Forensic tools to assist with an investigation
CnW Recovery software has many tools built in to assist with both data recovery, and forensic reports on disks that have become corrupted, deleted, or otherwise changed.
Any forensic investigation has to be done extremely carefully if the evidence extracted will have any use in court. Key elements are
- Continuity of evidence
- No corruption or modification of data
- No possible data missed
- Extraction of unallocated space and slack space
- Repeatable recovery of data
- Jpg file size
- No possible data contamination
- Comprehensive logs
- Use of hashing (MD5 and SHA-256) on files extracted
- Good logs of operations and procedures
- Overwritten sectors should be located
- Slack space recovery
- Locate which file a sector relates to
- File fragment runs
Working on potentially corrupted, or damage disks brings another level of complexity into examination of disks. The notes below give guide lines on how to approach different types of disks, and media, in different states of corruption
Logging is a very important point in any forensic inquiry, and data restoration. It is essential to know where data has been found, on what media, date etc. The basis of this information is stored in the log for CnW Recovery. There is a separate log file generated for each restore, giving media details, as well as details for each file or error detected. The logs may be sorted by clicking on the column header for any column. Logs may also be exported as a .csv file, and so can be processed in many common applications, such as Access - or for shorter logs, in Excel.
Another very important aspect of any forensic investigation, and recovery of files from a disk, is to determine what has not been recovered, such as deleted files, partially overwritten files, or files left behind from a previous formatting of a disk. There are also sections of a hard disk where a cluster has been allocated to a file, but the file does not use the whole cluster. This is called slack space, and can often contain fragments of data from previous files. On NTFS, the situation can be slightly more complex, as short files are stored as part of the MFT, and so slack space can be part of any MFT that is not a full 0124 bytes in length.
Files in most operating systems can be fragmented - the CnW Log will keep a count of the number of fragments in any file. It is even possible to select a sector and determine which file it was part of.
Locating a sector
A very useful feature within a forensic analysis of a disk is to determine which file a certain sector belongs to. In the Log function, the search button can be used. This will indicate the file for a certain sector. This does include files that have been fragmented, though it only checks the first 64 fragments - it should be noted that not many files have typically more than a few fragments
Partially failed disks
When analysing disks there are often problems due the disk having partial failure, or a large number of unreadable sectors. The solution within CnW Recovery software is to create a disk image, but image may be made up in multiple sections. If an area of disk cannot be read, the image may be continued in a different area of the disk. The recovery routines will work with the compiled image and still recover files. There are also tools to assist in imaging just the directory area of a disk, and the failed disk can still be used a shadow drive for areas of the disk not actually imaged.
With raw file recovery, fragmented files are not recovered correctly. To overcome this problem, automatic file carving routines are being built into the program to process fragmented files, and assemble a valid working file. The process works by first extracting all known good files, and working on the unallocated space. Once a file start is found, then the unallocated space is searched for extra fragments
Certain features of the CnW Recovery program are only available when the forensic options package has been purchased.
The features that are only part of the forensic package include the following
- UDF disks, scanning of separate write sessions
- Hash values in the log
- Slack space recovery
- Disk scan - visual image of disk use
- Unerase of CD-RW disks
- Enhanced log of errors detected on recovery
- Reads system files such as $logfile $bitmap $boot $secure $MFT
- Reading Encase compatible EWF files, E01 etc