
Data Forensic questions

June 7th, 2009, 0:26

Hi guys

I have a client who asked me to recover a single document file which was deleted in 2006. Since the deletion of the file, the computer was rarely used. The file system = NTFS.

The requirement is to recover the sentences in the deleted file (unformatted text), not necessarily the whole working document.
What is the possibility of recovering the unformatted text? It's for litigation purposes.

What I have done is to search the whole sector based on keywords; undelete programs do not give any meaningful results. Any other methods much appreciated.

Thanks

Re: Data Forensic questions

June 7th, 2009, 2:47

Did you try WinHex?

Re: Data Forensic questions

June 7th, 2009, 6:29

Use WinHex, search for text strings.

Re: Data Forensic questions

June 7th, 2009, 17:50

Try WinHex like Poehere and HDD Spaz say; if that doesn't find the text, change the mode to Unicode rather than ASCII.

MS Word can save text in Unicode format.

Re: Data Forensic questions

June 7th, 2009, 21:48

Thank you all, I will give it a try.

Re: Data Forensic questions

June 8th, 2009, 8:51

If you aren't familiar with forensic procedures, you might as well just type out the lines in MS Word and provide it to your client's lawyer. Though it is unlikely, the opponent's lawyer may request the drive for their forensic expert's opinion. You will need to prove that the drive was not altered while in your possession, that the file is legitimate (date, time & author) and document every step of the way in finding the text.

It really depends on how good the lawyers are with digital forensic evidence. Your steps in acquiring the files could help win or lose the case. So, be careful and have fun!

Re: Data Forensic questions

June 8th, 2009, 10:05

lcoughey is correct; be very careful.

Undelete programs will most likely change the time stamp of the file. It would be best to use a write blocker, in order to ensure that no modifications of the time stamps occur. Also, instead of WinHex regular edition, I would use WinHex forensic edition in your case.

Re: Data Forensic questions

June 8th, 2009, 10:38

This is what we would do:

- forensically clean drives needed for project mirrors
- using DeepSpar Disk Imager FE, create an exact mirror of the drive, calculating the HASH. (Store this in our safe)
- using DeepSpar Disk Imager FE, create a second mirror of the drive, calculating the HASH. (This is for creating further copies of the drive)
- Pass the original back to the lawyer for them to store in a secure location
- create an image file from the second mirror either using DeepSpar Disk Imager FE or using a write blocker and X-Ways Forensics and store the file on a drive dedicated to the project (Working copy of X-Ways would be stored on the working drive, as well)
- create a case file in X-Ways forensics with the image file, verify the HASH, then scan for the file contents

Throughout the whole process, we would document and photograph each step of the way. The client pays us in blocks of time, in advance. We stop searching when we find what we are looking for or the client decides to have us stop.

Things to consider:
- chain of custody for the original drive
- write blocking of the original drive
- MD5 HASH calculation and verification of the original drive
- document everything

It may take longer to prepare and document the whole process than to do the process itself. That is why digital forensics isn't done for $200.
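An added example (not code from the thread or from any of the tools it names) that ties together two points made above: the acquisition hash that is recorded and later verified against the image, and the keyword search for the deleted text in both ASCII and UTF-16LE (the "Unicode" mode the earlier reply mentions for Word documents). The image is a constructed byte string standing in for a raw sector-by-sector image file, and the phrase is made up.

```python
# Added example: hash a raw image, search it for a keyword in two encodings,
# and re-hash afterwards to show the image was not altered by the analysis.
import hashlib
import re

SECTOR = 512  # assumed sector size for reporting hit locations


def hash_image(data: bytes) -> dict:
    """MD5 and SHA-1 of the whole image, as recorded at acquisition time."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def keyword_search(data: bytes, keyword: str) -> list:
    """Find every occurrence of keyword stored as ASCII or as UTF-16LE.
    Returns (encoding, byte offset, sector number) tuples, lowest offset first."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle = keyword.encode(enc)
        for m in re.finditer(re.escape(needle), data):
            hits.append((enc, m.start(), m.start() // SECTOR))
    return sorted(hits, key=lambda h: h[1])


def verify_unchanged(data: bytes, recorded: dict) -> bool:
    """Re-hash after analysis; both digests must match the acquisition record."""
    return hash_image(data) == recorded


# Constructed sample image: four zero-filled sectors with one ASCII copy and
# one UTF-16LE copy of the phrase placed in different sectors.
PHRASE = "meeting was cancelled"
_img = bytearray(b"\x00" * (4 * SECTOR))
_img[600:600 + len(PHRASE)] = PHRASE.encode("ascii")
_u16 = PHRASE.encode("utf-16-le")
_img[1100:1100 + len(_u16)] = _u16
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":
    acquired = hash_image(SAMPLE_IMAGE)
    for enc, off, sec in keyword_search(SAMPLE_IMAGE, PHRASE):
        print(f"{enc:10} offset {off:6d} sector {sec}")
    print("image unchanged after analysis:", verify_unchanged(SAMPLE_IMAGE, acquired))
```

The ASCII needle does not match the UTF-16LE copy (every other byte is a NUL there), which is why a search in only one mode can miss text that is present on the disk.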

Re: Data Forensic questions

June 8th, 2009, 10:59

I agree :D
I use almost the same procedures; the only difference is that I don't use DeepSpar for cloning and I use FTK for the analysis.

Re: Data Forensic questions

June 8th, 2009, 11:32

quasimodo wrote:I agree :D
I use almost the same procedures; the only difference is that I don't use DeepSpar for cloning and I use FTK for the analysis.

You must be a pretty smart guy.

Re: Data Forensic questions

June 8th, 2009, 11:58

ohh.. why is that?

Re: Data Forensic questions

June 8th, 2009, 13:17

quasimodo wrote:ohh.. why is that?

Because you agree with me.

Re: Data Forensic questions

June 9th, 2009, 8:15

Hi lcoughey
Your post was informative. I have a few queries. I have a Yec-USA Ninja which write protects the master disk and makes a sector-by-sector clone. It does not calculate SHA1/MD5; I calculate MD5 later by using a write blocker. Is it OK from a forensic point of view? Considering modern disk sizes of 500 GB / 1 TB, it is time consuming and difficult to make an image, so is it OK to use the cloned disk for further analysis instead of an image?
Thanks

Re: Data Forensic questions

June 9th, 2009, 8:30

hddbug wrote:Hi lcoughey
Your post was informative. I have a few queries. I have a Yec-USA Ninja which write protects the master disk and makes a sector-by-sector clone. It does not calculate SHA1/MD5; I calculate MD5 later by using a write blocker. Is it OK from a forensic point of view? Considering modern disk sizes of 500 GB / 1 TB, it is time consuming and difficult to make an image, so is it OK to use the cloned disk for further analysis instead of an image?
Thanks

That being said, you may want to use a write blocker and calculate the SHA1/MD5 before you start doing anything else. This way, you can continue the verification process as you proceed. If you have documentation and can prove that the Ninja can't modify the source drive, you should be okay to do the calculations after.

If you want to work with a physical drive clone, you can do that instead of the image file. The great thing about the image file is that you don't need a write blocker when you are working with the evidence file. As most write blockers are connected to the system via USB, it means that your analysis will be slowed down.

Re: Data Forensic questions

June 9th, 2009, 8:43

Ninja is a forensically sound write blocker. Just ask YES-USA to get you the white paper. I know it's a PITA job, but I always work from the forensic images (E01 files).

Now you can buy blockers that transport data via eSATA, but forensic images are still a much better way to go. Keep them on your server and transfer them to your workstation. When something goes wrong, you wipe those images and copy them back from the server. Take lots of photos while you are working on it!!! I use video capture on some cases.

Re: Data Forensic questions

June 10th, 2009, 12:46

Thanks HDDMANIA & lcoughey
Yes, I need to calculate SHA1 before starting anything. Is there any standard or certification we can use to prove that the write blocker and cloning have not written anything?
As the opposition can cast doubt on our equipment, besides proving SHA1, is there some procedure for the same? Is there any other software which can take the SHA1 of a hard disk?
Thanks & Regards
Hddbug

Re: Data Forensic questions

June 10th, 2009, 13:52

You can take a look at NIST. Although it's for the US. http://www.cftt.nist.gov/hardware_write_block.htm
I am not sure what applies to India. But usually if you use any of the common known and proven write blockers you should be fine. If you use a write blocker which is little known you run the risk that a good attorney may question the validity and capability of your write blocker during cross examination. In that case you must be prepared to demonstrate that it truly prevents any writing to the drive both via BIOS and ATA commands.

Re: Data Forensic questions

June 12th, 2009, 13:57

Hi friend,
First we have to make an image of the original evidence or clone the hard drive, and make the MD5 hash.
Keep the original evidence safe and analyse the cloned hard drive or image.
We can analyse data with FTK 1/2 or WinHex or any other good tool. We should use two to three tools for data analysis so we do not miss the data.
Analyse deleted files, from the recycle bin and slack space also. Search for the required data.

Re: Data Forensic questions

June 13th, 2009, 2:29

Hi Withyou
Thanks. As per my knowledge, MD5/SHA1 must be taken while collecting evidence. All professional tools like EnCase calculate MD5 while imaging. I don't know whether it will be accepted or not if you calculate SHA1 later.