
Thread: Urgent questions about recovering data and information

  1. #1
    Junior Member
    Join Date
    Jun 2012
    Posts
    7

    Urgent questions about recovering data and information

    I need to recover the following data and information:
    1) Recovering ALL the pictures that have been deleted from a folder
    2) Finding Instant messaging that have been deleted OR not saved
    3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
    4) Finding email password that the user hasn't deleted cookies and history after logging in
    5) Being able to see how many times a file has been opened

    Is it possible? Please help me

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I am afraid that your questions are too vague.

    1. What operating system(s)
    2. What internet browser & version(s)
    3. What instant messenger client.
    4. What e-mail client & host
    5. HDD or SSD or both

    And that's just to start with..................

    Basically, if I didn't want you to find any of that stuff...............you wouldn't and most of it I would obliterate every day or just deactivate to stop my machines from fragmenting to hell and choking to death. OK you will still get fragmentation but do you defragment useless garbage?

    We need some more details please.

  3. #3
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    1. Vista and XP
    2. Internet Explorer, not sure about the version(s)
    3. MSN
    4. hotmail.com
    5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SSD means it is not inside?

    Is it possible? How?

  4. #4
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    like he's going to read that ...
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Series #1 Episode #1

    Hi antiforens, and thank you for your reply.

    I am afraid that this will take several posts, given the broad aspects that we have to cover?

    FIRST:

    1. Computer forensics should only be carried out by an accredited professional, if the evidence is to be used in a court of law.

    2. Deleted isn't; it is still there unless overwritten.

    OK Now for the fun stuff.............

    From your last post:

    1. Vista or XP............... OK, they are different. In particular Vista introduced two things from a forensics viewpoint:

    (a) Overwrite existing data on a "clean" or "fresh" install
    (b) An automatically scheduled defragmentation (every Wednesday evening IIRC?)

    Please also remember that Windows (any flavour) has fixed sizes for some temporary files, and once they are full it will start to overwrite from the start. This is how it comes out of the box.

    5. SSD = Solid State Drive, these work differently from the traditional electro-mechanical, magnetic media drives (HDD), in that they do not require defragmentation............they use transistors, so can find fragmented data as fast as defragmented. Windows XP is not an issue, but Vista introduced automatic defragmentation................it should ignore an SSD, but might not.

    2. Internet Explorer...............with XP that should be 7 and have possibly updated to 8. With Vista it should be 8 or 9.

    If a file is defragmented, the utility will use available space......... that can kill forensics evidence stone dead as something that is overwritten even once cannot be recovered by non-destructive means.

    So, my next question is:

    Are you trying to play private detective? because if you are, my advice is to forget it.........you will contaminate the evidence, I assure you.!!!!!

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    season #1 episode #2

    OK, the first thing you would need to do is copy the HDD to a fresh drive.

    I would then run Roadkil's unstoppable copier, as that is non-destructive and doesn't rely on the Windows OS. It literally tries to copy all files that it finds, even if they are damaged, partly overwritten, deleted, or whatever.

    Do not try to recover onto the same HDD as the one you are investigating as Windows might well overwrite stuff you are interested in.

    As mentioned, there are numerous applications for data recovery, but apart from Roadkil's, I don't know of one that will work on a corrupted or damaged drive, and most rely on the Windows MBR/MFT.

    The question would be how have the items been deleted?

    Please look at these:

    http://www.piriform.com/CCLEANER

    http://eraser.heidi.ie/

    If those have been used properly you won't be able to recover anything

    Also:

    http://www.roadkil.net/

    http://www.piriform.com/recuva

    http://download.cnet.com/Disk-Invest...-10255339.html

    I have already mentioned that a deleted file is marked as "free space" by Windows and could be overwritten at any time. You can speed up this process by running the "wipe free space" option in either of the two tools mentioned above.

    You might like to experiment with these tools yourself?

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    season #1 episode #3

    I will try to answer your specific questions, but please bear in mind that it is a few years since I did any detailed research, so this would apply to XP.

    I need to recover the following data and information:
    1) Recovering ALL the pictures that have been deleted from a folder
    2) Finding Instant messaging that have been deleted OR not saved
    3) Being able to VIEW all the websites (Being able to view the website pages) that the user has been visiting for the last 3 years, which have been deleted (cookies and history deleting)
    4) Finding email password that the user hasn't deleted cookies and history after logging in
    5) Being able to see how many times a file has been opened
    #1. Provided that the files have not been overwritten or corrupted then this should be possible, although you can never guarantee "ALL"

    #2. Can't really say as I don't use IM. The usual rules regarding overwriting and wiping will apply, but I suspect that the Page File might leak this information, unless you have it set to be wiped on shutdown, which is not the Windows default setting. I think that your application settings would also influence what got saved.

    #3. Depending on browser settings, wiping and overwriting, I believe that you could retrieve many of the website addresses, but I don't think that you could find the exact pages to view as an image. 3 years.......... that's a long time for temporary data to be held, or for a web page to still exist? I would say that it is theoretically possible in part at least.

    #4. No, I don't think so. Cookies and history shouldn't contain the password, although the Page File might?. The way it should work is that the e-mail site will send you a "session authentication" "cookie" which is valid for that session only, and is not reusable; nor can the password be derived from it, as it is not used in generating it. When you close the session or the host closes it due to inactivity, it will no longer work.

    #5. It would depend on the type of file and the application used to open it. For example, opening a file in a hex editor would generally not create a usage record, and using a Linux live CD would go totally undetected by Windows. I think that "date last accessed" is a much more common metric. The first place I would look is in the file's metadata.

    I am basing these answers on using commonly available tools rather than professional evidence gathering applications (I think that EnCase is still the classic?). As you will no doubt appreciate, a lot of this information is stored in temporary files, so you cannot guarantee anything other than to say that it is possible in part at least.

    My personal view is that the two critical areas to look at would be the Page File and System Restore, as these are generally ignored by conventional housekeeping applications. Cluster tips and alternate data streams can also be quite interesting.

    Hope that helps............fire away if you have any questions
    Last edited by nihil; June 22nd, 2012 at 02:33 PM.
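
An added illustration, not part of nihil's posts and not the internals of Recuva or Roadkil's tools: signature carving over a raw copy of a drive, which shows why a deleted picture comes back only while its bytes are intact. The function names and the sample image are constructed for this example; the "JPEGs" are structural skeletons, not viewable pictures.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

def _walk_segments(image, start, max_size):
    """Follow the marker segments after SOI; return end offset or None."""
    p = start + 2
    while p + 4 <= len(image) and p - start < max_size:
        if image[p] != 0xFF:
            return None                      # header chain broken: overwritten
        marker = image[p + 1]
        (length,) = struct.unpack(">H", image[p + 2:p + 4])
        if length < 2:
            return None
        p += 2 + length                      # skips EXIF thumbnails as well
        if marker == SOS:                    # compressed data runs to the EOI marker
            eoi = image.find(EOI, p, start + max_size)
            return None if eoi == -1 else eoi + 2
    return None

def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Return [(offset, bytes)] for each structurally intact JPEG in a raw image."""
    found, pos = [], 0
    while (start := image.find(SOI + b"\xff", pos)) != -1:
        end = _walk_segments(image, start, max_size)
        if end is None:
            pos = start + 2                  # damaged candidate, keep scanning
        else:
            found.append((start, image[start:end]))
            pos = end
    return found

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_image():
    """Constructed data: JPEG-shaped skeletons (not viewable pictures) in free space."""
    jpeg = (SOI + _seg(0xE0, b"JFIF\x00" + bytes(9)) + _seg(0xDB, bytes(65))
            + _seg(SOS, bytes(10)) + b"\x12\x34" * 40 + EOI)
    damaged = bytearray(jpeg)
    damaged[10:40] = b"\xaa" * 30            # later write landed on part of the file
    gap = bytes(512)
    return gap + jpeg + gap + bytes(damaged) + gap, jpeg

if __name__ == "__main__":
    image, original = build_sample_image()
    for offset, data in carve_jpegs(image):
        print(f"intact JPEG at offset {offset}, {len(data)} bytes")
```

Run it against a read-only copy of the drive image, never the original disk; the second sample file is rejected because 30 of its bytes were overwritten after deletion.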

  8. #8
    HYBR|D
    Guest
    If you've got the money, buy helix http://www.e-fense.com/products.php

    or if you know someone in the law enforcement then get them to acquire Aperio.

  9. #9
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    http://www.piriform.com/CCLEANER

    http://eraser.heidi.ie/

    If those have been used properly you won't be able to recover anything
    What's properly? How do you know if those have been used properly?
    Also:

    http://www.roadkil.net/

    http://www.piriform.com/recuva

    http://download.cnet.com/Disk-Invest...-10255339.html

    I have already mentioned that a deleted file is marked as "free space" by Windows and could be overwritten at any time. You can speed up this process by running the "wipe free space" option in either of the two tools mentioned above.

    You might like to experiment with these tools yourself?
    Should I use Roadkil, Recuva and Disk invest? What should I do with these tools? What the "wipe free space" option would do, what software?

    #1. Provided that the files have not been overwritten or corrupted then this should be possible, although you can never guarantee "ALL"
    What software would recover the picture? Can I choose to recover the specific folder the pictures were in?
    #2. Can't really say as I don't use IM. The usual rules regarding overwriting and wiping will apply, but I suspect that the Page File might leak this information, unless you have it set to be wiped on shutdown, which is not the Windows default setting. I think that your application settings would also influence what got saved.
    What's Page File? Where is it? What software would recover these?

    #3. Depending on browser settings, wiping and overwriting, I believe that you could retrieve many of the website addresses, but I don't think that you could find the exact pages to view as an image. 3 years.......... that's a long time for temporary data to be held, or for a web page to still exist? I would say that it is theoretically possible in part at least.
    What software would recover these? Where should I look for it with the software?
    #4. No, I don't think so. Cookies and history shouldn't contain the password, although the Page File might?. The way it should work is that the e-mail site will send you a "session authentication" "cookie" which is valid for that session only, and is not reusable; nor can the password be derived from it, as it is not used in generating it. When you close the session or the host closes it due to inactivity, it will no longer work.
    Is the password in the Page File ? Where is the Page File?
    #5. It would depend on the type of file and the application used to open it. For example, opening a file in a hex editor would generally not create a usage record, and using a Linux live CD would go totally undetected by Windows. I think that "date last accessed" is a much more common metric. The first place I would look is in the file's metadata.
    Where is the file's metadata? Is there any other place to look?
    The file hasn't been opened in a hex editor or a Linux Live CD.

    I am basing these answers on using commonly available tools rather than professional evidence gathering applications (I think that EnCase is still the classic?). As you will no doubt appreciate, a lot of this information is stored in temporary files, so you cannot guarantee anything other than to say that it is possible in part at least.
    What software would recover these temporary files? What professional evidence gathering applications would recover that commonly available tools wouldn't?
    My personal view is that the two critical areas to look at would be the Page File and System Restore, as these are generally ignored by conventional housekeeping applications. Cluster tips and alternate data streams can also be quite interesting.
    Where's Page File? Is everything in that Page File?
    What would System Restore recover?

    What are cluster tips and alternate data streams?

    Thanks for your help

  10. #10
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Simple

    http://www.guidancesoftware.com/encase-forensic.htm

    Although you might want to figure out what metadata is and figure out that page file thing first. May I suggest google for your metadata and page file needs.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0
