I have a problem with a case I'm looking into.
The problem is that the report I have been handed says the person I'm
looking into has used a program called erase and has admitted this on file.
He says he has wiped all data off the drives, pens and SD cards.
My problem is I can still find the files but cannot recover intact the data he has overwritten.
I'm using EnCase and I can recover the files but they are all corrupt.
I'm looking for JPEGs, AVIs, MPEGs, images or videos.
Any ideas what's the next step please?
I would initially suggest trying to find the exact 'erase' program that was used and understand what it does.
Does it wipe the entire physical drive, or just file by file wiping? Does it leave zeros on the drive after wiping, or random data? Does it wipe slack space & unallocated space on the volume?
Then find out what type of hard drive was in the machine. For example, SSDs do wear levelling, so a simple wipe might not be effective.
Then move on to see if any backups were being kept, maybe CD or in the cloud.
Generally speaking however, once it is wiped it is gone.
Our colleague Passmark is being modest in his suggestions, which I respect.
So, as a license holder of OSForensics, which is made by Passmark, I will suggest that you purchase a license of this underpriced (in my opinion) forensic tool and then:
1) Use the "recent activity" function of OSForensics to build a timeline of the workstation image.
2) Using the "recent activity" function, look at what applications were installed on the subject workstation, specifically look for any wiping utilities, and then see if/when the wiping utility was run.
I do not know if your case is a civil litigation matter, but if the workstation owner was under an obligation to preserve their data, and you can prove that a "wipe" was performed after this date, then your attorneys will have a strong spoliation claim to make.
OSForensics also has a file carving capability built in that will allow you to recover files that may not have been wiped.
Your question actually requires a several-hour discussion followed up with specific forensic analysis tasks to confirm critical items, but an excellent start, in my opinion, is purchasing OSForensics and digging in to your analysis using the tool.
P.S. I have no fiduciary interest, directly or indirectly, whatsoever in Passmark.
I would go along with Passmark.
I would also try some simple data carving to see if there are file fragments about. JPEGs, videos etc. are all easy to locate by signature. If nothing is found, it looks like the erase program works!
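An added illustration of the two checks suggested in the replies above, signature carving and telling zero fill from random fill (this is example code, not part of any poster's message or of any tool named in the thread). The function names and the sample bytes are constructed for the example, and it assumes unfragmented JPEGs in a raw image already read into memory.

```python
import math
import random

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024):
    """Return (offset, length) for each SOI...EOI span found in a raw image."""
    hits, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1          # header with no footer: fragment or overwritten tail
            continue
        hits.append((start, end + len(EOI) - start))
        pos = end + len(EOI)
    return hits

def classify_block(block: bytes) -> str:
    """Label a block 'zero', 'pattern', 'random' or 'data' from its byte statistics."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    if counts[0] == len(block):
        return "zero"
    if max(counts) == len(block):
        return "pattern"             # one repeated fill byte, e.g. 0xFF
    n = len(block)
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return "random" if entropy > 7.9 else "data"

def survey(image: bytes, block_size: int = 4096):
    """Count block labels across the image to see what the wipe left behind."""
    totals = {}
    for off in range(0, len(image), block_size):
        label = classify_block(image[off:off + block_size])
        totals[label] = totals.get(label, 0) + 1
    return totals

# Constructed sample: a zero-wiped block, one intact JPEG-like span, two random-wiped blocks.
rng = random.Random(0)
fake_jpeg = SOI + b"\xe0" + b"JFIF constructed payload" * 10 + EOI
sample = bytes(4096) + fake_jpeg.ljust(4096, b"\x00") + bytes(rng.getrandbits(8) for _ in range(8192))

if __name__ == "__main__":
    print(carve_jpegs(sample), survey(sample))
```

A survey dominated by "zero", "pattern" or "random" blocks with no carve hits is consistent with a wipe that covered the data area; carve hits need to be opened and validated, since compressed or random data can contain the marker bytes by chance.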
Sounds like you found the metadata of the files - but the data runs are overwritten.
You can't get the data back - if EnCase marks a file as overwritten, but you still see the filename, then the MFT entry for that file is present but the clusters that held the data for that file are now being used by another file.
If it's a resident file - then there's some data, otherwise SOL.
What is the OS of the machine where that erase program was run from, and what filesystem is on the target volumes?