-
June 19th, 2012, 05:50 PM
#1
Junior Member
Urgent questions about recovering data and information
I need to recover the following data and information:
1) Recovering ALL the pictures that have been deleted from a folder
2) Finding Instant messaging that have been deleted OR not saved
3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
4) Finding email password that the user hasn't deleted cookies and history after logging in
5) Being able to see how many times a file has been opened
Is it possible? Please help me
-
June 19th, 2012, 07:17 PM
#2
I am afraid that your questions are too vague.
1. What operating system(s)
2. What internet browser & version(s)
3. What instant messenger client.
4. What e-mail client & host
5. HDD or SSD or both
And that's just to start with..................
Basically, if I didn't want you to find any of that stuff...............you wouldn't and most of it I would obliterate every day or just deactivate to stop my machines from fragmenting to hell and choking to death. OK you will still get fragmentation but do you defragment useless garbage?
We need some more details please.
-
June 20th, 2012, 04:57 PM
#3
Junior Member
1. Vista and XP
2. Internet Explorer, not sure about the version(s)
3. MSN
4. hotmail.com
5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?
Is it possible? How?
-
July 6th, 2012, 06:13 PM
#4
Originally Posted by antiforens
1. Vista and XP
2. Internet Explorer, not sure about the version(s)
3. MSN
4. hotmail.com
5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?
Is it possible? How?
OK forum people, let's take a look at a few things here.
First, the OP either knows ingrish as a second language or is a complete moron, n00b, troll, or all three. I give you the following proof in the above quote.
Now to make things worse, the OP did not follow Spec's wonderful link on how to use Google (the French definition was great btw).
I have a PM from the OP asking me what is so special about EnCase - you know my post with the link to guideancesoftware dot com?
So the OP isn't very good with:
English
Hardware Configuration
Software Versions
and/or how to use links and Google...
AND NO ONE HAS FLAMED THIS ONE YET
Shame on all of you!
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
July 7th, 2012, 07:05 PM
#5
-
June 20th, 2012, 10:16 PM
#6
Like he's going to read that ...
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
June 21st, 2012, 12:34 PM
#7
Series #1 Episode #1
Hi antiforens, and thank you for your reply.
I am afraid that this will take several posts, given the broad aspects that we have to cover?
FIRST:
1. Computer forensics should only be carried out by an accredited professional, if the evidence is to be used in a court of law.
2. Deleted isn't; it is still there unless overwritten.
OK Now for the fun stuff.............
From your last post:
1. Vista or XP............... OK, they are different. In particular Vista introduced two things from a forensics viewpoint:
(a) Overwrite existing data on a "clean" or "fresh" install
(b) An automatically scheduled defragmentation (every Wednesday evening IIRC?)
Please also remember that Windows (any flavour) has fixed sizes for some temporary files, and once they are full it will start to overwrite from the start. This is how it comes out of the box.
5. SSD = Solid State Drive, these work differently from the traditional electro-mechanical, magnetic media drives (HDD), in that they do not require defragmentation............they use transistors, so can find fragmented data as fast as defragmented. Windows XP is not an issue, but Vista introduced automatic defragmentation................it should ignore an SSD, but might not.
2. Internet Explorer...............with XP that should be 7 and have possibly updated to 8. With Vista it should be 8 or 9.
If a file is defragmented, the utility will use available space......... that can kill forensics evidence stone dead as something that is overwritten even once cannot be recovered by non-destructive means.
So, my next question is:
Are you trying to play private detective? because if you are, my advice is to forget it.........you will contaminate the evidence, I assure you.!!!!!
-
June 22nd, 2012, 12:57 PM
#8
season #1 episode #2
OK, the first thing you would need to do is copy the HDD to a fresh drive.
I would then run Roadkil's unstoppable copier, as that is non-destructive and doesn't rely on the Windows OS. It literally tries to copy all files that it finds, even if they are damaged, partly overwritten, deleted, or whatever.
Do not try to recover onto the same HDD as the one you are investigating as Windows might well overwrite stuff you are interested in.
As mentioned, there are numerous applications for data recovery, but apart from Roadkil's, I don't know of one that will work on a corrupted or damaged drive, and most rely on the Windows MBR/MFT.
The question would be how have the items been deleted?
Please look at these:
http://www.piriform.com/CCLEANER
http://eraser.heidi.ie/
If those have been used properly you won't be able to recover anything
Also:
http://www.roadkil.net/
http://www.piriform.com/recuva
http://download.cnet.com/Disk-Invest...-10255339.html
I have already mentioned that a deleted file is marked as "free space" by Windows and could be overwritten at any time. You can speed up this process by running the "wipe free space" option in either of the two tools mentioned above.
You might like to experiment with these tools yourself?
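The point made in the posts above, that a deleted file is only marked as free space and stays recoverable until it is overwritten, and that a "wipe free space" pass ends that, shown as an added example. It is not part of the original posts; the toy disk image, allocation table and function names are all constructed for illustration.

```python
# Added illustration: a constructed toy "disk image", not a real file system.
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512

def carve_jpegs(image: bytes) -> list[tuple[int, bytes]]:
    """Scan raw bytes for SOI..EOI spans, ignoring any file-system metadata."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI))
        if end == -1:
            break                      # truncated or partly overwritten picture
        found.append((start, image[start:end + len(EOI)]))
        pos = end + len(EOI)
    return found

def build_image() -> tuple[bytearray, dict]:
    """Constructed 8-sector image holding one tiny JPEG-like file in sector 3."""
    picture = SOI + b"\xe0" + b"constructed-sample-pixels" + EOI
    disk = bytearray(SECTOR * 8)
    disk[SECTOR * 3:SECTOR * 3 + len(picture)] = picture
    table = {"photo.jpg": {"sector": 3, "allocated": True}}
    return disk, table

def delete(table: dict, name: str) -> None:
    # Deleting only marks the space as free; the data sectors are untouched.
    table[name]["allocated"] = False

def wipe_free_space(disk: bytearray, table: dict) -> None:
    # Overwrite every sector that no allocated file claims.
    used = {e["sector"] for e in table.values() if e["allocated"]}
    for s in range(len(disk) // SECTOR):
        if s not in used:
            disk[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)

def demo():
    disk, table = build_image()
    delete(table, "photo.jpg")
    after_delete = carve_jpegs(bytes(disk))   # still carvable
    wipe_free_space(disk, table)
    after_wipe = carve_jpegs(bytes(disk))     # nothing left to carve
    return after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```

Real pictures span many sectors, may be fragmented, and can contain embedded thumbnails with their own markers, so carving a real image needs more care than this single-sector case.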
-
June 22nd, 2012, 02:09 PM
#9
season #1 episode #3
I will try to answer your specific questions, but please bear in mind that it is a few years since I did any detailed research, so this would apply to XP.
I need to recover the following data and information:
1) Recovering ALL the pictures that have been deleted from a folder
2) Finding Instant messaging that have been deleted OR not saved
3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
4) Finding email password that the user hasn't deleted cookies and history after logging in
5) Being able to see how many times a file has been opened
#1. Provided that the files have not been overwritten or corrupted then this should be possible, although you can never guarantee "ALL"
#2. Can't really say as I don't use IM. The usual rules regarding overwriting and wiping will apply, but I suspect that the Page File might leak this information, unless you have it set to be wiped on shutdown, which is not the Windows default setting. I think that your application settings would also influence what got saved.
#3. Depending on browser settings, wiping and overwriting, I believe that you could retrieve many of the website addresses, but I don't think that you could find the exact pages to view as an image. 3 years.......... that's a long time for temporary data to be held, or for a web page to still exist? I would say that it is theoretically possible in part at least.
#4. No, I don't think so. Cookies and history shouldn't contain the password, although the Page File might? The way it should work is that the e-mail site will send you a "session authentication" "cookie" which is valid for that session only, and is not reusable; nor can the password be derived from it, as it is not used in generating it. When you close the session or the host closes it due to inactivity, it will no longer work.
#5. It would depend on the type of file and the application used to open it. For example, opening a file in a hex editor would generally not create a usage record, and using a Linux live CD would go totally undetected by Windows. I think that "date last accessed" is a much more common metric. The first place I would look is in the file's metadata.
I am basing these answers on using commonly available tools rather than professional evidence gathering applications (I think that EnCase is still the classic?). As you will no doubt appreciate, a lot of this information is stored in temporary files, so you cannot guarantee anything other than to say that it is possible in part at least.
My personal view is that the two critical areas to look at would be the Page File and System Restore, as these are generally ignored by conventional housekeeping applications. Cluster tips and alternate data streams can also be quite interesting.
Hope that helps............fire away if you have any questions
Last edited by nihil; June 22nd, 2012 at 02:33 PM.
-
June 22nd, 2012, 03:06 PM
#10
If you've got the money, buy Helix http://www.e-fense.com/products.php
or if you know someone in law enforcement then get them to acquire Aperio.