Forensic Question

A forum on data recovery using the professional data recovery software R-STUDIO.
boldt
Posts: 2
Joined: Fri Nov 05, 2010 7:01 pm

Forensic Question

Post by boldt » Fri Nov 05, 2010 7:21 pm

We have a situation that we are looking for advice on.

We have a drive that was "wiped clean" of all data before being returned to us. The good news is that we were able to use Rtools to recover a lot of this data.

The questions that we now have are:
1) Can we utilize any sort of imaging utility to first image the drive and then use rtools on the image to recover data/additional information? We typically use Ghost, but we are not sure if we can image the drive in such a way so that we can recover data from it? The thought here is that we want to leave the original drive "exactly" as it was provided to us.
If there is a specific method of using Ghost, or if there is a different utility that we should look into so that we can "clone" the drive so that we can recover data from this clone, that is what we are curious about.

2) Is there any way that we can determine when (day & time) that the files were deleted that we are able to recover? It appears that files were deleted, the recycle bin emptied, and then the laptop was returned. Identifying the specific time the files were deleted is now in question. Since this was a Windows XP box and file auditing was not enabled we are not sure how/if this metadata is available anywhere?
I see mention that there is a Forensic mode (in the technician version) that seems to create an audit log? Does this audit log contain this information?

Thank you in advance for any advice that you can provide!

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: Forensic Question

Post by Alt » Mon Nov 08, 2010 10:00 am

boldt wrote: 1) Can we utilize any sort of imaging utility to first image the drive and then use rtools on the image to recover data/additional information? We typically use Ghost, but we are not sure if we can image the drive in such a way so that we can recover data from it? The thought here is that we want to leave the original drive "exactly" as it was provided to us.
R-Studio can do that. See its online help, Images.
boldt wrote: 2) Is there any way that we can determine when (day & time) that the files were deleted that we are able to recover? It appears that files were deleted, the recycle bin emptied, and then the laptop was returned. Identifying the specific time the files were deleted is now in question. Since this was a Windows XP box and file auditing was not enabled we are not sure how/if this metadata is available anywhere?
No, R-Studio cannot show the time when a file has been deleted. I think investigating the Registry of that XP box will help with this question.
boldt wrote: I see mention that there is a Forensic mode (in the technician version) that seems to create an audit log? Does this audit log contain this information?
No, the log shows the names of recovered files and their hash functions, plus some additional info. You may read more about the audit log in the online help: Forensic Mode.

boldt
Posts: 2
Joined: Fri Nov 05, 2010 7:01 pm

Re: Forensic Question

Post by boldt » Mon Nov 08, 2010 12:50 pm

Thank you! Do you (or anyone) know how we might be able to determine a time/day when the files were deleted? I am unaware of anything in the registry that accounts for this.

Is there metadata on the file that was deleted itself that might provide insight? Like a modified date, accessed date, etc?

Thanks again!

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: Forensic Question

Post by Alt » Mon Nov 08, 2010 1:34 pm

I think that the "Last accessed" date/time for the RECYCLER folder is the date/time of deletion. You may see this item as "Accessed" in R-Studio.
