Security Basics mailing list archives
RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?
From: <dave () netmedic net>
Date: Thu, 19 Jun 2003 19:30:12 -0400
http://www.r-tt.com/RStudio.shtml Host OS: Win9x, ME, NT, 2000, XP. Remote data recovery over network. Data can be recovered on network computers running Win95/98/ME/NT/2000/XP, Linux, UNIX. Supported file systems: FAT12, FAT16, FAT32, NTFS, NTFS5(created or updated by Win2000), Ext2FS (Linux). Recognition and parsing Dynamic (Windows 2000/XP), Basic and BSD (UNIX) partitions layout schema. Damaged RAID reconstruction. If OS cannot recognize your RAID, you can create a virtual RAID from its components. Such virtual RAID can be processed like a real one. Creates IMAGE FILES for an entire DISK, PARTITION or its part. Such image files can be processed like regular disks. Recovers files on damaged or deleted partitions, encrypted files (NTFS 5), alternative data streams (NTFS, NTFS 5). Recovering data if: FDISK or other disk utilities have been run; VIRUS has invaded; FAT is damaged; MBR is destroyed. Recognizes localized names. Recovered files can be saved on any (including network) disks accessible by the host operating system. File or disk content can be viewed and edited in the hexadecimal editor. The editor supports NTFS file attribute editing. Without a doubt the best bang for your buck. _____________________ Dave Kleiman dave () netmedic net www.netmedic.net "High achievement always takes place in the framework of high expectation." Jack Kinder -----Original Message----- From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] Sent: Thursday, June 19, 2003 12:02 To: Ansgar Wiechers; security-basics () securityfocus com Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool? Do to the lack of knowledge and impatience I formatted the drive. I now have looked at a couple recovery tools out there but they run around $75.. ouch. I will bite the bullet and get one I guess. Here is the question, once that the information is recover will the application be able to read the file again or does the file have to be reassembled by a third party? I friend said that recovery is not a probable, reassembling the information in a order so the application can read it is another thing. I have no idea on this, what is your thoughts? Stephen -----Original Message----- From: Ansgar Wiechers [mailto:bugtraq () planetcobalt net] Sent: Wednesday, June 18, 2003 6:50 PM To: security-basics () securityfocus com Subject: Re: Digital Evidence Question - What is an effective Windows hard -disk search tool? On 2003-06-18 Gene LeDuc wrote:
It funny that this discussion started in the last few days.. As Murphy would have it, last night while installing a new nic card. Something happened to the boot.ini file and corrupted it. I don't know how or why except the possibility of it writing to the boot.ini file the nic information. I don't think that this information is stored in the boot.ini file but maybe. Anyway the problem I ran into is that the win would not load and I couldn't recover it. (No safe mode, no fixboot, no fixmbr, nothing) I figured I would just overlay an OS on top of the old one and then recover the information, no luck the process would not perform unless I format. Great... If you know what I mean. I have been researching free tools to recover lost data but no real luck in a software that performs properly. I was wondering if anyone has/knows of one. Looking to recover my office files - *.xls, *.pst file and *.doc files.If all you want to do is recover the info, you can attach the hard drive to a linux box and mount the NTFS partition. From that point you can browse the NTFS file system and copy any files you want. Depending on the flavor and version of linux, you may have to load an NTFS driver; I believe sourceforge has a read-only driver. If you don't have a linux box hanging around then I suppose you could also attach the drive to another MS box and access it natively.
Most distributions provide (read-only-)access to NTFS out of the box, since it is part of the official kernel. The only exception I know of is RedHat (you have to install the driver yourself there). If you don't happen to have a Linux box you could try tomsrtbt [1] which runs from a single floppy disk. With another harddisk in the box you can easily copy the files you want to preserve onto the second harddisk. Use FAT32 as filesystem for the second harddisk so it will be read- and writable from Windows as well as from Linux. [1] http://www.toms.net/rb/ Best regards Ansgar Wiechers --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ---------------------------------------------------------------------------- ---------------------------------------- The information transmitted in this message is intended only for the person or entity to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this document. --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- RE: Digital Evidence Question - What is an effective Windows hard -disk search tool? Wilcox, Stephen (Jun 18)
- <Possible follow-ups>
- RE: Digital Evidence Question - What is an effective Windows hard -disk search tool? Chris Berry (Jun 18)
- RE: Digital Evidence Question - What is an effective Windows hard -disk search tool? Wilcox, Stephen (Jun 19)
- RE: Digital Evidence Question - What is an effective Windows hard -disk search tool? dave (Jun 20)