Reviewed by Scar de Courcier
I would be tempted to argue that you can tell a lot about a piece of software by how easy it is to install.
There are times when finding, downloading and installing a product update feels like repeatedly banging your head on a brick wall: constant freezing, confused Windows popups, license key errors…
Then there are times when you click ‘Download’, then ‘Install’, then tick ‘Yes’ in the little box, and boom! The software appears.
I am pleased to be able to report that the installation process of ReclaiMe Pro falls into the second category. It can be found on the Download page of the website, and it sets itself up in just a few minutes.
After that, of course, it’s time to get down to business.ReclaiMe has been around for several years now, and their Pro option has recently been updated with a few new and improved features.
The first thing to do is to open the program and load your evidence. One thing to note here is that ReclaiMe Pro opens in a small window and prompts you to click ‘Proceed’ in order to continue. It then takes a few seconds to open properly, however it’s important to not click the ‘Proceed’ button again as this will automatically start scanning for evidence and will slow you down.
Once you have the evidence menu open, you are presented with the option to add an image or a RAID XML. You can then choose to target specific partition types from the list of options below.
Adding an image is straightforward and it takes very little time to load. In fact, the software on the whole feels very easy to use. Although it will of course depend on the nature and size of the items you are analysing, I found it was a very smooth process which did everything it was meant to do and didn’t suddenly crash or freeze, even when presented with multiple items at once.
Once you’ve loaded your image and chosen your partition types, you can then click ‘Proceed’ to get it going.
While it opens and scans the items you have loaded, ReclaiMe Pro will run through a list of what it is doing, which is useful as you don’t have that feeling of waiting around to see whether the program has crashed or is just doing something in the background.
Once it has finished scanning, you will be able to choose the relevant item from the list that appears in the main window, and then click ‘Save Image’.
Scanning for evidence once you’ve loaded the image is very easy, although it does involve going back to the original menu, loading the image you have just saved, clicking ‘Proceed’, choosing it from the drop-down menu and then clicking ‘Scan’. This can feel a bit fiddly, but it only takes a few moments and so doesn’t detract from the usefulness of the tool.
You will then be able to choose your recovery parameters:
If you accidentally leave several of these checked, your recovery will take longer to complete, however even leaving all options checked didn’t crash my computer or take an unusually long time.
Once the scanning is complete you will be presented with a list similar to the kind found in most recovery software:
The interface is very user-friendly, and it is easy to click around and locate the various pieces of evidence that are particularly pertinent to your case.
The bottom right box shows text, hex or a preview of the selected item, once again allowing you to get an overview of your evidence and identify which items you need to examine further.
There are options available for deleted or duplicate files, and the ‘Export file list’ option is particularly useful if you need to acquire evidence but do not wish to export the whole list into your report.
The file list will download as a .csv, once again making it straightforward for anyone – including a client or colleague with limited technical ability – to open and sift through the list.
RAID recovery is also available on ReclaiMe Pro and once again is easy to set up and run. It supports all common RAID levels and will automatically detect block size once the XML has been loaded. If you already know the specific block size, you can choose it when you begin the recovery process, which will reduce the amount of time it takes to load.
Once you click ‘Start’ after choosing your parameters, ReclaiMe Pro begins recovery of the RAID configuration. Again, a useful feature at this stage is the progress bar, which keeps you up to date with exactly what is happening at every step.
Entropy analysis also deserves a mention, as it is most frequently used during RAID recovery. This is launched from the disk recovery menu on the right-hand side of the screen.
In conclusion, I would highly recommend ReclaiMe Pro as an easy to use and intuitive solution for data recovery tasks. Its recovery options for both RAID XMLs and disk image files are extensive and the tool is both reliable and not too complex for investigators with limited forensic knowledge.
The team at ReclaiMe also create useful videos and articles about their tools, allowing anyone to train themselves on the basics of their forensic solutions. This is a nice touch and makes ReclaiMe Pro a good solution for small forensics labs and individual practitioners, as there is no requirement for very extensive and expensive training!
Overall, ReclaiMe Pro is an excellent tool and highly recommended for digital forensic practitioners. You can find out more by visiting ReclaiMe's website, and keep up to date with the latest news on their YouTube channel.