Articles

Hard Disk Details (1)

Data recovery is necessary when the source material fails and no good backup exists; the failure can be either physical or logical. In the standard basic sense there are two types of data recovery. One type is needed when the media is damaged and the pre-existing data has to be retrieved. This will usually require the media to be repaired.

The second form of data recovery is needed when files were purposely or accidentally deleted. In this case there is usually no damage to the media and standard software can be used to recover the data. This is the process that most software performs. Very few software programs understand damaged media. Because most software relies on calls and functions from the operating system for its input, it has no control over error correction or any other function that the operating system performs on the drive. I believe there are four phases to any data recovery.

Four Phases of Recovery
1. Repair the hard drive so that it is running in some form; this usually requires hardware or special equipment.

2. Image, copy or recover the physical drive and its sectors, primarily by bitstream imaging. If the drive is functioning this can be done with software, although some hardware solutions work very well, e.g. the DeepSpar Disk Imager. This is a phase where some software is better than others: for example, dd_rescue (used with the dd_rhelp script) on a Linux system has a special feature that allows it to image backwards (understanding why you need to image backwards is very important in data recovery).

3. Perform logical recovery of files, partition structures or other necessary items; this is usually done by software and is the most common type of application sold.

4. Repair files that may have existed in damaged space or sectors, to recover whatever is possible. In forensics this is usually required in order to re-assemble data and display what was there, whether whole or not. The same technique is applied in data recovery for corrupt Word and Excel documents.

Computer Forensic Tool: MacLockpick

MacLockPick™ is a valuable tool for law enforcement professionals to perform live forensics on Mac OS X systems. The solution is based on a USB flash drive that is inserted into a suspect’s Mac OS X computer while it is running (or sleeping). Once the software is run it extracts data from the Apple Keychain and system settings in order to give the examiner fast access to the suspect’s critical information with as little interaction or trace as possible. It is also the only professional tool that can extract extensive encrypted information from a computer that is shut down.

Computer Forensic Tool: F-Response

F-Response: The First Truly Vendor Agnostic Solution for Remote Forensics and eDiscovery

In a criminal case or an internal corporate investigation, how do you perform a complete physical data extraction from a running computer? How do you perform computer forensics on a running Mac OS, Linux or Windows system, three different operating systems? How do you perform forensics on a running server? How do you examine any computer on the local area network? With the F-Response software all of this is possible. F-Response uses a patent-pending process based on well documented industry standards to create a secure, read-only connection between the examiner’s computer and the computer under inspection.

F-Response can be used with any computer forensic tool. Any mistaken operation can alter the source data, but the F-Response connection is completely read-only, functioning much like a software write blocker, so the data stays safe.

F-Response is available under the following three different licensing options which are designed to appeal to independent examiners, consultancies, and corporations:

The F-Response Field Kit Edition is a value-priced single-user version of the F-Response patent-pending software suite. An F-Response Field Kit, when physically connected to the remote computer, gives you access to all the physical drives on that remote computer via the network. Best of all, the Field Kit is licensed for one year and priced at less than one typical hour of consulting time!

The Consultant Edition of F-Response was built and designed around the needs of larger and geographically distant consulting teams. Using F-Response Consultant Edition you can simultaneously access the physical storage devices of multiple computers with a single Consultant Edition software key. F-Response Consultant Edition is an excellent choice for first responders and incident response teams.

The Enterprise Edition of F-Response is the service-based (non-GUI) version, designed for managed-services consulting and internal corporate-wide deployments. F-Response Enterprise Edition provides all the features of F-Response Consultant Edition, streamlined for large network deployment with a scriptable installation, and is designed to support either an internal corporate investigations team or a managed-services appliance. Best of all, F-Response Enterprise is not licensed per seat. One license of F-Response Enterprise provides unlimited usage on an unlimited number of client installations for a full year.

Computer Forensic Tool: X-way Forensics

X-Way Forensics: Integrated Computer Forensics Software

X-Ways Forensics is an advanced work environment for computer forensic examiners and is also known as the forensic edition of WinHex. It provides a powerful, comprehensive environment for evidence collection and analysis. It comprises all the general and specialist features known from WinHex, and adds more powerful functions:

Disk cloning and imaging, even under DOS with X-Ways Replica (forensically sound)
Examining the complete directory structure inside raw (.dd) image files, even spanned over several segments
Native support for FAT, NTFS, Ext2/3/4, CDFS, UDF
Built-in interpretation of RAID 0 and RAID 5 systems and dynamic disks
Complete access to disks, RAIDs, and images more than 2 TB in size (more than 2^32 sectors)
Viewing and dumping physical RAM and the virtual memory of running processes
Various data recovery techniques and file carving
File header signature database, based on flexible GREP notation
Hard disk cleansing to produce forensically sterile media
Gathering slack space, free space, inter-partition space, and generic text from drives and images
File and directory catalog creation for all computer media
Easy detection of and access to NTFS alternate data streams (ADS), even where other programs fail
Mass hash calculation for files (CRC32, MD5, SHA-1, SHA-256, …)
Unlike a competing product, does not depend exclusively on MD5 (collisions in MD5)
Powerful physical and logical search capabilities for many search terms at the same time
Recursive view of all existing and deleted files in all subdirectories
Automatic coloring for the structure of FILE records in NTFS
Bookmarks/annotations
Bates-numbering files

Computer Forensic Tool: OnScene Investigator

OnScene Investigator – the unique data recovery solution for Apple MacBook and MacBook Pro

OnScene Investigator is software that retrieves data over a crossover cable, so it can be used directly to quickly search and/or image a computer. The transfer speed is 1.2GB – 2GB. Typical uses:

1. Viewing the contents of the internet cache in thumbnail view
2. Copying the suspect’s index.dat for review in X-Ways Trace or Digital Detective
3. Copying the suspect’s mail file for review in email investigation software such as Paraben’s Email Examiner
4. Searching for keywords on a suspect computer before proceeding to imaging

Computer Forensic Tool: Final Forensics

FINAL Forensics — World Class Forensics Analysis & Data Recovery Solution

1. Strong keyword search function
2. Supports regular expressions
3. Checks a file’s contents quickly
4. Supports Unicode, so it can analyze and search multiple languages
5. Supports various file types, such as HTML, images and MS Office documents
6. Can recover and analyze various database types, such as Oracle, Microsoft SQL, Access, DB2, etc.
7. Unique file analysis technique that clearly classifies the large amount of data on the HDD, ensuring that you quickly and correctly find the evidence you are concerned with. You need not spend effort memorizing how to use the software; you only need to apply your energy and wisdom to finding the clues.

G-List

The ‘G-List’ or ‘Grown’ list (again stored within the service area) records bad sectors detected after the drive has left the factory, and again these sectors will be avoided, with the firmware arranging data around them. This process takes place automatically, with the user largely if not completely unaware that it is being carried out.

P-List

This is a list of known bad sectors detected as part of the post-manufacture testing process. Any sectors recorded in the P or ‘Production’ list will not be used for the storage of data; the firmware automatically arranges the data around them.

Hard Drive Firmware

A hard drive can be compared to a small computer. It employs microprocessors to control both the physical behaviour of the various electro-mechanical components and the logical operations that store and retrieve data as an arrangement of the magnetic particles on the disk surface. This operation is completely independent of the operation of the host PC. Like any computer, the hard drive needs its own software to control the operation of the microprocessors, but unlike a PC this software is limited to the drive’s operational functionality and is not (and under normal circumstances cannot be) changed by the user. This hard drive ‘software’ is, as a result, more usually referred to as ‘firmware’. The firmware carries out a range of functions, from what might be termed ‘analogue’ functions such as controlling the spinning of the disc and positioning of the read/write heads, to the ‘digital’ functions used to pass data files to and from the PC, keeping track of the location and parameters of the data files stored, and many, many more. Without firmware the drive is simply a collection of electronic components.

Just as the software on a PC can have problems, so the firmware can cause a hard drive to fail if it becomes lost or corrupted. Statistical analysis shows that up to 60% of hard drive problems are due to firmware failure. Firmware problems can arise from a range of causes:

· Instability or failure of electronic components
· Accidental or inadvertent removal of power to the drive
· Deterioration of the magnetic response of the data recording surfaces

The last cause is virtually inevitable over time, and the deterioration accelerates the longer or more intensively the drive is used. Additionally, the disk manufacturing process is not 100% perfect, so disks commonly leave the factory already having problems with certain areas of the disk. Areas where the drive has problems correctly reading data from the disk are known as ‘bad sectors’. Sectors that fail simply because the data stored on them has become corrupted are known as ‘logical’ bad sectors; these can be ‘repaired’ by re-recording the data correctly or in the correct format. Areas whose problems arise from the failing magnetic response of the disk surface are known as ‘physical’ bad sectors, and these cannot be repaired.

Bad sectors of either kind can occur not only in the data storage area of the drive but also in a ‘reserved’ area dedicated to storing part of the drive firmware, called the ‘service area’. Bad sectors in the user data area can cause the loss or corruption of data files or reduced performance of the drive; bad sectors in the firmware area can lead to the drive failing completely. As the firmware area has to be accessed every time the computer is switched on and every time the drive is accessed, the chance of bad sectors becoming a problem in this area is consequently higher.
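The P-List, G-List and bad-sector descriptions above can be put together in one small model. This is an added example, not code from the page or from any drive vendor: it models the firmware's view of the disk as a translation table, handling factory (P-List) defects by skipping the physical sector so later sectors shift by one, and in-service (G-List) defects by reallocating the logical sector to a spare pool, with the logical/physical bad-sector distinction deciding which path a read error takes. All sector numbers and pool sizes are constructed values.

```python
# Added example (not from the page or any drive vendor): a toy model of how
# drive firmware hides bad sectors from the host. P-List (factory) defects are
# handled by "slipping": the defective physical sector is skipped and every
# later sector shifts by one. G-List (grown) defects are reallocated to a
# spare pool in the service area. Sector numbers below are constructed values.

class FirmwareMap:
    def __init__(self, physical_sectors, spare_sectors, p_list):
        self.physical_sectors = physical_sectors      # user-data physical sectors
        self.spare_base = physical_sectors            # spare pool starts after them
        self.spare_sectors = spare_sectors
        self.p_list = sorted(set(p_list))             # factory defects, never used
        self.g_list = {}                              # LBA -> spare physical sector
        self.next_spare = 0

    @property
    def capacity(self):
        # Host-visible LBAs: every user sector that is not a factory defect.
        return self.physical_sectors - len(self.p_list)

    def translate(self, lba):
        """Physical sector that currently holds the given host LBA."""
        if not 0 <= lba < self.capacity:
            raise ValueError(f"LBA {lba} out of range")
        if lba in self.g_list:                        # grown defect: reallocated
            return self.g_list[lba]
        phys = lba                                    # P-List slipping
        for bad in self.p_list:
            if bad <= phys:
                phys += 1
            else:
                break
        return phys

    def grow(self, lba):
        """Move an LBA whose physical sector failed in service to the spare pool."""
        if lba in self.g_list:
            return self.g_list[lba]
        if self.next_spare >= self.spare_sectors:
            raise RuntimeError("spare pool exhausted; the defect can no longer be hidden")
        spare = self.spare_base + self.next_spare
        self.next_spare += 1
        self.g_list[lba] = spare
        return spare

    def handle_read_error(self, lba, rewrite_succeeds):
        """Firmware reaction to an unreadable sector, following the page's
        distinction: a 'logical' bad sector is repaired by rewriting it in
        place; a 'physical' one (rewrite still fails) is added to the G-List."""
        if rewrite_succeeds:
            return "repaired in place", self.translate(lba)
        return "reallocated", self.grow(lba)
```

Once the spare pool is exhausted the model raises, which is the point at which a real drive starts reporting errors to the host instead of hiding them.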
