RE: Encase and data recovery

From: Young, Brandon (Brandon.Youngat_private)
Date: Tue Mar 12 2002 - 12:37:50 PST


    Eoghan,
    
    Actually what we did was a keyword search for specific strings that I knew were in the original logs. The only hits
    that were found were remnants in the pagefile.sys. But the problem is that in a real scenario how would we have known to
    look for those keywords? There are a lot of variables in that scenario. Additionally, we were only able to recover a few of
    the commands from the page file so that gave us only an idea of what had happened. The log files I can see being overwritten
    to the same space on the disk which is an interesting fact, but what I can't figure out is why all of the tools weren't
    able to be recovered since AFAIK there wasn't anything written to that particular portion of the disk. When we did the
    searches for the tools, I actually did a keyword search for all of the tools and files I created in the directory tree
    and came up with nothing. I guess another question that arises is, is this a result of NTFS since the option to recover
    folders is not available within Encase as is the case with FAT? I need to do more research into why this is. I know it is
    briefly mentioned in the Encase documentation but I haven't researched it further.
    
    
    -Brandon
    
    -----Original Message-----
    From: Eoghan Casey [mailto:eoghan.caseyat_private]
    Sent: Tuesday, March 12, 2002 1:07 PM
    To: Young, Brandon
    Subject: Re: Encase and data recovery
    
    
    Brandon,
    
    Interesting.
    
    How did you search for the deleted logs? Did you rely on the file system
    view or did you search the entire disk for log fragments? Is there a
    chance that you missed fragments or did you search for unique
    characteristics? Similarly, did you search the entire disk for the
    deleted tools or were you relying on the file system view?
    
    Eoghan Casey
    Information Security Office
    Yale University
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 19:35:00 PST