
Intro and Questions

r3v0lt
(@r3v0lt)
New Member

First to introduce myself…

I have a love for computers in general. I went to possibly the worst school ever (ITT - Tech) but I gained my associate's in Computer Network Systems there. As of right now I work desktop support for a company, and I'm going through the MCSE and CCNA tracks to gain my certifications in those. My main passion, however, is in information security. Any aspect of InfoSec just keeps me curious and wanting to learn more. Computer Forensics has always been an interest to me; however, I know little about it atm. Thus why I'm here… to learn! =)

Onto the questions, shall we?

This may or may not be able to be answered but we'll see. So I've always wondered how you can get a dead or broken HD and still get data off of it? I can understand if it's been formatted or erased. But how do data recovery firms do it? How can they take a hard drive that's been physically damaged and still pull data off of it? This is what I would like to dive head first into.

I see a lot of you use VMware so as not to disturb your desktop. Is there a reason for VMware and not any other virtual machine such as, say, Microsoft's Virtual PC?

Thanks in advance for any responses.

Topic starter Posted : 06/02/2008 5:55 pm
azrael
(@azrael)
Senior Member

Personally, I find that VMWare is just a lot more responsive and easier/nicer to use than Microsoft's offering - that and I run Mac, Windows and Linux hosts - so transitioning a VM is much easier if you can use all the same :-)

I've used MS, VMWare and Parallels quite a lot, and I honestly think that the VMWare solution is the best …

There are people here who are better qualified than me to answer the first part, but I think that you'll find that some go to the lengths of disassembling the damaged drive, and rebuilding it with functional components in a clean room environment.

Well done on your studies - keep at it :-)

Posted : 06/02/2008 6:23 pm
r3v0lt
(@r3v0lt)
New Member

Wow, thanks for such a quick response!!! And thank you. As I always tell people, if it wasn't for computers I'd be about as dumb and useless as a rock hehe =p

Topic starter Posted : 06/02/2008 6:44 pm
ddow
(@ddow)
Active Member

As to the dead HD question, it depends on why it died. In some cases, the PCB is bad and can be replaced. The hardest cases are when the platters have to be moved to a new drive/head assembly. Requires a clean room and $$$. In many cases, the drive spins up OK and software is able to recover data with minimal trouble.

Posted : 06/02/2008 6:55 pm
r3v0lt
(@r3v0lt)
New Member

What if the platters themselves are damaged? Would the hard drive then just be considered FUBAR, or are there still ways to salvage something from damaged platters?

By damaged platters I mean cracked, chipped, slightly burnt, pretty much anything other than a shattered platter.

Again, I appreciate such fast responses!!

Topic starter Posted : 06/02/2008 7:15 pm
azrael
(@azrael)
Senior Member

I think, that so long as they can be made to spin, then data will be recoverable from the areas that are readable.

In a highly scientific lab, you could go as far as looking under an electron microscope, even at a shattered platter - however the more complex the recovery the more expensive it will be, and you had better _really_ need the data if you are willing to spend _that_ much 😉

It isn't the world's most reliable source of information, but this http://en.wikipedia.org/wiki/Data_recovery should give you a reasonable background on the subject - there are some good links at the bottom of the page …

Posted : 06/02/2008 7:23 pm
r3v0lt
(@r3v0lt)
New Member

Alright, it seems at this point I have enough information to start playing with some new stuff =)

I have so many old hard drives, wiped hard drives, bad hard drives. I'm sure I can get plenty of practice.

Now as far as software goes. From what I've gathered it seems it's mostly preference and skill level? For somebody just beginning and learning, what would be the most user friendly of the software sets? EnCase seemed a bit intimidating after reading up on it. Norton Ghost I'm familiar with but I'm sure that's really low end. What would you guys suggest for something moderately good but somewhat user friendly?

Topic starter Posted : 06/02/2008 7:46 pm
azrael
(@azrael)
Senior Member

Ah … You are running into a few issues here …

EnCase and FTK are flipping expensive - these aren't really good "starter" tools - although if you hang around long enough - you'll get there …

Ghost is useless, throw it away now. It only looks at files that it can see, it won't bother with unallocated things at all.

For analysis WinHex is pretty good, and also has a freely downloadable version.

You can get the FTK Imager from the FTK website to make disk images with, or you can have a go with dd.

Google should help you find them all :-)

Posted : 06/02/2008 7:50 pm
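
The dd route mentioned in the post above, as an added example that is not part of the original thread: image a source sector by sector and verify the copy by hash. The function names, file names and the constructed 1 MiB sample "drive" are assumptions made so the script runs offline.

```shell
#!/bin/sh
# Added example: image a source bit-for-bit with dd and verify it by hash.
# The "drive" here is a constructed 1 MiB file so the script runs offline;
# on a real case the source would be a block device behind a write blocker.

hash_of() {
    # Print only the SHA-256 digest of a file or device.
    sha256sum "$1" | cut -d ' ' -f 1
}

image_and_verify() {
    src=$1
    img=$2
    # bs=512: one sector per read, so an unreadable sector costs one sector.
    # conv=noerror,sync: keep going on read errors and pad the failed block
    # with zeros, which keeps every later offset in the image aligned.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.dd.log" || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    # Record both digests next to the image for later re-verification.
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >"$img.sha256.txt"
    [ "$src_hash" = "$img_hash" ]
}

make_sample_source() {
    # Constructed sample data: 2048 sectors of 512 bytes (1 MiB).
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

WORK=$(mktemp -d)
make_sample_source "$WORK/source.bin"
if image_and_verify "$WORK/source.bin" "$WORK/source.dd"; then
    echo "image verified: $(hash_of "$WORK/source.dd")"
else
    echo "hash mismatch or imaging error" >&2
fi
```

Because `conv=sync` pads every short or failed read to a full block, a source whose size is not a multiple of 512 bytes, or one with unreadable sectors, produces an image whose hash differs from the source; the dd log and the recorded digests are what document that difference.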
azrael
(@azrael)
Senior Member

Have a look at the SleuthKit and Autopsy as well …

😉

Posted : 06/02/2008 7:51 pm
 Anonymous

… And take a look at the TestDisk - PhotoRec combo of apps.

Posted : 06/02/2008 8:42 pm
r3v0lt
(@r3v0lt)
New Member

Have a look at the SleuthKit and Autopsy as well …

😉

I've heard of but never played with those.

And take a look at the TestDisk - PhotoRec combo of apps.

Sounds like some fun as well! Thanks guys!!!! =) If only every board was this helpful the world would sure be a better place.

Any books to recommend? =p

Topic starter Posted : 06/02/2008 9:24 pm
Walkabout_fr
(@walkabout_fr)
Member

As far as data recovery on damaged disks is concerned, have a look at Scott Moulton's presentation. It's available on his site www.myharddrivedied.com. I think it will help you get started …

Posted : 06/02/2008 9:34 pm
azrael
(@azrael)
Senior Member

Any books to recommend? =p

Yep …

Look at

"File System Forensic Analysis" Brian Carrier
"Windows Forensic Analysis" Harlan Carvey
"Forensic Computing" Tony Sammes and Brian Jenkinson
"Forensic Discovery" Dan Farmer and Wietse Venema

Those should keep you going for a bit 😉

Posted : 06/02/2008 11:47 pm
r3v0lt
(@r3v0lt)
New Member

Now I know I'm new. However, this thread has turned into a heap load of information for somebody starting out. Could this thread possibly stay as a sticky? Or incorporate a sticky thread with this information? So the next newbie that wants to start learning can get started without having to ask redundant questions?

Just a thought

Topic starter Posted : 07/02/2008 1:24 am