Forensic tools
To carry out any forensic investigation, one must be able to access the media and recover files from it. Investigation often goes further, trying to establish when files were written, which files have been deleted or modified, and what is on the disk but cannot be seen by the standard operating system.
As a forensic investigation tool, CnW Recovery has a significant feature in that it will logically recover files from otherwise damaged or corrupt media. This will give the investigator many files that cannot normally be seen on the disk. In addition, files in unallocated space can also be recovered.
Although CnW Recovery software does not attempt to analyse file content, it will detect files that have been renamed to try to disguise their contents. In particular, most image files can be recognised by a signature rather than by a (false) filename.
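As an added illustration of signature-based detection (not CnW Recovery's code; the signature table, function names and sample files are assumptions constructed for this example), the following Python sweep flags files whose leading bytes identify an image type that the extension does not match:

```python
import os
import tempfile

# Well-known leading-byte signatures -> (type, extensions that honestly match).
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", {".jpg", ".jpeg", ".jpe"}),
    b"\x89PNG\r\n\x1a\n": ("png", {".png"}),
    b"GIF87a": ("gif", {".gif"}),
    b"GIF89a": ("gif", {".gif"}),
    b"II*\x00": ("tiff", {".tif", ".tiff"}),
    b"MM\x00*": ("tiff", {".tif", ".tiff"}),
}

def sniff(header):
    """Return (type, honest extensions) for a recognised header, else None."""
    for magic, info in SIGNATURES.items():
        if header.startswith(magic):
            return info
    return None

def find_disguised_images(root):
    """Return sorted (relative path, type) for image content under a mismatched extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    info = sniff(fh.read(16))
            except OSError:
                continue  # unreadable file: skip it and keep sweeping
            ext = os.path.splitext(name)[1].lower()
            if info and ext not in info[1]:
                hits.append((os.path.relpath(path, root), info[0]))
    return sorted(hits)

def demo():
    """Run the sweep over constructed sample files (not real evidence)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(12),  # honest JPEG
        "notes.txt": b"\x89PNG\r\n\x1a\n" + bytes(8),    # PNG renamed to .txt
        "driver.dll": b"\xff\xd8\xff\xe1" + bytes(12),   # JPEG renamed to .dll
        "readme.txt": b"plain text, no signature",       # genuine text file
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_disguised_images(root)
```

Short signatures such as the two-byte BMP marker are left out of the table because they match ordinary text too easily; a real sweep would confirm such types with further header fields.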
How each type of disk is analysed tends to be different, and so each type is described in sections below. However, common tools are based around the log which gives useful information on
The Forensic Report (Forensic option only) gives details on operations and tests, along with many errors detected. It is generated in XML so that it may be included in a specific report on a particular disk.
A significant feature of using CnW Recovery software for recovery is that it does not use standard functions to recover files. The program is designed to be tolerant of disk errors, and hence also tolerant of deliberate changes made to try to hide data. For instance, changing a boot sector will not necessarily allow a user to lock an area of the disk out. In this instance, it is also possible to modify certain parameters for a restore function so that, for instance, a large area of a disk could be examined.
The forensic option will include recovery of slack space for FAT and NTFS disks. For NTFS disks, this includes slack within the directory.