I am not a big fan of “tooting” my own horn, but I have to publicize the accomplishment of a long time goal.

Yesterday, in the Rhoden v Rhoden in the 8th Judicial Circuit of Florida I testified as an expert witness in “Computer Forensics and Cybercrime!” 

Since there is not a universally accepted gold standard in computer forensics certifications, testifying as an expert in court is about the only standard that indicates you have entered the top tier of the field. 

I very pleased to have accomplished a goal I set for myself in 2006.  Hopefully this is just the mid-point of great career in computer forensics.

I have been pleased to review “Active File Recovery.”  The specific version that I reviewed was the “Active Boot Disk” version 4.1.4.  The software is delivered by download.  The process of creating the disk is well documented and straight forward.  Once the disk is created, your license code is already set up on it.

The wonderful thing about this product is that it will support data recovery for the home user that only has one computer and their operating system will no longer boot.  The disk boots a computer into a easy to use interface based on a Microsoft Windows File System.  The file system automatically mounts the file systems of attached drives as different pieces of software are launched.  Great for ease of use, bad for any forensics applications.

As for mounting external drives, to dump data or disk images to, the software performed very well with internal drives and external USB drives.  On my test machine with an e-sata drive attached, the e-sata drive was not detected.

There are actually several different useful utilities that come with the product.  I will go through each.

Active Disk Image:

This is a disk imager utility.  A disk image is just a copy of all the data contained on a drive.  This utility has the ability to copy off and restore the data in a cloning style for the average user.  It also has the ability to produce a dd style image of the drive.  Their is no option for segmenting or hashing.  I did test the validity of the image produced with X-Ways forensics.  It did produce an image whose hash checked.  (This was one test run, not extensive “forensic” testing.)

Active Data CD/DVD Burner:

This utility allows the user to burn data onto CDs or DVDs.

Active Partition Recovery:

Recovering a damaged partition is probably an area that would be pretty confusing for the average user.  Not because the programs interface is bad at all.  Just the subject of what you are doing is pretty technical.  I did go into a test drive and intentionally damage the partition structure to make the drive un-mountable.  I used the partition recovery utility to repair the partition successfully.  The utility basically provides you template partition data and the information from the partition backup.  If these items are in sync, then it recommends to write this partition information onto the primary partition information.

Active File Recovery:

This is probably the bread and butter application of the whole product.  This allows the user to mount and browse an NTFS or a FAT file system.  The application has “quick scan” and “super scan” function.

The “Quick Scan” appears to just read the file systems of any mountable partition displaying existing and deleted files.  These files can then be selected and exported to another attached device.  I tested this functionality in NTFS with existing and deleted files. The application functioned properly.  The interface is intuitive and easy to use.

The “Super Scan” function looks for lost partitions and optionally scans for file signatures.  What this means is that if you have no readable file system at all, the software will look for files based on well known file headers.  The built in file signatures support what most users request in a data recovery job.  If the file type is specialized/ unusual, the user will probably need professional help.

Active Hex Editor:

This is a basic hex editor.  It allows the user to see the raw data on the computer.  This has some use for a data recovery professional.  For the average user, the major use is probably to look and see if the software is seeing data on a drive.

Active Password Changer:

This is for the Windows user who has forgot their password.  This allows the user to clear the password.  Meaning that no password will be required to log into the account after the change.  The software doesn’t warn you though that if the Windows Encrypted File System is in use, this will destroy access to those encrypted files.  I successfully used the utility to change the password on a Windows Vista 64-bit system.

Active Kill Disk:

This application allows the user to wipe free space or to “Kill” and entire disk.  The utility will overwrite the selected areas or the entire drive.  I tested and verified its ability to successfully wipe an entire drive.

Active Partition Manager:

This application allows the user to initialize and format a drive in either NTFS or the FAT file system. The disk offers support for networking and includes a basic web browser.   There is a check box on one of the initial screens on whether you want to enable networking.   I was able to use the the browser to connect to the internet during two machine boot ups.  On other boots I could not. I have no explanation for why.  (Normally this shouldn’t matter.  In data recovery you don’t usually need to access the internet.)

I tried a couple of additional “tricks” using this bootable disk as my Windows system.  I was able to use it as the OS for my X-Ways Foresics software to run from a USB flash drive.  X-Ways gave a couple errors during different operations, but most of the primary features seemed to be working.

I also tried running a few diffrent virus clean-up tools from USB.  I was able to successfully run these.  Running application from this “known” windows enviroment will provide a great computer clean-up platform.

I have to say that I found the software to be extremly user friendly.  It performed as advertised in almost every instance.  The manual is understandable, detailed, and well written.

At $80 dollars, the product is a bit pricey.  CNW Recovery is a much better value for deleted file recovery, if you have a functional computer to use.  If you must have a bootable environment and don’t want to learn Linux, this is the way to go right now!

I just completed a week of training with X-Ways in Washington, DC.   The instructor was the CEO of the company and principal software designer Stefan Fleischmann.  This class is taught all over the world, generally only a couple times a year in the United States.

The class is broken up into two segments, which you can purchase seperately.  The first three days is disigned specifically to teach the student how to use X-Ways Forensics.  The last two days is a file systems course.  Since the segments are very different, I will cover them individually.

X-Ways Forensics Course:

If you have read my previous blogs you know I was already a fan of X-Ways Forensics prior to attending the course.  I knew though that there had to be functionality I was missing out on having not attended the training.  I was right!  lol   I of course had learned a lot of the features through use and reading the manual.  There were areas that I had not really explored that I will probably use in every investigation. 

All students are provided with printed training material, digital copy of training material, a computer, and a copy of X-Ways to use during the course.

The class starts out with an overall tour of the user interface and how to navigate in X-Ways Forensics.  Mr. Fleischmann regularly demonstrates that there is multiple ways to do almost everything in X-Ways.  I gained an appreciation for the phrase: How many ways are there to  _______? “X-Ways”  You have to use the “X” to denote the number of ways to do a task because you can’t easily count them all! That is a bit of joke, but whether you prefer context menus, main menus, or keyboard shortcuts there is probably the choice of doing it your preferred way in X-Ways Forensics.  Additionally, along with all those normal ways there are often sorta hidden short-cuts built in to make common tasks faster.  Once you see theses, there location makes great sense.   But they are one on the kinda of things that are hard to pick up on in a manual, but easy to learn when you see someone do it.

While teaching, Mr. Fleischmann shows students through the tasks that he is performing.  After learning a series of features, Mr. Fleischmann has very well planned out exercises that the students execute on their own.  These are very good at reinforcing what you just learned.  After giving you time to practice, Mr. Fleischmann then leads you through the ideal solution to the exercise.

Mr. Fleischmann starts off each day of class with a review of what was learned the day before.  This is another great adult learning teaching method that reinforces learning. 

There were a wide variety of computer examiners in the course.  Everything from private to the biggest name federal LE agencies.  I did not hear one examiner that was not impressed with the software, Mr. Fleischmann, or the training.

File Systems:

The last two days of the five day course, are a class on file systems.  These two days are very fast paced.  If you don’t come into the class with some knowledge of file systems it is probably to fast to comprehend a lot.  That said, if you come in with some knowledge;  you will leave with a lot more.  Mr. Fleischmann has an amazing knowledge of file systems.  He moves through the MFT in NTFS very fluidly.  He explains all the ends and out.  I don’t mean the usual, “this is a journaling file system that maintain individual entries of each file and their location..”  Mr. Fleishman dives into the actual binary code in example after example, breaking down file entries.   Mr. Fleishman also breaks down and explains other important system files like the $logfile.  I have already used information in this portion of the class to find evidence in a couple cases I would have otherwise missed.

Mr. Fleischmann is nothing short of amazing as an instructor.  He is extremely punctual and efficient throughout the class.  There is not a moment of the course that is not well organized.  He is able to intelligently answer almost any computer question that comes up, no matter how trivial it may be. The course is definitely fast paced, though.  Get your rest, because you will need all your focus. 

This was certainly one of the best computer courses I have had the opportunity to attend.  I would highly recommend it to any computer examiner or data recovery technician!

I wanted tell everyone about a newer piece of data recovery software I have been using/ testing.   It is “CNW Recovery.”  I have been very impressed by the software!

This software has a whole lot of functionality and power “under the hood.”  I have used it in a few cases/recoveries so far. Its results have been most impressive.  For the readers information, my comparrison is to my other software such as Encase, X-ways, R-studio, and an assortment of other data recovery products that I have tested that are targeted at consumers and techs.  Encase and X-ways are obviously much more mature pieces of software with a great deal of emphasis on forensic features.  Most of the “data recovery” software targeted at the consumer market is not very powerful or versatile; and they milk their customers for every dime. (NTFS version, FAT version, CD-ROM version…on and on)  With most of the consumer data recovery products the end user is not getting much for their money in results or functionality.

With CNW Recovery there has been a total departure from the what is the “norm” in consumer data recovery software.  This software is a very powerful piece of data recovery software at reasonable cost.  Currently a 30-day license is only $19.99!  That is a super deal in the data recovery world.

The software actually functions at three different levels.  These descriptions are mine for the reader, not the software authors mind you.

Wizard mode:  This is where the average consumer would work.  The software opens up the a screen that scans your computer for currently existing media.  It asks you to choose what type of media you are working with.  You choose from floppy, hard drive, dd image, cd-rom, flash, DVD, Jazz, or Zip drive.  The software then walks the user through either an extraction of files or creating an image of the drive.  The wizard mode might be somewhat confusing to the computer novice, but if you just trust the software and go through the process it would result in good recovery work.

Manual Mode: The manual mode of the software allows the user to go directly to the various functions.  The major ones are Recover, Partition, Image, View, Properties, and Log.  The recovery mode is where most of the work will be done for data recovery.  This allows the user to use the File Table to recover files.  Partition allows the user to locate the partitions and file tables. Partition also includes the ability to do repair operations on these structures, although I haven’t had the opportunity to test that feature.  View allows the user to see the contents of the drive in a HEX editor sort of view. Properties displays fundamental information about the device.  The log actually provides a print out of all the file names recovered or mapped for recovery including the physical location, parent directory, parent directory location, short file name, and directory path.

This manual mode allows the skilled computer user to do alot of very powerful data recovery.  As far as data recovery work goes, it is very user friendly.

Expert mode:  Although not explicitly a “mode” I wanted to note this usefulness of the program.  Because of how robust the log is in displaying details about the files, if you understand all the data it is delivering the expert can actually jump directly into a hex editor and use the information to start manually carving out the data.

Forensic Edition: CNW is rapidly expanding the features in the forensic side of the software.  While the interface to the data is much different than something like X-ways, it is still very informative.  The logs and pop-ups while scanning the MFT allow a very granular view of the raw data the program in using. This provides for the investigator to have a more in-depth understanding of the data.  While it is not as much of a “point and click” interface, this is actually a good thing for when you are trying to manually validate findings, educate yourself, or prepare for courtroom presentation of the evidence.

Just a couple notes on what I have personally used the program to do with success.

I was able to use the software to carve out previously existing image and videos from an NTFS hard drive.  This resulted in very robust recovery of data.  I compared the recovered data to work done on the same drive with X-ways Forensics.  The recovered data was very consistent.

I used the software in a data recovery job that involved a hard drive with bad sectors, inconsistent reads, and a Master File Table (MFT) that would read very inconsistently due the errors the drive was having.  CNW Recovery was able to read the MFT and retain the MFT information.  I was then able to use CNW Recovery to gather the needed files from the sectors that they mapped to with the MFT.  The recovery was very robust and complete.

A neat feature of CNW Recovery is during recovery work its directory pane maps the directory structure of the drive you are working on, but also shows you the directory structure of the recovery you are working on.  This allows a quick reference to what has been recovered and what still needs to be recovered.

If at any point in using the program you are confused, you can go to the programs manual.  Regardless though, I highly recommend reading this manual if you are interested in data recovery.  The manual is a guide to the software, but CNW has done an awsome job of making their manual an education on data recovery also.  There is a lot of good information within the manual.  It is as beneficial a read as any computer forensic book I have ever purchased.

I can’t say enough positive things about this program, most especially at the current price point!!!  The author has shared with me that he will continue development on the software this year.  I expect the program to be truly amazing with the author’s continued enhancements!

If a consumer is looking for data recovery program, to try a do-it-yourself recovery of data this software would be my first choice.  It is so affordable it is certainly worth trying before seeking out professional data recovery help.