Mike,

None of the tools you mentioned is of any value for recovering files that have been wiped/overwritten. Data recovery software is of value only where the files have been deleted, but not overwritten. At best, data recovery utilities see what the hard drive sees, and when data has been overwritten (and this is what file wiping is), what the hard drive sees is only the data that is currently there, i.e., the data that was written over the old data.

Nonetheless, data recovery software is valuable. The size of files makes manual recovery difficult and time-consuming, although manual recovery is a skill everyone in the forensics business ought to know. Undeleting utilities reconstruct deleted files from their parts. How well they do it depends on how well they can identify the parts of a deleted file scattered about a hard drive. My favorites are PowerQuest's Lost and Found, for FAT systems, and RecoverNT for NTFS.

Safeback is a utility for creating evidentiary images or copies of drives. It doesn't recover deleted files. For information, contact NTI, in Gresham, Oregon.

Encase is an imaging and analytical software package that does file undeleting. If you contact Guidance Software and act real nice, they might send you a demo CD so you can play around with it. I don't know what their policy is for sending out demo software, but I have found the Encase people very accommodating.

As far as evaluating file wiping products, I have found that their capabilities really depend on the users. Oftentimes it is quite obvious that someone has used a wiping product, and in certain contexts that fact can be more harmful than what was wiped. Windows systems and application software leave file artifacts all over hard drives, and it's rare to find someone who can clean a system without leaving tracks.

Troy Larson
Computer Forensics, Electronic Evidence and Legal Support
Fiderus Strategic Security and Privacy Services
(Direct) 425-793-1988
(Cell) 425-503-5845
tlarsonat_private
www.fiderus.com
----------------------------------
24 Hour Emergency Response Hotline
1-877-595-8491
----------------------------------

-----Original Message-----
From: Mike F [mailto:friindy@a-znet.com]
Sent: Monday, May 28, 2001 7:19 AM
To: FORENSICS-FOCUS
Cc: Kathleen Lundeen
Subject: computer forensics

I am curious to those of you who retrieve evidence from computers. When using ANY OR ALL OF these software programs to do so,

Norton UNDELETE, http://www.symantec.com <== MAY HAVE DEMO
SAFEBACK, http://www.sydex.com <=== I HAVE NOT FOUND ANY USABLE INFO????????
ENCASE PRO http://EnCase.com <<=== I hope 2 one day be able to afford ENCASE PRO v3.0. I want to use ENCASE so bad it hurts!!!
EASY RECOVERY PRO, http://www.ontrack.com <== DOWNLOADABLE DEMO
RECOVERYNT http://www.lc-tech.com
Support pages 4 LC-Tech's products ===> http://www.lc-tech.com/supportmain.asp
TOOLS PAGE, NO PASSWORD NEEDED HERE: http://www.lc-tech.com/downloadable_tool_demos.asp

I would like to know how these tools work against a data wiping & overwrite software tool such as BCWIPE, EVIDENCE ELIMINATOR Ver 5.054 and other similar programs.

I am asking if you have run any tests. I have put different Word documents in a test folder. I then used Evidence Eliminator to wipe & overwrite these documents. I changed the options on E.E.; at times I used only 3 passes to wipe then overwrite documents. At other times I would set standard as high as DOD, which is 7 and higher. My results are & were mixed!! I fully expected them to be mixed since I am new at this. I am hoping that some of you with more expertise & controlled testing could tell us results or lack of results.

Here is a software program that SAYS IT recovers OUTLOOK FILES, 740 kBYTES:
http://www.officerecovery.com/outlook/index.htm <= NEWSLETTER AT TOP OF PAGE
ATTENTION MAC OWNERS, LOOKS LIKE THESE PEOPLE HAVE TOOLS 4 u 2.

I am reposting this info below:
I just noticed you can download the RecoverNT demo. I thought some of you would be interested.
Download RecoveryNT: http://www.lc-tech.com/form/R98NT_demoform.asp
Tools page, more stuff: http://www.lc-tech.com/downloadable_tool_demos.asp
or go here and click on demo downloads ==> http://www.lc-tech.com/

Oops, I almost did not include a link for Evidence Eliminator. Need something to test above products on now, don't we!!!
Go to http://www.webattack.com <== right side 3rd of shareware programs

http://ml4mi.com
Mike Fiorentino
237 South Edwards Ave #3
Syracuse, NY 13206

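
The distinction drawn in the reply above, between files that are deleted and files that are overwritten, as an added example that is not part of the original thread or of any tool named in it. The ToyVolume class, its 8-byte clusters, the fill bytes and the sample document are constructed assumptions, loosely modelled on a FAT-style volume where only the start cluster and size survive deletion.

```python
CLUSTER = 8  # bytes per cluster in this toy volume (constructed value)

class ToyVolume:
    def __init__(self, n_clusters=16):
        self.data = bytearray(CLUSTER * n_clusters)
        self.dir = {}  # name -> {"start", "size", "chain"}; chain is None once deleted

    def write(self, name, content, clusters):
        # Caller chooses the clusters so fragmentation can be forced.
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.dir[name] = {"start": clusters[0], "size": len(content), "chain": list(clusters)}

    def delete(self, name):
        # Ordinary delete: the allocation chain is dropped, the bytes stay on disk.
        self.dir[name]["chain"] = None

    def wipe(self, name, passes=3):
        # Overwrite every cluster the file occupies, then delete it.
        for p in range(passes):
            fill = bytes([(0x00, 0xFF, 0xAA)[p % 3]]) * CLUSTER  # arbitrary patterns
            for c in self.dir[name]["chain"]:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = fill
        self.delete(name)

    def undelete(self, name):
        # Only start cluster and size survive deletion, so assume the file was
        # contiguous and return whatever bytes are in those clusters now.
        e = self.dir[name]
        begin = e["start"] * CLUSTER
        return bytes(self.data[begin:begin + e["size"]])

def demo(doc=b"CONSTRUCTED-SAMPLE-DOCUMENT!"):
    # Returns {case: (recovered intact?, first cluster of doc still on disk?)}
    results = {}
    cases = (("deleted", [2, 3, 4, 5], "delete"),
             ("fragmented", [2, 9, 3, 12], "delete"),
             ("wiped", [2, 3, 4, 5], "wipe"))
    for label, clusters, op in cases:
        v = ToyVolume()
        v.write("a.doc", doc, clusters)
        getattr(v, op)("a.doc")
        results[label] = (v.undelete("a.doc") == doc, doc[:CLUSTER] in v.data)
    return results

if __name__ == "__main__":
    print(demo())
```

The fragmented case fails even though every byte of the document is still on the volume, which is where a tool's ability to identify scattered parts matters; the wiped case fails because the original bytes are no longer there to be read.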
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 20:50:23 PDT