilities, it greatly depends on the specific OS that was reinstalled in 2011 AND on the EXACT method that was used to "erase" the disk.
Namely, good ol' XP did NOT wipe *anything* through the FORMAT command (both "quick" and "full") whilst in Vista (and later) the "normal" Format command (i.e. without the "quick" or /q option) will 00 write the whole disk.

So if in 2011 either Vista or 7 were installed and the disk volumes were re-formatted WITHOUT the /q switch you have 0 (zero) chances of finding anything.
If it was a reinstall of XP (or a Vista or 7 and format was used WITH the /q switch) you have some (very little) probabilities, some more if it was XP, see below.

The point is that (from experience) "business" PC's (actually their hard disk volumes, and talking of "workstations") never had an issue with having been filled up to the brim, typically the occupied space is/was:
  • the OS files
  • the "typical" MS Office install
  • one or two (at the most) "vertical" softwares, usually taking little amount of space
  • user files, that typically are a bunch of Word and Excel files, maybe a few .ppt's, a number of .pdf's and the "big chunk" that is usually the Outlook or Outlook Express database

Independently from the way the volume has been formatted (if it was formatted) if an upgrade took place, a new OS (let's say 7 over XP) and a new version of Office (let's say 2010 over 2003) are so much bigger in themselves when compared to the previously existing versions that it is likely that by themselves they will take more space than the whole space occupied before by the OS+Programs+Data, so that it is very likely that the original file has been overwritten.

In any case (IF a "wiping format" has not taken place) you have no other choice than carving those volumes, and I don't want to put you down in any way :) , but the chances to find that needle in the haystack are extremely low, you should know about this and tell the firm about it.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Opinion

Post Posted: Tue Jun 24, 2014 12:05 pm

- jaclaz

In any case (IF a "wiping format" has not taken place) you have no other choice than carving those volumes, and I don't want to put you down in any way :) , but the chances to find that needle in the haystack are extremely low, you should know about this and tell the firm about it.

jaclaz


There is an option, better than carving, where you scan the drive for any MFT entries not part of the present file system. This might also show you where the files were stored, and hence one can find out if they have been overwritten. (I had a vaguely similar job recently and found 2 required .docx files - though many references to files that had been overwritten by new Windows 7).

I agree though, that needle and haystack describe the situation fairly well.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
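
The MFT scan mentioned in the post above, as an added example that is not part of the original thread: it looks for FILE records at sector boundaries, skips those inside the current $MFT, and returns each leftover record's file name, in-use flag and the first cluster of its data, which is where to look to see whether the content was overwritten. The 1024-byte record size, the `live_mft` byte ranges (supplied by the examiner from the present file system) and the sample image are assumptions of the example; update-sequence fixups are not applied.

```python
import struct

RECORD = 1024  # common MFT record size (assumption; the old boot sector states it)

def parse_record(rec):
    """Return (name, in_use, first_lcn) from one FILE record, or None."""
    if rec[:4] != b"FILE" or len(rec) < RECORD:
        return None
    pos, flags = struct.unpack_from("<HH", rec, 0x14)    # first attribute, flags
    name = lcn = None
    while pos + 0x22 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 0x18 or pos + alen > len(rec):
            break                                        # end marker or damage
        if atype == 0x30 and rec[pos + 8] == 0:          # resident $FILE_NAME
            c = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            if name is None or rec[c + 0x41] != 2:       # prefer non-DOS names
                name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le", "replace")
        elif atype == 0x80 and rec[pos + 8] == 1:        # non-resident $DATA
            r = pos + struct.unpack_from("<H", rec, pos + 0x20)[0]
            lsz, osz = rec[r] & 0x0F, rec[r] >> 4        # first data run header
            lcn = int.from_bytes(rec[r + 1 + lsz:r + 1 + lsz + osz], "little", signed=True)
        pos += alen
    return name, bool(flags & 1), lcn

def stale_records(img, live_mft=()):
    """Yield (offset, name, in_use, first_lcn) for records outside the live $MFT."""
    for off in range(0, len(img) - RECORD + 1, 512):
        if any(a <= off < b for a, b in live_mft):
            continue
        try:
            hit = parse_record(img[off:off + RECORD])
        except (IndexError, struct.error):               # corrupt offsets in record
            continue
        if hit:
            yield (off,) + hit

def _record(name, lcn, in_use):  # constructed record for the sample image
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    fn += bytes(-len(fn) % 8)
    a30 = struct.pack("<IIB7xIH2x", 0x30, 0x18 + len(fn), 0, len(fn), 0x18) + fn
    run = bytes([0x21, 8]) + lcn.to_bytes(2, "little") + b"\0" * 4
    a80 = struct.pack("<IIB23xH30x", 0x80, 0x40 + len(run), 1, 0x40) + run
    hdr = b"FILE" + bytes(16) + struct.pack("<HH", 0x38, in_use)
    return (hdr.ljust(0x38, b"\0") + a30 + a80 + b"\xff" * 4).ljust(RECORD, b"\0")

SAMPLE = bytes(2048) + _record("budget.xls", 5000, 0) + bytes(512) + _record("live.doc", 77, 1)
print(list(stale_records(SAMPLE, live_mft=[(3584, 4608)])))
```

The first cluster number is relative to the old volume, so converting it to a byte offset needs that volume's start and cluster size.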
 
 