Results 1 to 10 of 31

Threaded View

  1. #12
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    What's properly? How do you know if those have been used properly?
    Basically, because "normal" recovery products such as Recuva won't find anything that is recoverable. If those products or one of the many similar ones is present you can also look at the settings to see what was erased and how it was done.

    Should i use Roadkil, Recuva and Disk invest? What should i do with these tools? What the "wipe free space" option would do, what software?
    Roadkil is what I use as a last resort as it basically searches the whole drive at a very low level and tries to recover any file or part of a file that it can. It takes a very long time to run and you need a recipient drive the size or bigger than your target drive. I use it when I think that the HDD is about to die, as I will probably only get one chance at recovery.

    Recuva is the simplest to use. If you go into the Wizard it lets you pick file types to look for (e,g, "pictures") you then select the drive and (if you want) individual folder.

    I would suggest that you download these tools and have a look at the webpages and instructions; then try them out on another machine/drive.
    I am sure that half an hour's hands on experience will answer a lot of your questions, and give you a much better feel for things.

    The Page File is a Windows system file that it uses for a variety of mysterious things. You normally cannot access it if you have booted Windows on that machine as it is locked when Windows starts. In XP look for pagefile.sys in C:\ (that is the root of C) and in C:\Windows. If you look in Control Panel and Advanced Settings you can see how it has been set up. I think that the default is to one or other of those two locations depending on whether you let Windows manage it or you assign manual values. You can also direct it to another HDD if you want.

    If you are going to look at Windows system files, then it would be advisable to have the drive or image slaved to another computer, or use a live CD/DVD. Windows locks a lot of files when it starts.

    Generally, if you are looking for data that is or might be there then use File Investigator and/or Windows Explorer both of which have search functions.

    Things to search for are Index.dat files, .log .tmp .sys .bak and for key words or file types like .jpg .bmp .gif .png for picture files.

    .net, .com and so on for internet addresses.

    The place to look is the entire C:\ drive in the first instance. Obviously, this will be a different drive letter on the system you have slaved it to

    Is the password in the Page File ?
    It might be or it might simply be held in RAM. It might also be encrypted

    Where is the file's metadata?
    It is normally a part of the file itself that you don't see when you open it with its proper application.

    To demonstrate this; get a small Word document and open it in notepad.

    Is there any other place to look?
    Possibly The Registry, but as I have suggested the last opened and last modified are more common metrics.

    What software would recover these temproary files? What professional evidence gathering applications would recover that commonly available tools wouldn't?
    EnCase and the two that HYBR|D has suggested. There are doubtless others but I will warn you that these applications are expensive and require expensive training to learn how to use them properly. If you do a Google search for forensics tools you will probably find free stuff to try out.

    Is everything in that Page File?
    No, but it is a potential source of security leaks so it must be a good hunting ground for forensics? I am afraid that there is a lot about Windows that Microsoft don't tell you.

    What would System Restore recover?
    Theoretically it will restore your system to its status on a previous date. I am not sure exactly what it does in the way of user data, but it can certainly restore viruses and other malware

    What are cluster tips and alternate data streams?
    Cluster tips are the unused part of clusters on your HDD. Say your clusters are 4KB and you save a 6KB file, it will use 2 clusters and the 2KB that isn't used will contain previous data. That is, it will not be overwritten.

    Alternate data streams are another place where sensitive data may hide.

    CCleaner and similar tools are capable of wiping both.

    As a start I would suggest that you look in the recycle bin, then open the web browser and look at history and "favourites" or "bookmarks" also look at the backup files for them.

    Also look to see if there has been a system backup.... this would typically create a backup of user files and folders.


    What the "wipe free space" option would do, what software?
    Both CCleaner and Eraser have the option to wipe free space. This is the area of the HDD that Windows considers available for use. It thus contains all the files that have been deleted from within Windows but are still on the drive and potentially recoverable. It overwrites this space making any data it contains irrecoverable.
    Last edited by nihil; June 22nd, 2012 at 09:11 PM.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 01:51 PM
  2. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 08:37 PM
  3. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 07:38 PM
  4. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 08:38 AM
  5. Information Leakage from Optical Emanations
    By E5C4P3 in forum Miscellaneous Security Discussions
    Replies: 5
    Last Post: March 7th, 2002, 06:35 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.