±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 3 Overall: 35628
New Yesterday: 2 Visitors: 152

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Recover data from formatted drive/floppy

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3  Next 
  

hezry79
Newbie
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 10:35

thank you...that help much.
_________________
 
 
  

hezry79
Newbie
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 10:40

i have one little question...

for Encase, at the first time I Acquire the floppy, the message appear like below :

a write lock could not be placed on drive A. The drive contents may change during this process. Continue?

what does this mean?...does this mean I cannot proceed because if I proceed the data will change?..or is this a bad habbit for a forensic guy?...normally for testing I just click Continue...
_________________
 
 
  

andy1500mac
Senior Member
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 11:57

I am not overly familiar with Encase; other members of the forum would be able to help with specific inquiries. However one of the cardinal rules in this field is not to alter the original media if at all possible

You would normally take a checksum or hash value of the source drive (ex: md5) image it and then ensure they the same by checking the hash value of the image against the original. There are hardware write blocking devices available on the market that are attached to the source drives to prevent any writes to them. I know Winhex forensics does not allow data to be written to the source drive by using software blockers but I believe most in the field couple this with a hardware one to be sure..?

In respect to the error you are getting…it is just Encase telling you that it cannot write protect the drive and it MAY be altered during the acquisition. Although I haven’t tested myself on floppies you can just use the write protect notch on the disk itself. I am not 100% sure whether this fully protects it during an acquisition…

Andrew-  

Last edited by andy1500mac on Jul 23, 05 13:18; edited 1 time in total
 
  

andy1500mac
Senior Member
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 12:04

hezry...I should also add that I am pretty new in the field therefore my knowledge is certainly lacking in many respect.

If you are interested in the field this is a good resource and many of the older discussions contain a wealth of info as well.

Andrew-  
 
  

hezry79
Newbie
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 12:30

thank you....you help me a lot
_________________
 
 
  

akaplan0qw9
Senior Member
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 17:12

Dear Hezry,

As a WinHex user, you have a wonderful tool located at TOOLS-> DISK TOOLS-> FILE RECOVERY BY TYPE. You will find about 54 specific headers available for use in data carving. In addition, it is very easy to permanently add more headers to that database if you know of a file type that was missed by X-Ways and know (or can determine) the header. In addition it lets you set the depth and the general location of your data carving. It even gives you the option of sorting your "take" into seperate file folders. All DOC in one folder, all JPG in another, etc.
_________________
Alan M. Kaplan, ACE
Nevada PI License #220
AKaplan @ LasVegasPI.com 
 
  

hezry79
Newbie
 

Re: Recover data from formatted drive/floppy

Post Posted: Jul 23, 05 18:14

thank you...but which one is most forensic used between xways and winhex? for my view both are same i think.
_________________
 
 

Page 2 of 3
Page Previous  1, 2, 3  Next