Hello, I'm trying to recover a log that I forgot to back up before I did a complete NTFS format and WinXP reinstall. Is this possible? I have EnCase installed and a guide for it, but before I read through it I'd like to know if it's even possible to recover this file.
Thanks in advance.
So, if I understand your situation correctly, you have a log that you want to recover from a hard drive. However, since the log was created, you've
a) Performed a complete NTFS format of the system
b) Reinstalled Windows XP
If this is the case, it is *possible* to recover the log; however, I'm pretty sure that it's going to be a cost-prohibitive procedure.
One option you can try is to image the drive with 'dd' (i.e., boot to a bootable Linux distro) and then perform a keyword search, in hopes of locating fragments of the log file itself.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
OK, appreciate the help. I could figure out how to use a bootable Linux distro, but how would I image the drive from there? I'm not too knowledgeable of Linux or any of this. Thanks in advance.
Some simple Google searching reveals all!
All you need is one of the forensic/IR-based Linux bootable distros…these will generally include dd and netcat.
In a nutshell, here's what you do
1. Set up netcat running in server mode on a system…this can be Windows or Linux.
2. Boot your "victim" system to the Linux bootable CD.
3. Mount the "victim" hard drive(s) once you've logged into Linux.
4. Use dd to image the drive, piping the output to your waiting netcat server.
An alternative if you're in a Windows domain is to get a Linux distro with SAMBA, and map a network drive as the destination in step 4, above.
Here's a site with a good description of what you'll be doing
http//
Here's another
http//
Linux distros include
Knoppix - http//
Helix - http//
Whoppix - http//
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
Just curious, instead of doing this could I just boot from the disc and scan the original drive instead of creating an image? I have 2 120GB drives; I'm trying to find the file on the first one. Thanks for the information.
Sure, you could boot the Linux distro and scan the drive once they're mounted. Just make sure that you know ahead of time what you're going to be scanning for, and ensure that the necessary tools are located on the CD.
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
OK, thanks. I downloaded Knoppix and have the disc ready. This will hopefully be my last question: what is a good Linux forensic tool to use?
…what is a good Linux forensic tool to use?
To do what? What tool or process you use depends on what it is you're trying to do.
You said in an earlier post that you wanted to scan the drive rather than image it…the tool/process you use depends on what kind of scan you want to do. If you want to do file signature analysis, use 'file'. I think PyFlag uses ClamAV for A/V scanning…you could use that.
There are Registry tools that run on Linux, but I don't think that they scan…they're just for viewing.
Hope that helps…
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Oh, to scan for a log file that has been formatted over. Sorry I didn't specify.
And just wanted to add, thanks for being so helpful P I'm also a member of the Honda-Tech forums and they don't treat noobs too kindly (fortunately I'm not a noob when it comes to Hondas).
to scan for a log file that has been formatted over.
Well, go back and look at my first response to you. If you've completely wiped the machine, reformatted NTFS, and re-installed the operating system, it's unlikely that you're going to get anything back via a bootable Linux distro.
Note that I say "unlikely". Boot the Linux distro, mount the drive, and try doing a search for unique words within the log file…these might be in slack/unallocated space so you might need to use Autopsy or something.
HTH,
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
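The "keyword search" step that both of the replies above point to (search a dd image for unique words from the log, then look at the bytes around any hit), as an added example that is not from this thread or from the author. It builds a constructed 1 MiB image with a fake log line dropped into otherwise empty space, so it runs without a real drive; the image path and the log text are assumptions.

```shell
#!/bin/sh
# Added example: keyword search and carving against a raw image.
# Only dd, grep, printf, sha256sum, tr are used.

IMG="${IMG:-/tmp/demo_disk.img}"   # hypothetical image path (assumption)

# Build a constructed 1 MiB "disk": zero-fill it, then write one log
# line at an arbitrary offset to stand in for a fragment left in
# unallocated space after a format. The text is made up.
make_demo_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
    printf '2005-03-01 14:22:07 ERROR login failed for user bob\n' |
        dd of="$IMG" bs=1 seek=524800 conv=notrunc 2>/dev/null
}

# Hash the image so you can show the search left the evidence untouched
# (hash before, hash after, compare).
image_hash() { sha256sum "$IMG" | cut -d' ' -f1; }

# Print the byte offset of the first hit for a keyword, or nothing.
# -a: treat binary as text; -b: byte offsets; -o: offset of the match
# itself rather than of the line (a "line" in a raw image can be huge).
find_keyword() {
    LC_ALL=C grep -a -b -o -m1 -- "$1" "$IMG" | head -n1 | cut -d: -f1
}

# Carve a window of bytes around an offset so the surrounding fragment
# can be read; non-printable bytes are shown as '.'.
carve_around() {  # $1 = offset, $2 = bytes before/after (default 64)
    off=$1; win=${2:-64}
    start=$((off > win ? off - win : 0))
    dd if="$IMG" bs=1 skip="$start" count=$((2 * win)) 2>/dev/null |
        tr -c '[:print:]\n' '.'
}

# Usage when run directly:
#   make_demo_image; h=$(image_hash); off=$(find_keyword "login failed")
#   carve_around "$off" 40; [ "$h" = "$(image_hash)" ] && echo "hash unchanged"
```

Real hits will usually be partial and may span non-contiguous clusters, so expect to search for several distinct phrases from the log rather than one.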