On a disk, I found a .bkf file; it's a Windows backup. Which is the best tool to open it? May I use the normal Windows backup, or another (free) tool? How long will I need to open a 115 gigabyte file?
Thanks
The best tool to use would be the tool that made it, Windows NTBackup. You can get it on a Windows XP computer. I normally mount my evidence drive and then attach that mounted drive to a Windows XP VM (various ways - shared folder probably easiest) and then just point NTBackup to the file, from there you can extract the files.
The best tool to use would be the tool that made it, Windows NTBackup.
Not sure I agree with that - you wouldn't look at a clone of an XP disk with XP… For some tape formats using the tool that wrote the tape will not extract the data unless you are extracting to (essentially) the same machine the tape was written on (exchange backups etc).
If it's a forensic examination then a forensic tool would be best.
Respectfully disagree, I have done several reviews of BKF files in the hundred GB+ range using this process. Though I admit, I have never done one where the BKF file itself was written to tape. It was always written out to hard drive space.
It's quite simple to load the BKF into NTBackup and look at the catalog and see what was backed up. At that point, I just extract the files I want from the backup onto forensically wiped media.
Then I would immediately create a forensic image of those files using FTK Imager (or insert other tool of choice here). I wish there was a way to go straight from the output of NTBackup to an image, but I haven't found it.
Neither am I aware of any forensic tool that understands BKF files natively.
Mark
Hello,
With mtftar (http://gpl.internetconnection.net/) you can convert BKF backup files to TAR archives for better handling with other (forensic) tools.
I wish there was a way to go straight from the output of NTBackup to an image, but I haven't found it.
Mark
NTBackup backs up files on a file-by-file basis, so I do not see why you wish to go straight to an image, i.e. NTBackup has no details of the sectors etc. a file came from.
Directories are stored as separate entities within the file.
You're right, no good reason other than I like to store evidence in image files.
Of course you are entitled to your opinion.
The format of a BKF file is Microsoft Tape Format, and there is more information in it than you will get from a straightforward extract with MsBackup etc.
I have my own forensic tools that understand MTF and BKF - used to sell them but now for internal use. MMPC (also I believe no longer sold - but a few agencies still have licences).
Just because you can do it, it doesn't mean it's the best way.
But my response was to your comment "The best tool to use would be the tool that made it". Sometimes this might be the only way, but forensically it is rarely the best way.
A good tool would also be SysTools BKF Repair.
I use it on my Win7 to extract any .bkf file made under Win XP.
If I may, the issues (if any) are with the definition of "forensically sound" AND with the actual "scope" of the application.
Most tools (setting aside the MS original NTBackup) are more or less "smart" tools aimed (mainly) at recovery.
From a purely forensic standpoint, nothing is telling you that the *whatever* they extract has not been "tampered with" in the extraction process, or that *anything* meaningful from a forensics standpoint but irrelevant for "data recovery" is lost forever in the extraction process.
Besides the mentioned SysTools thingies
http//
http//
there are many other similar ones, including cnwrecovery, that can deal with these files:
http//
So, depending on the actual "needs" you have, I would try all the mentioned tools (and even more), but also first study the format:
http//
http//
(checking if it has changed, i.e. if the above info applies to the specific NTbackup file you have in your hands)
The latter also provides a Linux tool:
http//
AND have a look at this:
http//
Also some of the Nuix thingies
http//
http//
http//
support the .bkf format.
There is/was a tool in the Win2K Reskit called MTFCHECK.EXE that, if compatible, may be of use:
http//
http//
jaclaz
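As an added example (not code from this thread, nor from mtftar or any of the tools named above) of what "first study the format" looks like in practice: a small Python triage script that walks a .bkf file at block-aligned offsets, recognises the Microsoft Tape Format descriptor block (DBLK) type tags, decodes the common header and verifies its checksum, so an examiner can inventory what a backup contains and spot corrupt headers before trusting any recovery tool's extract. The 52-byte header layout, the XOR-of-16-bit-words checksum and the 1024-byte default block size are assumptions from my reading of the MTF 1.00a specification, and the sample container is constructed inline; check the field offsets against the spec (and the TAPE block's own format logical block size) before using it on real evidence.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Descriptor block (DBLK) type tags defined by Microsoft Tape Format (MTF),
# the container format NTBackup writes into a .bkf file.
DBLK_TYPES = {b"TAPE", b"SSET", b"VOLB", b"DIRB", b"FILE", b"CFIL",
              b"ESPB", b"ESET", b"EOTM", b"SFMB"}

# Common 52-byte DBLK header, little-endian. Field order as I recall it from
# the MTF 1.00a specification (assumption; check against the spec):
#   type[4] attributes:u32 offset_to_first_event:u16 os_id:u8 os_version:u8
#   displayable_size:u64 format_logical_address:u64 reserved_mbc:u16
#   reserved[6] control_block_id:u32 reserved:u32 os_specific_data[4]
#   string_type:u8 reserved:u8 header_checksum:u16
HEADER_FMT = "<4sIHBBQQH6sII4sBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 52


def header_checksum(raw: bytes) -> int:
    """XOR of the twenty-five 16-bit words that precede the checksum field."""
    acc = 0
    for word in struct.unpack("<25H", raw[:50]):
        acc ^= word
    return acc


@dataclass
class Dblk:
    offset: int               # byte offset of the header inside the .bkf
    dtype: str                # four-character type tag, e.g. "FILE"
    attributes: int
    first_event: int          # offset from header start to the first stream
    displayable_size: int
    logical_address: int      # format logical address recorded by the writer
    control_block_id: int
    checksum_ok: bool         # False means the header is corrupt or not a DBLK


def parse_dblk(raw: bytes, offset: int) -> Optional[Dblk]:
    """Decode one common header; None if the bytes do not start with a type tag."""
    if len(raw) < HEADER_LEN or raw[:4] not in DBLK_TYPES:
        return None
    (dtype, attrs, first_event, _os_id, _os_ver, disp_size, fla, _mbc, _r1,
     cbid, _r2, _os_data, _stype, _r3, checksum) = struct.unpack(
        HEADER_FMT, raw[:HEADER_LEN])
    return Dblk(offset, dtype.decode("ascii"), attrs, first_event, disp_size,
                fla, cbid, checksum == header_checksum(raw))


def scan_mtf(data: bytes, block_size: int = 1024) -> List[Dblk]:
    """Return every DBLK header found at a block-aligned offset.

    DBLKs start on format logical block boundaries; the real block size is
    recorded in the TAPE DBLK, so pass it in rather than trusting the default.
    """
    found = []
    for off in range(0, len(data), block_size):
        dblk = parse_dblk(data[off:off + HEADER_LEN], off)
        if dblk is not None:
            found.append(dblk)
    return found


def summarize(data: bytes, block_size: int = 1024) -> Dict[str, list]:
    """Inventory for triage: block types in order, plus offsets of bad headers."""
    blocks = scan_mtf(data, block_size)
    return {"types": [b.dtype for b in blocks],
            "bad_checksums": [b.offset for b in blocks if not b.checksum_ok]}


# --- constructed sample input (not a real NTBackup file) ---------------------

def build_dblk(dtype: bytes, cbid: int, fla: int,
               block_size: int = 1024, corrupt: bool = False) -> bytes:
    """Build one padded block holding a minimal header with a valid checksum."""
    hdr = struct.pack(HEADER_FMT, dtype, 0, HEADER_LEN, 0, 0, 0, fla, 0,
                      b"\0" * 6, cbid, 0, b"\0" * 4, 0, 0, 0)
    checksum = header_checksum(hdr) ^ (1 if corrupt else 0)
    hdr = hdr[:50] + struct.pack("<H", checksum)
    return hdr.ljust(block_size, b"\0")


def sample_image() -> bytes:
    """A six-block container; the FILE block carries a deliberately bad checksum."""
    return b"".join([
        build_dblk(b"TAPE", 0, 0),
        build_dblk(b"SSET", 1, 1),
        build_dblk(b"VOLB", 2, 2),
        build_dblk(b"DIRB", 3, 3),
        build_dblk(b"FILE", 4, 4, corrupt=True),
        build_dblk(b"ESET", 5, 5),
    ])


if __name__ == "__main__":
    print(summarize(sample_image()))
```

On a real file you would read the .bkf from the mounted evidence image and call `summarize(data, block_size)` with the block size taken from the TAPE descriptor; the checksum check is what separates a genuine header from a stray "FILE" string inside backed-up data, and the list of bad-checksum offsets is the first thing to document if a recovery tool later claims a clean extract.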