±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 36105
New Yesterday: 7 Visitors: 112

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Client Side Caching -Recovery

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts


Client Side Caching -Recovery

Post Posted: Nov 02, 11 15:14

Hi Folks,

I'm currently working on a case in which the suspects hard drive has been deliberty overwritten using a hard drive image. We believe that the suspects had been using Offline Folders and that material may exist within the CSC folders that may be important to the investigation.

I have tried conventional methods to image the drive and have examined the drive using WinHex but with no luck in locating any of the original folders. Is there a file signature I can search for that may help us to identify the files?

Has anyone attempted to do this kind of investigation before and have any advice that may help us resolve this issue or is it unlikely that we will be able to recover the data?

Many thanks in advance


Senior Member

Re: Client Side Caching -Recovery

Post Posted: Nov 02, 11 16:52

When you write "the suspects [sic] hard drive has been deliberty [sic] overwritten using a hard drive image", are you saying that the suspect's HDD was byte-by-byte over-written?

Is the actual suspect's HDD capacity larger than the over-writing image?  


Re: Client Side Caching -Recovery

Post Posted: Nov 02, 11 17:03

Hi Jhup,

Thank you for responding so quickly. The suspect is a technician and used a ghost image to overwrite the hard drive. I'm not sure if this is a byte for byte process or not?

I'm also not sure which image was used or the size of the image vs the physical capacity of the hard drive


Senior Member

Re: Client Side Caching -Recovery

Post Posted: Nov 03, 11 23:32

The old Ghost 2003 would overlay the entire partition with a new one. It was less like a bit for bit and more like a reformat. I have successfully recovered data from a hard drive that was accidentally re-imaged by using Get Data Back by Runtime Software. It is very good at recovering data from earlier partitions. You will not get 100% recovery but on a good day you can get 70-80% which isn't bad for a drive that has been reformatted. I cannot speak to the newer versions of Ghost which I believe use a different method that the old one but it is worth a try if the data is important enough.  

Senior Member

Re: Client Side Caching -Recovery

Post Posted: Nov 04, 11 02:33

I should be trivial to check if the current disk partitioning fills up the physical drive.

If there is now unpartitioned space on the drive, then this might be an indication that the new disk image was smaller than the original content of the disk, and you might be able to get something back.

Ghost doesn't do a bit for bit copy of the whole drive or partition by default. It only copies the portion of the disk that has files allocated on it.

So after restoring a different (smaller) image there might be some files, or partial files left in the file system.

But Ghost can also do a raw image (e.g. for encrypted drives without a file system). You can use the "IR" switch in Ghost for this.

"IR: The Image Raw switch copies the entire disk, ignoring the partition table. This is useful when a disk does not contain a partition table in the standard PC format, or you do not want partitions to be realigned to track boundaries on the destination disk. Some operating systems may not be able to access unaligned partitions. Partitions cannot be resized during restore and you need an identical or larger disk."

So you really need more details of what was done before you can work out what can be recovered (if anything).  


Re: Client Side Caching -Recovery

Post Posted: Nov 04, 11 03:11

Couldn't you just do a few keyword searches for what your looking for to see if you get hits in slack space or unallocated space ?

If the image that over wrote the original was smaller then you might or might not get the files over written depending where on the disk they are placed right.

So if the 2nd image is smaller then the first and your lucky enough it was on outside of the 2nd image you would start getting hits in unallocated space. Once you get the hits in unallocated space, just by looking at the hit you will start to see if the rest of the stuff is around it. Then you can expand your search in that area and start carving out for file signatures within unallocated.

Now if the original image was over written with a 2nd image, files from the 2nd image where dropping in place of the original files your looking for you would be stuck with the common over written file and be stuck with what is left in slack space, assuming the software that did this does not zero out the slack space for some reason. At that point you would have to now jump from sector to sector after a keyword hit to see if the other parts of the file were showing up in slack space of the following sectors.  


Re: Client Side Caching -Recovery

Post Posted: Nov 18, 11 19:10

Thanks Bobby, that sounds a great idea. Thank you to everyone that contributed to this question, I'm most grateful to you.

Kind regards


Page 1 of 1