Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: WhqUr3s577
New Today: 1
New Yesterday: 2
Overall: 29415

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 Hostile work enviornment
 Can anyone suggest me a topic under printers forensics
 Unallocated clustered as court evidence
 Encryption
 I know how to recover ost file 2016

Computer Forensics World Forums


Pages Served
We received
52996351
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - Computer Evidence Search
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Computer Evidence Search
Goto page Previous  1, 2, 3, 4
 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Legal Issues
View previous topic :: View next topic  
Author Message
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Tue Aug 20, 2013 7:45 am    Post subject: Reply with quote

LOL.... not really.... Just trying to understand the myth of recovery.... especially that experts do not seem to be giving straight forward answers to questions and scenarios....
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Tue Aug 20, 2013 8:19 am    Post subject: Reply with quote

cybercop wrote:
Yep, Homework.
Answering these questions is like starting over in school without any reward for being right.
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Tue Aug 20, 2013 8:23 am    Post subject: Reply with quote

ComputerLearner wrote:
OK.... Lets exhaust the DOCX issue first.

A personal assistant to a CEO has a template in Microsoft Word for communicating with a Bank. The information that changes on the template is DATE and AMOUNT.

The template is called Bank Transfer.docx. This file name is maintained.
DOCX is not a template. A template is either DOTX or DOCM. The way a document is modified and saved is different than how a template is saved.

ComputerLearner wrote:
Every month end, Bank Transfer.docx is modified - date is amended, amount is amended too. But filename is maintained.

So, when Bank Transfer.docx is deleted, how many deleted copies are most likely to be recovered?
Among other things it depends on the setting I mentioned in my earlier post.

If you would stop playing games and being evasive you would likely end up with better answers. Stop making up scenarios and just ask questions relevant to your "friend" who likes to download kiddie porn.

If you are trying to learn how file deletion and recovery works, why confuse the situation by making up scenarios? If someone gives you an answer that does not apply to the case at hand, how do you expect to extrapolate the answer to the kiddie porn case?


Last edited by PreferredUser on Tue Aug 20, 2013 8:30 am; edited 1 time in total
Back to top
View user's profile
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Tue Aug 20, 2013 8:26 am    Post subject: Reply with quote

One of these fine days.... when we are done and dusted.... you will both be handsomely rewarded. It is not in me to forget where I come from...

Your comments have been very valuable.... no doubt.
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Tue Aug 20, 2013 8:36 am    Post subject: Reply with quote

ComputerLearner wrote:
Your comments have been very valuable.... no doubt.
Then I would think your questions should be more pointed to the case.
Back to top
View user's profile
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Tue Aug 20, 2013 8:44 am    Post subject: Reply with quote

PreferredUser,

I have moved away from 'kiddie porn'. I have drawn up valuable lessons from that topic. The legal counsel to the accused is already in the process of getting an IT Expert to help the defense. There is no extrapolation intended.


I am now trying to understand different areas of the art of data recovery and reverse-engineering.

The 'template' am referring to is not actually a template in the strictest sense. What I meant is the Personal Assistant regularly sends this letter / memo / advisory to a bank. She has this document she reuses.... She just amends DATE and AMOUNT on this document.... and saves it using the same file name.... And then sends the new document to the bank.

So, when the document is finally deleted, how many copies can possibly be recovered?
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Tue Aug 20, 2013 9:34 am    Post subject: Reply with quote

ComputerLearner wrote:
I have moved away from 'kiddie porn'. I have drawn up valuable lessons from that topic. The legal counsel to the accused is already in the process of getting an IT Expert to help the defense. There is no extrapolation intended.
OK. Homework.

ComputerLearner wrote:
So, when the document is finally deleted, how many copies can possibly be recovered?
And again, the answer depends on some save and tracking settings in Word. It also depends on the OS involved. It depends on settings in the OS. Etc.

Also there are a number of options to recover the file from her computer, from the server where the file is stored, from the mail server used to send the file to the bank, from the mail server at the bank, from the server where the file is stored at the bank, from the computer of the recipient at the bank, and last but not least from any of the backups or snapshots of any of those machines.

Your thinking is too narrow if you only focus on the one instance.
Back to top
View user's profile
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Tue Aug 20, 2013 3:17 pm    Post subject: Reply with quote

Let me add clarity to the scenario - the document is NOT sent through email, but rather thru ordinary postal services. When the document is updated for a particular month by the Personal Assistant (PA), it is copied onto a Flash and the Flash handed over to the Manager for printing, sign off and sending to the Bank thru postal service.

So, the document is only saved on the PA's desktop computer. the PA's desktop computer runs on Windows 7 Professional OS.

For the purpose of me getting a proper answer.... lets assume that the only AVAILABLE computer or device through which the document passed at the time recovery is attempted is the PA's desktop computer. [i.e., the Flash, the Manager's computer and the Printer are not available]
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Tue Aug 20, 2013 9:32 pm    Post subject: Reply with quote

ComputerLearner wrote:
So, when the document is finally deleted, how many copies can possibly be recovered?
And again, the answer depends on some save and tracking settings in Word. It also depends on the OS involved. It depends on settings in the OS. Etc.
Back to top
View user's profile
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Wed Aug 21, 2013 7:47 pm    Post subject: Reply with quote

Am a bit lost with .... "depends on some save and tracking settings in Word". Kindly mention any of the tracking settings... As stated, the OS is Windows 7 Professional. Mention any of the OS settings you have in mind. I will be able to research more on that.


Then perhaps we can go to the other scenario:


If a computer program executable with MAC times of say 1st January 2013 is deleted on 1st June 2013. The program executable is recovered on 1st August 2013 and de-compiled.

What will be the MAC times of:

1. the recovered program executable

2. the de-compiled file
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Wed Aug 21, 2013 9:36 pm    Post subject: Reply with quote

ComputerLearner wrote:
Am a bit lost with .... "depends on some save and tracking settings in Word". Kindly mention any of the tracking settings... As stated, the OS is Windows 7 Professional. Mention any of the OS settings you have in mind. I will be able to research more on that.
Seriously? How hard is it to "research" track changes?
h t t p :// office . microsoft . com/en-us/word-help/turn-track-changes-on-or-off-HA010370561.aspx

As for Windows 7 try some research on system protection and volume shadow copy.
Back to top
View user's profile
ComputerLearner
Newbie
Newbie


Joined: Jul 31, 2013
Posts: 29

PostPosted: Mon Aug 26, 2013 5:22 pm    Post subject: Reply with quote

Well, the Track Changes option looks like it really does a good job. I think that will effectively keep track of any changes made to the Word doc.

However, what I am not sure is whether all those changes will still be tracked even after the document is deleted and then recovered?... Will the recovered document still maintain all those changes? But, perhaps let me not take you this far.... I think I can create a lab environment and check this out myself.



In conclusion, can we now discuss the last scenario:


If a computer program executable with MAC times of say 1st January 2013 is deleted on 1st June 2013. The program executable is recovered on 1st August 2013 and de-compiled.

What will be the MAC times of:

1. the recovered program executable

2. the de-compiled file
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Legal Issues All times are GMT + 10 Hours
Goto page Previous  1, 2, 3, 4
Page 4 of 4

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.