<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Forensics &#38; Data Recovery &#187; Data Recovery</title>
	<atom:link href="http://datatriangle.com/category/data_recovery/feed/" rel="self" type="application/rss+xml" />
	<link>http://datatriangle.com</link>
	<description>Where Computer Forensics and Data Recovery, Come Together in Gainesville, FL!!</description>
	<lastBuildDate>Wed, 11 Apr 2012 21:53:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Data Recovery Conference for Continued Education</title>
		<link>http://datatriangle.com/2010/11/05/data-recovery-conference-for-continued-education/</link>
		<comments>http://datatriangle.com/2010/11/05/data-recovery-conference-for-continued-education/#comments</comments>
		<pubDate>Fri, 05 Nov 2010 17:10:51 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=263</guid>
		<description><![CDATA[I recently left my full-time job in law enforcement doing computer forensics. (Hopefully private work will be less stress and more money!) I am primarily a computer forensic examiner. I do data recovery as a part-time fill-in when computer forensics is slow. As such, since I went to one of Scott Moulton&#8217;s first data [...]]]></description>
			<content:encoded><![CDATA[<p>I recently left my full-time job in law enforcement doing computer forensics. (Hopefully private work will be less stress and more money!) I am primarily a computer forensic examiner. I do data recovery as a part-time fill-in when computer forensics is slow. As such, since I went to one of Scott Moulton&#8217;s first data recovery courses there has been a lot of change in data recovery. It is obvious that there is a HUGE asset of combined knowledge in the data recovery field.</p>
<p>In law enforcement we would periodically have &#8220;Computer Forensic Training Days.&#8221; This was a quarterly meeting where examiners got together and trained each other. Examiners with a special interest/expertise in a block would train the others. The only cost to go was small to cover hosting, as the trainers were paid by their agencies.</p>
<p>I think a similar thing would work very well for data recovery. In data recovery though, there would probably be a little higher cost to cover paying the speakers a lesson prep fee, conference room costs, and refreshments. I am thinking it could probably be done for a few hundred dollars for each attendee. (I may even be able to work my law enforcement contacts to get us free rooms for the training in exchange for letting some of them come.)</p>
<p>I already run allceus.com with my wife. We (mainly she) put on seminars already. So, I have some experience at it.</p>
<p>I think with the speed that knowledge grows in data recovery and it being so hands-on that this would be extremely valuable to everyone. I know I would be willing to contribute training on file systems, X-Ways Forensics, or whatever else that DR folks were interested in.</p>
<p>Not to mention I am in Florida, just north of Orlando. Nice place to come annually for a winter conference maybe?</p>
<p>Let me know your thoughts. The big thing I would like to know is, would you ACTUALLY come. Keep in mind that with your flight, room, and enrollment fee that it will probably cost $1,000 to attend a two- or three-day conference. (If the group is small I can actually host at my in-office training room. But, that would just be like 20 people&#8230; ) I will put a survey below for everyone who is interested to take. I will publish the results later.</p>
<div id="surveyMonkeyInfo">
<p>Data Recovery Conference Survey</p></div>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/11/05/data-recovery-conference-for-continued-education/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mini-DVD Data Recovery</title>
		<link>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/</link>
		<comments>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/#comments</comments>
		<pubDate>Wed, 03 Nov 2010 21:47:24 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=258</guid>
		<description><![CDATA[I just did a data recovery job that involved a mini-dvd that had been accidentally re-formatted. I got the DVD in with no active files. My usual go to for these recoveries has been ISObuster. I have had many successful recoveries with ISObuster. In this case it did recover movie files that had been on [...]]]></description>
			<content:encoded><![CDATA[<p>I just did a data recovery job that involved a mini-DVD that had been accidentally re-formatted. I got the DVD in with no active files. My usual go-to for these recoveries has been ISObuster. I have had many successful recoveries with ISObuster. In this case it did recover movie files that had been on the drive. It incorrectly assembled lots of the MPEG fragments into a few large VOB files. This resulted in a jumpy video with a lot of unintelligible audio.</p>
<p>Well I knew my friends from England, <a href="http://www.cnwrecovery.com/">CNW recovery,</a> had been working hard on their <a href="http://www.cnwrecovery.com/html/unerase_cd-rw.html">DVD data recovery</a> routines. I decided to give CNW a try. It has a very user-friendly menu that guides you through each step of the process. It recommends at each step the next step in the recovery. I watched as it imaged the disk, carved the MPEGs, then did its best guess at reassembly. The process was very easy to understand and smooth for a low-level data recovery tool.</p>
<p>The resulting MPEGs were much cleaner than the VOBs produced by ISObuster. There were segments that, by manual review, I could tell needed to be reassembled. There were none that were incorrectly put together though. (A much harder thing to deal with.)</p>
<p>I manually re-assembled the MPEGs together that were really part of one continuous shoot.  The resulting product was very good.</p>
<p>I am very impressed with the progress of CNW recovery in this area!!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Entering Private Practice!</title>
		<link>http://datatriangle.com/2010/09/18/entering-private-practice/</link>
		<comments>http://datatriangle.com/2010/09/18/entering-private-practice/#comments</comments>
		<pubDate>Sat, 18 Sep 2010 10:23:02 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=201</guid>
		<description><![CDATA[I am able to announce big changes at DataTriangle. I have been employed by the Alachua Sheriff&#8217;s Office as a Deputy Sheriff for the last 14 years. Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and as the computer forensic examiner. Yes, this has been as busy and stressful [...]]]></description>
			<content:encoded><![CDATA[
<p style="margin-bottom: 0in;">I am able to announce big changes at DataTriangle. I have been employed by the Alachua Sheriff&#8217;s Office as a Deputy Sheriff for the last 14 years. Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and as the computer forensic examiner. Yes, this has been as busy and stressful a job as it sounds!</p>
<p style="margin-bottom: 0in;">I am leaving the Sheriff&#8217;s Office to devote myself full-time to DataTriangle. I will be doing work in the areas of computer forensics, data recovery, and website administration. I will supervise staff members working on general computer repair services in the Gainesville, Florida area.</p>
<p style="margin-bottom: 0in;">My recent computer forensics experience translates most closely to work in criminal defense cases. As I have always done though, my goal is to expand my experience. I have already worked civil cases involving digital evidence. I anticipate working a lot more with the increased availability. I have also had Gainesville attorneys approach me requesting e-discovery services.</p>
<p style="margin-bottom: 0in;">There is a great deal of overlap between e-discovery and computer forensic practice. A lot of the difference lies in acquiring a few new software tools and becoming proficient in them. I am in the process now of buying these tools and practicing. I don&#8217;t presently see myself trying to get into large-scale e-discovery work. I am more interested in supporting law firms with their small- to medium-size e-discovery matters.</p>
<p style="margin-bottom: 0in;">It is with great excitement that I enter into the private practice of computer forensics!  The excitement is somewhat tempered by sadness at leaving all the great comrades and professionals that I have worked with through the years in law enforcement.  I wish all of them the best of luck and safe patrols!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/09/18/entering-private-practice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DiskAnalyzer Pro</title>
		<link>http://datatriangle.com/2010/03/07/diskanalyzer-pro/</link>
		<comments>http://datatriangle.com/2010/03/07/diskanalyzer-pro/#comments</comments>
		<pubDate>Sun, 07 Mar 2010 10:59:13 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=184</guid>
		<description><![CDATA[I recently received a courtesy upgrade to a software product I already owned and used, DiskAnalyzer Pro. I am excited to review the software because it has really come a long way. The version I am reviewing is 3.4. From their website: &#8220;The software helps you to find largest folders and files on your hard [...]]]></description>
			<content:encoded><![CDATA[<p>I recently received a courtesy upgrade to a software product I already owned and used, <a title="DiskAnalyzer Pro" href="http://www.diskanalyzerpro.com" target="_blank">DiskAnalyzer Pro</a>. I am excited to review the software because it has really come a long way. The version I am reviewing is 3.4.</p>
<p>From their website: &#8220;The software <span>helps you to find largest folders and files on your hard drive.  Get hard disk space consumption report grouped by file size, file types, ownership, file date and attributes.   Quickly drill down to folders consuming most of your hard disk space.&#8221;</span></p>
<p><span>As soon as the program launches, it asks you which drive you would like to analyze.  Once you pick the drive it quickly analyzes it.  It did my 500GB drive I chose in about 20 seconds.  The program then presents its main work interface.  The primary area is a row of tabs that lets you sort the files by different criteria. </span></p>
<div id="attachment_188" class="wp-caption aligncenter" style="width: 610px"><img class="size-full wp-image-188" title="Interface_Tabs" src="http://datatriangle.com/wp-content/uploads/2010/03/Interface_Tabs3.jpg" alt="DiskAnalyzer Pro Tabs" width="600" height="48" /><p class="wp-caption-text">DiskAnalyzer Pro Tabs</p></div>
<p>You can click any of those tabs to quickly sort/group files by that criterion. For instance, you can click file types to quickly see how much storage is being taken up by every file type on your drive (by extension). Wondering why you have so many rich text files? Just double-click the &#8220;rtf&#8221; extension folder. A new window opens called the &#8220;File Viewer and Explorer.&#8221; This view lists all the rtf files on the drive with the associated metadata. To the left is a window to quickly sort further by any of the file attributes. Date searching even has a handy pop-up calendar to assist in choosing the dates you need. (Very useful when you are lost in programming, and lost your orientation to time and place!!)</p>
<div id="attachment_192" class="wp-caption aligncenter" style="width: 608px"><img class="size-full wp-image-192" title="File_Explorer" src="http://datatriangle.com/wp-content/uploads/2010/03/File_Explorer.jpg" alt="File Explorer View" width="598" height="146" /><p class="wp-caption-text">File Explorer View</p></div>
<p>Double-clicking any of the files in the file viewer will launch the associated program to view the file. For some of the simpler file types there is the option to launch an internal preview within the application.</p>
<p>A very nice feature if you need to report to someone else what is where, is the ability to export an HTML or CSV report of files located.  This is very useful for quick inventories after a data recovery or computer forensics job.  The same can be done with computer forensics software, but it is more time consuming to set up.</p>
<p>I can also see it being very useful for network IT professionals trying to find out what or who is taking up all the space on the server!</p>
<p>Overall, I find this to be a very easy to use and cost-effective utility.</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/03/07/diskanalyzer-pro/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Forensics Expert in Federal Court</title>
		<link>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/</link>
		<comments>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 19:28:38 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=171</guid>
		<description><![CDATA[I am very pleased to announce that I testified as an Expert in Computer Forensics and Cybercrime. I was on the stand for about one and one-half hours. The material of the case involved the receipt, possession, and distribution of child pornography. I was happy to learn that the case agents, attorney, and [...]]]></description>
			<content:encoded><![CDATA[<p>I am very pleased to announce that I testified as an Expert in Computer Forensics and Cybercrime. I was on the stand for about one and one-half hours. The material of the case involved the receipt, possession, and distribution of child pornography.</p>
<p>I was happy to learn that the case agents, attorney, and jury were very happy with my testimony.  Everyone told me that I was very clear and did an excellent job of making highly technical material understandable.  Being technically accurate and at the same time understandable, I believe, is one of the greatest challenges to anyone testifying as a computer forensics expert.  Throughout my training I have always tried to ask myself, &#8220;How would I explain this to a jury?&#8221;</p>
<p>The entire case was a great experience from working with the U.S. Attorney, investigators, criminal defense attorney, and everyone else involved in this case.</p>
<p>I am proud and happy to have accomplished my goal of being recognized as an expert in state and federal court.  I look forward to continuing to learn in this field, and hope I have a long and successful career in it!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Certified in Court as Expert in Computer Forensics and Cybercrime</title>
		<link>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/</link>
		<comments>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/#comments</comments>
		<pubDate>Sat, 27 Jun 2009 17:12:42 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=113</guid>
		<description><![CDATA[I am not a big fan of &#8220;tooting&#8221; my own horn, but I have to publicize the accomplishment of a long-time goal. Yesterday, in Rhoden v Rhoden in the 8th Judicial Circuit of Florida I testified as an expert witness in &#8220;Computer Forensics and Cybercrime!&#8221; Since there is not a universally accepted gold [...]]]></description>
			<content:encoded><![CDATA[<p>I am not a big fan of &#8220;tooting&#8221; my own horn, but I have to publicize the accomplishment of a long time goal.</p>
<p>Yesterday, in Rhoden v Rhoden in the 8th Judicial Circuit of Florida I testified as an expert witness in &#8220;Computer Forensics and Cybercrime!&#8221; </p>
<p>Since there is not a universally accepted gold standard in computer forensics certifications, testifying as an expert in court is about the only standard that indicates you have entered the top tier of the field. </p>
<p>I am very pleased to have accomplished a goal I set for myself in 2006. Hopefully this is just the mid-point of a great career in computer forensics. <img src='http://datatriangle.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Active File Recovery Review</title>
		<link>http://datatriangle.com/2009/05/22/active-file-recovery-review/</link>
		<comments>http://datatriangle.com/2009/05/22/active-file-recovery-review/#comments</comments>
		<pubDate>Fri, 22 May 2009 23:13:59 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=69</guid>
		<description><![CDATA[I have been pleased to review &#8220;Active File Recovery.&#8221; The specific version that I reviewed was the &#8220;Active Boot Disk&#8221; version 4.1.4. The software is delivered by download. The process of creating the disk is well documented and straightforward. Once the disk is created, your license code is already set up on it. The [...]]]></description>
			<content:encoded><![CDATA[<p>I have been pleased to review &#8220;<a title="Active File Recovery Bootable System" href="http://www.file-recovery.net/" target="_blank">Active File Recovery</a>.&#8221; The specific version that I reviewed was the &#8220;Active Boot Disk&#8221; version 4.1.4. The software is delivered by download. The process of creating the disk is well documented and straightforward. Once the disk is created, your license code is already set up on it.</p>
<p>The wonderful thing about this product is that it will support data recovery for the home user that only has one computer and their operating system will no longer boot. The disk boots a computer into an easy-to-use interface based on a Microsoft Windows File System. The file system automatically mounts the file systems of attached drives as different pieces of software are launched. Great for ease of use, bad for any forensics applications.</p>
<p>As for mounting external drives, to dump data or disk images to, the software performed very well with internal drives and external USB drives. On my test machine with an eSATA drive attached, the eSATA drive was not detected.</p>
<p>There are actually several different useful utilities that come with the product.  I will go through each.</p>
<p>Active Disk Image:<br />
<br />
This is a disk imager utility. A disk image is just a copy of all the data contained on a drive. This utility has the ability to copy off and restore the data in a cloning style for the average user. It also has the ability to produce a dd style image of the drive. There is no option for segmenting or hashing. I did test the validity of the image produced with X-Ways Forensics. It did produce an image whose hash checked. (This was one test run, not extensive &#8220;forensic&#8221; testing.)<br />
<br />
Active Data CD/DVD Burner:<br />
<br />
This utility allows the user to burn data onto CDs or DVDs.<br />
<br />
Active Partition Recovery:<br />
<br />
Recovering a damaged partition is probably an area that would be pretty confusing for the average user. Not because the program&#8217;s interface is bad at all. Just the subject of what you are doing is pretty technical. I did go into a test drive and intentionally damage the partition structure to make the drive un-mountable. I used the partition recovery utility to repair the partition successfully. The utility basically provides you template partition data and the information from the partition backup. If these items are in sync, then it recommends to write this partition information onto the primary partition information.<br />
<br />
Active File Recovery:<br />
<br />
This is probably the bread and butter application of the whole product. This allows the user to mount and browse an NTFS or a FAT file system. The application has &#8220;quick scan&#8221; and &#8220;super scan&#8221; functions.<br />
<br />
The &#8220;Quick Scan&#8221; appears to just read the file systems of any mountable partition displaying existing and deleted files.  These files can then be selected and exported to another attached device.  I tested this functionality in NTFS with existing and deleted files. The application functioned properly.  The interface is intuitive and easy to use.<br />
<br />
The &#8220;Super Scan&#8221; function looks for lost partitions and optionally scans for file signatures. What this means is that if you have no readable file system at all, the software will look for files based on well-known file headers. The built-in file signatures support what most users request in a data recovery job. If the file type is specialized/unusual, the user will probably need professional help.<br />
<br />
Active Hex Editor:<br />
<br />
This is a basic hex editor.  It allows the user to see the raw data on the computer.  This has some use for a data recovery professional.  For the average user, the major use is probably to look and see if the software is seeing data on a drive.<br />
<br />
Active Password Changer:<br />
<br />
This is for the Windows user who has forgotten their password. This allows the user to clear the password, meaning that no password will be required to log into the account after the change. The software doesn&#8217;t warn you though that if the Windows Encrypted File System is in use, this will destroy access to those encrypted files. I successfully used the utility to change the password on a Windows Vista 64-bit system.</p>
<p>Active Kill Disk:<br />
<br />
This application allows the user to wipe free space or to &#8220;Kill&#8221; an entire disk. The utility will overwrite the selected areas or the entire drive. I tested and verified its ability to successfully wipe an entire drive.<br />
<br />
Active Partition Manager:<br />
<br />
This application allows the user to initialize and format a drive in either NTFS or the FAT file system. The disk offers support for networking and includes a basic web browser. There is a check box on one of the initial screens on whether you want to enable networking. I was able to use the browser to connect to the internet during two machine boot ups. On other boots I could not. I have no explanation for why. (Normally this shouldn&#8217;t matter. In data recovery you don&#8217;t usually need to access the internet.)<br />
<br />
I tried a couple of additional &#8220;tricks&#8221; using this bootable disk as my Windows system. I was able to use it as the OS for my X-Ways Forensics software to run from a USB flash drive. X-Ways gave a couple errors during different operations, but most of the primary features seemed to be working.</p>
<p>I also tried running a few different virus clean-up tools from USB. I was able to successfully run these. Running applications from this &#8220;known&#8221; Windows environment will provide a great computer clean-up platform.</p>
<p>I have to say that I found the software to be extremely user friendly. It performed as advertised in almost every instance. The manual is understandable, detailed, and well written.</p>
<p>At $80, the product is a bit pricey. CNW Recovery is a much better value for deleted file recovery, if you have a functional computer to use. If you must have a bootable environment and don&#8217;t want to learn Linux, this is the way to go right now!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/05/22/active-file-recovery-review/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>X-Ways Forensics Training Course Review</title>
		<link>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/</link>
		<comments>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/#comments</comments>
		<pubDate>Fri, 17 Apr 2009 22:36:36 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Continuing Education]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[recovery]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[X-Ways]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=62</guid>
		<description><![CDATA[I just completed a week of training with X-Ways in Washington, DC.   The instructor was the CEO of the company and principal software designer Stefan Fleischmann.  This class is taught all over the world, generally only a couple times a year in the United States. The class is broken up into two segments, which [...]]]></description>
			<content:encoded><![CDATA[<p>I just completed a week of training with X-Ways in Washington, DC.   The instructor was the CEO of the company and principal software designer Stefan Fleischmann.  This class is taught all over the world, generally only a couple times a year in the United States.</p>
<p>The class is broken up into two segments, which you can purchase separately. The first three days are designed specifically to teach the student how to use X-Ways Forensics. The last two days are a file systems course. Since the segments are very different, I will cover them individually.</p>
<p>X-Ways Forensics Course:</p>
<p>If you have read my previous blogs you know I was already a fan of X-Ways Forensics prior to attending the course.  I knew though that there had to be functionality I was missing out on having not attended the training.  I was right!  lol   I of course had learned a lot of the features through use and reading the manual.  There were areas that I had not really explored that I will probably use in every investigation. </p>
<p>All students are provided with printed training material, digital copy of training material, a computer, and a copy of X-Ways to use during the course.</p>
<p>The class starts out with an overall tour of the user interface and how to navigate in X-Ways Forensics. Mr. Fleischmann regularly demonstrates that there are multiple ways to do almost everything in X-Ways. I gained an appreciation for the phrase: How many ways are there to _______? &#8220;X-Ways&#8221; You have to use the &#8220;X&#8221; to denote the number of ways to do a task because you can&#8217;t easily count them all! That is a bit of a joke, but whether you prefer context menus, main menus, or keyboard shortcuts there is probably the choice of doing it your preferred way in X-Ways Forensics. Additionally, along with all those normal ways there are often sorta hidden shortcuts built in to make common tasks faster. Once you see these, their location makes great sense. But they are one of the kinds of things that are hard to pick up on in a manual, but easy to learn when you see someone do it.</p>
<p>While teaching, Mr. Fleischmann shows students through the tasks that he is performing.  After learning a series of features, Mr. Fleischmann has very well planned out exercises that the students execute on their own.  These are very good at reinforcing what you just learned.  After giving you time to practice, Mr. Fleischmann then leads you through the ideal solution to the exercise.</p>
<p>Mr. Fleischmann starts off each day of class with a review of what was learned the day before.  This is another great adult learning teaching method that reinforces learning. </p>
<p>There were a wide variety of computer examiners in the course.  Everything from private to the biggest name federal LE agencies.  I did not hear one examiner that was not impressed with the software, Mr. Fleischmann, or the training.</p>
<p>File Systems:</p>
<p>The last two days of the five-day course are a class on file systems. These two days are very fast paced. If you don&#8217;t come into the class with some knowledge of file systems it is probably too fast to comprehend a lot. That said, if you come in with some knowledge, you will leave with a lot more. Mr. Fleischmann has an amazing knowledge of file systems. He moves through the MFT in NTFS very fluidly. He explains all the ins and outs. I don&#8217;t mean the usual, &#8220;this is a journaling file system that maintains individual entries of each file and their location..&#8221; Mr. Fleischmann dives into the actual binary code in example after example, breaking down file entries. Mr. Fleischmann also breaks down and explains other important system files like the $logfile. I have already used information in this portion of the class to find evidence in a couple cases I would have otherwise missed.</p>
<p>Mr. Fleischmann is nothing short of amazing as an instructor.  He is extremely punctual and efficient throughout the class.  There is not a moment of the course that is not well organized.  He is able to intelligently answer almost any computer question that comes up, no matter how trivial it may be. The course is definitely fast paced, though.  Get your rest, because you will need all your focus. </p>
<p>This was certainly one of the best computer courses I have had the opportunity to attend.  I would highly recommend it to any computer examiner or data recovery technician!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Viewing Recovered Files</title>
		<link>http://datatriangle.com/2008/08/03/viewing-recovered-files/</link>
		<comments>http://datatriangle.com/2008/08/03/viewing-recovered-files/#comments</comments>
		<pubDate>Sun, 03 Aug 2008 15:53:49 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=42</guid>
		<description><![CDATA[After a hard drive crash, I repair the drive. I then extract out the needed data files. Sometimes, these files have to be recovered through data carving. They will get assigned random names like 14583.doc or 184893.jpg. Well, you can imagine these names are not real useful for my clients. I was recently introduced to [...]]]></description>
			<content:encoded><![CDATA[<p>After a hard drive crash, I repair the drive.  I then extract out the needed data files.  Sometimes, these files have to be recovered through data carving.  They will get assigned random names like 14583.doc or 184893.jpg.   Well, you can imagine these names are not real useful for my clients.</p>
<p>I was recently introduced to a program called <a title="Directory Opus File Explorer" href="http://www.gpsoft.com.au/" target="_blank">Directory Opus</a>. This is a very of Windows Explorer to view files. The awesome thing about it for data recovery is that it shows file metadata. If you don&#8217;t know, Microsoft Word documents and others have things like their title and author embedded in the document. Well, with Directory Opus you can see all this data in the file tree. It will also show the EXIF data associated with photos. The user can drill down into zip archives to see what they contain.</p>
<p>It also has a nice dual pane interface to allow files to be moved about onto the new locations the client needs them.  It has advanced ways to automate the process for the client that wants to put in some more time learning how to operate the program.</p>
<p>The software comes with a free 30 day trial.  That should be plenty of time to get your recovered files straightened out.</p>
<p>Before someone writes in and tells me&#8230; I know you can view these same file properties in Windows Explorer&#8230;just not in the default view. To view the metadata in Windows Explorer, just go to the top of the view pane where you see the column titles, right click, and a list of attributes the user can add to the view will show up. Just left click on title, author, or whatever else you would like to add. This way is completely free with no new install&#8230; whichever you like. Directory Opus is prettier though <img src='http://datatriangle.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Happy file browsing!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2008/08/03/viewing-recovered-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

