Forensic Question
Posted: Fri Nov 05, 2010 7:21 pm
We have a situation that we are looking for advice on.
We have a drive that was "wiped clean" of all data before being returned to us. The good news is that we were able to use Rtools to recover a lot of this data.
The questions that we now have are:
1) Can we utilize any sort of imaging utility to first image the drive and then use rtools on the image to recover data/additional information? We typically use Ghost, but we are not sure if we can image the drive in such a way so that we can recover data from it? The thought here is that we want to leave the original drive "exactly" as it was provided to us.
If there is a specific method of using Ghost, or if there is a different utility that we should look into so that we can "clone" the drive so that we can recover data from this clone, that is what we are curious about.
2) Is there any way that we can determine when (day & time) the files that we are able to recover were deleted? It appears that files were deleted, the recycle bin emptied, and then the laptop was returned. Identifying the specific time the files were deleted is now in question. Since this was a Windows XP box and file auditing was not enabled, we are not sure how/if this metadata is available anywhere?
I see mention that there is a Forensic mode (in the technician version) that seems to create an audit log? Does this audit log contain this information?
Thank you in advance for any advice that you can provide!