

Hard drive forensics and data recovery
June 7, 2010 3:18 PM   Subscribe

I am doing a research project for my CS degree and am looking at how to present an example for the class of forensic-type data recovery. Say, for example, a company had files they didn't want investigators to find out about and they deleted them. What tools would/should I use to prove that they have deleted them?

So far I have decided that I would first start with a hard disk image that I would put on a USB key, and follow that up with some type of file recovery scanning software (any suggestions?). I would then check the event logs for file deletion (is that possible?). Would it be necessary to get a bit-by-bit clone copy of the hard drive itself? If that is the case, would I need an identical hard drive/system setup to access it later?

Any help that you can provide would be most appreciated, as I feel in the dark on this a little.
posted by l2yangop to Computers & Internet (3 answers total)
 
There are many options. Sleuthkit is open source and free, so it is easier to use than commercial tools, which are very expensive and often require hardware dongles.

Most file systems do not log deletion. Windows Server 2003 does as an option, but I don't know of any other that does that is commonly used.

You can get a bit-by-bit disk image by using dd or dcfldd or one of many other tools. Once you have the image, you can (and should) work with the image directly. You do not need to restore it to hardware in the general case.

Feel free to MeMail me if you have other questions.
posted by procrastination at 3:25 PM on June 7, 2010
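The acquisition workflow from the answer above, as an added example that is not part of the original thread and is not code from any of the posters: a POSIX shell script that images a "drive" bit for bit with dd, hashes source and image to prove the copy is exact, writes an acquisition log, re-verifies the image before analysis, and then searches the image (not the original) for the deleted record. The work directory, the 1 MiB sample "drive" and the CONFIDENTIAL marker are constructed assumptions for the demo; on a real case the source would be a block device behind a hardware write blocker. The Sleuth Kit call (`fls -r -d`) is included for a real filesystem image and is not run against the constructed sample, which carries no filesystem.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: a scratch directory
# under $TMPDIR, a constructed 1 MiB file standing in for the suspect drive, and
# a constructed "CONFIDENTIAL" record planted at offset 4096 as the deleted data.
set -u

WORK="${TMPDIR:-/tmp}/forensic-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Portable SHA-256: GNU coreutils sha256sum, else BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the suspect drive: 1 MiB of zeros with one record in it,
# as if the file had been deleted but its blocks never reused.
make_sample_evidence() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'CONFIDENTIAL: q3 numbers, do not distribute\n' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Acquire a bit-for-bit image. conv=noerror,sync keeps going past an unreadable
# sector and zero-fills it so later offsets stay aligned; bs=512 matches the sector
# size, so sync never pads the image beyond the real device length (a larger bs
# would pad the tail and break the hash comparison). Records both hashes, the
# time and the operator in an acquisition log beside the image. Prints the image
# hash; exit status is 0 only if source and image hashes match.
acquire_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    {
        printf 'source=%s sha256=%s\n' "$src" "$src_hash"
        printf 'image=%s  sha256=%s\n' "$img" "$img_hash"
        printf 'acquired=%s by=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)"
    } > "$img.log"
    printf '%s\n' "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Re-verify the image against the logged hash before every analysis session.
# Exit status 1 means the image no longer matches what was acquired.
verify_image() {
    recorded=$(sed -n 's/^image=.* sha256=//p' "$1.log")
    [ "$(hash_file "$1")" = "$recorded" ]
}

# Analysis runs on the image, never on the original. With a real filesystem image
# and The Sleuth Kit installed, fls -r -d lists deleted directory entries (icat then
# extracts a body by inode). Not run in the demo: the sample has no filesystem.
list_deleted_entries() {
    command -v fls >/dev/null 2>&1 || { echo "fls (The Sleuth Kit) not installed" >&2; return 2; }
    fls -r -d "$1"
}

# Tool-independent fallback: a raw search of the image for a known string, which
# shows the deleted record still sits in unallocated space. Prints the match count.
carve_strings() {
    grep -a -c "$2" "$1" || true
}

# Demo run on the constructed sample.
SRC="$WORK/suspect.bin"; IMG="$WORK/suspect.dd"
make_sample_evidence "$SRC"
echo "image sha256: $(acquire_image "$SRC" "$IMG")"
verify_image "$IMG" && echo "image verified against acquisition log"
echo "CONFIDENTIAL records found in image: $(carve_strings "$IMG" CONFIDENTIAL)"
```

The hash log is the minimum a third party needs to check that the image you analysed is the one you acquired, which is the practical side of the chain-of-custody point raised later in this thread; any later byte change to the image (or to the original, if it was not write-protected) makes `verify_image` fail.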


Try this thread on SA for a starting point.
posted by Four Flavors at 3:40 PM on June 7, 2010


Document everything. Computer forensics needs to be reproducible. If you were doing the forensics with the thought of going to court, one should probably use software that courts have recognized (EnCase, for example).

Also, if you are looking to reproduce a forensics experience, pay close attention to chain of custody (e.g. have witnesses to your drive duping, then put the original in a tamper-evident pouch, and safely store it away).

I understand that this is an academic exercise, but all that process stuff is key to a solid forensic investigation.

For extra fun you can discuss Anti-Forensics.
posted by el io at 3:52 PM on June 7, 2010

