Partition recovery is an important stage of forensic analysis, and it is apparent that the so-called forensic software EnCase and FTK suck at it: neither of them provides easy and clear buttons, menus or results for this stage.
So, we have to use 3rd party programs like R-Studio, Active Partition Recovery, EaseUS etc., as they perform much better than EnCase and FTK.
However, the partition recovery results in many partitions recovered; some are in good condition, some are partly overwritten and some are badly overwritten. Many of those partitions seem to be overlapping, and some partitions seem to be exactly the same size, where forensic examiners may be confused.
So, let's say the partition recovery software has found 30 partitions and 5 of them seem to be in good condition, while the remaining ones are overwritten and seem to be partially recoverable. Each of those may be recovered to some extent, with thousands of various files and folders, some with the same files and folders.
So, how far should you go as a forensic examiner in terms of including those partitions in your forensic examination? Should you recover each of those 30 partitions one by one and check each file contained, which means the same files over and over again, or should you examine the partitions that seem to be in good condition and leave the others unchecked?
What do you think?
I don't think there is a good enough one-size-fits-all answer to your questions; my guess is that it is within the examiner's evaluation of the specific case.
As a side note, have a try with DMDE
http://dmde.com/
it has a rather good way to evaluate the "expected validity" of the found volumes, a number of recovery tools are a tad bit too optimistic, i.e. they list as "good enough" areas that are actually crap or overlapping.
I highlighted volumes because that is what you will be able to find, not "partitions".
As an example, when scanning a disk containing some RAW disk images you will have all volumes in the disk image listed (and in "perfect" condition).
jaclaz
As a side note, have a try with DMDE
http://dmde.com/
it has a rather good way to evaluate the "expected validity" of the found volumes, a number of recovery tools are a tad bit too optimistic, i.e. they list as "good enough" areas that are actually crap or overlapping…
Thanks jaclaz - didn't know this one.
A different approach may be to just run data carving on the whole disk. At the end of this you will get an idea of the types of files on the disk, and where they have been saved.
If you are after photos, or maybe spreadsheets, you can see if they look relevant to your investigation. At this point you can work backwards to see which possible partition they were saved on. This might reduce your 30 possible partitions to just a few.
The correct carving program may produce dates for your files, again helping reduce the number of files to examine.
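As an added example, not code from any poster or from the tools named in this thread: a small Python triage pass over a constructed list of candidate volumes that groups overlapping extents, flags identical extents (the "same size" candidates that confuse examiners), and maps carved-file byte offsets back to the volumes that contain them, the working-backwards step described above. The sector size, volume names and offsets are all constructed sample values.

```python
from dataclasses import dataclass
from collections import defaultdict

SECTOR = 512  # assumed sector size for the constructed sample


@dataclass(frozen=True)
class Volume:
    """One candidate volume as a recovery tool might report it (constructed)."""
    name: str
    start: int    # first LBA of the volume
    sectors: int  # length in sectors

    @property
    def end(self) -> int:
        return self.start + self.sectors  # exclusive end LBA


def overlap_groups(vols):
    """Sweep candidates sorted by start LBA; intersecting extents share a group."""
    groups, cur, cur_end = [], [], -1
    for v in sorted(vols, key=lambda v: (v.start, v.end)):
        if cur and v.start < cur_end:
            cur.append(v.name)
            cur_end = max(cur_end, v.end)
        else:
            if cur:
                groups.append(sorted(cur))
            cur, cur_end = [v.name], v.end
    if cur:
        groups.append(sorted(cur))
    return groups


def exact_duplicates(vols):
    """Identical start and size means one extent listed twice (e.g. a volume
    found via both its primary and its backup boot sector), not two volumes."""
    by_extent = defaultdict(list)
    for v in vols:
        by_extent[(v.start, v.sectors)].append(v.name)
    return [sorted(names) for names in by_extent.values() if len(names) > 1]


def volumes_containing(vols, byte_offset, sector=SECTOR):
    """Names of every candidate whose extent covers a carved file's offset."""
    lba = byte_offset // sector
    return sorted(v.name for v in vols if v.start <= lba < v.end)


def triage(vols, carved_offsets, sector=SECTOR):
    """Keep only candidates that hold at least one carved file of interest."""
    keep = set()
    for off in carved_offsets:
        keep.update(volumes_containing(vols, off, sector))
    return sorted(keep)


# Constructed sample: five candidates; vol2 repeats vol1, vol3 lies inside vol1
CANDIDATES = [Volume("vol1", 2048, 409600), Volume("vol2", 2048, 409600),
              Volume("vol3", 204800, 102400), Volume("vol4", 500000, 200000),
              Volume("vol5", 800000, 100000)]
# Constructed byte offsets of two carved files of interest (a photo, a spreadsheet)
CARVED = [150000 * SECTOR, 600000 * SECTOR]
```

Running `triage(CANDIDATES, CARVED)` leaves three of the five candidates, and `exact_duplicates` shows that two of those three are the same extent, so only two distinct volumes need examining.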