Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive.

The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research , foremost has been opened to the general public.

You can download the latest version here:

foremost-1.5.tar.gz

Or read more here.

Handy Recovery is pretty neat software, there is occasions when I’m using Windows and I need to recover something or I’ve deleted something by mistake (I have a habit of using SHIFT+DEL so it’s not even in the recycle bin.

I usually use Active Undelete and was pretty happy with it, I got a chance to try out this software though and looked pretty cool.

I have to say I do prefer Handy Recovery to Active Undelete, it’s faster, small (Only 876kb including installer) and the best part is it gives an actual probability of data recovery for each file.

Plus it has a pretty neat filter/search system for finding specific files if you don’t know their location. The program supports FAT 12/16/32, NTFS and NTFS 5 + EFS file systems. This tool can recover files from deleted and formatted partitions or create disk images for deferred recovery. It shows probability of successful recovery for each file and features in-depth disk scanning for certain file types. According to Microsoft, Handy Recovery turned out to be among the first 100 applications that have earned the “Certified for Windows Vista” logo.

The Interface is nice and simple and it runs through the analysis stage pretty quickly, it’s very easy to recover files (recommended to recover to a different partition to reduce chances of permanent data loss) and just takes a couple of clicks.

The trial version is limited to recover 1 file per day and can be download here:

Handy Recovery

There is also a freeware ‘lite’ version here:

Handy Recovery Lite

System Requirements

Windows 95/98/NT/2000/ME/XP/Vista
File systems: FAT12/16/32 or NTFS/NTFS 5.

You can purchase Handy Recovery here:

Order Handy Recovery

It’s pretty reasonably priced at $39US for 1-4 copies with discounts if you buy 5 or more.

Data recovery is an important subject and it’s definitely a good thing to have a positive understanding of data recovery and how it could effort you personally or your business.

So someone told me about this Data recovery article which is a decent original reference to data recovery which contains some good original information, links to other similar resources, free data recovery downloads and an explanation of the main parts involved.

Definition: Data recovery is the salvaging of data originally stored on media such as magnetic disks and tapes and which has become corrupt or inaccessible.

The sidebar is pretty useful on the Data recovery article so do check it out, it has software, services and links to more information on industry standard sites like Wikipedia.

It also has related articles and related companies like OnTrack.

The article also covers some basic parts of forensics, like how when an item is deleted it’s not actually gone, just the marker in the file allocation table is removed.

Can erased data be recovered?

Yes, usually. When you delete a file the file is not actually deleted. It’s just the entry in the index pointing to the file’s actual location that is deleted. The file itself is left untouched but subsequent work you do on the PC could overwrite the location where the file was so it’s important to minimise any amateur attempts at data recovery.

This is something we’ve stressed many times at Darknet as any old $29.95 undelete tool can recover these files easily.

The important part of the article is the part about what mistakes you can make, this is crucial if you wish to save your data integrity in case of a failure.

I do find the design of the page a little plain (it looks like something designed in 1997) and the pink and light blue colour scheme jars my eyes a little.

The info is laid out clearly though and the site is easy to navigate, which is a good thing.

You can read more about Data Recovery at Wiki here.

An interesting speculative post on the forensics techniques that would most likely be used by the FBI during the investigation of the recovered Veteran’s Administration laptop.

Most of them are pretty straight forwards if you have any kind of experience with digital forensics and data recovery (disaster recovery, incident response etc.)

As a former Computer Forensic Specialist, I wanted to explain what’s probably going on with this laptop now that the FBI has the system and is forensically examining it. This explanation assumes the data was present on the hard drive (not a CD-Rom or other storage medium).

The two main areas cover physical examination and digital examination, physical would be looking for fingerprints and looking for evidence of tampering (screw heads, case scratches etc.).

A little discussion on MAC times and so on, if anyone is interested in this area, I might elaborate later.

As I said in the previous article, there isn’t much they can do if someone knew what they were doing.

The laptop thieves really know what they are doing. They remove the hard drive from the laptop, and mount it read-only (no modifications to the file system) on another computer, access the sensitive data and re-insert the hard drive into the stolen laptop. This is the same process the forensic examiner would use to prevent the examination from modifying the data contained on the laptop — and this is why I mentioned what the FBI might look for during the physical examination — marks on the screws or finger prints on the internal hard drive casing.

Indeed.

Source: Zonelabs

Ah, so finally they got it back, from a street corner of all places.

Let’s hope they shall be a little more careful in the future yah?

The missing laptop and hard drive that contained veterans’ personal information has been found, Veterans Administration Chief Jim Nicholson announced Thursday.

The announcement came at the beginning of a hearing before the House Veterans’ Affairs Committee hearing.

“It was confirmed to me by the deputy attorney general that law enforcement has in their possession the … laptop and hard drive,” Nicholson said in a statement at the hearing. “The serial numbers match.”

Of course the FBI will roll out it’s forensics experts to testify the data has not been accessed, but let’s face it, how hard is it to mount the drive read only and clone it?

Not very right..

Experts were conducting forensic tests on the laptop and hard drive, Nicholson said. It was not immediately clear if the data on the equipment had been copied or compromised, but Nicholson said “there is reason to be optimistic.”

He did not say how the equipment was recovered, on where it’s been during the past two months. The equipment was found Wednesday; Nicholson said he wasn’t aware of any arrests made in connection with the incident.

An FBI spokesman said the laptop computer was recovered “in the area,” but could not provide more specific information. Forensics tests showed “the sensitive files were not accessed,” according to special agent in charge Bill Chase.

We’ll look at the forensics techniques in more depth later.

Source: MSNBC