How is data recovered exactly?

Thread: How is data recovered exactly?

  1. #1
    Socialist Utopia Donkey Punch
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    311

    How is data recovered exactly?

    I am not all too familiar with how computer forensic experts recover data. All I know is this:

    1. The box has to be secured so no damage is done to the data

    2. All the files including hidden, deleted and encrypted files are copied

    My questions for you guys are these:

    1. Securing the data seems easy enough, but what about data that has been purposefully damaged so evidence can be hidden? Also, can prosecutors add an obstruction of justice charge if the accused was in fact trying to destroy the data? Lastly, say for instance somebody was known to use the Internet for crimes, say e-mail and the like, and the accused did get rid of the data, how can prosecutors connect the two?

    When trying to hide or destroy information, how does the forensic investigator recover the data from physically damaged disks? Is there always a way to recover it, or does it come to a point where it cannot be recovered? I know this much... overwriting the disk with hex values and the like may not save you because of swap space... but I could be wrong here.

    2. When copying files from physically damaged disks, how is this done? Is the information copied from the damaged disk to another disk, and how are you assured all the files will be intact and defense lawyers cannot contest planting of evidence?

    How do investigators decrypt encrypted files?

    Thanks for the help.

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I'll try to address these in order.

    Data isn't "copied" per se. It's *officially* (I say officially because it's just a buzz word) called a bit stream copy. It's really just a mirror image of the original disk.

    Securing the data is one of the simplest, yet most botched part of forensics. An improperly imaged disk, or modified data can destroy any case. To my knowledge, obstruction of justice charges can only be applied IF it can be proven that the person in question caused the damage.
    Connecting a person to a crime is difficult and it's also a weak point in the system. Recently there was a kid in Europe that "hacked" a port harbor system in Texas. (I can't remember all of the details.. if someone can dig up the story.. paste it here.) In short, the kid got off because the prosecutors failed to link him to the use of the tools in question. The defense claimed that hackers compromised his system and used his computer as a jump point. Whether this is true or not.. we'll never know. Just like a regular crime.. it must be proven without doubt. This is why the evidence collecting methods are imperative and why chain of evidence is so important.

    How do you recover physically damaged disks... Well it takes money and someone that is damn good with an electron microscope. Typically the hard drive will be put in a clean lab, the covers will be removed and the platters will be removed as well. The platters are then placed under the scope and what is left of them is recovered by determining a 1 or 0. Very tedious..very difficult..VERY expensive.
    The government deems something "unrecoverable" after the 5220 process but I don't think they trust it all that well. The air force has an even more rigorous procedure.

    Having never recovered something from a physically damaged disk I don't know exactly how it's done.
    The chain of evidence is what prevents things from being planted. Never being alone with the evidence, documenting everything..

    here's a little snippet from a website: G) Remember to document everything that goes on! Who did what, how, why, and at what time. Also, make sure that you have your designated custodian for the chain of custody initial each item after double-checking the list you have created AT THE SCENE. So, you have noted the configuration, the components, etc., and then the custodian of the evidence double checks your list and puts his/her initials next to yours while at the scene. It is imperative to do this checking at the scene so as to dispel the possibility of evidence tainting at a later date.

    Decrypting encrypted files is a huge chore. This is partially where the volatile data collection comes into play because the decryption key could potentially be resident in memory. Typically though, things like EFS have recovery keys, and using password crackers is always fun. If you have specific questions regarding decrypting encrypted files I, and others, will try our best to answer them.

    HTH
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
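The two points in the reply above, that a bit stream copy is a sector-for-sector mirror rather than a file copy, and that the chain of custody depends on documenting and verifying every step, can be shown in a few lines. The following is an added example, not code from the original thread or from any tool the poster mentions. It images a constructed in-memory "drive" (a real acquisition would read a block device), hashes source and image so the mirror can be proven identical, and keeps a custody log in which each entry carries the hash of the previous one so later edits to the log itself are detectable. All names and the sample sectors are made up for the example.

```python
"""Bit-stream imaging with hash verification and a tamper-evident custody log.

Added example: the "drive" is a constructed byte string, not a real device.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

BLOCK_SIZE = 512  # read sector by sector, as an imaging tool would

# Constructed sample drive: three sectors, including zero/0xFF padding that
# stands in for slack and deleted data a file copy would miss but a mirror keeps.
SAMPLE_DRIVE = (b"MBR" + b"\x00" * 509
                + b"live file contents" + b"\x00" * 494
                + b"deleted-but-still-on-platter" + b"\xff" * 484)


def bitstream_copy(source: bytes):
    """Mirror every sector of source into an image, hashing as we go.

    Returns (image_bytes, source_sha256, image_sha256); the two digests must
    match for the image to count as a faithful copy.
    """
    src, dst = io.BytesIO(source), io.BytesIO()
    h_src = hashlib.sha256()
    while True:
        block = src.read(BLOCK_SIZE)
        if not block:
            break
        h_src.update(block)
        dst.write(block)
    image = dst.getvalue()
    return image, h_src.hexdigest(), hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the image (e.g. before analysis or in court) and compare."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_custody(log: list, examiner: str, witness: str, action: str,
                   evidence_sha256: str, when: str = None) -> dict:
    """Append a custody entry that records who did what, when, with which
    witness, and the hash of the previous entry (None for the first)."""
    entry = {
        "when": when or datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "witness": witness,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "prev": _entry_hash(log[-1]) if log else None,
    }
    log.append(entry)
    return entry


def custody_log_intact(log: list) -> bool:
    """True if every entry's 'prev' still matches the entry before it."""
    return all(log[i]["prev"] == _entry_hash(log[i - 1])
               for i in range(1, len(log)))


if __name__ == "__main__":
    image, src_hash, img_hash = bitstream_copy(SAMPLE_DRIVE)
    log = []
    append_custody(log, "examiner A", "custodian B", "acquired image", img_hash)
    append_custody(log, "examiner A", "custodian B", "verified image", img_hash)
    print("mirror identical:", src_hash == img_hash)
    print("log intact:", custody_log_intact(log))
```

The hash pair is what lets the examiner answer "how are you assured all the files are intact": any single changed byte in the image, planted or accidental, changes the digest, and the witnessed log entry made at acquisition time records which digest the original had.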

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,429
    if someone can dig up the story..paste it here)
    The story
    ...
    "The Caffrey case suggests that even if no evidence of a computer break-in is unearthed on a suspect's PC, they might still be able to successfully claim that they were not responsible for what their computer does, or what is found on its hard drive."

    The Trojan defence has been successfully used in the UK courts before.

  4. #4
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Thanks neg!

  5. #5
    Socialist Utopia Donkey Punch
    Join Date
    Sep 2004
    Location
    In the basement
    Posts
    311
    heh, now here's another question. How can prosecutors get the info needed to get the evidence needed to know it was not a trojan? Like you said, that would be tough, but can data recovery tools see if the skiddot tools were there, or is that really circumstantial evidence rather than direct?
    In loving memory of my step daughter 1987-2006

    Liberty In North Korea

  6. #6
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I think that's the problem the prosecution had. with something like this, you pretty much need to catch them in the act, or you have to hope there are logs of them saying they used it, or logs of them actually executing it. Most haxors like to brag about what they have done, and you might be able to find it in an email, or a chat log somewhere on the system. What you really have to try to do is build a case based on any piece of evidence you can find that is relevant to what you are trying to prove.

  7. #7
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    In the middle of responding to your post by PM I thought I'd add in a little blurb here that might help some folks out. I went to Mrs |ce, who is in her final term at law school, for the answers to the legal issues raised in the first posting here. Her response was that she's quite sure the laws vary from state to state on most things, and to check a lawyer in your area for the specifics, but in general the following would apply. She also said that this is NOT legal advice and to consult a lawyer if you're in some sort of trouble, because she isn't one, only a student.

    Now that the disclaimer is done, on with the answers:
    1a. Obstruction of Justice is the minimal charge which could apply. More likely the accused would be charged with evidence tampering IF they could prove he destroyed it on his machine.

    1b. Email can be traced back through the sender's isp to the specific ip address from which it was sent. This trace path along with the original message sent is enough to constitute sufficient evidence for arrest and prosecution. This particular law varies from state to state, but in Texas, the above is true. If you're not from Texas, or want to double check Mrs. |ce, please feel free to call your local DA's office.

    2. We both collaborated on the answer to this one, from my techie point of view, and her legal point - here's our interpretation. Techie side - If I remember right, when a computer writes a file to disk, it's stamped with date/time. Even when the file is destroyed, this timestamp is included in the 'trashed' file which can be recovered. It is highly unlikely that a criminal would change the date/time on his machine to tamper with evidence, but it can be done if he thinks to do so. Such tampering can be detected however since there is a 'pattern' in which the computer writes its files to the drive. Although not necessarily in time ascending or descending order, the files are written to a disk in 'space available' and 'end of file' format - meaning it crams the files as tightly as possible in the sequence in which they're received. If a file is obviously out of synch with the others, it's most likely been written at a different time. Exception to this - defrag for efficient use, IF and only IF the files in question haven't yet been deleted, and are used often enough to be moved about on the disk. Again, tampering is possible, but the tamperer would have to be pretty sharp to think of doing this in the correct way. Legal side - evidence tampering is always difficult to prove unless the person is caught in the act of tampering, or the 'tampered' evidence is so deviant from the other evidence that it gets singled out.

    Hope that all helped!
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  8. #8
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    hmm the first response is consistent with what I said.

    The second one is arbitrary because email can be run through remailers that don't keep logs and it can be spoofed.

    You are right about timestamps. They are called MAC times. MAC== modified, accessed, changed. If you are dealing with NTFS partitions then the information is all stored in the MFT. The MFT is a story for another day though.

    Nice to know someone has access to a lawyer!

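Post #7's "techie side" (timestamps survive on the file and a stamp out of step with its neighbours stands out) and post #8's correction that these are the MAC times are illustrated by the added example below; it is not code from either poster. It collects the m/a/c times of every file under a directory with os.stat, flattens them into the time-sorted event list examiners call a timeline, and applies one simple anomaly rule: on a POSIX filesystem, setting mtime by hand (utime) bumps ctime to the current clock, so an mtime later than its own ctime, or later than now, points at a hand-set stamp. The example creates its own scratch directory and pushes one file's mtime into the future to show the rule firing; paths and contents are constructed. The ctime interpretation assumes POSIX semantics (on Windows st_ctime is creation time instead).

```python
"""MAC-time timeline and a simple timestamp-anomaly check (added example)."""
import os
import tempfile
import time


def collect_mac_times(root: str) -> list:
    """One record per file under root with its modified/accessed/changed times."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            records.append({"path": os.path.relpath(path, root),
                            "mtime": st.st_mtime,
                            "atime": st.st_atime,
                            "ctime": st.st_ctime})
    return records


def build_timeline(records: list) -> list:
    """Flatten records into (timestamp, kind, path) events sorted by time."""
    events = [(r[kind], kind, r["path"])
              for r in records for kind in ("mtime", "atime", "ctime")]
    events.sort()
    return events


def suspicious_timestamps(records: list, now: float = None) -> list:
    """Return (path, reasons) for files whose stamps cannot be natural.

    POSIX ctime is set by the kernel on any inode change, including a utime()
    call, so mtime > ctime means mtime was written forward by hand (or the
    clock moved). A one-second slack covers filesystem timestamp granularity.
    """
    now = time.time() if now is None else now
    flagged = []
    for r in records:
        reasons = []
        if r["mtime"] > r["ctime"] + 1:
            reasons.append("mtime later than ctime")
        if r["mtime"] > now + 60:
            reasons.append("mtime in the future")
        if reasons:
            flagged.append((r["path"], reasons))
    return flagged


def demo():
    """Build a scratch tree with one ordinary file and one hand-stamped file."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("ordinary file\n")
        stomped = os.path.join(root, "tool.log")
        with open(stomped, "w") as f:
            f.write("constructed: timestamp set by hand\n")
        # Constructed tampering: push atime and mtime ten years ahead.
        future = time.time() + 10 * 365 * 86400
        os.utime(stomped, (future, future))
        records = collect_mac_times(root)
        return build_timeline(records), suspicious_timestamps(records)


if __name__ == "__main__":
    timeline, flagged = demo()
    for ts, kind, path in timeline:
        print(f"{ts:.0f} {kind} {path}")
    print("flagged:", flagged)
```

The timeline is the "pattern" post #7 alludes to, made explicit: events from one file that sort far away from everything else written around the same time are the ones worth a second look. On NTFS the same idea is applied with the MFT's two timestamp sets, which post #8 leaves for another day.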
  9. #9
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    The fuzz over here do not like it when they are made to bend over and touch their toes, just as much as anywhere in the world.

    The Trojan defence has been successfully used in the UK courts before.
    And boy are they pissed off about it. So we now have a bunch of stuff before the law makers trying to negate this.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    jinxy: I'm interested to know..what is before the law makers?
