June 22nd, 2012, 09:07 PM
Basically, because "normal" recovery products such as Recuva won't find anything that is recoverable. If those products or one of the many similar ones is present you can also look at the settings to see what was erased and how it was done.
What's properly? How do you know if those have been used properly?
Roadkil is what I use as a last resort as it basically searches the whole drive at a very low level and tries to recover any file or part of a file that it can. It takes a very long time to run and you need a recipient drive the size or bigger than your target drive. I use it when I think that the HDD is about to die, as I will probably only get one chance at recovery.
Should i use Roadkil, Recuva and Disk invest? What should i do with these tools? What the "wipe free space" option would do, what software?
Recuva is the simplest to use. If you go into the Wizard it lets you pick file types to look for (e,g, "pictures") you then select the drive and (if you want) individual folder.
I would suggest that you download these tools and have a look at the webpages and instructions; then try them out on another machine/drive.
I am sure that half an hour's hands on experience will answer a lot of your questions, and give you a much better feel for things.
The Page File is a Windows system file that it uses for a variety of mysterious things. You normally cannot access it if you have booted Windows on that machine as it is locked when Windows starts. In XP look for pagefile.sys in C:\ (that is the root of C) and in C:\Windows. If you look in Control Panel and Advanced Settings you can see how it has been set up. I think that the default is to one or other of those two locations depending on whether you let Windows manage it or you assign manual values. You can also direct it to another HDD if you want.
If you are going to look at Windows system files, then it would be advisable to have the drive or image slaved to another computer, or use a live CD/DVD. Windows locks a lot of files when it starts.
Generally, if you are looking for data that is or might be there then use File Investigator and/or Windows Explorer both of which have search functions.
Things to search for are Index.dat files, .log .tmp .sys .bak and for key words or file types like .jpg .bmp .gif .png for picture files.
.net, .com and so on for internet addresses.
The place to look is the entire C:\ drive in the first instance. Obviously, this will be a different drive letter on the system you have slaved it to
It might be or it might simply be held in RAM. It might also be encrypted
Is the password in the Page File ?
It is normally a part of the file itself that you don't see when you open it with its proper application.
Where is the file's metadata?
To demonstrate this; get a small Word document and open it in notepad.
Possibly The Registry, but as I have suggested the last opened and last modified are more common metrics.
Is there any other place to look?
EnCase and the two that HYBR|D has suggested. There are doubtless others but I will warn you that these applications are expensive and require expensive training to learn how to use them properly. If you do a Google search for forensics tools you will probably find free stuff to try out.
What software would recover these temproary files? What professional evidence gathering applications would recover that commonly available tools wouldn't?
No, but it is a potential source of security leaks so it must be a good hunting ground for forensics? I am afraid that there is a lot about Windows that Microsoft don't tell you.
Is everything in that Page File?
Theoretically it will restore your system to its status on a previous date. I am not sure exactly what it does in the way of user data, but it can certainly restore viruses and other malware
What would System Restore recover?
Cluster tips are the unused part of clusters on your HDD. Say your clusters are 4KB and you save a 6KB file, it will use 2 clusters and the 2KB that isn't used will contain previous data. That is, it will not be overwritten.
What are cluster tips and alternate data streams?
Alternate data streams are another place where sensitive data may hide.
CCleaner and similar tools are capable of wiping both.
As a start I would suggest that you look in the recycle bin, then open the web browser and look at history and "favourites" or "bookmarks" also look at the backup files for them.
Also look to see if there has been a system backup.... this would typically create a backup of user files and folders.
Both CCleaner and Eraser have the option to wipe free space. This is the area of the HDD that Windows considers available for use. It thus contains all the files that have been deleted from within Windows but are still on the drive and potentially recoverable. It overwrites this space making any data it contains irrecoverable.
What the "wipe free space" option would do, what software?
Last edited by nihil; June 22nd, 2012 at 10:11 PM.
By cheyenne1212 in forum Miscellaneous Security Discussions
Last Post: February 1st, 2012, 02:51 PM
By ThePreacher in forum Miscellaneous Security Discussions
Last Post: December 14th, 2006, 09:37 PM
By -DaRK-RaiDeR- in forum Newbie Security Questions
Last Post: December 14th, 2002, 08:38 PM
By Noble Hamlet in forum AntiOnline's General Chit Chat
Last Post: March 17th, 2002, 09:38 AM
By E5C4P3 in forum Miscellaneous Security Discussions
Last Post: March 7th, 2002, 07:35 AM