I am by no means a forensics expert, but I have had success recovering data off wiped drives using PowerQuest's little utility "Lost and Found". I was able to pull unbelievable amounts of data off IDE drives: files that had been deleted two years prior and such. I was even able to recover a couple hundred meg of ASF files without error. It did take DAYS to analyze the hard drives. One of the drives I did a recovery on was mine, and it was defragmented regularly, and it still yielded all kinds of stuff I thought I had deleted a long, long time ago.

-----Original Message-----
From: dhibbelnat_private [mailto:dhibbelnat_private]
Sent: Friday, August 24, 2001 8:08 AM
To: FORENSICSat_private
Subject: How to be a Computer Crime Investigator

Folks,

I would welcome comments on this post from another list that a long-time member made:

"I spent a week in May learning how to be a Computer Crime Investigator. I have attended a number of FBI seminars this year on Computer Crime, and at the Information Systems and Control Association's annual convention I sat in for another week on multiple seminars on hacking, computer crime and forensic investigation. These seminars were put on by industry and by the DEA and Justice Department. I have applied for a Computer Crime Investigator certification; I am waiting for that to come through.

"First, on the low-level formatting. It used to be that any IDE drive could be easily low-level formatted. That is no longer so. Each manufacturer has its own algorithms for doing this. So in order to low-level format more recent IDE drives you have to have software specific for THAT drive. Apparently there is no standard software anymore. SCSI still has low-level format capabilities, usually built into the controller. A high-level format (the one you normally do on your computer) does not really erase much of anything. The forensic experts claim that they can recover data after 7 (seven) high-level formats.

One lecture I was in, put on by a company in Oregon who are forensic experts, talked about recovery. The question was asked about how much a defragment operation permanently erases. The expert's comment was that very few people defragment, so most information is easily recoverable. The defragmenting does make it harder if it has been done many times over time. Essentially it has to do with how much disk activity there has been, how much deleting and rewriting has gone on, and the level of expertise of the forensic technician. This company in Oregon puts their diplomas in fragments on a formatted floppy. You have to retrieve the pieces forensically and reassemble them to get your diploma.

The porno cops have indexed many of the known child pornography pictures, as many of the pictures have been around for a lot of years. Many of them came from a series done in the early 1980s. If, forensically, they find snippets of the pictures on a hard drive, not the entire picture, only small pieces, they will prosecute based on that snippet because they can identify which picture it originally came from. Usually prosecution is based on one count per picture. Snippets are also used in hacker prosecution. Often hackers will leave traces of their activity with these snippets after they think they have deleted all of their activity.

There are software forensic tools that will examine a hard drive cluster by cluster. Much of the forensic data is found in slack space between files. It takes as long as 40 hours to examine a 4 GB drive. If you have the time, money, expertise, equipment and software, you can do an amazing amount of recovery. Most people do not take steps, or know the steps to take, to minimize or eliminate what is left on an erased hard drive or how to truly delete files."

Regards
David R. Hibbeln

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
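The mechanics the quoted post describes (a high-level format leaving data clusters untouched, cluster-by-cluster signature carving, old bytes surviving in the slack of a new file, and a fragment being traced back to a catalogued picture) can be reproduced on a toy volume in memory. The following is an added example, not code from the original thread or from any of the tools mentioned; the 512-byte cluster, the one-byte-per-cluster allocation table in cluster 0, the synthetic "JPEG" payload, and the catalogue name "known_picture_0042.jpg" are all constructed for illustration. It also shows the caveat practitioners run into: wiping free clusters removes the carvable file but leaves the slack of the allocated cluster intact.

```python
"""Toy volume: why a quick format does not erase, where slack comes from,
and how a surviving fragment is matched to a known file.  All data is
constructed in memory; no real drive is read or written."""
import hashlib

CLUSTER = 512          # cluster size of the toy volume (assumption)
TABLE_CLUSTERS = 1     # cluster 0 is the allocation table: one byte per data cluster
DATA_CLUSTERS = 16

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def new_volume():
    return bytearray(CLUSTER * (TABLE_CLUSTERS + DATA_CLUSTERS))


def clusters_for(length):
    return -(-length // CLUSTER)          # ceiling division


def write_file(vol, first_cluster, data):
    """Write from a cluster boundary and mark the clusters allocated."""
    start = (TABLE_CLUSTERS + first_cluster) * CLUSTER
    vol[start:start + len(data)] = data
    for c in range(first_cluster, first_cluster + clusters_for(len(data))):
        vol[c] = 1                        # table entry: 1 = in use


def high_level_format(vol):
    """A quick format rewrites only the allocation table; data clusters stay."""
    vol[0:CLUSTER] = bytes(CLUSTER)


def wipe_free_clusters(vol):
    """Overwrite every cluster the table marks free. Allocated clusters are untouched."""
    for c in range(DATA_CLUSTERS):
        if vol[c] == 0:
            off = (TABLE_CLUSTERS + c) * CLUSTER
            vol[off:off + CLUSTER] = bytes(CLUSTER)


def carve_jpegs(vol):
    """Cluster-by-cluster carving: SOI at a cluster start, then the next EOI."""
    found = []
    for c in range(DATA_CLUSTERS):
        off = (TABLE_CLUSTERS + c) * CLUSTER
        if vol[off:off + 3] == JPEG_SOI:
            end = vol.find(JPEG_EOI, off)
            if end != -1:
                found.append(bytes(vol[off:end + 2]))
    return found


def slack_of(vol, first_cluster, length):
    """Bytes between the end of a file and the end of its last cluster."""
    start = (TABLE_CLUSTERS + first_cluster) * CLUSTER
    return bytes(vol[start + length:start + clusters_for(length) * CLUSTER])


def block_catalogue(known_files, block=64):
    """Hash every aligned block of every known file; fragments are matched on these."""
    cat = {}
    for name, data in known_files.items():
        for i in range(0, len(data) - block + 1, block):
            cat[hashlib.sha256(data[i:i + block]).hexdigest()] = name
    return cat


def identify_fragment(fragment, cat, block=64):
    """Slide over the fragment byte by byte; any catalogued block hash names the source."""
    for i in range(0, len(fragment) - block + 1):
        if (h := hashlib.sha256(fragment[i:i + block]).hexdigest()) in cat:
            return cat[h]
    return None


def demo():
    # Constructed "picture": marker, 1200 payload bytes that never contain 0xff, marker.
    photo = JPEG_SOI + bytes((i * 7 + 3) % 251 for i in range(1200)) + JPEG_EOI
    vol = new_volume()
    write_file(vol, 0, photo)                    # occupies data clusters 0..2
    high_level_format(vol)                       # table gone, data still there
    carved = carve_jpegs(vol)
    note = b"shopping list: milk, eggs\n"        # constructed; reuses cluster 0
    write_file(vol, 0, note)
    slack_before = slack_of(vol, 0, len(note))
    cat = block_catalogue({"known_picture_0042.jpg": photo})
    tail = (TABLE_CLUSTERS + 2) * CLUSTER
    fragment = bytes(vol[tail:tail + CLUSTER])   # only the last cluster of the picture
    wipe_free_clusters(vol)
    return {
        "carved_count": len(carved),
        "carved_intact": len(carved) == 1 and carved[0] == photo,
        "slack_is_old_data": slack_before == photo[len(note):CLUSTER],
        "fragment_source": identify_fragment(fragment, cat),
        "carved_after_wipe": len(carve_jpegs(vol)),
        "slack_survives_wipe": slack_of(vol, 0, len(note)) == slack_before,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The fragment matcher hashes aligned 64-byte blocks of the known file and slides over the fragment at every offset, so any recovered piece of at least 127 bytes contains a catalogued block regardless of where it was cut; real investigations use the same idea with much larger catalogues. The last two results are the caveat: a free-space wipe stops the carver, but the bytes of the old picture sitting in the slack of the new note are still there until that cluster itself is overwritten.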
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 12:23:27 PDT