Mike,

We use Norton's Utilities, including Undelete, Diskedit, etc.

We also use Safeback. It is now owned and supported by NTI (http://www.forensics-intl.com/). It is an excellent imaging utility and will make verifiable forensic images of MS operating systems, Unix, Linux, MAC, Novell, etc. We also use the NTI forensic tools.

We use Encase Pro.

We use RecoverNT. They are about to release a beta version of a new forensic utility that will do some additional things that we asked them to write to assist in forensic examinations.

We use our own wiping utilities. Why a multiple pass wipe? It takes special equipment to go below the first level. We had a rather involved thread about this topic not too long ago.

Outlook (not Outlook Express) has a nice recovery tool called SCANPST.EXE. If you zero out a few bytes in the file header, it will view the file as corrupt and it will scan the entire Outlook file and recover all recoverable mail messages, even deleted mail messages that have not been removed, and send them to a new file that can be accessed by Outlook.

We also use QuickView Plus, KeyView Pro, Captain Nemo, Access Data's Password Recovery Toolkit and the Password Kit from www.lostpassword.com, just to mention a few other tools.

Don't drool over Encase too much, it is a great tool, but you still need to know the basic methodology and fundamentals of forensic examinations to successfully testify in court. Don't get caught in the trap of relying solely on a "tool" to conduct your forensic examination.

John Mellon

Mike F wrote:

> I am Curious to those of you who Retrieve Evidence from computers.
> When using ANY OR ALL OF these software programs to do so,
> Norton UNDELETE, http://www.symantec.com <==mAY HAVE dEMO
>
> SAFEBACK, http://www.sydex.com <===I HAVE NOT FOUND ANY USABLE INFO????????
>
> ENCASE PRO http://EnCase.com <<===I hope 2 one day be able to afford, ENCASE
> PROv3.0
> I want to use ENCASE so Bad it hurts!!!
>
> EASY RECOVERY PRO, http://www.ontrack.com <==DOWNLOADABLE DEMO
>
> RECOVERYNT http://www.lc-tech.com
> Support pages 4 LC-Tech's products
> ===>http://www.lc-tech.com/supportmain.asp
> TOOLS PAGE NO PASSWORD NEEDED HERE
> http://www.lc-tech.com/downloadable_tool_demos.asp
> I would like to know how these tools work against a DATA Wiping & Overwrite
> software tool
> such as,
> BCWIPE
> EVIDENCE ELIMINATOR Ver 5.054 and other similar programs.
> I am asking if you have run any tests, I have put different word documents in
> a test folder.
> I then used evidence eliminator to wipe & overwrite these documents. I
> changed the options on E.E. at times I used
> only 3 passes to wipe then overwrite documents.
> At other times I would set standard as High as DOD which
> is 7 and higher. My results are & were Mixed!!
> I fully expected them to be mixed since I am new at this.
> I am hoping that some of you with more expertise & controlled
> testing, could tell us results or lack of results.
>
> Here is a Software Program that SAYS IT Recovers OUTLOOK FILES 740kBYTES
> http://www.officerecovery.com/outlook/index.htm <=NEWSLETTER AT TOP OF PAGE
> ATTENTION MAC OWNERS, LOOKS LIKE THESE PEOPLE HAVE TOOLS 4 u 2.
>
> I am reposting this info below:
> I just noticed you can download RecoverNT, Demo
> I thought some of you would be interested.
> download RecoveryNT
> http://www.lc-tech.com/form/R98NT_demoform.asp
>
> Tools Page more stuff
> http://www.lc-tech.com/downloadable_tool_demos.asp
>
> or go here click on demo downloads ==>
> http://www.lc-tech.com/
>
> OoPS I almost did not include a link for Evidence Eliminator
> need something to test above Products on Now Don't we!!!!!!!!!!!!!!!111
> Go to http://www.webattack.com <==right side 3rd of shareware programs
>
> http://ml4mi.com
> Mike Fiorentino
> 237 South Edwards Ave #3
> Syracuse, NY 13206

--
John J. Mellon, CFCE
-------------------------------------------
Key Computer Service, Inc.
Computer Forensic Examinations and Training
www.keycomputer.net
305-453-7862
-------------------------------------------
IACIS Board Chairman
Certification Chairman

This archive was generated by hypermail 2b30 : Tue May 29 2001 - 17:17:51 PDT