Archive for the ‘Computer Forensics’ Category

Viewing Recovered Files

Sunday, August 3rd, 2008

After a hard drive crash, I repair the drive. I then extract out the needed data files. Sometimes, these files have to be recovered through data carving. They will get assigned random names like 14583.doc or 184893.jpg. Well, you can imagine these names are not real useful for my clients.

I was recently introduced to a program called Directory Opus. This is a very of Windows Explorer to view files. The awesome thing about it for data recovery is that it shows file metadata. If you don’t know, Microsoft Word documents and others have things like their title and author embedded in the document. Well, with Directory Opus you can see all this data in the file tree. It will also show the EXIF data associated with photos. The user can drill down into zip archives to see what they contain.

It also has a nice dual pane interface to allow files to be moved about onto the new locations the client needs them. It has advanced ways to automate the process for the client that wants to put in some more time learning how to operate the program.

The software comes with a free 30 day trial. That should be plenty of time to get your recovered files straightened out.

Before someone writes in and tells me… I know you can view these same file properties in Windows Explorer…just not in the default view. To view the metadata in Windows Explorer, just go to the top of the view pane where you see the column titles, right click, and a list of attributes the user can add to the view will show up. Just left click on title, author, or whatever else you would like to add. This way is completely free with no new install… whichever you like. Directory Opus is prettier though :)

Happy file browsing!
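The same idea can be scripted for a folder of carved files. This is an added example, not part of the original post: it reads the embedded title and author from OOXML packages (.docx and similar) and proposes a readable name while keeping the carved number for traceability. The function names are hypothetical, the sample file is constructed, and legacy .doc files use a different container that this sketch does not parse.

```python
import re
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path
from xml.sax.saxutils import escape

# Namespaces used by docProps/core.xml inside OOXML (.docx/.xlsx/.pptx) packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
MAX_CORE_XML = 1_000_000  # refuse oversized metadata parts from damaged or hostile files

def core_properties(path):
    """Return {'title': ..., 'creator': ...} from an OOXML file, or {} if unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            if zf.getinfo("docProps/core.xml").file_size > MAX_CORE_XML:
                return {}
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, KeyError, ET.ParseError, OSError):
        return {}  # truncated carve, not an OOXML package, or no metadata part
    props = {}
    for key, tag in (("title", "dc:title"), ("creator", "dc:creator")):
        node = root.find(tag, NS)
        if node is not None and node.text and node.text.strip():
            props[key] = node.text.strip()
    return props

def suggest_name(path):
    """Propose a readable name. Embedded metadata is untrusted, so it is sanitized
    and the carved name is kept in brackets to preserve traceability."""
    path = Path(path)
    title = core_properties(path).get("title")
    if not title:
        return path.name  # nothing usable: keep the carved name
    safe = re.sub(r"[^A-Za-z0-9 ._-]+", "_", title)[:80].strip(" ._")
    return f"{safe} [{path.stem}]{path.suffix}" if safe else path.name

def build_sample(path, title):
    """Write a constructed, minimal OOXML-style package (sample data, not a real .docx)."""
    xml = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
           f"<dc:title>{escape(title)}</dc:title>"
           "<dc:creator>Constructed Author</dc:creator></cp:coreProperties>")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("docProps/core.xml", xml)
```

The script only proposes names; apply them to a working copy, not to the recovered originals.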

Internet Undercover Investigations

Sunday, August 3rd, 2008

I just completed the Internet Crimes Against Children (ICAC) undercover investigations course. It was a very good class. The class was held in Denver, Colorado. I went up to the town of Boulder a couple of times. The town of Boulder really is beautiful.

As far as the class.. other than to say it is a good course.. this is one I really can’t talk about.

NW3C Basic Data Recovery and Acquisition

Tuesday, July 22nd, 2008

I just completed the Basic Data Recovery and Acquisition (BDRA) course offered by NW3C in Miami, Florida.

The class is a combination of technical training on the FAT file systems and the acquisition of disk images. A third of the class time is devoted to labs that involve in-depth looks at, and experience with, the technical areas covered in class. The labs are excellent reinforcers of the technical material.

There are two instructors present at all times in the course. The second instructor is moving through the room and helping students while another is leading the exercises. This is a very efficient method of instruction used.

The course planning for the class is OUTSTANDING. It was the most well planned class for law enforcement that I have ever attended. Every PowerPoint slide is clear, concise, and to the point. The graphics used to explain points are visually appealing along with representing the technical point in question. The labs are planned out to every last keystroke. The class is perfectly timed to fit the schedule.

The instructors were knowledgeable, approachable, and entertaining. They are clearly teaching computer forensics because it is something they enjoy. They are happy to be passing on their knowledge.

I hope to be able to attend more NW3C courses. Especially to someone new to computer forensics, the course would be highly valuable. I recommend the training. (FYI… It is law enforcement only.)

Certified Data Recovery Professional

Saturday, July 5th, 2008

I just attended a training by Infosec in Washington, D.C.  The training was specifically on data recovery.

The first two days of the training focused on the physical function/ repair of hard drives.  We learned about how the drive functions internally.  We then began the hands on repair of the drives.  We also learned to evaluate the sounds of a malfunctioning hard drive.

We then moved on to the various software tools that can be used to repair/read the data that has been salvaged from a crashed drive.  We performed multiple labs with the various pieces of software.  We even did a few RAID repairs.  Not surprisingly to me, or to you if you have read my blog, X-Ways Forensics was one of the most highly regarded tools.

The class ended with a sort of seminar on solid state drives.  This provided a lot of knowledge on how the drives function internally.  Without going into a lot of technical detail, I can tell you the opinion I came to.  If you are going to use a solid state drive, beware of a failure.  If a solid state drive fails, your data is basically gone.  Data recovery on those drives, at least for now, is going to be very technical and expensive.  If your data is retrievable at all, you better send it to a fleet of electrical engineers to get it back.

The class ended with an exam to be a Certified Data Recovery Professional.  I passed the exam with a 96% !!  I was happy.  All my studying about drives and data recovery has paid off I guess.

The set of students in my class was a mix of military, IT network admins, forensic examiners, and data recovery business owners.  It was an impressive crowd.  I learned a lot from the in and out of class discussions.  Specifically, I learned some great info on the business of running a data recovery shop.

I am very excited to bring all of this information back to the Crystal River, Gainesville, Ocala, and Lake City area of North Florida.

I do have to warn other techs though…. I would think hard about whether to attend the course, unless Infosec reduces the price from the $3,200 to $3,800 dollar mark it is at now.  There really wasn’t much in the way of material that you couldn’t learn yourself with diligent research and study.  Then of course, working on hard drives and playing with software on your own.  The class would be good though if you wanted to skip this study on your own, and just have the material given to you.  The more you know about data recovery walking into the class… the less thrilled you will be with your money being gone.

Parental Control and Monitoring Software

Wednesday, May 7th, 2008

I was asked recently to find a parental control/monitoring software for an agency to recommend to parents.  In looking at a lot of software that is somewhat expensive for the average family with kids, I found Crawler Parental Control.  This software is FREE.

I installed the software.  I did some initial testing with it.  It looks very good.  The software has computer usage controls.  The program will even save screenshots and email user activity logs.

The usage controls by time are VERY important.  What I have seen time and again in law enforcement.. is kids getting in trouble online after mom and dad are in the bed.  This is especially bad if the computer is in junior’s room.  (Something I consider a safety nightmare for kids.)

If you are going to let junior have a computer in their room, this software allows the administrator to block them from being up secretly in the middle of the night chatting with some stranger.

I have by no means tested this product thoroughly.  There are ways around it.  I will not go into them.. so as not to educate kids trying to get over on mom and dad.

This software is certainly far better than an unprotected unmonitored computer however.