Forensic data recovery vs Data recovery
When files have been lost, or a disk has been corrupted or damaged, data recovery is required. Many forensic investigation tools expect a disk to be in good working order and not logically corrupted. Forensic data recovery allows for damaged disks and corrupted file systems. To stand up to critical forensic analysis, possibly in court, it is necessary to provide detailed reporting on how and where files have been recovered. Hashing the recovered files ensures that any later changes, accidental or deliberate, can be tracked. The whole chain of custody is as important as the data recovered.
CnW forensic data recovery software is first class at recovering files, but also contains extensive logs. This is where simple data recovery and the forensic side diverge. The comprehensive log saves full details of where files were recovered from, along with all directory metadata. There is a comprehensive set of forensic tools to assist any recovery that has to be forensically based, and operations can be repeated.
The two key elements of CnW are the log system, which holds details of all files, errors and media, and the XML report. The XML report can be generated from a series of logs, producing an outline report that summarises the log details. For straight data recovery no logs are required, and at times data on the failed disk may be changed. A critical part of any legal investigation is that no data must ever be changed on the disk drive.
Some key elements in a forensic data recovery are as below:
● Establish chain of custody and documentation procedures.
● Create a safe image of the disk (using a write blocker). The image must have hash* values calculated for the whole disk, or for each section if incremental imaging is being performed.
● Analysis of partitions. This includes the ability to reconstruct lost partitions. To help with this, CnW will create a virtual boot sector to ensure that no data is actually written to the disk.
● Selection of the partition to be read.
● Read all known good files, and save information on dates and locations on disk, including all data fragments.
● Find all lost files and deleted files - typically by scanning the disk for directory entries (FAT and NTFS). The sector location of each file is logged.
● Find all files in unallocated space.
● *Find data in slack space, including directory slack on NTFS.
● Examine file content to match it with the file extension - detect files that have been renamed.
● Search the disk for data strings - including within compressed NTFS sectors.
● Show data runs for all parts of a fragmented file.
● Locate which file(s) a sector is used in.
● Verify the validity of FATs - correct obvious errors. This is done in memory and never changes the original disk.
● Locate the correct location of a deleted FAT32 file (the upper 16 bits of the cluster number are set to zero when a file is deleted).
● Scan the disk for files based on signature.
● Reconstruct files that have been fragmented but have no cluster allocation details, typically deleted files on a FAT disk.
● *Auxiliary log of all errors found.
● *XML report analysis of recovery results for a batch of recovery procedures.
● *Unerase CD-RW. Contact CnW for a service to recover erased DVD-RW.
* Only part of the Forensic option.
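The deleted-FAT32-file point above is worth seeing in code. The following is an added example, not CnW's code: it decodes a 32-byte FAT32 directory entry read-only in memory, flags a deleted entry whose high cluster word has been zeroed, enumerates every cluster whose low 16 bits still match, and picks the one whose data starts with the expected file signature. The sample entry, the `read_fake_cluster` function and the cluster count are constructed for the demonstration.

```python
import struct

DELETED_MARKER = 0xE5      # first byte of a deleted FAT directory entry
MIN_DATA_CLUSTER = 2       # clusters 0 and 1 are reserved on FAT32
JPEG_SOI = b"\xff\xd8\xff" # JPEG start-of-image signature


def parse_fat32_dir_entry(entry: bytes) -> dict:
    """Decode a 32-byte FAT32 short-name directory entry without touching the disk."""
    if len(entry) != 32:
        raise ValueError("FAT32 directory entries are exactly 32 bytes")
    deleted = entry[0] == DELETED_MARKER
    raw = bytearray(entry[0:11])
    if deleted:
        raw[0] = ord("?")  # the original first character is lost on deletion
    base = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi = struct.unpack_from("<H", entry, 0x14)[0]  # high 16 bits of first cluster
    lo = struct.unpack_from("<H", entry, 0x1A)[0]  # low 16 bits of first cluster
    size = struct.unpack_from("<I", entry, 0x1C)[0]
    return {
        "name": f"{base}.{ext}" if ext else base,
        "attr": entry[11],
        "deleted": deleted,
        "first_cluster": (hi << 16) | lo,
        "size": size,
        # Windows zeroes the high word on deletion, so the real start may be lo + n*65536.
        "high_word_suspect": deleted and hi == 0,
    }


def candidate_first_clusters(lo_word: int, total_clusters: int) -> list:
    """Every cluster in the volume whose low 16 bits equal lo_word."""
    return [c for c in range(lo_word, total_clusters, 1 << 16) if c >= MIN_DATA_CLUSTER]


def resolve_deleted_first_cluster(info: dict, total_clusters: int, read_cluster, signature: bytes):
    """Return the single candidate whose data begins with `signature`, else None (ambiguous)."""
    if not info["high_word_suspect"]:
        return info["first_cluster"]
    lo = info["first_cluster"] & 0xFFFF
    matches = [c for c in candidate_first_clusters(lo, total_clusters)
               if read_cluster(c).startswith(signature)]
    return matches[0] if len(matches) == 1 else None


# Constructed sample: deleted "PHOTO.JPG", high word 0x0000, low word 0x1234, 48123 bytes.
SAMPLE_ENTRY = (b"\xe5HOTO   JPG" + b"\x20" + bytes(8) + struct.pack("<H", 0)
                + bytes(4) + struct.pack("<H", 0x1234) + struct.pack("<I", 48123))
FAKE_CLUSTERS = {135732: JPEG_SOI + b"\xe0\x00\x10JFIF"}  # constructed disk content


def read_fake_cluster(n: int) -> bytes:
    """Stand-in for reading a cluster from a write-blocked image."""
    return FAKE_CLUSTERS.get(n, bytes(16))
```

In a real recovery the candidate list would also be filtered against the FAT, keeping only clusters that are currently free, before the signature check is applied.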
To help an investigation, CnW has useful built-in tools such as instant analysis of certain key sectors, for example MFT records, which are decoded as they are viewed. A data carving function assists in joining partial file fragments together, complementing the automatic procedure built into the Image raw function.
Forensic data recovery does not try to analyse file content, but it will often try to validate a file based on its structure. It will also highlight files where the content does not match the extension, often a 'trick' used to try to hide JPEG files.
For a forensic package, the licence fee of $194.99, including a dongle and the RAID option, is very attractive. The free download does not include the forensic features; please contact CnW for details of how to enable such features for evaluation purposes.