[Nottingham] Forensics problem
Paul Tew
binarybod at gmail.com
Tue Sep 14 18:36:54 UTC 2010
On Tue, 2010-09-14 at 16:50 +0100, James of the Family Moore wrote:
> deep sector forensic recovery tools like Stellar Phoenix look like
> the job here - these bypass the partition table and read each sector
> to a file on another drive as plain text. You'll end up with a
> fulltext-searchable set consisting of several hundred thousand files
> and several GB (approximately 7 times as much space required as the
> original drive, and about a week per 100GB to pull the data). Just
> make sure your power is stable and the drive is kept at a constant
> low temperature, this is intensive
This is pretty much what I do on a day-to-day basis. I have no problem
accessing the whole disk and carving the files out of there. Experience
tells me that I will only recover a fraction of the active files and,
what is worse, the hashes in a lot of cases won't match with the
extracted live files because the algorithms used to extract the files
are different. I can't easily reconcile the active files from the
deleted ones. I would much rather extract the unallocated sectors and
carve files from that alone.
> tedious stuff.
Hah! Do you know how many bars I have watched slowly progress from their
origin to that exciting phase of 90%+?
At least 20 a day for the last 6 years! I laugh in the face of tedium.
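
The following is an added example, not part of the original message: a Python sketch of the reconciliation problem described in the reply, where carving the whole disk produces copies of active files whose hashes do not match the file system's copies, while carving only unallocated sectors avoids the overlap. The in-memory image, the naive header/footer carver and the allocation map are all constructed assumptions.

```python
import hashlib

SECTOR = 512
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start-of-image / end-of-image

def sha1(data):
    return hashlib.sha1(data).hexdigest()

def pad(data):
    """Pad to a whole number of sectors, as file system allocation does."""
    return data + b"\x00" * (-len(data) % SECTOR)

def carve(blob):
    """Naive header/footer carver: each SOI up to the first EOI after it."""
    found, pos = [], 0
    while (start := blob.find(SOI, pos)) != -1:
        end = blob.find(EOI, start)
        if end == -1:
            break
        found.append(blob[start:end + len(EOI)])
        pos = end + len(EOI)
    return found

def unallocated(image, alloc):
    """Concatenate only the sectors the allocation map marks as free."""
    return b"".join(image[i * SECTOR:(i + 1) * SECTOR]
                    for i, used in enumerate(alloc) if not used)

def reconcile(carved, live_hashes):
    """Carved items whose hash matches no active file."""
    return [c for c in carved if sha1(c) not in live_hashes]

# Constructed sample data (not from a real disk).
THUMB = SOI + b"\xe0" + b"T" * 50 + EOI            # embedded thumbnail
LIVE = SOI + b"\xe0" + b"A" * 300 + THUMB + b"B" * 400 + EOI  # active file
DELETED = SOI + b"\xe0" + b"D" * 700 + EOI         # deleted file
IMAGE = pad(LIVE) + pad(DELETED)
ALLOC = [True, True, False, False]                 # hypothetical bitmap

if __name__ == "__main__":
    live_hashes = {sha1(LIVE)}
    whole = reconcile(carve(IMAGE), live_hashes)
    free = reconcile(carve(unallocated(IMAGE, ALLOC)), live_hashes)
    # The carver stops at the thumbnail's EOI, so the active file comes
    # back truncated and cannot be matched to its live hash.
    print("whole disk, unmatched sizes:", [len(c) for c in whole])
    print("unallocated only, unmatched sizes:", [len(c) for c in free])
```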