Search Disk

Search disk for a string

As part of the forensic option the disk may be scanned to find any instance of any number of specified strings.

The scan is part of the Carving function and so can be performed while carving an image of the disk. Each time a match is found, it is logged in the ‘Search in Files’ log, along with the sector number where it was found.

When the scan is done in cluster mode with NTFS compression enabled, compressed clusters are expanded and examined as well. This is not possible when a straight disk image is scanned sector by sector, because the compressed data on disk does not contain the string as plain bytes.

How reliable is the search? Any search of raw sectors is limited for several reasons, chiefly file fragmentation and the internal structure of files. Both are expanded on below.

Searching fragmented files
If a file is fragmented, the only completely reliable way to search it for a string is to reconstruct the file. Searching the raw disk is nevertheless fairly reliable, because clusters are typically much longer than the search string. If the search string was “Big elephants in africa” (23 bytes), there is about a 0.5% chance (22/4096) that it spans a 4K cluster boundary, and it will be missed if that boundary is also a fragment boundary, since the two halves are then not adjacent on disk. The shorter the string and the larger the cluster, the higher the likely hit rate. At the same time, the shorter the string, the more likely it is to match something other than the item required, i.e. a false positive.

Structure of files
The raw sector search takes no account of file structure. Thus if the string being searched for is inside a compressed Zip file, a sector search will not find it. Many programs use internal compression, which gives the same problem. A more subtle problem is that some programs, such as Word, save changes to text as pointers. In this case the original text is stored sequentially, but a change to it is stored elsewhere. If the name Micheal was later corrected, then Michael would not be found as a string: the disk holds only Micheal plus a pointer to the ‘ae’.
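The three points above (matches logged by sector number, a string lost across a fragment boundary unless the file is reconstructed, and a string hidden inside compressed data until it is expanded) can be seen in the following added example. It is illustration code written for this page, not CnW Recovery's own code; the 64 KiB image, its 4K clusters, the cluster run lists and the files placed in it are all constructed here for the demonstration, and `scan_raw`, `reconstruct`, `straddle_probability`, `build_image` and `demo` are names chosen for the example.

```python
# Added example, not CnW Recovery code: a raw-sector keyword scanner run over
# a constructed disk image. It shows matches logged by sector number, a string
# missed when its cluster boundary is also a fragment boundary, and a string
# invisible inside compressed data until that data is expanded.
import io
import zlib

SECTOR = 512
CLUSTER = 4096                      # 8 sectors per cluster, a typical NTFS setting
KEYWORD = b"Big elephants in africa"
NAME = b"Michael"


def scan_raw(fobj, keywords, sector_size=SECTOR, chunk_sectors=2048):
    """Yield (keyword, sector_number) for every occurrence in a raw stream.

    Reads in chunks and carries over the last (longest keyword - 1) bytes so a
    keyword straddling two physically adjacent reads is still found. A raw scan
    therefore only misses keywords whose halves are not adjacent on disk
    (a fragment boundary) or which are not stored as plain bytes (compression).
    """
    longest = max(len(k) for k in keywords)
    tail, tail_start = b"", 0       # carried bytes and their absolute offset
    while True:
        data = fobj.read(sector_size * chunk_sectors)
        if not data:
            return
        buf, buf_start = tail + data, tail_start
        for kw in keywords:
            i = buf.find(kw)
            while i >= 0:
                # Matches lying entirely inside the carried tail were already
                # reported from the previous chunk; report every other match once.
                if i + len(kw) > len(tail):
                    yield kw, (buf_start + i) // sector_size
                i = buf.find(kw, i + 1)
        keep = longest - 1
        tail = buf[-keep:] if keep else b""
        tail_start = buf_start + len(buf) - len(tail)


def reconstruct(image, runs):
    """Rebuild a file from its run list (physical cluster numbers in logical order)."""
    return b"".join(image[p * CLUSTER:(p + 1) * CLUSTER] for p in runs)


def straddle_probability(keyword_len, cluster_size=CLUSTER):
    """Chance that a keyword at a random offset crosses a cluster boundary:
    (len - 1) / cluster, the ~0.5% figure for a 23-byte string and 4K clusters.
    It becomes a real miss only when that boundary is also a fragment boundary."""
    return (keyword_len - 1) / cluster_size


def build_image():
    """Constructed 64 KiB image: 16 clusters, all zeros except three sample files."""
    img = bytearray(16 * CLUSTER)
    # KEYWORD is placed so that 'Big e' ends one cluster and 'lephants...' starts the next.
    text = b"x" * (CLUSTER - 5) + KEYWORD + b"y" * 100
    files = {"frag": [2, 9], "contig": [4, 5]}   # constructed physical cluster runs
    for runs in files.values():
        for lcn, pcn in enumerate(runs):
            piece = text[lcn * CLUSTER:(lcn + 1) * CLUSTER]
            img[pcn * CLUSTER:pcn * CLUSTER + len(piece)] = piece
    # A compressed file: the words are in it, but not as plain bytes on disk.
    comp = zlib.compress((NAME + b" went to see the " + KEYWORD + b". ") * 4)
    img[12 * CLUSTER:12 * CLUSTER + len(comp)] = comp
    files["zip"] = [12]
    return bytes(img), files, len(comp)


def demo(chunk_sectors=8):
    """Scan the image one cluster per read and compare with file reconstruction."""
    img, files, comp_len = build_image()
    raw_hits = list(scan_raw(io.BytesIO(img), [KEYWORD, NAME], chunk_sectors=chunk_sectors))
    per_cluster = CLUSTER // SECTOR
    frag_file = reconstruct(img, files["frag"])
    zip_file = zlib.decompress(reconstruct(img, files["zip"])[:comp_len])
    return {
        "raw_hits": raw_hits,                       # only the contiguous copy: [(KEYWORD, 39)]
        "contig_hit_raw": any(s // per_cluster in files["contig"] for _, s in raw_hits),
        "frag_hit_raw": any(s // per_cluster in files["frag"] for _, s in raw_hits),
        "frag_hit_reconstructed": KEYWORD in frag_file,
        "zip_hit_raw": any(s // per_cluster in files["zip"] for _, s in raw_hits),
        "zip_hit_expanded": KEYWORD in zip_file and NAME in zip_file,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The contiguous copy is found at sector 39 even though it crosses a cluster boundary, because the next cluster is physically adjacent; the fragmented copy is only found after `reconstruct` joins its run list, and the compressed copy only after `zlib.decompress`. The overlap carried between reads is what makes the sector count of each read irrelevant to the result, so the same hits come back whether the scan reads one sector or a megabyte at a time.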

Searching compressed NTFS
To ensure that strings are found on a disk that has NTFS compression enabled, it is essential to configure the program to read in cluster mode and expand the clusters. This is a standard feature of CnW Recovery software, helping to make it a very powerful recovery and investigation program.

Forensic Report

The forensic report has a section on keywords. It gives a summary for each keyword: the number of times it has been found and the number of files it has been found in.