Security Basics mailing list archives

RE: Digital Evidence Question - What is an effective Windows hard-disk search tool?


From: <dave () netmedic net>
Date: Thu, 19 Jun 2003 19:30:12 -0400

http://www.r-tt.com/RStudio.shtml

Host OS: Win9x, ME, NT, 2000, XP. 
Remote data recovery over network. Data can be recovered on network
computers running Win95/98/ME/NT/2000/XP, Linux, UNIX.
Supported file systems: FAT12, FAT16, FAT32, NTFS, NTFS5(created or updated
by Win2000), Ext2FS (Linux).
Recognition and parsing Dynamic (Windows 2000/XP), Basic and BSD (UNIX)
partitions layout schema.
Damaged RAID reconstruction. If OS cannot recognize your RAID, you can
create a virtual RAID from its components. Such virtual RAID can be
processed like a real one.
Creates IMAGE FILES for an entire DISK, PARTITION or its part. Such image
files can be processed like regular disks.
Recovers files on damaged or deleted partitions, encrypted files (NTFS 5),
alternative data streams (NTFS, NTFS 5). 
Recovering data if:  FDISK or other disk utilities have been run;
VIRUS has invaded; FAT is damaged; MBR is destroyed. 
Recognizes localized names. 
Recovered files can be saved on any (including network) disks accessible by
the host operating system.
File or disk content can be viewed and edited in the hexadecimal editor. The
editor supports NTFS file attribute editing.



Without a doubt the best bang for your buck.


 
_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net

"High achievement always takes place in the framework of high expectation."
Jack Kinder

 


-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] 
Sent: Thursday, June 19, 2003 12:02
To: Ansgar Wiechers; security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows
hard-disk search tool?

Due to lack of knowledge and impatience I formatted the drive.  I have now
looked at a couple of recovery tools out there but they run around $75...
ouch.  I will bite the bullet and get one I guess.  Here is the question:
once the information is recovered, will the application be able to read
the file again or does the file have to be reassembled by a third party?  A
friend said that recovery is not a probable, reassembling the information in
an order so the application can read it is another thing.  I have no idea on
this, what are your thoughts?

Stephen

-----Original Message-----
From: Ansgar Wiechers [mailto:bugtraq () planetcobalt net]
Sent: Wednesday, June 18, 2003 6:50 PM
To: security-basics () securityfocus com
Subject: Re: Digital Evidence Question - What is an effective Windows
hard-disk search tool?


On 2003-06-18 Gene LeDuc wrote:
It's funny that this discussion started in the last few days.  As
Murphy would have it, last night while installing a new nic card,
something happened to the boot.ini file and corrupted it. I don't
know how or why except the possibility of it writing to the boot.ini
file the nic information.  I don't think that this information is
stored in the boot.ini file but maybe.  Anyway the problem I ran into
is that the win would not load and I couldn't recover it.  (No safe
mode, no fixboot, no fixmbr, nothing)  I figured I would just overlay
an OS on top of the old one and then recover the information, no luck
the process would not perform unless I format.  Great...  If you know
what I mean.  I have been researching free tools to recover lost data
but no real luck in a software that performs properly.  I was
wondering if anyone has/knows of one.  Looking to recover my office
files - *.xls, *.pst file and *.doc files.

If all you want to do is recover the info, you can attach the hard
drive to a linux box and mount the NTFS partition.  From that point
you can browse the NTFS file system and copy any files you want.
Depending on the flavor and version of linux, you may have to load an
NTFS driver; I believe sourceforge has a read-only driver.  If you
don't have a linux box hanging around then I suppose you could also
attach the drive to another MS box and access it natively.

Most distributions provide (read-only-)access to NTFS out of the box,
since it is part of the official kernel. The only exception I know of is
RedHat (you have to install the driver yourself there).
If you don't happen to have a Linux box you could try tomsrtbt [1] which
runs from a single floppy disk. With another harddisk in the box you can
easily copy the files you want to preserve onto the second harddisk. Use
FAT32 as filesystem for the second harddisk so it will be read- and
writable from Windows as well as from Linux.

[1] http://www.toms.net/rb/

Best regards
Ansgar Wiechers
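
On the question raised in this thread of whether recovered *.doc, *.xls and *.pst files will open again, a first check is whether each file still begins with the signature its format requires. The following is an added example, not part of any message in the thread or of any tool named in it; the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# Leading magic bytes of the file types named in the thread (2003-era formats).
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file: .doc, .xls
SIGNATURES = {".doc": OLE2, ".xls": OLE2, ".pst": b"!BDN"}

def header_and_sha256(path, n=8):
    """Read the first n bytes and hash the whole file in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        header = fh.read(n)
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return header, digest.hexdigest()

def triage(root):
    """Return {relative_path: (status, sha256)} for every file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            header, sha = header_and_sha256(path)
            expected = SIGNATURES.get(os.path.splitext(name)[1].lower())
            if expected is None:
                status = "unknown-type"
            elif not header:
                status = "empty"
            elif header.startswith(expected):
                # Only the start is intact; later fragments may still be wrong.
                status = "header-ok"
            else:
                status = "bad-header"
            report[os.path.relpath(path, root)] = (status, sha)
    return report

def demo():
    """Triage a constructed directory of 'recovered' files."""
    samples = {"report.doc": OLE2 + b"\x00" * 504, "budget.xls": b"\x00" * 512,
               "mail.pst": b"!BDN" + b"\x00" * 508, "empty.doc": b"",
               "notes.txt": b"hello"}
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage(root)
```

A `header-ok` result is necessary but not sufficient: a fragmented file can keep a valid first sector and still fail to open. The recorded SHA-256 lets you confirm that later copies of a recovered file are unchanged.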

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------

