RE: Encase and data recovery

From: Lee, Robert T. (ROBERT.T.LEE-2at_private)
Date: Mon Mar 18 2002 - 06:36:47 PST

    Brandon,
    
    Another option may be to compare the results from your Encase search and
    then run another search using the Unix ports of "cat", "strings", and
    "grep" on that filesystem and see if it produces any hits. 
    
    Example:
    
    C:\>cat \\.\PhysicalDrive0 | strings | grep test 
    
    Or if you have multiple strings put them in a file and run
    
    C:\>cat \\.\PhysicalDrive0 | strings | fgrep -f file-with-patterns
    
    Or if you do not have the ports of these tools, mount the drive on your
    favorite Linux flavor of choice and run the same test.
    
    Just a thought...  I would be interested to see if that produces the
    hits you are looking for.
    
    --Rob
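The raw-device string search described in the message above, written out as an added example for this thread (it is not code from the original message or from any of the posters). It does what `cat \\.\PhysicalDrive0 | strings | grep` and `fgrep -f file-with-patterns` do, but keeps the absolute byte offset of every hit, which the pipeline throws away, and reads the input in chunks so a whole drive never has to fit in memory. The disk image, the IIS log lines, the tool path and the pattern list are all constructed for the demo and are not evidence from the scenario; pass an image file, `/dev/sda`, or `\\.\PhysicalDrive0` (as administrator) as the first argument to run it against real input.

```python
"""Offset-aware version of `cat <device> | strings | grep PATTERNS`.

Added example for the Encase thread, not code from the original message.
Every input below (image, log lines, tool path, pattern file) is constructed.
"""
import io
import re
from typing import BinaryIO, Iterator, List, Tuple

MIN_LEN = 4  # minimum run length reported, the same default as GNU strings

# Pattern file in fgrep -f form: one literal per line (constructed for the demo).
PATTERN_FILE = """
#Software: Microsoft Internet Information Services 5.0
nc.exe
cmd.exe
iislogs.tgz
"""


def load_patterns(text: str) -> List[bytes]:
    """Parse an fgrep -f style pattern file: one literal per line, blanks ignored."""
    return [line.strip().encode() for line in text.splitlines() if line.strip()]


def iter_strings(stream: BinaryIO, chunk_size: int = 1 << 20,
                 min_len: int = MIN_LEN) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute_offset, run) for every printable-ASCII run of >= min_len bytes.

    Printable bytes at the end of a chunk are held back in `carry` until the next
    chunk arrives, so chunking never splits or drops a string.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    carry = b""  # trailing printable bytes of the previous chunk
    base = 0     # absolute offset of carry[0] (or of the next chunk if carry is empty)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        cut = len(buf)  # index where the trailing printable run (if any) begins
        while cut > 0 and 0x20 <= buf[cut - 1] <= 0x7E:
            cut -= 1
        for m in pattern.finditer(buf, 0, cut):
            yield base + m.start(), m.group()
        carry = buf[cut:]
        base += cut
    if len(carry) >= min_len:  # a run that ended exactly at end of input
        yield base, carry


def search_image(stream: BinaryIO, patterns: List[bytes],
                 chunk_size: int = 1 << 20) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, pattern, string) for each carved string that contains a pattern."""
    hits = []
    for offset, run in iter_strings(stream, chunk_size=chunk_size):
        for pat in patterns:
            if pat in run:
                hits.append((offset, pat, run))
                break  # one line of output per string, like grep
    return hits


def missing_patterns(hits, patterns: List[bytes]) -> List[bytes]:
    """Patterns with no hit anywhere on the disk: the data that really is gone."""
    found = {pat for _, pat, _ in hits}
    return [pat for pat in patterns if pat not in found]


# Constructed sample image: 4 clusters of 4 KiB holding leftovers in "unallocated" space.
CLUSTER = 4096
FILLER = bytes([0x00, 0x01, 0x02, 0x7F, 0x80, 0xFF])  # no printable byte, never a "string"
ORIGINAL_LOG_HEADER = (b"#Software: Microsoft Internet Information Services 5.0\r\n"
                       b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n")
ORIGINAL_LOG_LINE = b"2002-03-12 19:54:03 10.1.1.5 GET /scripts/cmd.exe 200\r\n"
TOOL_PATH = b"C:\\WINNT\\Temp\\nc.exe"


def build_sample_image() -> bytes:
    """Log header in cluster 0, tool path in cluster 1, one log line across the 2/3 boundary."""
    img = bytearray((FILLER * (CLUSTER * 4 // len(FILLER) + 1))[:CLUSTER * 4])
    img[0:len(ORIGINAL_LOG_HEADER)] = ORIGINAL_LOG_HEADER
    img[CLUSTER:CLUSTER + len(TOOL_PATH)] = TOOL_PATH
    start = 3 * CLUSTER - 20  # straddles a cluster boundary, exercising the chunk carry
    img[start:start + len(ORIGINAL_LOG_LINE)] = ORIGINAL_LOG_LINE
    return bytes(img)


def run_demo(chunk_size: int = 1 << 20) -> List[Tuple[int, bytes, bytes]]:
    """Search the constructed image; chunk_size is exposed so small chunks can be tested."""
    return search_image(io.BytesIO(build_sample_image()), load_patterns(PATTERN_FILE),
                        chunk_size=chunk_size)


if __name__ == "__main__":
    import sys
    patterns = load_patterns(PATTERN_FILE)
    if len(sys.argv) > 1:  # image file, /dev/sda, or \\.\PhysicalDrive0 (needs admin rights)
        with open(sys.argv[1], "rb") as f:
            hits = search_image(f, patterns)
    else:
        hits = run_demo()
    for offset, pat, run in hits:  # same layout as `strings -t x`, plus the matching pattern
        print(f"0x{offset:08x}  {pat.decode():<12} {run.decode()}")
    for pat in missing_patterns(hits, patterns):
        print(f"no hit for {pat.decode()!r}")
```

The offsets are what make this worth doing next to Encase: a hit at a known sector can be mapped back to a cluster and checked against the MFT to see whether it sits in unallocated space, file slack, or a live file, and a pattern with no hit at all (here the constructed `iislogs.tgz`) is the strongest evidence available from the disk alone that the material was overwritten rather than merely missed by the tool.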
    
     -----Original Message-----
    From: 	Ng, Nicholas [mailto:ngnat_private] 
    Sent:	Wednesday, March 13, 2002 10:24 PM
    To:	'forensicsat_private'
    Subject:	RE: Encase and data recovery
    
    I would have thought this would be a generic issue, not particular to a
    filesystem.  However, after a single over-write, it is not 'never again
    accessible', just not accessible to normal utilities such as are available retail.
    Data recovery companies can go deep into the recesses of the disk and
    retrieve information even after you used PGP to wipe it 3 times!  Of course this does
    not work 100% of the time, but it _does_ work.
    But now we're straying off topic somewhat... :)
    
    
    -----Original Message-----
    From: Pence, Derek A. [mailto:Derek.Penceat_private]
    Sent: Thursday, 14 March 2002 7:00 AM
    To: 'forensicsat_private'
    Subject: RE: Encase and data recovery
    
    
    
    So is this just an NTFS issue, or is it true for other file systems as well?
    That is, rather, is overwritten data never
    again accessible?
    
    
    
    -----Original Message-----
    From: Collins, Steve [mailto:Steve.Collinsat_private]
    Sent: Tuesday, March 12, 2002 1:45 PM
    To: 'forensicsat_private'
    Subject: Re: Encase and data recovery
    
    
    Hi Brandon,
    
    After any files like your original logs have been deleted, the space they
    once occupied is fair game for any data that comes along. That space was
    likely partially overwritten by the modified logs you sent back to the
    server.
    
    As for the space occupied by the tools,(I am assuming you deleted them
    _after_ uploading the logs) Windows modifies quite a number of files during
    the shutdown process and this activity probably overwrote that space.
    
    Cheers,
    
    Steve Collins GIAC NTSA
    Information Systems Security Analyst
    Information Protection Centre
    National Research Council of Canada
    Ottawa, Ontario K1A 0R6
    
    
    -----Original Message-----
    From: Young, Brandon [mailto:Brandon.Youngat_private]
    Sent: Tuesday, March 12, 2002 12:54 PM
    To: 'forensicsat_private'
    Subject: Encase and data recovery
    
    
    All,
    
    	My colleague and I set up a default installation of IIS web server
    5.0 on Windows 2000 Server using NTFS. We put
    together a mock incident response scenario where one of us broke into the
    machine, dropped tools on it, edited web server
    logs to cover tracks, deleted event logs to cover up auditing tracks and
    then deleted all of the tools off. 
    	During the incident response phase we used Encase to investigate
    what actually was done to the box, since from
    the investigator's point of view, the logs had obviously been edited and
    therefore couldn't be relied upon. When he
    looked through the evidence files there were no remnants left of the original
    logs, as well as only a partial listing of
    the tools that were dropped on during the break-in. 
    	The question we have is why weren't we able to recover the original
    logs? What I did when I broke into the
    server was stop the w3svc and tftp the IIS logs up and edit them, delete
    the old logs and replace them with the
    edited versions. In addition to this, Encase only saw about three of the six
    or so tools I used while I was in the
    server. Why was Encase only able to recover some of the tools used in the
    incident?
    
    One answer we came up with was that the OS used the unallocated space where
    the tools previously existed and therefore they
    were overwritten. But this seems unlikely since there wasn't any legitimate
    activity on the machine. This box was only
    used for this scenario.
    
    Any ideas?
    
    Thanks,
    
    Brandon Young
    CISSP, CCSA, CCSE, CCNA, MCSE
    Information Security Engineer
    Honeywell International
    Global IT Security & Systems Assurance
    Email: brandon.youngat_private
    Voice: 480.592.3988
    Intranet: http://itg.honeywell.com/secarch
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 10:32:30 PST