Forensic Data Recovery with ReclaiMe Pro

Presenter: Elena Pakhomova, co-founder of ReclaiMe Data Recovery

Transcript

Elena Pakhomova: Hello, everybody. My name is Elena Pakhomova, and I am a founder of ReclaiMe Data Recovery Company. In this video I will discuss how to work with our new data recovery software ReclaiMe Pro.

First, a few words about our company. ReclaiMe Data Recovery was founded in 2009 in Russia, Volgograd. The first product was ReclaiMe File Recovery, which we tried to make as simple as possible. Then we created ReclaiMe Free RAID Recovery, which has become pretty popular among data recovery technicians. Then we were the first vendor who developed data recovery algorithms for storage spaces, released by Microsoft. In this video, I discuss our new software ReclaiMe Pro, specially designed for data recovery experts. I talk about how to run the software, work with disk image files, and about initial settings. Then I discuss disk image file formats and how you can create them. Next I move on to the recovery procedure from simple to complex data recovery cases. First I show how to do file system recovery in ReclaiMe Pro, then I talk about partition recovery, and in the end I discuss recovering data from a RAID.

So you can download the software at www.reclaime-pro.com from the Download section. Type in your name, email, and company name if you wish, and click the ‘Request download link’ button. Within a few minutes, you get the download link, along with trial key in the email. Go to the link, run the software, [pause] install the software, [pause] type in the trial key, [pause] and click ‘Proceed’. Then we see the ‘Disk and image scan options’ window, where you can specify which devices should be displayed and what partitioning schemes should be [parsed]. Also, at this step, you should add disk image files if you are going to recover data from them, using ‘Add image’ button.

Now let’s talk about disk image files in more detail. ReclaiMe Pro can create disk image files for you. Keep in mind that when you recover data from client device, it is recommended always to [image] disks. It is particularly important to create disk images for mechanically damaged devices. In this video, I will use a compact flash as an example.

To launch Disk Imager you need to click ‘Proceed’. Wait till ReclaiMe Pro scans all the desired partitioning schemes, and then select the device and the [disk and partition] list window. Our flash is located under the USB devices section. Check it, and click ‘Save image’. ReclaiMe Pro can image any storage it recognizes, including physical disks, partitions, and software [indecipherable] in one of the three formats: sector-by-sector, which is the same as raw disk image file; VHD disk image file; and VHDX disk image file.

Raw disk image file is a sector by sector [copy] of the device, by far the most simple and common disk image format out there. The downside of the raw image is its size – exactly as large as the original device.

VHD format is typically used to create a disk image file of the device up to 2TB for further mounting it on a Windows PC. VHDX image files are created with the same purpose. The difference is that VHDX format supports the devices larger than 2TB, and is only available on at least Windows [over] 2012 or Windows 8.

Once you have decided what image file format you need by selecting the appropriate item in the dropdown list – I choose ‘sector-by-sector’ – ReclaiMe Pro asks you to specify the target location along with a name for the disk image file. In my case, it is ‘Disk Image Files’ folder. The window with disk images setting appears, where you can set the image up, depending on your particular case. More information about disk images settings you can find in the manual. In my case, I leave the default settings and click ‘Start’.

[pause] Now let’s return to the ‘Disk and image scan options’ window and load the image file just created. Click ‘Add image’ and load it.

Below the ‘Disk image files’ section, you can specify the desired partition schemes ReclaiMe Pro should search the devices for during the initial scan. For example, if you know for sure that the device you are going to recover data from worked under Windows, like in my case, you can uncheck Linux and Apple partitioning schemes – [Apple, LVM], and [indecipherable], thereby reducing the recovery time. Then click ‘Proceed’.

ReclaiMe Pro starts to analyze the devices and partitions, and shows them in the ‘Disk and partition list’ window. In this window, you need to select one of several devices for the recovery. Select our disk image file under the ‘Disk image files’ section. All buttons on the right except ‘Start RAID’ and ‘Save XML file’ become available. To recover data, you need to click ‘Start scan’.

The file system settings allow you to selectively enable or disable file system recognition. This provides faster speeds when exact file system type is known. Additionally, there are several presets for different recovery cases. Here, you also find the deep scan settings. Deep scan is used for damaged file systems, [while file system] scan is best for undamaged. Since we know for sure that our disk image file contains NTFS file system, we can safely uncheck all other file systems and leave only NTFS. This allows us to reduce the recovery time.

Then click ‘Start’. Immediately, the ‘Files and folders’ window appears, where we see what ReclaiMe Pro was able to find with quick scan. And after some time – in our case immediately – we see a message stating that the quick scan is finished. Click ‘Okay’ and [estimate] the quality of recovery. If you are satisfied with the quality of the recovery results, you can start to copy data. Note that there are special options for duplicate files and deleted files. Additionally, ReclaiMe Pro can export file list and import file list. This is especially useful for data recovery specialists recovering data for a client who for some reason doesn’t want to recover all the data, but only part of it. In this case, it is convenient to provide a client access to the list of the recovered folders and files, so that he or she can select all the needed data and then [indecipherable] the client’s [indecipherable] back to ReclaiMe Pro for copying.

Now let’s consider a situation when you are not satisfied with the recovery result. In this case, you need to run a deep scan by clicking ‘Resume’. ReclaiMe Pro starts to analyze the device from the beginning to the end, rather than just in places where metadata is usually located, as the software did during the quick scan. At any moment, as soon as you find the files you were looking for, you can stop the analysis and start copying data.

Now let’s discuss partition recovery in ReclaiMe Pro. First, let’s return to the ‘Disk and image scan options’ window. ReclaiMe Pro analyses all these partitioning schemes during the initial scan. Click ‘Proceed’ to launch the partition analysis. However, during the scan, the software can detect only healthy or slightly damaged partitions. If there is [more severe] damage, you need to use a special feature of ReclaiMe Pro [Find Partitions]. Select the device on which you need to do partition recovery, and click ‘Find Partitions’. ReclaiMe Pro switches to the partition scan mode, where you see a list of found partitions and the progress bar. For each partition found, [each] start offset, size, file system, and score are provided. The score indicates how confident ReclaiMe Pro is about the particular found partition.

Once you are satisfied with the partition recovery result, click ‘Stop’. Select all the recovered partitions you need, and click ‘Add selected partitions’. This brings you back to the list of devices where you need to select found partition, and click ‘Start scan’ on the right to proceed with file system recovery, which we have already discussed.

Now I want to talk about [complex case] data recovery from RAID. For this, let’s [load] disk image files from [array memory disks] into ReclaiMe Pro. Back to the ‘Disk and image scan options’ window, click at the image and load the files. Note that you should check Linux partitioning schemes – that is LVM and md-raid. Click ‘Proceed’.

There are two possible cases. The first case is when fully automatic recovery is possible because RAID metadata is good or slightly damaged, as often happens with [indecipherable] recoveries. The second case is when RAID metadata is severely damaged. In this case, first, you need to recover RAID configuration, and only then to recover data.

First, let’s consider in more detail the case when RAID metadata is not damaged. In this case, you connect [the array memory disks] to your PC and launch ReclaiMe Pro, which is able to reconstruct the [RAID] based on metadata. In such a case, you see a RAID under the Linux LVM or in the RAID sections. [This just occurred] in my case – I see a RAID0 under Linux LVM section. To recover data from the RAID, select the top-level device and click ‘Start scan’.

If you do not see a RAID under LVM or in the RAID sections, most likely RAID metadata is damaged beyond recognition, and first you need to detect RAID parameters. Let’s assume that there is no reconstructed RAID, and there are only [array member] disks. To do RAID recovery, select all the disks which are [array memory disks], and click ‘Start RAID’.

In the ‘RAID recovery parameters’ window that appears, you need to specify the RAID type – RAID0, RAID5, or RAID6. RAID0 in my case. Note that ReclaiMe Pro requires that you specify the RAID level correctly. Even if a client is absolutely certain that they know the RAID level, good practice is to do a quick check using [built-in content and entropy] analysis tools. However, the details here are too complex for this introductory video. If you want to learn more about this, visit our training website at www.data.recovery.training.

So in ‘RAID recovery parameters’ window, to reduce the recovery time, you can specify the value for min and max block size. Additionally, you can specify scan direction. However, you need to leave the scan direction selector in automatic mode if you have one array on the disk set, which is the common configuration. Then you can make [other] settings and click ‘Start’. Some preliminary checkings go.

You will see a window where RAID recovery progress information along with detected RAID parameters will be shown. Once RAID parameters are detected, you can use ‘Stop – accept’ option. However, you should allow the parameters set to stabilize for maybe 10 or so samples.

Once the RAID is reconstructed successfully, you can proceed with file system recovery by clicking ‘Start scan’. Also, ReclaiMe Pro allows you to set RAID configuration parameters manually, and then add the assembled RAID to the list of devices available for data recovery. For [reconfigured RAID], ReclaiMe Pro graphically depicts the configuration you set up.

For now, that’s all about ReclaiMe Pro. In this video, I tried to tell you about basic features. However, ReclaiMe Pro has many more built-in tools that recovery technicians would find useful. For more information, please visit www.reclaime-pro.com.

End of Transcript