Data recovery & evidence gathering


  • The purpose of the data recovery process is to recover as much information from the device as possible.
  • Data recovery may be applied to
    • Password recovery
    • File corruption
    • Data loss (deleted data / damaged hard drive)
  • Each of these incidents may result in some form of data loss
  • Password
    Something that we may forget
  • Password recovery
    1. Recovery software recovers a password by brute force: it continuously tries different combinations of characters until one matches
    2. Looking into where the passwords are stored and attempting to read them
    3. Resetting the password
  • File corruption
    When a file is corrupted, it often cannot be opened, or the information in it cannot be accessed
  • What happens to data deleted
    1. The computer only deletes the index or pointer to the file; it does not delete the actual data or content
    2. The computer makes no effort to preserve the file's contents after that
    3. If it requires more space on the hard drive, it simply overwrites the file's blocks
  • Reasons for data recovery
    • Data loss is something that can happen to any of us for as long as we have stored something electronically
    • Data may be deleted accidentally or intentionally
    • The hard drive may crash or be damaged
    • Someone may empty your recycle bin
  • Data recovery techniques and evidence gathering
    • Used to gather and protect evidence from a computer that can be presented as admissible evidence in the courts of law
    • Cyber criminals in trying to hide their tracks may intentionally delete the data from the hard drive or digital device, hence hiding evidence which may be crucial in the courts of law
  • Forensic techniques help to solve cyber crimes and crimes that are not necessarily computer-related
  • The process of recovering data is in fact evidence gathering
  • What happens to data deleted
    1. It is just marked as free space until something overwrites it
    2. Open source software such as TestDisk can attempt to repair underlying problems with the drive
    3. Data specialists may use a clean room or special machines to rebuild the bad sectors from which data was lost
  • It is not however possible to recover the data in all cases
  • Overwritten data cannot be recovered
  • Data carving
    The process by which engineers recover damaged data using special techniques and knowledge of data structures
  • Each data loss scenario is different and thus the time taken to recover the data can vary greatly
  • Time taken to recover depends on
    • Hardware
    • Type of failure
    • The volume of data
  • Main causes of data loss
    • Viruses (7%)
    • Natural disasters (3%)
    • Software Malfunction (14%)
    • Human error (32%)
    • Hardware failure (44%)
  • Types of hard drives
    • Hard disk drives (HDD)
    • Solid state drives (SSD)
  • Physical damage to HDD
    • Head crashes, failed motors
    • Indicators: clicking, beeping or scratching noises
    • Recovery technique: Replace damaged parts in a class 100 cleanroom (dust-free environment)
  • Logical damage to HDD
    • MFT corruption, corrupted partitions, file system or media errors, overwritten data
    • Indicators: damaged logical structures
    • Recovery technique: Repair logical structures via data recovery software
  • Four phases of data recovery
    • Repair the hard drive
    • Image the drive
    • Logical recovery of files
    • Repair damaged files
  • Repair the hard drive
    Assess which part of the drive is damaged, if any, then attempt to image the drive
  • Image the drive
    This can take 30 minutes, a day or more. Once the image has been taken, the engineers can work on the copy without further damage to the data
  • Time taken to image the drive depends on damage, capacity of the drive and device type
  • Logical recovery of files
    Engineers work with the image to do a logical recovery of the files, MBR (Master boot record) and the MFT (the master file table). Sometimes they use specialized software to recover damaged data
  • Repair damaged files that were retrieved
    Once the data has been recovered using all means possible, it is repaired to its original format and then transferred to a storage device
  • Each data recovery scenario is different and thus recovery time may vary accordingly
  • SSD vs HDD recovery
    Recovering data from a solid state drive is more difficult than from a hard disk drive
  • SSD
    • Made from electronic components; contains no mechanical parts
    • Gives little warning before it fails
    • The physical location where data is stored is always changing
    • Comes with the TRIM feature, which automatically clears deleted data
  • There is still less systematic knowledge about data recovery on SSD than HDD