Archive for the ‘Computers & Technology’ Category

Viewing Recovered Files

Sunday, August 3rd, 2008

After a hard drive crash, I repair the drive. I then extract out the needed data files. Sometimes, these files have to be recovered through data carving. They will get assigned random names like 14583.doc or 184893.jpg. Well, you can imagine these names are not real useful for my clients.

I was recently introduced to a program called Directory Opus. This is a very of Windows Explorer to view files. The awesome thing about it for data recovery is that it shows file metadata. If you don’t know, Microsoft Word documents and others have things like their title and author embedded in the document. Well, with Directory Opus you can see all this data in the file tree. It will also show the EXIF data associated with photos. The user can drill down into zip archives to see what they contain.
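The same embedded properties can be read by a script to propose names for carved files. This is an added example, not part of the original post: it handles only the zip-based Office Open XML formats (.docx and relatives), not legacy .doc, and the function names and sample files are constructed for illustration.

```python
import io, os, re, zipfile, zlib
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"  # Dublin Core namespace used in core.xml

def core_properties(data: bytes) -> dict:
    """Title/creator from an OOXML package; {} when the carve is damaged."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            info = zf.getinfo("docProps/core.xml")
            if info.file_size > 1 << 20:   # untrusted input: refuse a huge core.xml
                return {}
            root = ET.fromstring(zf.read(info))
    except (zipfile.BadZipFile, KeyError, ET.ParseError, zlib.error, EOFError):
        return {}
    return {k: v.strip() for k in ("title", "creator")
            if (v := root.findtext(DC + k)) and v.strip()}

def safe_name(title: str, ext: str, taken: set) -> str:
    """Turn untrusted metadata into a flat, collision-free file name."""
    stem = re.sub(r'[\\/:*?"<>|\x00-\x1f]', "_", title)[:80].strip(" ._") or "untitled"
    name, n = stem + ext, 1
    while name.lower() in taken:       # Windows compares names case-insensitively
        n += 1
        name = f"{stem} ({n}){ext}"
    taken.add(name.lower())
    return name

def plan_renames(carved: dict) -> dict:
    """Map each carved name to a proposed name; unreadable files keep theirs."""
    taken, plan = {n.lower() for n in carved}, {}
    for old, data in sorted(carved.items()):
        title = core_properties(data).get("title")
        plan[old] = safe_name(title, os.path.splitext(old)[1], taken) if title else old
    return plan

def _sample_docx(title: str) -> bytes:  # constructed: package with only core.xml
    xml = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/'
           '2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
           f'<dc:title>{title}</dc:title><dc:creator>A. Client</dc:creator></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", xml)
    return buf.getvalue()

CARVED = {  # constructed sample input, named the way a carving tool would
    "14583.docx": _sample_docx("Q3 Budget"),
    "20417.docx": _sample_docx("..\\..\\Q3 Budget"),   # hostile-looking title
    "31990.docx": _sample_docx("Q3 Budget")[:40],      # truncated carve
}
```

The plan is only a proposal: the title comes from inside the recovered file, so it is sanitized before it is used as a name, and a carve too damaged to read keeps its numeric name.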

It also has a nice dual pane interface to allow files to be moved about onto the new locations the client needs them. It has advanced ways to automate the process for the client that wants to put in some more time learning how to operate the program.

The software comes with a free 30 day trial. That should be plenty of time to get your recovered files straightened out.

Before someone writes in and tells me… I know you can view these same file properties in Windows Explorer… just not in the default view. To view the metadata in Windows Explorer, just go to the top of the view pane where you see the column titles, right click, and a list of attributes the user can add to the view will show up. Just left click on title, author, or whatever else you would like to add. This way is completely free with no new install… whichever you like. Directory Opus is prettier though :)

Happy file browsing!

Internet Undercover Investigations

Sunday, August 3rd, 2008

I just completed the Internet Crimes Against Children (ICAC) undercover investigations course. It was a very good class. The class was held in Denver, Colorado. I went up to the town of Boulder a couple of times. The town of Boulder really is beautiful.

As far as the class.. other than to say it is a good course.. this is one I really can’t talk about.

Certified Data Recovery Professional

Saturday, July 5th, 2008

I just attended a training by Infosec in Washington, D.C.  The training was specifically on data recovery.

The first two days of the training focused on the physical function/ repair of hard drives.  We learned about how the drive functions internally.  We then began the hands on repair of the drives.  We also learned to evaluate the sounds of a malfunctioning hard drive.

We then moved on to the various software tools that can be used to repair/read the data that has been salvaged from a crashed drive. We performed multiple labs with the various pieces of software. We even did a few RAID repairs. Not surprisingly to me, or you if you have read my blog, X-Ways Forensics was one of the most highly regarded tools.

The class ended with a sort of seminar on solid state drives. This provided a lot of knowledge on how the drives function internally. Without going into a lot of technical detail, I can tell you the opinion I came to. If you are going to use a solid state drive, beware of a failure. If a solid state drive fails, your data is basically gone. Data recovery on those drives, at least for now, is going to be very technical and expensive. If your data is retrievable at all, you better send it to a fleet of electrical engineers to get it back.

The class ended with an exam to be a Certified Data Recovery Professional.  I passed the exam with a 96% !!  I was happy.  All my studying about drives and data recovery has paid off I guess.

The set of students in my class were a mix of military, IT network admins, forensic examiners, and data recovery business owners. It was an impressive crowd. I learned a lot from the in and out of class discussions. Specifically, I learned some great info on the business of running a data recovery shop.

I am very excited to bring all of this information back to the Crystal River, Gainesville, Ocala, and Lake City area of North Florida.

I do have to warn other techs though…. I would think hard about whether to attend the course, unless Infosec reduces the price from the $3,200 to $3,800 dollar mark it is at now. There really wasn’t much in the way of material that you couldn’t learn yourself with diligent research and study. Then of course, working on hard drives and playing with software on your own. The class would be good though if you wanted to skip this study on your own, and just have the material given to you. The more you know about data recovery walking into the class… the less thrilled you will be with your money being gone.

Parental Control and Monitoring Software

Wednesday, May 7th, 2008

I was asked recently to find a parental control/monitoring software for an agency to recommend to parents. In looking at a lot of software that is somewhat expensive for the average family with kids, I found Crawler Parental Control. This software is FREE.

I installed the software.  I did some initial testing with it.  It looks very good.  The software has computer usage controls.  The program will even save screenshots and email user activity logs.

The usage controls by time are VERY important.  What I have seen time and again in law enforcement.. is kids getting in trouble online after mom and dad are in the bed.  This is especially bad if the computer is in junior’s room.  (Something I consider a safety nightmare for kids.)

If you are going to let junior have a computer in their room, this software allows the administrator to block them from being up secretly in the middle of the night chatting with some stranger.

I have by no means tested this product thoroughly. There are ways around it. I will not go into them.. so as not to educate kids trying to get over on mom and dad.

This software is certainly far better than an unprotected unmonitored computer however.

Virus File Scanner

Sunday, March 30th, 2008

Have you ever had an anti-virus or firewall tell you a file was malware, but you didn’t really think so?  It is a situation I encounter from time to time.  Sometimes, one security program will say one by another company is bad.

Well, there is a free site that helps you get a definitive 2nd, 3rd, 4th… 30th opinion. It is VirusTotal.com. After a quick upload of the suspicious file to their site, it is scanned by numerous security programs. This gives you a breadth of opinions on which to base your decision.

Another good way to get additional info is to search for the file name in Google. This will usually give some definitive write-ups on the file for anything that has been around for a while.

Of course if you are in the Gainesville, Florida area… you can always contact me for a second opinion on your trojan, virus, or other malware. :)