
Thread: Urgent questions about recovering data and information

  1. #11
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    What's properly? How do you know if those have been used properly?
    Basically, because "normal" recovery products such as Recuva won't find anything that is recoverable. If those products or one of the many similar ones is present you can also look at the settings to see what was erased and how it was done.

    Should I use Roadkil, Recuva and Disk invest? What should I do with these tools? What would the "wipe free space" option do, and what software?
    Roadkil is what I use as a last resort as it basically searches the whole drive at a very low level and tries to recover any file or part of a file that it can. It takes a very long time to run and you need a recipient drive the size or bigger than your target drive. I use it when I think that the HDD is about to die, as I will probably only get one chance at recovery.

    Recuva is the simplest to use. If you go into the Wizard it lets you pick file types to look for (e.g. "pictures"); you then select the drive and (if you want) individual folder.

    I would suggest that you download these tools and have a look at the webpages and instructions; then try them out on another machine/drive.
    I am sure that half an hour's hands on experience will answer a lot of your questions, and give you a much better feel for things.

    The Page File is a Windows system file that it uses for a variety of mysterious things. You normally cannot access it if you have booted Windows on that machine as it is locked when Windows starts. In XP look for pagefile.sys in C:\ (that is the root of C) and in C:\Windows. If you look in Control Panel and Advanced Settings you can see how it has been set up. I think that the default is to one or other of those two locations depending on whether you let Windows manage it or you assign manual values. You can also direct it to another HDD if you want.

    If you are going to look at Windows system files, then it would be advisable to have the drive or image slaved to another computer, or use a live CD/DVD. Windows locks a lot of files when it starts.

    Generally, if you are looking for data that is or might be there then use File Investigator and/or Windows Explorer both of which have search functions.

    Things to search for are Index.dat files, .log .tmp .sys .bak and for key words or file types like .jpg .bmp .gif .png for picture files.

    .net, .com and so on for internet addresses.

    The place to look is the entire C:\ drive in the first instance. Obviously, this will be a different drive letter on the system you have slaved it to.

    Is the password in the Page File?
    It might be, or it might simply be held in RAM. It might also be encrypted.

    Where is the file's metadata?
    It is normally a part of the file itself that you don't see when you open it with its proper application.

    To demonstrate this; get a small Word document and open it in notepad.

    Is there any other place to look?
    Possibly The Registry, but as I have suggested the last opened and last modified are more common metrics.

    What software would recover these temporary files? What professional evidence gathering applications would recover that commonly available tools wouldn't?
    EnCase and the two that HYBR|D has suggested. There are doubtless others but I will warn you that these applications are expensive and require expensive training to learn how to use them properly. If you do a Google search for forensics tools you will probably find free stuff to try out.

    Is everything in that Page File?
    No, but it is a potential source of security leaks so it must be a good hunting ground for forensics? I am afraid that there is a lot about Windows that Microsoft don't tell you.

    What would System Restore recover?
    Theoretically it will restore your system to its status on a previous date. I am not sure exactly what it does in the way of user data, but it can certainly restore viruses and other malware.

    What are cluster tips and alternate data streams?
    Cluster tips are the unused part of clusters on your HDD. Say your clusters are 4KB and you save a 6KB file, it will use 2 clusters and the 2KB that isn't used will contain previous data. That is, it will not be overwritten.

    Alternate data streams are another place where sensitive data may hide.

    CCleaner and similar tools are capable of wiping both.

    As a start I would suggest that you look in the recycle bin, then open the web browser and look at history and "favourites" or "bookmarks" also look at the backup files for them.

    Also look to see if there has been a system backup.... this would typically create a backup of user files and folders.

    EDIT:

    What the "wipe free space" option would do, what software?
    Both CCleaner and Eraser have the option to wipe free space. This is the area of the HDD that Windows considers available for use. It thus contains all the files that have been deleted from within Windows but are still on the drive and potentially recoverable. It overwrites this space making any data it contains irrecoverable.
    Last edited by nihil; June 22nd, 2012 at 09:11 PM.
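The cluster-tip arithmetic and the low-level "search the whole drive" recovery that nihil describes above, as an added Python example that is not part of the thread and not any of the tools mentioned: it builds a constructed 8-cluster disk image in memory, computes how much of its last cluster a file leaves untouched, carves a "deleted" JPEG out of free space by its start/end markers, and shows why a plain keyword search still matters when a file's header has been overwritten but its tail survives in the cluster tip. The 4 KB cluster size, the fake JPEG bodies and the OLD-PHOTO / TIP-PHOTO tag strings are all constructed for illustration.

```python
import re

CLUSTER = 4096                 # assumed cluster size (matches the 4KB example in the thread)
JPEG_SOI = b"\xff\xd8\xff"     # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"         # JPEG end-of-image marker


def clusters_needed(file_size: int, cluster: int = CLUSTER) -> int:
    """Number of clusters a file of file_size bytes occupies (ceiling division)."""
    return -(-file_size // cluster)


def slack_bytes(file_size: int, cluster: int = CLUSTER) -> int:
    """Bytes in the file's last cluster that the file does not overwrite (the cluster tip)."""
    if file_size == 0:
        return 0
    return clusters_needed(file_size, cluster) * cluster - file_size


def fake_jpeg(tag: bytes, filler: int) -> bytes:
    """Constructed stand-in for a JPEG: real markers around a zero-filled body and a tag string."""
    return JPEG_SOI + b"\xe0" + b"\x00" * filler + tag + JPEG_EOI


def build_image(cluster: int = CLUSTER) -> bytes:
    """Constructed 8-cluster disk image holding two kinds of leftover data."""
    img = bytearray(cluster * 8)                     # all zeros = never-used space
    # Cluster 2: a photo the user deleted. The directory entry is gone, but nothing
    # has been written over the cluster, so the whole file is still in free space.
    old = fake_jpeg(b"OLD-PHOTO", filler=40)
    img[2 * cluster:2 * cluster + len(old)] = old
    # Cluster 4: a photo that was deleted and then partly overwritten by a new
    # 100-byte note. The note covers only the first 100 bytes of the cluster; the
    # rest is the cluster tip and still holds the tail of the old photo.
    tip = fake_jpeg(b"TIP-PHOTO", filler=120)
    img[4 * cluster:4 * cluster + len(tip)] = tip
    note = b"shopping list: milk, eggs, bread".ljust(100, b" ")
    img[4 * cluster:4 * cluster + len(note)] = note
    return bytes(img)


def carve_jpegs(image: bytes, max_len: int = 1 << 20) -> list:
    """Signature carving: every SOI marker followed by an EOI marker within max_len bytes."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end == -1:                                # header with no usable tail: skip it
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def keyword_hits(image: bytes, pattern: bytes = rb"[A-Z]+-PHOTO") -> list:
    """Keyword search over the raw image, the same idea as searching for .jpg or .com strings."""
    return [(m.start(), m.group()) for m in re.finditer(pattern, image)]


def cluster_of(offset: int, cluster: int = CLUSTER) -> int:
    """Which cluster a byte offset falls in."""
    return offset // cluster


if __name__ == "__main__":
    print("6KB file:", clusters_needed(6 * 1024), "clusters,", slack_bytes(6 * 1024), "bytes of slack")
    image = build_image()
    for off, data in carve_jpegs(image):
        print(f"carved {len(data)}-byte JPEG at offset {off} (cluster {cluster_of(off)})")
    for off, word in keyword_hits(image):
        print(f"keyword {word!r} at offset {off} (cluster {cluster_of(off)}, byte {off % CLUSTER} of that cluster)")
```

The carver recovers only OLD-PHOTO, because the header of TIP-PHOTO was destroyed by the note; the keyword scan still reports TIP-PHOTO at byte 124 of cluster 4, past the 100 bytes the new file owns, which is exactly the slack nihil means by a cluster tip. Carving by signature and keyword searching the raw drive are complementary for that reason.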

  2. #12
    Friend of Site Staff
    Join Date
    May 2012
    Posts
    389

  3. #13
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    Basically, because "normal" recovery products such as Recuva won't find anything that is recoverable. If those products or one of the many similar ones is present you can also look at the settings to see what was erased and how it was done.
    How would Recuva help then?
    Roadkil is what I use as a last resort as it basically searches the whole drive at a very low level and tries to recover any file or part of a file that it can. It takes a very long time to run and you need a recipient drive the size or bigger than your target drive. I use it when I think that the HDD is about to die, as I will probably only get one chance at recovery.
    Can I choose the specific folder the pictures were in to recover the pictures with Roadkil?

    The Page File is a Windows system file that it uses for a variety of mysterious things. You normally cannot access it if you have booted Windows on that machine as it is locked when Windows starts. In XP look for pagefile.sys in C:\ (that is the root of C) and in C:\Windows. If you look in Control Panel and Advanced Settings you can see how it has been set up. I think that the default is to one or other of those two locations depending on whether you let Windows manage it or you assign manual values. You can also direct it to another HDD if you want.

    If you are going to look at Windows system files, then it would be advisable to have the drive or image slaved to another computer, or use a live CD/DVD. Windows locks a lot of files when it starts.
    Can I copy and paste pagefile.sys files and read it on another computer? How?
    Where in Control Panel and Advanced Settings do you set it up?

    It might be or it might simply be held in RAM. It might also be encrypted
    How do I find the email password in the Page File or RAM? If it is encrypted, can I decrypt the password?
    It is normally a part of the file itself that you don't see when you open it with its proper application.

    To demonstrate this; get a small Word document and open it in notepad.
    Where do I find those metadata files? What can I find in those files?

    Possibly The Registry, but as I have suggested the last opened and last modified are more common metrics.
    Where do I find how many times a file has been opened in the Registry?


    Cluster tips are the unused part of clusters on your HDD. Say your clusters are 4KB and you save a 6KB file, it will use 2 clusters and the 2KB that isn't used will contain previous data. That is, it will not be overwritten.

    Alternate data streams are another place where sensitive data may hide.
    Where do I find them and how do I use them?
    As a start I would suggest that you look in the recycle bin, then open the web browser and look at history and "favourites" or "bookmarks" also look at the backup files for them.

    Also look to see if there has been a system backup.... this would typically create a backup of user files and folders.
    Where do I find the backup files for history, favourites and bookmarks?
    Where do I find the system backup files? And how do I open and see what is in those files?

    Thanks

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK, a lot of what I have mentioned depends on how computer aware the user is. If they are your normal average type then normal data recovery techniques might work. If they are pretty well clued up on security and forensics then they almost certainly won't.

    However, there wouldn't be anyone in prison if all criminals knew what they were doing? Even the best make mistakes from time to time?

    How would Recuva help then?
    It will show you deleted files, and what condition they are in from a recovery viewpoint. It does not look at cluster tips as far as I know. If the user has simply deleted the files and emptied the recycle bin then RECUVA is a good enough tool for the job.

    Can I choose the specific folder the pictures were in to recover the pictures with Roadkil?
    I believe that you can with versions 5.0 and higher, but if not, you can just select the partition. It is more of a bulk processing tool, and does find stuff in cluster tips, so I would be inclined to go for all partitions that have been used (I think you said c:/?) as you never know what you might find. I would use RECUVA first though.

    Can I copy and paste pagefile.sys files and read it on another computer? How?
    The short answer is "no", Windows locks the file on bootup, so you have to find a work around:

    1. Boot from a live CD and use it to copy the file.
    2. Slave the drive to another computer, so Windows doesn't lock any files.
    3. With XP (not sure about Vista) go into Control Panel and Advanced Settings and change the "virtual memory" to manual and pick a different size...........this will move it to a new location (root of C:\ I think) but leave the old file there. Reboot and the old file will not be locked. If it is already manual then change it to "let Windows decide", as this will have the same effect apart from the unlocked file being in the other location.

    Where in Control Panel and Advanced Settings do you set it up?
    <START>
    <Control Panel>
    <System>
    <Advanced>
    <Performance> [Click the "settings" button]
    <Advanced> [Tab at the top]
    <Virtual Memory> [Click the "change" button]

    You have the choice of "Custom Size" or "System Managed Size". The size is in Megabytes. If the setting is for system to manage then give the custom size twice the RAM amount in both boxes, then you will easily find which pagefile.sys is the old one............Windows will default to 1.5x.

    How do I find the email password in the Page File or RAM?
    I guess that you won't so you can forget it. You would need a good forensics tool and/or a lot of luck. With RAM you would need to be there inside 30 minutes of access with the right equipment and skills........to be honest I don't know exactly how to do it, only that it can be done.

    Where do I find those metadata files? What can I find in those files?
    They are a hidden part of a normal existing file, where there is any metadata. Office application files usually have metadata, as do pictures.

    Where do I find how many times a file has been opened in the Registry?
    I don't know because I have never actually looked.........try Google for that one?

    Where do I find them and how do I use them?
    If you are good with a hex editor or Disk Investigator you could find them, but it would be a very laborious process. As I suggested earlier, if you run Roadkil against the partition or drive, it will see them and convert them into files for you.

    Where do I find the backup files for history, favourites and bookmarks?
    Sorry, I don't think that you can with IE, as I don't believe that it makes automatic backups like Firefox? If it were done manually then only the user would know.

    Where do I find the system backup files? And how do I open and see what is in those files?
    They could be anywhere; just do a Windows search for *.bak, where * is a wildcard search parameter. They will be very large, as they are single files for each backup.

    If you have made an exact mirror or clone of the original drive then just make a second one. Remove the existing drive and start reinstalling the backups, looking at what appears with each one.

    If the user has simply backed up their files then this is simpler as you can do it on a spare machine and not get all the Windows DRM moaning that you would if they have done a complete system save.

    All this assumes, of course, that you have the media to launch the backup.........
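Where a file's metadata actually lives, as an added Python example that is not from the thread: a modern Word file (.docx, the Office Open XML format) is a zip package, and its docProps/core.xml part records author, last editor, revision count and created/modified times, which is the "hidden part of a normal existing file" nihil refers to. The sample package and every name and date in it are constructed for this example; it is written with the parts stored uncompressed so the strings are visible in the raw bytes, as in the notepad demonstration (real Word files deflate-compress their parts, so you would unzip first).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in Office Open XML packages.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample metadata: the names and dates are made up for this example.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}" xmlns:xsi="{XSI}">
  <dc:title>Holiday notes</dc:title>
  <dc:creator>A. Author</dc:creator>
  <cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2012-06-20T10:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-22T21:11:00Z</dcterms:modified>
</cp:coreProperties>
""".encode()

# The visible document body: what you see when the file is opened in Word.
DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body><w:p><w:r><w:t>Nothing to see here.</w:t></w:r></w:p></w:body>
</w:document>
"""


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-style package: a zip with a body part and a core.xml part."""
    buf = io.BytesIO()
    # ZIP_STORED keeps the parts uncompressed so the strings are visible in the raw
    # bytes, like the notepad demo; real Word files are deflate-compressed.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def extract_core_properties(docx_bytes: bytes) -> dict:
    """Return {property: value} from docProps/core.xml, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for child in root:
        name = child.tag.rsplit("}", 1)[-1]      # strip the XML namespace
        props[name] = (child.text or "").strip()
    return props


def visible_in_raw_bytes(docx_bytes: bytes, needle: str) -> bool:
    """Is the string present in the raw file bytes, i.e. what you would see in notepad?"""
    return needle.encode() in docx_bytes


if __name__ == "__main__":
    sample = build_sample_docx()
    for key, value in extract_core_properties(sample).items():
        print(f"{key:>15}: {value}")
    print("author visible in raw bytes:", visible_in_raw_bytes(sample, "A. Author"))
```

The body text says nothing about who wrote the file or when, but the package carries that alongside it; the same applies to EXIF blocks in pictures. Note that this only works on an intact file: once a file is deleted its metadata is just more bytes on the drive, and recovery comes first.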

  5. #15
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    It will show you deleted files, and what condition they are in from a recovery viewpoint. It does not look at cluster tips as far as I know. If the user has simply deleted the files and emptied the recycle bin then RECUVA is a good enough tool for the job.

    I believe that you can with versions 5.0 and higher, but if not, you can just select the partition. It is more of a bulk processing tool, and does find stuff in cluster tips, so I would be inclined to go for all partitions that have been used (I think you said c:/?) as you never know what you might find. I would use RECUVA first though.
    Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil, or is there a software that can tell you that after recovering those pictures (all pictures on the hard drive)?

    The short answer is "no", Windows locks the file on bootup, so you have to find a work around:

    3. With XP (not sure about Vista) go into Control Panel and Advanced Settings and change the "virtual memory" to manual and pick a different size...........this will move it to a new location (root of C:\ I think) but leave the old file there. Reboot and the old file will not be locked. If it is already manual then change it to "let Windows decide", as this will have the same effect apart from the unlocked file being in the other location.
    Can I change it back after doing that so it is not seen by the user (the change)? What size to pick?


    <START>
    <Control Panel>
    <System>
    <Advanced>
    <Performance> [Click the "settings" button]
    <Advanced> [Tab at the top]
    <Virtual Memory> [Click the "change" button]

    You have the choice of "Custom Size" or "System Managed Size". The size is in Megabytes.
    Where is "Custom Size" or "System Managed Size"?

    If the setting is for system to manage then give the custom size twice the RAM amount in both boxes, then you will easily find which pagefile.sys is the old one............Windows will default to 1.5x
    I don't understand that. You said there is more than one file (pagefile.sys).

    They are a hidden part of a normal existing file, where there is any metadata. Office application files usually have metadata, as do pictures.
    Where do I find this hidden part? Can I find it even if it was deleted?
    Would I be able to recover the pictures from their metadata?

    Sorry, I don't think that you can with IE, as I don't believe that it makes automatic backups like Firefox? If it were done manually then only the user would know.
    How can i recover all of the browser history then?


    They could be anywhere; just do a Windows search for *.bak, where * is a wildcard search parameter. They will be very large, as they are single files for each backup.

    If you have made an exact mirror or clone of the original drive then just make a second one. Remove the existing drive and start reinstalling the backups, looking at what appears with each one.

    If the user has simply backed up their files then this is simpler as you can do it on a spare machine and not get all the Windows DRM moaning that you would if they have done a complete system save.

    All this assumes, of course, that you have the media to launch the backup........
    Can't you just open the .bak file and see what's in it with a software?
    What would be in it that wouldn't be in the computer?

    Thanks

  6. #16
    All the Certs! 11001001's Avatar
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,230
    tl;dr
    Roadkil misses a lot
    Above ground, vertical, and exchanging gasses.
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

  7. #17
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi there Binary Bobby...............I was waiting for you

    Can I change it back after doing that so it is not seen by the user (the change)? What size to pick?
    Now why would you want to do that if your intentions were honourable, and in accordance with the AUP of this site? That isn't forensics, or data recovery even..........that sounds like hacking to me?

    Please explain the situation and your intentions..................

    @BB

    Roadkil misses a lot
    Very true, but I don't think that the OP can afford the alternatives or even the learning curve required.......... and that is notwithstanding evidence acceptability requirements?

    I just suggested what I thought might be the best options for commonly available free stuff, given that my practical experiences have been almost exclusively simple disaster recovery situations.

    A while back an acquaintance did give me a copy of that Microsoft "Coffee" (spelling could be different?) to evaluate for her............... I cannot say that I was that impressed..... have you ever seen it or have any thoughts?
    Last edited by nihil; June 26th, 2012 at 09:46 PM.

  8. #18
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hey, Aaron old chap, I haven't accused anybody of anything now have I?

    But it does seem to me that the OP doesn't really know quite enough for computer forensics.......... so what is it they really want?

    At first I thought High School Senior needs a bit of help................but just look at the follow on questions?

    But not the "how do I hack my g/fs e-mail" that we used to get?

    Please do have a look at the follow on questions...............

  9. #19
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    Hi there Binary Bobby...............I was waiting for you

    Now why would you want to do that if your intentions were honourable, and in accordance with the AUP of this site? That isn't forensics, or data recovery even..........that sounds like hacking to me?

    Please explain the situation and your intentions..................

    @BB
    As the user still uses that computer sometimes, it is necessary that it is not seen until it is known to the user.


    Very true, but I don't think that the OP can afford the alternatives or even the learning curve required.......... and that is notwithstanding evidence acceptability requirements?

    I just suggested what I thought might be the best options for commonly available free stuff, given that my practical experiences have been almost exclusively simple disaster recovery situations.

    A while back an acquaintance did give me a copy of that Microsoft "Coffee" (spelling could be different?) to evaluate for her............... I cannot say that I was that impressed..... have you ever seen it or have any thoughts?
    What are the alternatives?

  10. #20
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    As the user still uses that computer sometimes, it is necessary that it is not seen until it is known to the user.
    I am sorry, I don't understand................how could they know what you do on a clone/mirror/image, such as I told you to create?

    Who do you know who checks the page file.............or even know that it is there and understands what it might do? It just doesn't happen, and even if they did, it would not alert them to anything. After all, we are using an image of the disk aren't we?

    1. Who owns the computer?
    2. How many people currently use it/have access to it?
    3. How many of those have system or local administrator privileges?

    What are the alternatives?
    In your case you have one alternative:

    Employ a professional with the skill-set, experience and tools. Even that doesn't guarantee that they will find anything, if it was never there in the first place, or has been obliterated.
