
Restoring files from image

jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

When you are looking for deleted files, you are to NEVER restore the file, correct? Shouldn't you create a report SHOWING the file instead? What would you do if you have to investigate what was IN the file?

Thanks!
John


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

When you are looking for deleted files, you are to NEVER restore the file, correct? Shouldn't you create a report SHOWING the file instead? What would you do if you have to investigate what was IN the file?

Thanks!
John

Why would you "never" restore the file? It should depend on the case. I have restored deleted files plenty of times.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I agree with Earn…what's the issue with restoring the file? I do it all the time…to show logs, examine PE files, etc. In fact, I'm doing it right now! 😉


jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

So you CAN restore the file? HOW would you restore it? If you restored the file back to the suspect's drive, then you've just written to the drive, no?

I'm still learning, please bear with me.


(@rocklobster)
Active Member
Joined: 20 years ago
Posts: 17
 

Ok. So you understand the part about making an image of the suspect device/drive/etc, right? Whether using a write-blocking device or making an image of a live system, you've created a "bit-for-bit" image file of said device to another location.

Now you've got that image file loaded up on your forensic analysis workstation. (At this point, the image file is not located on the suspect device.) Still with me right? Also, you want to make sure you have a 'master' copy of that image and only work on copies of that image that you have made a hash comparison of to ensure that the two match.

This is the part where you have to consider what you mean by the term "restore". Yes, you are restoring a file, but not to its original location. You would be restoring, or essentially, copying it from an image file, which, if you simplify it immensely, is pretty much like a really big tar file that hasn't been compressed.

Anyway, as long as you can re-create and document what you've done to the image file or files contained within it and prepare a report that makes sense, you should be fine.

Again, this is a super-simplification of the whole process. In a nutshell though, that's it.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

jblakley,

First of all, there's no reason in the world why you'd restore a file back to the suspect drive. There's no reason to do so, and you've got a write-blocker. You'll usually want to restore the file to some other media.

Here's what I did tonight with a case. I have a 300GB USB-connected external hard drive with image files on it. I opened the image in ProDiscover, and was reviewing the Event Log Viewer. I then went into the file structure, selected the file, right-clicked, chose "Copy", and selected a location…which, in this case, was a separate directory on the external drive. Done.

So, yes, you can restore files from an image. The *how* depends on what program (TSK, PyFlag, ProDiscover, FTK, etc) you're using.


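The workflow described in the two replies above (master image, hash-verified working copy, file copied out of the image to separate media, hashes recorded for the report), as an added example that is not code from this thread or from any of the tools named in it. The image layout, the offset and the file content are constructed for the demonstration; FILE_OFFSET stands in for the location a tool such as TSK or ProDiscover would report for the file.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in for a disk image: zero padding with one file's bytes at a
# known offset (as TSK or ProDiscover would report them). Not a real dd image.
FILE_OFFSET = 512
FILE_CONTENT = b"2009-04-01 22:13:07 login failed for user bob\n"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_from_image(image_path, offset, length, out_path):
    # The image is opened read-only; the copy goes to separate media, never back
    # to the suspect drive. Returns the restored bytes and their hash for the report.
    with open(image_path, "rb") as img:
        img.seek(offset)
        data = img.read(length)
    with open(out_path, "wb") as out:
        out.write(data)
    return data, sha256_file(out_path)

def restore_and_document(master, working, offset, length, out_dir):
    # Work only on a copy whose hash matches the master, then show that the
    # copy itself was not altered by the extraction.
    working_hash = sha256_file(working)
    if working_hash != sha256_file(master):
        raise RuntimeError("working copy does not match master image")
    out_path = os.path.join(out_dir, "restored_at_%d.bin" % offset)
    data, restored_hash = extract_from_image(working, offset, length, out_path)
    return {"image_sha256": working_hash, "restored_path": out_path,
            "restored_bytes": data, "restored_sha256": restored_hash,
            "image_unchanged": sha256_file(working) == working_hash}

def demo():
    work = tempfile.mkdtemp()
    master, working = os.path.join(work, "master.dd"), os.path.join(work, "working.dd")
    image = bytearray(2048)  # constructed image body
    image[FILE_OFFSET:FILE_OFFSET + len(FILE_CONTENT)] = FILE_CONTENT
    with open(master, "wb") as f:
        f.write(image)
    shutil.copyfile(master, working)  # the working copy an examiner would use
    out_dir = os.path.join(work, "restored")
    os.mkdir(out_dir)
    return restore_and_document(master, working, FILE_OFFSET, len(FILE_CONTENT), out_dir)
```

Calling demo() returns the record a report would carry: the hash of the image worked on, the path and hash of the restored file, and confirmation that the image hash did not change across the extraction.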
jblakley
(@jblakley)
Estimable Member
Joined: 19 years ago
Posts: 110
Topic starter  

Okay, thanks! That's straightened up for me; now I'm sure I'll have more questions as I go along. Thanks!

