Computer Forensics & Data Recovery

I had a case recently where I had basically three hours  from hands on the computer to finding the evidence. If not the bad guy was going to get out of jail. To make things even more interesting the drives were in a RAID 0 configuration.

Well, I removed the drives, hooked them both to a forensic machine with Tableau write blockers. I fired up X-Ways forensics. I went into the feature to reassemble the RAID. After about 10 to 15 minutes of guessing raid striping size and header location settings, I was into the RAID. Thankfully the data was not hidden, deleted, encrypted or anything interesting like that.

I was able to quickly find the evidence in the case with supporting evidence to show personal possession/ knowledge. I still had enough time left to write arrest paperwork and drive to the jail.

Thanks to X-Ways and some quick work…. one more bad guy waiting for his day in court!

This entry was posted on Sunday, March 23rd, 2008 at 5:48 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.