I’ve been working as a digital forensics expert for 18 years. Over that time my coworkers and I have done lots of cases. What have I seen? Working on almost any forensic investigation, we use data recovery software. Some analysts use just forensic suites, such as X-Ways, EnCase or Belkasoft, while others use specialized data recovery utilities, such as R-Studio or GetData Recover My Files.
Let me remind you: we are digital forensics experts. Any missed file could contain data relevant to the case. So, how do you choose the best data recovery tool?
I've given my tips
As I see it, essentially that blog post concludes that
1) no single tool exists (to the best of your knowledge) that can recover *everything*
2) multiple tools should always be run against the same data source in order to maximize the probability of recovering (if not *everything*) at least *as much as possible*.
I am probably missing the point 😯 as the above is (or should be) "common knowledge" among digital forensic experts.
Maybe if you could name the three tools that you used readers would have a nice practical reference, knowing that once combined they provide good results, at least when it comes to .jpg images.
jaclaz
I think one important issue here is how many tools find the complete, sequential files. I would hope there were not too many differences here.
How many tools find partial fragments of files? Here I would expect large differences. If one can only see part of a file then its use may be less than that of a full file. However, if it can be proved to be part of a known file, then this information might be useful.
You indicated that most problems were related to phones/tablets. Can you give an idea why more images were missed on these devices? Are they typically fragmented?
Are you also talking about deleted images, or standard viewable images?
I know from my work with video recovery, camera memory chips very often store data physically out of sequence, but this becomes sequential when copied to a new storage device. Very few recovery programs (except mine) process this problem, and so just produce unviewable videos.
jaclaz, mscotgrove, thanks for your answers.
Maybe if you could name the three tools that you used readers would have a nice practical reference, knowing that once combined they provide good results, at least when it comes to .jpg images.
X-Ways Forensic
R-Studio
Private software for investigating, recovering and reconstructing digital images.
Igor,
Thanks for the article.
I learned something new from your article: JPG quantization tables.
A quick Google search turned up the following PowerPoint on the subject of JPG Quantization Tables and forensics http//
It appears from the slides that JPG Quantization Tables can be analyzed to determine, amongst other data, which type of device created a JPG file in question.
I have relied upon EXIF metadata to determine the type of device that created a JPG file.
QUESTION
* Do you analyze JPG Quantization tables in your practice as a method to validate EXIF metadata or in some other fashion? If so, how and with what tool(s)?
Many thanks for the insight on something new! As my father used to say, (and he may have been quoting someone else) "The more one learns, the less one knows".
Regards,
Larry
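Two points raised above lend themselves to a small worked example: mscotgrove's distinction between complete and partial recovered files, and Larry's question about reading a JPG's quantization tables instead of trusting EXIF alone. The following Python is an added example written for this page; it is not code from the thread, from the article, or from any of the tools named here. It parses the DQT segments of a JPEG, de-zig-zags the 64 entries into natural order, checks whether a recovered file at least runs from SOI to EOI, and estimates the libjpeg (IJG) quality factor by comparing the table to the standard base tables from Annex K of the JPEG specification. The sample JPEG header it builds is constructed inline for demonstration and is not a decodable image; a device-signature database, which is what the slides Larry mentions rely on, is assumed to exist elsewhere and is not part of this example.

```python
"""Extract JPEG quantization tables (DQT) and estimate the IJG quality factor.

Added example for this thread, not code from any tool named in it.
"""
import struct

# Standard IJG base tables from Annex K of the JPEG spec, in natural (row-major) order.
IJG_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61,
    12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56,
    14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77,
    24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101,
    72, 92, 95, 98, 112, 100, 103, 99,
]
IJG_CHROMA = [17, 18, 24, 47, 99, 99, 99, 99,
              18, 21, 26, 66, 99, 99, 99, 99,
              24, 26, 56, 99, 99, 99, 99, 99,
              47, 66, 99, 99, 99, 99, 99, 99] + [99] * 32

# ZIGZAG[k] = natural-order index of the k-th coefficient in the file's zig-zag order.
ZIGZAG = [0, 1, 8, 16, 9, 2, 3, 10, 17, 24, 32, 25, 18, 11, 4, 5,
          12, 19, 26, 33, 40, 48, 41, 34, 27, 20, 13, 6, 7, 14, 21, 28,
          35, 42, 49, 56, 57, 50, 43, 36, 29, 22, 15, 23, 30, 37, 44, 51,
          58, 59, 52, 45, 38, 31, 39, 46, 53, 60, 61, 54, 47, 55, 62, 63]


def ijg_scale_table(base, quality):
    """Scale a base table the way libjpeg does for quality 1..100."""
    quality = max(1, min(100, quality))
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [max(1, min(255, (b * scale + 50) // 100)) for b in base]


def jpeg_is_complete(data):
    """Cheap completeness check for a carved file: starts with SOI and ends with EOI."""
    return len(data) >= 4 and data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"


def parse_dqt(data):
    """Walk marker segments up to SOS; return [(table_id, precision_bits, natural_order_values)]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    tables, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if marker in (0xD9, 0xDA):              # EOI, or SOS: entropy-coded data follows
            break
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xDB:
            tables.extend(_parse_dqt_payload(data[pos + 4:pos + 2 + seg_len]))
        pos += 2 + seg_len
    return tables


def _parse_dqt_payload(seg):
    """One DQT segment may hold several tables; Pq selects 8- or 16-bit entries."""
    tables, i = [], 0
    while i < len(seg):
        pq, tq = seg[i] >> 4, seg[i] & 0x0F
        i += 1
        if pq == 0:
            zz = list(seg[i:i + 64]); i += 64
        else:
            zz = list(struct.unpack(">64H", seg[i:i + 128])); i += 128
        if len(zz) != 64:
            raise ValueError("truncated quantization table")
        natural = [0] * 64
        for k, v in enumerate(zz):
            natural[ZIGZAG[k]] = v
        tables.append((tq, 8 if pq == 0 else 16, natural))
    return tables


def estimate_quality(table, base=IJG_LUMA):
    """Invert IJG scaling using the ratio of table sum to base-table sum."""
    scale = 100.0 * sum(table) / sum(base)
    return 5000.0 / scale if scale > 100 else (200.0 - scale) / 2


def build_sample_jpeg(quality, with_eoi=False):
    """Constructed header only (SOI + APP0 + DQT + SOS), not a decodable image."""
    def dqt_entry(tid, tbl):
        return bytes([tid]) + bytes(tbl[ZIGZAG[k]] for k in range(64))
    payload = dqt_entry(0, ijg_scale_table(IJG_LUMA, quality)) + \
        dqt_entry(1, ijg_scale_table(IJG_CHROMA, quality))
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    dqt = b"\xff\xdb" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app0 + dqt + b"\xff\xda" + (b"\xff\xd9" if with_eoi else b"")


if __name__ == "__main__":
    sample = build_sample_jpeg(75)
    for tid, bits, tbl in parse_dqt(sample):
        print(f"table {tid} ({bits}-bit), est. quality {estimate_quality(tbl):.1f}")
    print("complete:", jpeg_is_complete(sample))
```

A practitioner would run `parse_dqt` over each carved JPEG and compare the tables against a signature set; a table that matches libjpeg's standard scaling at some quality says "re-saved by common software", while a non-standard table that contradicts the EXIF make/model is the signal worth noting. The quality estimate is the sum-ratio heuristic used by several image tools and is approximate by design.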
I would submit you do not need to find everything; you need to find enough to prove what you have been asked to prove, or to tell the story of what happened with a given computer.
For me, X-ways is of course what I start with.
I have access to crazy advanced in-house tools as well, for when things are damaged beyond what X-Ways can do (rare).
Echoing Eric, I would even take his post one step further and state that you'll never find everything, and your examination with modern forensics (due to the size of data sets) could potentially never be over if you are trying to examine everything available to you. Modern forensics requires us as examiners to (usually) focus on portions of a timeline to retrieve the data sought that is relevant to the original questions, or is reduced in ease with image/video review cases or eDiscovery cases where we are just looking for categories of files and ignoring most other data.