Client Side Caching -Recovery

rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hi Folks,

I'm currently working on a case in which the suspect's hard drive has been deliberately overwritten using a hard drive image. We believe that the suspects had been using Offline Folders and that material may exist within the CSC folders that may be important to the investigation.

I have tried conventional methods to image the drive and have examined the drive using WinHex but with no luck in locating any of the original folders. Is there a file signature I can search for that may help us to identify the files?

Has anyone attempted to do this kind of investigation before and have any advice that may help us resolve this issue or is it unlikely that we will be able to recover the data?

Many thanks in advance

Richard

 
Posted : 02/11/2011 2:14 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

When you write "the suspects [sic] hard drive has been deliberty [sic] overwritten using a hard drive image", are you saying that the suspect's HDD was byte-by-byte over-written?

Is the actual suspect's HDD capacity larger than the over-writing image?

 
Posted : 02/11/2011 3:52 pm
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hi Jhup,

Thank you for responding so quickly. The suspect is a technician and used a Ghost image to overwrite the hard drive. I'm not sure whether this is a byte-for-byte process or not.

I'm also not sure which image was used, or the size of the image vs. the physical capacity of the hard drive.

Richard

 
Posted : 02/11/2011 4:03 pm
(@paul206)
Posts: 70
Trusted Member
 

The old Ghost 2003 would overlay the entire partition with a new one. It was less like a bit-for-bit copy and more like a reformat. I have successfully recovered data from a hard drive that was accidentally re-imaged by using GetDataBack by Runtime Software. It is very good at recovering data from earlier partitions. You will not get 100% recovery, but on a good day you can get 70-80%, which isn't bad for a drive that has been reformatted. I cannot speak to the newer versions of Ghost, which I believe use a different method than the old one, but it is worth a try if the data is important enough.

 
Posted : 03/11/2011 10:32 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

It should be trivial to check if the current disk partitioning fills up the physical drive.

If there is now unpartitioned space on the drive, then this might be an indication that the new disk image was smaller than the original content of the disk, and you might be able to get something back.

Ghost doesn't do a bit-for-bit copy of the whole drive or partition by default. It only copies the portion of the disk that has files allocated on it.

So after restoring a different (smaller) image there might be some files, or partial files left in the file system.

But Ghost can also do a raw image (e.g. for encrypted drives without a file system). You can use the "IR" switch in Ghost for this.

"IR The Image Raw switch copies the entire disk, ignoring the partition table. This is useful when a disk does not contain a partition table in the standard PC format, or you do not want partitions to be realigned to track boundaries on the destination disk. Some operating systems may not be able to access unaligned partitions. Partitions cannot be resized during restore and you need an identical or larger disk."

So you really need more details of what was done before you can work out what can be recovered (if anything).

 
Posted : 04/11/2011 1:33 am
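The partition-vs-physical-size check suggested above, as an added example that is not part of the thread: it reads sector 0 of a raw (dd-style) image, parses the four primary MBR entries, and reports how many sectors lie beyond the last partition. The sample MBR and disk size are constructed for the demo; the entry layout is the standard 16-byte MBR partition record, and a 0xEE entry is flagged because a GPT disk must be read from its GPT header instead.

```python
# Added example, not from the thread: check whether the MBR partition
# table of a raw disk image accounts for the whole physical size. Any
# tail beyond the last partition was not touched by a partition-level
# Ghost restore and is where remnants of a larger original may sit.
# The sample MBR below is constructed for the demo.
import os
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr_partitions(mbr: bytes):
    """Return [(type, lba_start, sector_count)] for the used primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA signature; not an MBR")
    parts = []
    for i in range(4):
        _status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype and count:
            parts.append((ptype, lba, count))
    return parts


def partition_report(mbr: bytes, total_bytes: int):
    """Compare partition extents with the physical size of the disk/image."""
    parts = parse_mbr_partitions(mbr)
    total = total_bytes // SECTOR
    last_end = max((lba + count for _, lba, count in parts), default=1)
    return {
        "partitions": parts,
        "total_sectors": total,
        "last_partition_end": last_end,
        "unpartitioned_sectors": max(total - last_end, 0),
        # 0xEE is a GPT protective entry: read the GPT header instead of trusting this.
        "gpt_protective": any(p[0] == 0xEE for p in parts),
    }


def report_image_file(path: str):
    """Run the check on a raw image without loading it into memory."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    return partition_report(mbr, os.path.getsize(path))


def build_sample_mbr(entries):
    """Constructed MBR with the given (type, lba, count) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # Constructed case: a 4096-sector disk whose restored NTFS (0x07)
    # partition starts at LBA 63 and spans only 2000 sectors.
    r = partition_report(build_sample_mbr([(0x07, 63, 2000)]), 4096 * SECTOR)
    print(f"{r['unpartitioned_sectors']} sectors beyond the last partition")
```

On a real case, `report_image_file("/path/to/suspect.dd")` gives the same dictionary; a non-zero `unpartitioned_sectors` is the tail worth carving, and a logical partition inside an extended (0x05/0x0F) entry is still covered because the extended entry's own extent is what is compared.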
Bobbynyc
(@bobbynyc)
Posts: 22
Eminent Member
 

Couldn't you just do a few keyword searches for what you're looking for to see if you get hits in slack space or unallocated space?

If the image that overwrote the original was smaller, then you might or might not get the files overwritten, depending on where on the disk they were placed, right?

So if the 2nd image is smaller than the first and you're lucky enough that it was outside of the 2nd image, you would start getting hits in unallocated space. Once you get the hits in unallocated space, just by looking at the hit you will start to see if the rest of the stuff is around it. Then you can expand your search in that area and start carving out for file signatures within unallocated.

Now if the original image was overwritten with a 2nd image, and files from the 2nd image were dropped in place of the original files you're looking for, you would be stuck with the common overwritten file and be stuck with what is left in slack space, assuming the software that did this does not zero out the slack space for some reason. At that point you would have to jump from sector to sector after a keyword hit to see if the other parts of the file were showing up in slack space of the following sectors.

 
Posted : 04/11/2011 2:11 am
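The keyword-then-carve approach described above, as an added example that is not part of the thread: a constructed 64 KiB "disk" holds a JPEG-like and a PDF-like file that both mention a case keyword; a smaller image is then overlaid on the front of the disk (a simplification of the restore, which the thread says only writes the new image's data), and the raw image is keyword-searched. For each hit the nearest known header before it and footer after it are located and the file is carved. The keyword, files, sizes and the two-entry signature table are all assumptions made for the demo.

```python
# Added example, not from the thread: simulate a disk whose front was
# overwritten by a smaller restore, then keyword-search the whole raw
# image and carve by signature around each hit. Disk, files, keyword
# and signature table are constructed for the demo.
SECTOR = 512
KEYWORD = b"Project Falcon"  # constructed case keyword

# header/footer pairs used for the carve (a real run would use a fuller table)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def build_original_disk(size=64 * 1024) -> bytes:
    """Constructed original disk: a JPEG-like file at sector 20 and a
    PDF-like file at sector 100, each mentioning KEYWORD."""
    disk = bytearray(size)
    jpg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"comment: " + KEYWORD
           + b" photo" + b"\xff\xd9")
    pdf = b"%PDF-1.4\n1 0 obj << /Title (" + KEYWORD + b" plan) >> endobj\n%%EOF"
    disk[20 * SECTOR:20 * SECTOR + len(jpg)] = jpg
    disk[100 * SECTOR:100 * SECTOR + len(pdf)] = pdf
    return bytes(disk)


def ghost_restore(disk: bytes, image: bytes) -> bytes:
    """Overlay a smaller restored image at the start of the disk; anything
    past the image's end is left as it was (the tail the thread hopes for)."""
    out = bytearray(disk)
    out[:len(image)] = image
    return bytes(out)


def keyword_hits(disk: bytes, keyword: bytes):
    """Byte offsets of every keyword occurrence across the raw image."""
    hits, i = [], disk.find(keyword)
    while i != -1:
        hits.append(i)
        i = disk.find(keyword, i + 1)
    return hits


def carve_around(disk: bytes, hit: int, window: int = 4096):
    """Find the nearest known header before the hit and the matching footer
    after it; return (kind, start, end, data) or None if no pair is found."""
    lo = max(0, hit - window)
    for kind, (head, foot) in SIGNATURES.items():
        start = disk.rfind(head, lo, hit)
        if start == -1:
            continue
        end = disk.find(foot, hit, hit + window)
        if end == -1:
            continue
        end += len(foot)
        return kind, start, end, disk[start:end]
    return None


def recover(disk: bytes, keyword: bytes = KEYWORD):
    """Keyword hits with the file carved around each, plus its sector number."""
    return [{"hit": h, "sector": h // SECTOR, "carved": carve_around(disk, h)}
            for h in keyword_hits(disk, keyword)]


if __name__ == "__main__":
    original = build_original_disk()
    # A 40 KiB restore covers sector 20 (JPEG lost) but not sector 100 (PDF survives).
    after = ghost_restore(original, b"\x55" * (40 * 1024))
    for r in recover(after):
        kind, start, end, _ = r["carved"]
        print(f"hit in sector {r['sector']}: carved {kind} from offset {start} to {end}")
```

Against a real image, read the file in chunks (or `mmap` it) and overlap chunks by the keyword length so a hit straddling a chunk boundary is not missed; a hit whose header or footer fall in an overwritten region comes back with `carved` set to `None`, which is the sector-by-sector slack inspection case the post ends with.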
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Thanks Bobby, that sounds like a great idea. Thank you to everyone that contributed to this question; I'm most grateful to you.

Kind regards

Richard

 
Posted : 18/11/2011 6:10 pm