Does imaging HDD capture deleted files too?


Dec 31, 2006
3,405
0
#22
Re: took 12 hours total

<r><QUOTE author="cyber101"><s>
cyber101 said:
</s>12 hours total including verifying for a 32 GB USB stick. Is this normal? So a 500 GB hard drive would take much longer I suppose?<e>
</e></QUOTE>It depends on the speed of the source and target drive. USB 1.1 to USB 1.1 would be much slower than SATA III SSD to SATA III SSD. There are also other factors that can impact the speed of imaging, including among other things the size of the segments and the compression level.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#23
Re: took 12 hours total

<r><QUOTE author="PreferredUser"><s>
PreferredUser said:
</s><QUOTE author="cyber101"><s>
cyber101 said:
</s>12 hours total including verifying for a 32 GB USB stick. Is this normal? So a 500 GB hard drive would take much longer I suppose?<e>
</e></QUOTE>It depends on the speed of the source and target drive. USB 1.1 to USB 1.1 would be much slower than SATA III SSD to SATA III SSD. There are also other factors that can impact the speed of imaging, including among other things the size of the segments and the compression level.<e>
</e></QUOTE>

Are the dedicated imaging programs like Acronis True Image 2017 etc faster than this?</r>
 
Dec 31, 2006
3,405
0
#24
Re: took 12 hours total

<r><QUOTE author="cyber101"><s>
cyber101 said:
</s>Are the dedicated imaging programs like Acronis True Image 2017 etc faster than this?<e>
</e></QUOTE>A "backup" program like the one you mentioned will be faster than a forensic "imaging" program because less data is being copied. Their use of the word "Image" in the product name is misleading to those not familiar with the use of the term in forensics; it is better to reference the description of the software in their claim "The #1 Personal <B><s></s>Backup<e></e></B> Software".<br/>
<br/>
In short, creating a backup of the logical folders and files on a drive and storing them as a proprietary "image" file will take less time than creating a bit-for-bit forensic image of a drive.<br/>
<br/>
That said, no software can change the reality of physics: a 5400 RPM drive as a source or target drive will be slower than 15,000 RPM enterprise grade drives, which will be slower than SAS or SATA III SSDs.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#25
How to tell if you have a logical file after FTK imaging?

<r><QUOTE author="PreferredUser"><s>
PreferredUser said:
</s>Are you making a logical copy or a bit-for-bit image?<e>
</e></QUOTE>

Q1: I completed the FTK imaging process; how will I know if I made a logical copy of the USB stick and not a bit-for-bit image (I don't recall if I selected physical or logical)? Is there a way to tell by clicking the FTK image files? I only wanted a logical copy of the USB stick as I didn't require the deleted files from the USB stick.<br/>
Q2: After clicking "Add Evidence File" what should I select based on previous question to access the files? i.e. physical, logical, image, content of folder<br/>
<br/>
Q3: If I have made a bit-to-bit image, is there a way to identify the non-deleted files from that bit-to-bit image within FTK Imager?<br/>
<br/>
Thanks in advance.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#26
Are you 100% sure GetDataBack will work with raw?

<r><QUOTE author="cybercop"><s>
cybercop said:
</s>If the format isn't recognized and all you need is to get the data back, then you don't need forensics. You need data recovery tools such as GetDataBack for Windows or even photorec on Linux.<e>
</e></QUOTE>
Ok I will take your recommendation. Are you 100% sure that GetDataBack will do the job (i.e. recover my files in a raw USB stick)? I can't afford to make a mistake; razor's edge feeling here; tension abound. Is this a free product all the way through the process?<br/>
<br/>
Thanks in advance.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#27
after a free product

<r><QUOTE author="PreferredUser"><s>
PreferredUser said:
</s>
"<URL url="http://www.easeus.com/resource/raw-usb-drive-recovery.htm"><LINK_TEXT text="http://www.easeus.com/resource/raw-usb- ... covery.htm">http://www.easeus.com/resource/raw-usb-drive-recovery.htm</LINK_TEXT></URL>"
<e>
</e></QUOTE> I was after a free product though; this is not a free product all the way through; had me stoked though when it 'recovered' the files; was worth the trip; thanks anyway.</r>
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#28
If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.
 

cyber101

New Member
Sep 21, 2016
84
0
#29
How to view the recovered files using "Add New Evidence

<r><QUOTE author="cybercop"><s>
cybercop said:
</s>If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.<e>
</e></QUOTE>
Thanks.<br/>
<br/>
I have a number of folders that FTK has labelled E01, E02, E03 etc; these are contained in a folder called 'root'; I presume this is where FTK has recovered the files to. As to the next step with regards to accessing;<br/>
<br/>
File>Add Evidence Item><br/>
which one should I choose?<br/>
physical, logical, image, or contents of folder?<br/>
<br/>
Q2: there's another folder called unallocated space; what's that about?<br/>
<br/>
Note: The recovered files are sitting in another new USB not in the HDD.<br/>
In other words:<br/>
USB 1 (raw format USB)<br/>
USB 2 (is where I told FTK to recover the files to from USB 1)</r>
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#30
If all you are trying to do is recover files from a messed up drive, you don't need to go through all that. There are much better tools that are designed just for data recovery. A forensics tool is an over complicated way to do it.
 

cyber101

New Member
Sep 21, 2016
84
0
#31
A 100% free recovery program recommendations?

<r><QUOTE author="cybercop"><s>
cybercop said:
</s>If all you are trying to do is recover files from a messed up drive, you don't need to go through all that. There are much better tools that are designed just for data recovery. A forensics tool is an over complicated way to do it.<e>
</e></QUOTE>
Is there a 100% free data recovery program that you recommend? Easeus partly recovered the files from the raw USB stick; however, to complete the recovery, i.e. get access to all my files, it wants payment. Something similar to it but free would be great; I'm on a tight budget.<br/>
"<URL url="http://www.easeus.com/resource/raw-usb-drive-recovery.htm"><LINK_TEXT text="http://www.easeus.com/resource/raw-usb- ... covery.htm">http://www.easeus.com/resource/raw-usb-drive-recovery.htm</LINK_TEXT></URL>"<br/>
<br/>
Thanks in advance.<br/>
<br/>
Moderator Note: Direct links are not allowed.</r>
 
Dec 31, 2006
3,405
0
#33
Re: A 100% free recovery program recommendations?

<r><QUOTE author="cyber101"><s>
cyber101 said:
</s>Is there a 100% free data recovery program that you recommend?<e>
</e></QUOTE>There are many programs that can be used for data recovery that are free if you have the proper skills. FTK Imager is one of those programs.<br/>

<QUOTE author="cyber101"><s>
cyber101 said:
</s>Easeus partly recovered the files from the raw USB stick; however, to complete the recovery, i.e. get access to all my files, it wants payment. Something similar to it but free would be great; I'm on a tight budget.<e>
</e></QUOTE>If you want to recover the data you will either need to pay for a program that automagically recovers the data or learn the skills to use the free tools.<br/>
<br/>
At this point you have spent two months posting about this problem; it would seem the data is not that important, so take some time to learn about data carving. It will likely be helpful in the future. Maybe you can rescue lost data for a friend some day. Here is a link to a primer at SANS: "<URL url="https://www.sans.org/reading-room/whitepapers/forensics/data-carving-concepts-32969"><LINK_TEXT text="https://www.sans.org/reading-room/white ... epts-32969">https://www.sans.org/reading-room/whitepapers/forensics/data-carving-concepts-32969</LINK_TEXT></URL>"<br/>
<br/>
If you have Linux skills check out this article that describes some carving tools: "<URL url="https://help.ubuntu.com/community/DataRecovery">https://help.ubuntu.com/community/DataRecovery</URL>"<br/>
<br/>
Handy hint: You should use the forensic image (the E01, E02, etc.) files you created with Imager to work from.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#34
making an iso of the usb

<r><QUOTE author="cybercop"><s>
cybercop said:
</s>If the data is raw, you are going to have to recover everything and then sort through and keep what you want. There is no way for the software to tell the difference between files that were deleted and files that weren't when the format is gone.<e>
</e></QUOTE>
Can I make an iso of the usb instead of using other imaging methods?</r>
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#35
You could, IF you could see the data which you can't. Raw basically means it has lost its file allocation table. That means there are no pointers to where the files start and stop. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.
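As an added illustration (not code from this thread or from any of the tools named in it) of what "raw" means here and of the data carving the SANS primer covers: a minimal header/footer carver in Python. It ignores any file allocation table and recovers a JPEG and a PNG from a constructed byte image purely by their magic values, which is exactly why a carver cannot tell a live file from a deleted one. The signatures are real magic bytes; the sample image and the `Carved` type are constructed for this example.

```python
# Added example, not from the thread: a minimal header/footer file carver.
# A "raw" volume has lost its allocation table, so there are no pointers to
# where files start and stop. Carving scans the bytes for known signatures
# instead, so live and deleted files come back indistinguishably and must be
# sorted by hand afterwards.
from dataclasses import dataclass

# Real magic values: JPEG starts FF D8 FF and ends FF D9;
# PNG starts with its 8-byte header and ends with the IEND chunk plus CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class Carved:
    kind: str      # signature name that matched
    offset: int    # byte offset of the header in the image
    data: bytes    # carved bytes, header through footer inclusive


def carve(image: bytes, max_size: int = 1 << 20) -> list[Carved]:
    """Scan a raw image for header/footer pairs and return carved objects."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            # Look for the footer within max_size bytes of the header.
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: a fragment, skip it.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append(Carved(kind, pos, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found, key=lambda c: c.offset)


def build_sample_image() -> bytes:
    """Constructed sample: two 'files' in zero-filled space, no file table."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 512


if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
```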
 

cyber101

New Member
Sep 21, 2016
84
0
#36
What to do after you imaged the usb with FTK?

<r><QUOTE author="cybercop"><s>
cybercop said:
</s>. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.<e>
</e></QUOTE>
I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside the FTK File List and are named usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.</r>
 

cybercop

Administrator
Oct 31, 2005
1,660
0
#37
At this point, with your obvious lack of ability to do any research on your own, you should just pay someone that does data recovery to recover the files.
 

SgtJackie

New Member
Nov 30, 2015
58
0
#38
Re: What to do after you imaged the usb with FTK?

<r><QUOTE author="cyber101"><s>
cyber101 said:
</s><QUOTE author="cybercop"><s>
cybercop said:
</s>. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.<e>
</e></QUOTE>
I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside the FTK File List and are named usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.<e>
</e></QUOTE>

Download a free copy of OS Forensics and open up the E01 file, you should then be able to see the deleted files and just highlight them and download them.</r>
 

cyber101

New Member
Sep 21, 2016
84
0
#39
Re: What to do after you imaged the usb with FTK?

<r><QUOTE author="SgtJackie"><s>
SgtJackie said:
</s><QUOTE author="cyber101"><s>
cyber101 said:
</s><QUOTE author="cybercop"><s>
cybercop said:
</s>. You need to just use a data recovery tool and then sort through the files. If you would just use a tool and do it, you would be done by now.<e>
</e></QUOTE>
I made an image of the raw USB thanks to FTK Imager. There are about 20 recovered items inside the File List of AccessData FTK 3.4.3.3. The recovered files are sitting inside the FTK File List and are named usb recovery.E01 (E02, E03 etc). What should I do next? I'm stuck.<e>
</e></QUOTE>

Download a free copy of OS Forensics and open up the E01 file, you should then be able to see the deleted files and just highlight them and download them.<e>
</e></QUOTE>

The 'E' in say E01 stands for Encase or something else or nothing in particular?</r>
 
Dec 31, 2006
3,405
0
#40
Re: What to do after you imaged the usb with FTK?

<r><QUOTE author="cyber101"><s>
cyber101 said:
</s>The 'E' in say E01 stands for Encase or something else or nothing in particular?<e>
</e></QUOTE>Since you are apparently incapable of searching for the most basic information on your own: "<URL url="https://lmgtfy.com/?q=forensic+file+formats">https://lmgtfy.com/?q=forensic+file+formats</URL>"</r>
 
