
Thread: Urgent questions about recovering data and information

  1. #1
    Junior Member
    Join Date
    Jun 2012
    Posts
    7

    Urgent questions about recovering data and information

    I need to recover the following data and information:
    1) Recovering ALL the pictures that have been deleted from a folder
    2) Finding Instant messaging that have been deleted OR not saved
    3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
    4) Finding email password that the user hasn't deleted cookies and history after logging in
    5) Being able to see how many times a file has been opened

    Is it possible? Please help me

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am afraid that your questions are too vague.

    1. What operating system(s)
    2. What internet browser & version(s)
    3. What instant messenger client.
    4. What e-mail client & host
    5. HDD or SSD or both

    And that's just to start with..................

    Basically, if I didn't want you to find any of that stuff...............you wouldn't and most of it I would obliterate every day or just deactivate to stop my machines from fragmenting to hell and choking to death. OK you will still get fragmentation but do you defragment useless garbage?

    We need some more details please.

  3. #3
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    1. Vista and XP
    2. Internet Explorer, not sure about the version(s)
    3. MSN
    4. hotmail.com
    5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?

    Is it possible? How?

  4. #4
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Originally posted by antiforens:
    1. Vista and XP
    2. Internet Explorer, not sure about the version(s)
    3. MSN
    4. hotmail.com
    5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?

    Is it possible? How?

    OK forum people, let's take a look at a few things here.

    First, the OP either knows ingrish as a second language or is a complete moron, n00b, troll, or all three. I give you the following proof in the above quote.

    Now to make things worse, the OP did not follow Spec's wonderful link on how to use google (The french definition was great btw)

    I have a PM from the OP asking me what is so special about EnCase - you know my post with the link to guidancesoftware dot com?

    So the OP isn't very good with:
    English
    Hardware Configuration
    Software Versions
    and/or how to use links and Google...

    AND NO ONE HAS FLAMED THIS ONE YET

    Shame on all of you!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    AND NO ONE HAS FLAMED THIS ONE YET

    Shame on all of you!
    But dino~ ............whenever I do something like that, somebody slaps my wrist

    Anyways, if somebody doesn't understand English that well, it is rather rude to flame, be sarcastic, ironic, facetious or supercilious. Hell! there are five-year-olds in their country who speak their language better than I do ........... well except for when I ask for the bill

    Hell! as you well know, I have upset people on this forum over the years ..... but only if it was a fair fight.

    I do see your point mate! but I am afraid that some people watch too much CSI/NCIS and I think that our pilgrim is one of those?

    BTW to those whom it may concern.......... I am NEVER condescending .... hey, that implies that you take prisoners doesn't it?

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Like he's going to read that ...
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Series #1 Episode #1

    Hi antiforens, and thank you for your reply.

    I am afraid that this will take several posts, given the broad aspects that we have to cover?

    FIRST:

    1. Computer forensics should only be carried out by an accredited professional, if the evidence is to be used in a court of law.

    2. Deleted isn't; it is still there unless overwritten.

    OK Now for the fun stuff.............

    From your last post:

    1. Vista or XP............... OK, they are different. In particular Vista introduced two things from a forensics viewpoint:

    (a) Overwrite existing data on a "clean" or "fresh" install
    (b) An automatically scheduled defragmentation (every Wednesday evening IIRC?)

    Please also remember that Windows (any flavour) has fixed sizes for some temporary files, and once they are full it will start to overwrite from the start. This is how it comes out of the box.

    5. SSD = Solid State Drive, these work differently from the traditional electro-mechanical, magnetic media drives (HDD), in that they do not require defragmentation............they use transistors, so can find fragmented data as fast as defragmented. Windows XP is not an issue, but Vista introduced automatic defragmentation................it should ignore an SSD, but might not.

    2. Internet Explorer...............with XP that should be 7 and have possibly updated to 8. With Vista it should be 8 or 9.

    If a file is defragmented, the utility will use available space......... that can kill forensics evidence stone dead as something that is overwritten even once cannot be recovered by non-destructive means.

    So, my next question is:

    Are you trying to play private detective? because if you are, my advice is to forget it.........you will contaminate the evidence, I assure you.!!!!!

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    season #1 episode #2

    OK, the first thing you would need to do is copy the HDD to a fresh drive.

    I would then run Roadkil's unstoppable copier, as that is non-destructive and doesn't rely on the Windows OS. It literally tries to copy all files that it finds, even if they are damaged, partly overwritten, deleted, or whatever.

    Do not try to recover onto the same HDD as the one you are investigating as Windows might well overwrite stuff you are interested in.

    As mentioned, there are numerous applications for data recovery, but apart from Roadkil's, I don't know of one that will work on a corrupted or damaged drive, and most rely on the Windows MBR/MFT.

    The question would be how have the items been deleted?

    Please look at these:

    http://www.piriform.com/CCLEANER

    http://eraser.heidi.ie/

    If those have been used properly you won't be able to recover anything

    Also:

    http://www.roadkil.net/

    http://www.piriform.com/recuva

    http://download.cnet.com/Disk-Invest...-10255339.html

    I have already mentioned that a deleted file is marked as "free space" by Windows and could be overwritten at any time. You can speed up this process by running the "wipe free space" option in either of the two tools mentioned above.

    You might like to experiment with these tools yourself?

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    season #1 episode #3

    I will try to answer your specific questions, but please bear in mind that it is a few years since I did any detailed research, so this would apply to XP.

    Originally posted by antiforens:
    I need to recover the following data and information:
    1) Recovering ALL the pictures that have been deleted from a folder
    2) Finding Instant messaging that have been deleted OR not saved
    3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
    4) Finding email password that the user hasn't deleted cookies and history after logging in
    5) Being able to see how many times a file has been opened

    #1. Provided that the files have not been overwritten or corrupted then this should be possible, although you can never guarantee "ALL"

    #2. Can't really say as I don't use IM. The usual rules regarding overwriting and wiping will apply, but I suspect that the Page File might leak this information, unless you have it set to be wiped on shutdown, which is not the Windows default setting. I think that your application settings would also influence what got saved.

    #3. Depending on browser settings, wiping and overwriting, I believe that you could retrieve many of the website addresses, but I don't think that you could find the exact pages to view as an image. 3 years.......... that's a long time for temporary data to be held, or for a web page to still exist? I would say that it is theoretically possible in part at least.

    #4. No, I don't think so. Cookies and history shouldn't contain the password, although the Page File might? The way it should work is that the e-mail site will send you a "session authentication" "cookie" which is valid for that session only, and is not reusable; nor can the password be derived from it, as it is not used in generating it. When you close the session or the host closes it due to inactivity, it will no longer work.

    #5. It would depend on the type of file and the application used to open it. For example, opening a file in a hex editor would generally not create a usage record, and using a Linux live CD would go totally undetected by Windows. I think that "date last accessed" is a much more common metric. The first place I would look is in the file's metadata.

    I am basing these answers on using commonly available tools rather than professional evidence gathering applications (I think that EnCase is still the classic?). As you will no doubt appreciate, a lot of this information is stored in temporary files, so you cannot guarantee anything other than to say that it is possible in part at least.

    My personal view is that the two critical areas to look at would be the Page File and System Restore, as these are generally ignored by conventional housekeeping applications. Cluster tips and alternate data streams can also be quite interesting.

    Hope that helps............fire away if you have any questions
    Last edited by nihil; June 22nd, 2012 at 02:33 PM.
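
Added example, not part of nihil's posts and not the code of any tool named in the thread: a minimal header/footer carver showing why a deleted picture is recoverable from a copy of the drive only while its data has not been overwritten. The function names, the 20 MiB search limit and the sample "free space" are assumptions constructed for illustration.

```python
# Added example, not code from the thread: header/footer carving of JPEGs
# from a raw image of a copied drive. Sample data below is constructed.
SOI = b"\xff\xd8\xff"        # JPEG start-of-image plus first byte of next marker
EOI = b"\xff\xd9"            # JPEG end-of-image
MAX_SIZE = 20 * 1024 * 1024  # assumption: stop looking for EOI after 20 MiB


def carve_jpegs(image, max_size=MAX_SIZE):
    """Return [(offset, data or None)] for each JPEG header in the image.

    data is None when no end marker follows within max_size, which is how a
    partly overwritten picture appears. Limitations: fragmented files and
    pictures with embedded thumbnails need a real carving tool.
    """
    found, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            found.append((start, None))
            pos = start + len(SOI)
        else:
            found.append((start, image[start:end + len(EOI)]))
            pos = end + len(EOI)
    return found


def build_sample_image():
    """Constructed 2 KiB of 'free space' holding two deleted pictures."""
    sector = 512
    intact = SOI + b"\xe0" + b"JFIF-constructed-pixels" + EOI
    damaged = SOI + b"\xe0" + b"JFIF-second-picture"  # tail overwritten, EOI gone
    image = bytearray(4 * sector)                     # zero-filled
    image[sector:sector + len(intact)] = intact
    image[3 * sector:3 * sector + len(damaged)] = damaged
    return bytes(image), intact


if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, data in carve_jpegs(image):
        state = f"recovered {len(data)} bytes" if data else "header only, not recoverable"
        print(f"offset {offset}: {state}")
```

The carver only reads the image it is given, so it should be pointed at the copy of the drive, never the original.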

  10. #10
    HYBR|D
    Guest
    If you've got the money, buy helix http://www.e-fense.com/products.php

    or if you know some1 in the law enforcement then get them to acquire Aperio.
