In message (e-mail address removed),
Does this ENCASE work on the HDD as is, or do you have to take things to
bits to do this sort of data recovery?
Surely the drive firmware (? or whatever it's called) will simply return the
most recent bit values written to the disk??
How do you get it to look at what 'used' to be there?? I've never really
understood the practicalities of data recovery at this level, only that it
could, somehow, be done...
I haven't seen the latest versions since I'm not in law enforcement.
The older versions of ENCASE would totally bypass the OS and just read
any drive sector by sector. Since the main purpose of ENCASE is to
build an airtight case against criminals, it reads a hard drive sector
by sector, bit by bit, which gets copied to the trained investigator's
linked computer so they can prove they didn't tamper with the actual
contents and "plant" evidence. The built-in viewers that are a main
part of ENCASE are impressive in what they can dig up and transform
back into human readable form.
The first time I saw all it could dig out I was rather impressed. Even
with files written over by so-called wipe utilities, ENCASE still often
found enough of the file and put it back together so you knew what it
was. Probably even better now since 9/11, an amazingly clever bit of
software, if the government don't abuse it. I think it costs about
$1495 now.
Do a Google on 'file slack' and security to learn more on how some of
what ENCASE does works.
In short, file slack is a fruitful and interesting environment to
snoop in. Defined, this is the total number of bytes written to a hard
drive's sectors between the actual end of "real" file data and the
virtual end of the cluster used. For example, when you write a 600 byte
file, all versions of Windows need to fill out the cluster, whose
common sizes are 512, 1024, 2048 bytes respectively.
File slack can literally be made up of anything: scraps of your files,
something that was in a memory page, just garbage, anything. Worse,
since Windows is a natural blabbermouth, it journalizes just about
everything you do and remembers. Applications like ENCASE know where
to look.
Hint: Just because you "delete" a file, even overwrite it, doesn't
mean that was the only time either all or part of that deleted or
overwritten file was ever in a memory buffer in its pristine pre-wipe
form, and it may have been, and often will be, used as file slack. If any
bit of any file remains on a hard drive, and the hard drive can be read
sector by sector, then even if you reformat, delete a partition, wipe
files, whatever you think you do as a security measure, some applications
can bring back the dead, often very easily. ;-)