Hello everyone, I'm as new to the forum as to computer forensics.
Although I come from a business oriented background (just acquired my MIS and Finance degrees) I have a decent understanding of computers and always found computer forensics to be very appealing.
I was not able to find much solid information on the net in order to initialize my CF studies, so I decided to just grab some tools and play around with them.
I came across the Helix and F.I.R.E tools which seemed sufficient enough (I'm not so sure about FIRE) and set a very simple assignment for myself to solve.
My set task was to delete a file from PC1, obtain an image of PC1, take the image over to PC2, mount the image on PC2, and recover the deleted files.
The tools that I'm using (provided by Helix) are FTK Imager for imaging my HD and PC Inspector File recovery for recovering deleted files.
These tools are pretty straightforward and easy to use, yet I'm not quite sure how I should mount the forensic ".dd" image on PC2.
Are there any tools you guys recommend for mounting forensic images, or is there a tool (that I'm missing) within Helix that can assess images or recover data from images? Is this specific process simple or cumbersome? Any explanation on how it works would be helpful.
From my limited understanding, forensic images are very different from, say, Ghost images (especially size-wise). I was initially thinking that I might need an application such as VMware.
Well, thanks for taking the time to even read this far, and nice to meet you.
NM
Mount Image Pro and P2 Explorer will mount an acquired image as a drive letter.
FTK Imager can also mount an acquired image of a system. This would be the free option.
Welcome to the forum and to data forensics :)
Depending upon the file system type, recovering the deleted file may or may not be easy. The second variable is how much system activity occurred between the time of deletion and the time of acquisition. I'm presuming, since you set up this test, that you deleted the file, shut down, and then did your acquisition. So the key variable then becomes the FS TYPE. Some file systems don't make for easy recovery of deleted files. FAT variants, NTFS, and ext2 do allow for easy recovery of deleted files.
My suggestion would be to use 'dd' or 'dcfldd' to acquire (learn the command line first, then the GUI wrappers) the target. You can acquire a physical image (the entire disk, including partitions, file systems, and partition waste space), or a logical image (the file system).
Mounting a logical image within Linux is easy, as you don't have to pass an offset to the 'mount' command, because the file system code is at the beginning of the image file. Mounting a physical image requires you to pass the offset to the 'mount' command where the file system begins within the image file.
Additionally, since you're now dealing with a regular file (your image file) instead of a block device (mountable), you'll need to use the special device 'loop'. One option you'll pass to the 'mount' command is to use the 'loop' device, which treats a regular file as a block device so that it can be mounted.
On my boot CD I have a GUI program that allows for quick listing and recovery of deleted files for the FAT, ext2, and NTFS file systems. Remember to test and validate your tools for recovery of deleted files, be it The Sleuth Kit, fatback, e2recover, etc. You will find mileage does vary.
cheers!
farmerdude
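As an added example (not code from this thread or from any of the tools named in it), the following script shows the step farmerdude describes: telling a logical image (file system starts at byte 0) from a physical image (file system starts inside a partition), reading the MBR partition table of a physical image to find where the file system begins, and turning that start sector into the `offset=` value for a read-only loop mount. The image name `pc1.dd`, the mount point `/mnt/pc1`, the 512-byte sector size and the sample MBR/boot-sector bytes are all constructed assumptions; nothing here touches a real disk.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors (4Kn disks would differ)

# Standard MBR partition type bytes, for labelling only
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16", 0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x07: "NTFS/exFAT", 0x83: "Linux", 0x05: "Extended", 0x0F: "Extended (LBA)",
}


def detect_image_kind(first_sector: bytes) -> str:
    """Classify the first 512 bytes of an image as a logical (file system)
    image or a physical (whole disk, MBR) image.

    File-system signatures are checked first, because an NTFS/FAT boot sector
    also ends with the 0x55AA marker that an MBR carries."""
    if len(first_sector) < 512:
        raise ValueError("need at least one full sector")
    if first_sector[3:11] == b"NTFS    ":
        return "logical (NTFS)"
    if first_sector[54:62] in (b"FAT12   ", b"FAT16   ") or first_sector[82:90] == b"FAT32   ":
        return "logical (FAT)"
    if first_sector[510:512] == b"\x55\xaa" and parse_mbr(first_sector):
        return "physical (MBR)"
    return "unknown"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at offset 510; not an MBR or damaged")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # bootable flag, 3 CHS bytes skipped, type byte, 3 CHS bytes skipped,
        # then 32-bit little-endian start LBA and sector count
        boot, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_sector": start_lba,
            "sectors": sectors,
            "bootable": boot == 0x80,
        })
    return parts


def byte_offset(part: dict, sector_size: int = SECTOR_SIZE) -> int:
    """Byte offset of the partition's file system inside the physical image."""
    return part["start_sector"] * sector_size


def mount_command(image_path: str, part: dict, mountpoint: str,
                  sector_size: int = SECTOR_SIZE) -> str:
    """Build the read-only loop mount for a partition inside a physical image.
    'ro' keeps the evidence unmodified; 'noexec' prevents running anything
    from the mounted volume; 'loop' exposes the regular file as a block device."""
    return (f"mount -o ro,loop,noexec,offset={byte_offset(part, sector_size)} "
            f"{image_path} {mountpoint}")


def build_sample_mbr() -> bytes:
    """Constructed test data: one bootable NTFS-type partition starting at
    sector 2048 and spanning 204800 sectors. Not taken from any real disk."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                               b"\x00\x00\x00", 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_sample_ntfs_boot_sector() -> bytes:
    """Constructed first sector of a logical NTFS image (OEM ID only)."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


if __name__ == "__main__":
    # With a real image you would read the first 512 bytes of pc1.dd instead.
    for sector in (build_sample_ntfs_boot_sector(), build_sample_mbr()):
        kind = detect_image_kind(sector)
        print("image kind:", kind)
        if kind.startswith("physical"):
            for p in parse_mbr(sector):
                print(f"  partition {p['index']}: {p['type_name']} "
                      f"start={p['start_sector']} sectors={p['sectors']}")
                print("  ", mount_command("pc1.dd", p, "/mnt/pc1"))
        else:
            print("   mount -o ro,loop,noexec pc1.dd /mnt/pc1")
```

For a logical image the offset is simply omitted, as farmerdude says; for a physical image the script prints the full command with the computed offset (2048 sectors × 512 bytes = 1048576 for the sample). On a real case, confirm the sector size of the source disk before trusting the offset, and compare the result with what a second tool (for example The Sleuth Kit's partition listing) reports, in the spirit of the tool-validation advice above.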
I ended up using Mount Image Pro (ty Ryu-san), due to simplicity. With FTK, how exactly do you mount an image? Through the evidence tree?
farmerdude, thanks for the explanation (on both forums =)).
Well, everything worked out fine, except that when I restore the deleted files (in this case a Word document) it comes out looking like gibberish (sort of like a hex dump). I gotta read up on this.
Could anyone guide me towards the right direction from here?
FTK Imager doesn't actually "mount" the image, in the sense that MIP does by creating a read-only volume that's accessible in Windows as an ordinary volume (or physical disk). In Imager, the image and its objects are available within the Imager interface. Perhaps your Word file was overwritten in part, making it difficult to recover. Encrypted perhaps?
Check to see if you can extract any metadata from the recovered Word file.
PS Ryu-san. Good catch. I suspect you train as well.
Thanks for the info Jimmy.
Ryu-san, I haven't had time to look into metadata. I've been trying to find an efficient way to obtain an image from a server PC that is running Windows NT to my laptop. I ended up using VMware to connect to the NT server; worked great.
P.S. Unfortunately, I've only trained in Tae Kwon Do. My main interests have always been in Japanese martial arts, Kaze Arashi Ryu being a top choice due to its disposition, variety and completeness. Sadly, I don't know when or if I'll ever have the chance to train in K.A.R. It's not easy finding a place to train here in Greece, and with the 60-hour work weeks I would consider time a big issue (maybe if I get back to the States).
Btw Ryu, which art have you focused on mostly (Ken/Jo, Nage, Atemi...)?