Does imaging HDD capture deleted files too?
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Fri Oct 28, 2016 12:22 pm

You can use pretty much anything to do it. Any Linux distro would have dd which would give you a bit level image.
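
A sketch of the dd route mentioned above, as an added example that is not part of the original post: it takes a bit-level image and checks it against the source by SHA-256. A regular file stands in for the device node, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread). A regular file stands in for the
# device node (e.g. /dev/sdX, a placeholder) so this runs without root.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SRC DST
# Bit-level copy of SRC to DST, recording the image hash beside the image.
# Returns 0 only if the source (hashed before and after) and the image match.
image_and_verify() {
    src=$1; dst=$2
    [ -r "$src" ] || return 2
    pre=$(sha256_of "$src")
    # No conv=sync here: it zero-pads short reads, which changes the image hash.
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 2
    img=$(sha256_of "$dst")
    post=$(sha256_of "$src")
    printf '%s  %s\n' "$img" "$(basename "$dst")" > "$dst.sha256"
    [ "$pre" = "$img" ] && [ "$pre" = "$post" ]
}

# verify_image DST: re-hash an image against the value recorded at acquisition.
verify_image() {
    [ "$(sha256_of "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]
}

# Constructed sample "device": 3 MiB + 100 bytes, so the last dd block is partial.
work=$(mktemp -d)
head -c 3145828 /dev/urandom > "$work/fake_usb.bin"

if image_and_verify "$work/fake_usb.bin" "$work/usb.dd"; then
    echo "image matches source: $(cut -d' ' -f1 "$work/usb.dd.sha256")"
else
    echo "MISMATCH: image does not match source" >&2
fi
```

Hashing the source both before and after the copy also shows whether the source changed while it was being read.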

SgtJackie
Newbie
Joined: Dec 01, 2015
Posts: 19
Location: Aberdeen, Scotland

Posted: Thu Nov 17, 2016 12:42 am    Post subject: Re: image clone first before recovery?

cyber101 wrote:
Should I make an image (clone) of the USB stick first before using any Recovery Software Tools on it? If so, which free open source imaging cloning product do you suggest?

FTK Imager works well and there are free versions.

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Thu Nov 17, 2016 10:07 pm    Post subject: which format the USB stick was in originally?

SgtJackie wrote:
cyber101 wrote:
Should I make an image (clone) of the USB stick first before using any Recovery Software Tools on it? If so, which free open source imaging cloning product do you suggest?

FTK Imager works well and there are free versions.

Are you 100% certain that FTK imager will make an image of a USB stick that is in Raw format (not FAT or NTFS)? Cause that's what I'm trying to do for now before I convert the USB from RAW to FAT. Actually I'm not sure what format it was in originally; if it was in FAT or NTFS.

Q: How do I find out which format the USB stick was in originally?; does it matter?

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Fri Nov 18, 2016 8:17 pm    Post subject: Re: image clone first before recovery?

SgtJackie wrote:
cyber101 wrote:
Should I make an image (clone) of the USB stick first before using any Recovery Software Tools on it? If so, which free open source imaging cloning product do you suggest?

FTK Imager works well and there are free versions.

Is it normal for the USB stick to flash when FTK Imager is taking the image? I had no idea it took ages to complete the imaging process; approaching the 6 hour mark as of writing.

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Sat Nov 19, 2016 9:41 am    Post subject: took 12 hours total

12 hours total including verifying for a 32 GB USB stick. Is this normal? So a 500 GB hard drive would take much longer I suppose?

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sat Nov 19, 2016 11:24 am    Post subject: Re: image clone first before recovery?

cyber101 wrote:
Is it normal for the USB stick to flash when FTK Imager is taking the image?
If the drive has an activity light.

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sat Nov 19, 2016 11:27 am    Post subject: Re: took 12 hours total

cyber101 wrote:
12 hours total including verifying for a 32 GB USB stick. Is this normal? So a 500 GB hard drive would take much longer I suppose?
It depends on the speed of the source and target drive. USB 1.1 to USB 1.1 would be much slower than SATA III SSD to SATA III SSD. There are also other factors that can impact the speed of imaging including, among other things, the size of the segments and compression level.

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Mon Nov 21, 2016 12:11 am    Post subject: Re: took 12 hours total

PreferredUser wrote:
cyber101 wrote:
12 hours total including verifying for a 32 GB USB stick. Is this normal? So a 500 GB hard drive would take much longer I suppose?
It depends on the speed of the source and target drive. USB 1.1 to USB 1.1 would be much slower than SATA III SSD to SATA III SSD. There are also other factors that can impact the speed of imaging including, among other things, the size of the segments and compression level.


Are the dedicated imaging programs like Acronis True Image 2017 etc faster than this?

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Mon Nov 21, 2016 1:11 am    Post subject: Re: took 12 hours total

cyber101 wrote:
Are the dedicated imaging programs like Acronis True Image 2017 etc faster than this?
A "backup" program like the one you mentioned will be faster than a forensic "imaging" program because less data is being copied. Their use of the word "Image" in the product name is misleading to those not familiar with the use of the term in forensics; it is better to reference the description of the software in their claim "The #1 Personal Backup Software".

In short, creating a backup of the logical folders and files on a drive and storing them as a proprietary "image" file will take less time than creating a bit-for-bit forensic image of a drive.

That said, no software can change the reality of physics: a 5400 RPM drive as a source or target drive will be slower than 15,000 RPM enterprise grade drives, which will be slower than SAS or SATA III SSDs.

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Mon Nov 21, 2016 2:03 pm    Post subject: How to tell if you have a logical file after FTK imaging?

PreferredUser wrote:
Are you making a logical copy or a bit-for-bit image?


Q1: I completed the FTK imaging process; how will I know if I made a logical copy of the usb stick and not a bit-for-bit image (I don't recall if I selected physical or logical)? Is there a way to tell by clicking the FTK image files? I only wanted a logical copy of the usb stick as I didn't require the deleted files from the usb stick.
Q2: After clicking "Add Evidence File" what should I select based on previous question to access the files? i.e. physical, logical, image, content of folder

Q3: If I have made a bit-to-bit image, is there a way to identify the non-deleted files from that bit-to-bit image within FTK Imager?

Thanks in advance.

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Mon Nov 21, 2016 10:47 pm    Post subject: Are you 100% sure GetDataBack will work with raw?

cybercop wrote:
If the format isn't recognized and all you need is to get the data back, then you don't need forensics. You need data recovery tools such as GetDataBack for Windows or even photorec on Linux.

Ok I will take your recommendation. Are you 100% sure that GetDataBack will do the job (i.e. recover my files in a raw USB stick)? I can't afford to make a mistake; razor's edge feeling here; tension abound. Is this a free product all the way through the process?

Thanks in advance.


Last edited by cyber101 on Tue Nov 22, 2016 11:20 am; edited 2 times in total

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Mon Nov 21, 2016 10:52 pm    Post subject: after a free product

PreferredUser wrote:

"http://www.easeus.com/resource/raw-usb-drive-recovery.htm"
I was after a free product though; this is not a free product all the way through; had me stoked though when it 'recovered' the files; was worth the trip; thanks anyway.

cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Tue Nov 22, 2016 6:16 am

If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.
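
The point above, shown on a constructed raw image (added example, not part of the original post): a signature scan finds both JPEG headers the same way, with nothing to mark which file had been deleted. The function name and sample bytes are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): why a carver cannot separate "deleted"
# from "live" files once the file system is gone. It only sees byte patterns.

# jpeg_offsets IMAGE: print the byte offset of every JPEG start marker (FF D8 FF).
# Hex-dumps the whole image into one string, so use it on small samples only;
# real recoveries use a carver such as photorec.
jpeg_offsets() {
    od -An -v -tx1 "$1" | tr -d ' \n' | awk '{
        s = $0; base = 0
        while ((i = index(s, "ffd8ff")) > 0) {
            pos = base + i - 1                # zero-based hex-digit index
            if (pos % 2 == 0) print pos / 2   # keep byte-aligned hits only
            s = substr(s, i + 1); base += i
        }
    }'
}

# Constructed sample: a 16 KiB "raw" image with no file system structures.
img=$(mktemp)
dd if=/dev/zero of="$img" bs=4096 count=4 2>/dev/null
# Stand-in for a file that was still allocated ...
printf '\377\330\377\340live-photo\377\331' |
    dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
# ... and for one that had been deleted. Nothing in the bytes says which is which.
printf '\377\330\377\340deleted-photo\377\331' |
    dd of="$img" bs=1 seek=12288 conv=notrunc 2>/dev/null

jpeg_offsets "$img"
```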

cyber101
Newbie
Joined: Sep 22, 2016
Posts: 28
Location: cyberspace

Posted: Tue Nov 22, 2016 10:41 am    Post subject: How to view the recovered files using "Add New Evidence

cybercop wrote:
If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.

Thanks.

I have a number of folders that FTK has labelled E01, E02, E03 etc; these are contained in a folder called 'root'; I presume this is where FTK has recovered the files to. As to the next step with regards to accessing;

File>Add Evidence Item>
which one should I choose?
physical, logical, image, or contents of folder?

Q2: there's another folder called unallocated space; what's that about?

Note: The recovered files are sitting in another new USB not in the HDD.
In other words:
USB 1 (raw format USB)
USB 2 (is where I told FTK to recover the files to from USB 1)

cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Tue Nov 22, 2016 11:26 am

If all you are trying to do is recover files from a messed up drive, you don't need to go through all that. There are much better tools that are designed just for data recovery. A forensics tool is an overcomplicated way to do it.
All times are GMT + 10 Hours