Computer Forensics World :: View topic - Does imaging HDD capture deleted files too?
Does imaging HDD capture deleted files too?

cyber101
Posted: Tue Nov 22, 2016 8:35 pm    Post subject: A 100% free recovery program recommendations?

cybercop wrote:
If all you are trying to do is recover files from a messed up drive, you don't need to go through all that. There are much better tools that are designed just for data recovery. A forensics tool is an over complicated way to do it.

Is there a 100% free data recovery program that you recommend? EaseUS partly recovered the files from the raw USB stick; however, to complete the recovery, i.e. get access to all my files, it wants payment. Something similar to it but free would be great; I'm on a tight budget.
"http://www.easeus.com/resource/raw-usb-drive-recovery.htm"

Thanks in advance.

Moderator Note: Direct links are not allowed.

cybercop
Posted: Tue Nov 22, 2016 9:54 pm

I am pretty sure there is a live CD of the TestDisk Suite which includes PhotoRec. The TestDisk Suite is free OSS.

PreferredUser
Posted: Tue Nov 22, 2016 10:03 pm    Post subject: Re: A 100% free recovery program recommendations?

cyber101 wrote:
Is there a 100% free data recovery program that you recommend?

There are many programs that can be used for data recovery that are free if you have the proper skills. FTK Imager is one of those programs.

cyber101 wrote:
EaseUS partly recovered the files from the raw USB stick; however, to complete the recovery, i.e. get access to all my files, it wants payment. Something similar to it but free would be great; I'm on a tight budget.

If you want to recover the data, you will either need to pay for a program that automagically recovers the data or learn the skills to use the free tools.

At this point you have spent two months posting about this problem; it would seem the data is not that important, so take some time to learn about data carving. It will likely be helpful in the future. Maybe you can rescue lost data for a friend some day. Here is a link to a primer at SANS: "https://www.sans.org/reading-room/whitepapers/forensics/data-carving-concepts-32969"

If you have Linux skills, check out this article that describes some carving tools: "https://help.ubuntu.com/community/DataRecovery"

Handy hint: You should use the forensic image (the E01, E02, etc.) files you created with Imager to work from.

cyber101
Posted: Wed Nov 23, 2016 1:52 pm    Post subject: making an iso of the usb

cybercop wrote:
If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.

Can I make an iso of the usb instead of using other imaging methods?

cybercop
Posted: Wed Nov 23, 2016 9:17 pm

You could, IF you could see the data, which you can't. Raw basically means it has lost its file allocation table. That means there are no pointers to where the files start and stop. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.
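
The reply above says a raw volume has no pointers to where files start and stop, so a recovery tool has to find them by content. The following is an added example, not code from the thread or from any tool named in it: a header/footer signature carver in Python. The function names and the signature table are hypothetical, the sample image is constructed in-line, and only contiguous JPEG and PNG data is handled.

```python
"""Minimal header/footer carver for a raw image that has no usable file system."""
import hashlib

# (type, header magic, footer magic) for two formats with well-known signatures.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_FILE_SIZE = 10 * 1024 * 1024  # give up looking for a footer past this distance


def carve(image: bytes, max_size: int = MAX_FILE_SIZE):
    """Return sorted (offset, type, data) for every header followed by a footer."""
    found = []
    for ftype, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: truncated, fragmented or a false hit.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            # Caveat: the first footer wins, so a JPEG with an embedded
            # thumbnail is cut short; real carvers validate the structure.
            found.append((pos, ftype, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda hit: hit[0])


def build_sample_image() -> bytes:
    """Constructed test data: two tiny fake files buried in filler bytes."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"header-only, no footer"
    return b"\x00" * 512 + jpg + b"\xaa" * 300 + png + b"\x00" * 200 + orphan


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        digest = hashlib.sha256(data).hexdigest()[:16]
        print(f"offset={offset:>6} type={ftype} size={len(data)} sha256={digest}...")
```

The carver reads raw sector data, so an E01 image has to be exported or mounted as a raw (dd-style) image first. Carved files come back without their original names or timestamps, which is why the results have to be sorted through by hand.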

cyber101
Posted: Thu Nov 24, 2016 12:32 am    Post subject: What to do after you imaged the usb with FTK?

cybercop wrote:
. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.

I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside FTK File List and are named as usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.

cybercop
Posted: Thu Nov 24, 2016 4:16 am

At this point, with your obvious lack of ability to do any research on your own, you should just pay someone that does data recovery to recover the files.

SgtJackie
Posted: Fri Nov 25, 2016 12:35 am    Post subject: Re: What to do after you imaged the usb with FTK?

cyber101 wrote:
cybercop wrote:
. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.

I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside FTK File List and are named as usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.

Download a free copy of OS Forensics and open up the E01 file; you should then be able to see the deleted files and just highlight them and download them.

cyber101
Posted: Fri Nov 25, 2016 11:14 am    Post subject: Re: What to do after you imaged the usb with FTK?

SgtJackie wrote:
cyber101 wrote:
cybercop wrote:
. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.

I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside FTK File List and are named as usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.

Download a free copy of OS Forensics and open up the E01 file; you should then be able to see the deleted files and just highlight them and download them.

The 'E' in, say, E01 stands for EnCase or something else or nothing in particular?

PreferredUser
Posted: Fri Nov 25, 2016 3:03 pm    Post subject: Re: What to do after you imaged the usb with FTK?

cyber101 wrote:
The 'E' in, say, E01 stands for EnCase or something else or nothing in particular?

Since you are apparently incapable of searching for the most basic information on your own: "https://lmgtfy.com/?q=forensic+file+formats"

cyber101
Posted: Fri Nov 25, 2016 11:08 pm    Post subject: Re: What to do after you imaged the usb with FTK?

PreferredUser wrote:
cyber101 wrote:
The 'E' in, say, E01 stands for EnCase or something else or nothing in particular?

Since you are apparently incapable of searching for the most basic information on your own: "https://lmgtfy.com/?q=forensic+file+formats"

EnCase's Evidence File (.E01) format

All times are GMT + 10 Hours