Is it the same to use a File Recovery tool (any of the hundreds available) on a hard drive as on a mounted EnCase Forensic image of the same hard drive?
As long as your recovery tool has support for logical files and the format they've been captured in (ewf, raw, split, etc.) then the answer is yes.
Using a working image tends to be safer, but working on a clone (I assume it's not the original!) may be a little faster.
Another question: the way EnCase Forensics recovers data, is it reeeeeaaaalllly that different from other tools (like Active@, etc, etc, etc)?
I mean, is it better than all other tools? Or just different?
For obtaining evidence it's probably one of the best, but to recover?
Not entirely sure what you mean? If you mean as a data carver, then yes there are more comprehensive tools than EnCase out there.
No, not for analysis but for data recovery. By that I mean, deleted files, formatted HD, rewritten data.
Although not really an answer to the question.
The best way to tell would be to test a few packages.
Get EnCase and a few other Data Recovery tools and use those apps to recover data from the same source. Then compare the output.
At the end of the day, I imagine they all use the same methodology of carving data anyway (i.e. searching for known file headers and extracting based upon known variables, searching MFTs, etc.). Therefore I'm not sure how different they will be.
Hope everyone is having a good day.
Tom
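The header-based carving described in the post above, as an added example that is not from any poster in this thread and does not show how EnCase or any other product works internally. The signature table and the sample buffer are constructed for illustration; a real run would read the raw image file instead.

```python
# Added example: signature-based carving over a raw image buffer.
# SIGNATURES is a small constructed subset: type -> (header, footer, max size).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}

def carve(image: bytes):
    """Return sorted (offset, type, data) for every header/footer match."""
    hits = []
    for ftype, (header, footer, max_size) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            # Only accept a footer that lies within max_size of the header.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                hits.append((pos, ftype, image[pos:end]))
                pos = image.find(header, end)
            else:
                # Header without a footer: fragmented or overwritten, skip it.
                pos = image.find(header, pos + 1)
    return sorted(hits)

def build_sample_image() -> bytes:
    """Constructed test data standing in for unallocated space."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 64 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 128 + b"\n%%EOF"
    orphan = b"\x89PNG\r\n\x1a\n" + b"X" * 32  # header only, tail overwritten
    return (b"\x00" * 512 + jpg + b"\x00" * 300 + orphan
            + b"\x00" * 200 + pdf + b"\x00" * 512)

if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

This approach only recovers files stored contiguously; the orphaned PNG header in the sample shows what happens when the rest of a file has been overwritten by the reinstall.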
You've lost me now… I already gave an answer to that.
Scenario
Peter has compromising (illegal, whatever) documents in his PC. So he formats the HD and reinstalls an OS. After imaging the HD, "Forensic2U" (fictional company) wants to recover the documents but doesn't know anything about them (neither extension nor content).
Q1) So what would be the correct course of action to take, in your opinion?
Q2) What's the best data recovery app, in your opinion?
Based on your last question, "scenario", you would want to try and recover the old partition on the HD and see what files you can recover from that. Also, you would want to find a good carving utility to carve the data out of unallocated space. Hope this helps…
Ok… using commercial software you could run something like Recover My Files (which is pretty good in my experience, though your mileage may vary) over an image of the drive to pull off as many files as possible.
Or go the non-commercial route and use something like Helix and Scalpel.