Forensics

buyer
OK, I get a call today about an employee who has been viewing porno during working hours. They wanted me to come down and get some evidence in case it went legal. The guy deleted most everything that he could (left a few log files around but for the most part deleted everything). At that point I broke out a copy of Hex Workshop, installed it, and proceeded to look for the deleted files. My question is 1: How do you go about looking for the deleted files? I think they are the ones with the .lnk extension but I could be wrong. The second question is: how do I restore these files? If there is a better hex editor out there (that is as easy to use, that is) then please let me know. I also don't care about the legal issues that are involved with this (I already know about that part), we just want the files. Thanks.


Author

Commented:
Oh yeah. The system is a Windows NT system with NTFS.

Commented:
Hello,
-Use an undelete utility..  Here is a list of several of them...

http://www.google.ca/search?q=NT+undelete+files&ie=UTF-8&oe=UTF-8&hl=en&meta=

File Rescue seems great because you get a 30-day fully functional copy to evaluate..

http://www.file-rescue.com/

Commented:
Hello,

First, I would try to make an image of that disk and do all the work on the copy that you created. Keep the original in a pristine state as much as you can. Even a read of the files will change the last access time.

Then you need some tools that can read the data from disk no matter what's on the disk.
I can think of a program like GetDataBack ( www.runtime.org ) that can go through all the pointers in all the blocks on your disk and reconstitute all the links between them, making the files ready for recovery.
So use something like this (I'm not saying that this is the only one, but I have used it a few times and it works fine) and look for all the files that you can recover from the temp folder and cookies.

Also you might cross-check the use of his computer and Internet connection in your proxy, in the DHCP server.

I also suggest that in the future you make a list (or use a proxy, or config your firewall) to block access to specific sites.
Not that this will deter the users from looking for porn, but it will make it harder for them and will expose your company less to this sort of thing.

Mishou

Author

Commented:
The reason I'm using Hex Workshop was because it's free. The job I'm at right now doesn't spend money on a lot of tools. That's why I have to know how to do it with an editor. Hence the 2 questions above. All those look like good tools but unfortunately I can't get the money. You know. I know you can do it from a hex editor because I sat through a forensics demo once. Probably should have stayed awake.

Commented:
I'm not sure if this is exactly what you need, but Restorer2000 has a free download version that recovers deleted files and is supposed to be really easy to use.

http://www.bitmart.net/download.shtml

Commented:
C'mon buyer, GetDataBack is $130 US.
The other tools mentioned by Housenet cost in the same range (some are free or offered as a full-featured trial for 14 days maybe). The company wants to fire him and be covered from a legal point of view but doesn't buy a recovery tool? 1 hour in legal fees costs more than that.

You can do it from Hex Workshop, but unless there is an option (or function in it) you will have to go through all the blocks on the disk, look at the link on each one to where it is pointing for the next data, and so on.

Considering that based on this recovery work the guy will be fired, and considering that it will take some time to recover a few files, I think that the company will end up paying more for your time than what the software to do this would have cost.

If they want to be covered for legal actions then they should use a tool (or a recovery service) that can be held liable for what they found/delivered. You want to be held responsible for this? I'm not advocating not taking responsibility for your work, but be sure that you know the implications.

Mishou

Author

Commented:
Yeah, if it comes down to it I'll use some of that "other" software, but I still do want to know how to find the files using a hex editor and how to restore them.
Take a mirror image of his disk as is, and store it somewhere safe.
I wouldn't bother doing anything else with it until any legal action / evidence is required.
You will also need to prove that he was actually using his PC at the time of the alleged offence - only 2 factor authentication would stand up in court (eg SecurID), but single factor (eg domain logon / password) is not sufficient to prove it was actually him using the PC at the time....
Undeletes are all very well, but the police forensics department would need a pristine disk.  Undeletes could be used against you, ie saying the disk had been tampered with by an administrator after the alleged offence, so in effect, a possibility of evidence planting...
All very interesting stuff - be extremely careful with the evidence and let the professionals do the job !

Author

Commented:
Thanks for the info. I do already know about all the legal issues though. All that I'm concerned with is how to use a hex editor to find and restore the files.

Commented:
Another option to consider is to do some real-time forensics and catch the person in the actual act. You can use a network traffic analyzer like Iris (www.eeye.com) or even Sniffer Pro to do this and have complete tracking of what happened on the network.

If you want to get real in-depth in terms of your forensics, you can get software called EnCase. Gov't agencies use it and it basically facilitates all the disk mirroring and forensics you'd need. However, it may be overkill (and pricey) for what you need.

Good luck!

Don Lenox, MCSE

Commented:
I think that the Norton Utilities had a hex editor diskfix program that made the work much easier, as it could identify FAT entries, directories and files, and would let you piece them together.

 I hope this helps !

Author

Commented:
OK, again, thanks all for the information. I am very familiar with EnCase but like you said it is very pricey. I am also looking at the TCT and TASK tools. Anyway, my question again is, how do I look for deleted files and restore them with a hex editor? Keep in mind that this is an NTFS drive.

Author

Commented:
I'm also looking at a program, WinHex, that looks pretty good. It's along the same lines as Hex Workshop but it has tools for recovery. I talked to the powers that be and asked for a budget. I do have a couple hundred dollars to spend, so is this tool worth it or are there any more that are better and have more features? Thanks. If anyone can give me an answer on this (let me know what more the tool that you mention can do though) I'll give them the 200 points.
Commented:
I posted this nice message for you and then the site had a login error on my account.  Lovely...

I have been down this road and successfully sent someone to prison for trying to steal my customer database and erasing his steps.

He obviously didn't cover his tracks well enough.

I used Lost and Found to get the data back (from Powerquest)

Gave it to the cops, and he was convicted.  

At any rate, there's a lot of utilities out there for this, and you can't use that one because of your NTFS situation.

I would check this one out:
http://winternals.com/products/repairandrecovery/filerestore.asp

I use it and it works great.  Only 40 bucks if you choose to buy it.  It tells you every file it sees, and then if you want to restore, you have to pay the price.  40 bucks is no big deal though.

I have recovered securely deleted files with this program.  Works great for me.  I can speak from first-hand experience on this stuff.

I still have to recover data from Windows 2000 servers and XP machines, etc.

I use the registered version of this and I rarely have a problem recovering what I need.

Get back to me on this if you need some direction on what to do or have any follow-up questions.  I'd love to see how this works out for you.

When you start the install, you can do it on a separate PC and just copy the EXE file on a floppy to transfer to the PC you want to get the data back on.

Then when the screen loads, do this:

Search for files named *.*
Check the box that says Search for files in deleted directories.

Give it a go and you should see a whole lotta files come up.

I have done data recovery for a lot of people and can help you out with any problems you may have.

Just shoot me an update to see how you're doing on your problem here.

Thanx!

Ghost96

Commented:
Also, don't worry about tampering with the disk or anything.

Using a utility to recover files, any officer of the law who knows anything about computers would see that the files being recovered were there when the PC was in his possession.

Conviction is actually very easy and loose on something like this.

You'd think it would have to be handled so careful and what-not, but it doesn't.

The disk is yours, and by recovering the data with old file dates and such, you can prove to a jury that the data came off that disk, and that the files could be recovered again.  His cookies would be there, as well as his temp internet files and the like.

It depends on how good you are with getting data back and linking the crime to the criminal.  I did it and it sure wasn't that hard.  

Remember, you have the power to convict him.  All he's got going for him (or her) is the hopes that you didn't find anything on the drive from what was deleted.

Looks like the ball's in your court with the advantage to the home team...it's easier for you to prove the files are there than for him to prove that he never looked at anything.

Ghost96

Author

Commented:
What do you mean "I can't use that one"? Are you talking about WinHex? Maybe you're thinking of another program, but WinHex can be used on NTFS systems.

Commented:
Sorry I confused you.  You cannot use PowerQuest's "Lost & Found" (like I did) to get data back from NTFS volumes.  I mentioned it a couple lines on top of that comment.

WinHex works on every version of Windows - I totally agree it will support NTFS volumes  My comment was simply that there were plenty of better tools out there than that to perform the overall goal of your investigation.

Ghost96

Commented:


I hope you guys are logging your access through the server(s) and firewall(s)... otherwise you're never going to be able to hold anyone accountable for illegal web/network activity without solid evidence.
With those logs you should be able to easily trace all network access to a user ID.

Windows clients keep a history of recently viewed pictures, webpages and documents in the registry, I believe under the 'RecentRun' key in HKEY_CURRENT_USER.

Also, maybe he is unsubscribing from porn spam in email?
I have had the firewall generate alerts from myself doing this; to unsubscribe, most will need you to go to the 'unsubscribe' portion of the porn page.

------------------

I do know how to use Hex Workshop to view deleted information. It's not very easy or the recommended thing to do.


I'm not sure how familiar you are with how FAT works, but a hard disk is basically like a sandy beach... you can put anything you want anywhere on this beach, then we create an index of the exact location of every item on this beach. This index is the FAT.

Like I say, there are 2 copies of this index... now if you choose to remove something from this beach, what happens is we remove the location of this item from the index ONLY.
So it is actually still on the beach, there's just no real way of knowing where it really is! So you will have to walk over every spot on the entire beach looking for this particular item.

You can use Hex Workshop to view the entire contents of the partition; look in the binary conversion window and you will see the ASCII names of everything on the drive, including 8.3 filenames...

Now since the location of a file was removed from the FAT, nothing is holding the computer back from writing new data to that spot on the hard drive, which means it can be overwritten and permanently lost. A defrag would definitely scramble the contents of the drive, making deleted files incomplete or just plain impossible to determine.

There are 2 copies of the FAT table; only one is used, the other is for redundancy and does not delete old file entries. It will however append new files to the 2nd FAT, overwriting the file in that specific location on the hard disk..


I would look for a program that compares FAT tables to the actual drive data. Sorry, I do not have any specific programs to recommend as I've never actually had to go any farther than using an 'undelete' program.

Either way I would track network access through a username; that person in court could claim that since he is not at that computer 24/7 it is possible that someone else used the computer to view porn. For instance, just because you are caught in possession of stolen property doesn't mean you can be convicted of 'possession of stolen property' unless you admit you accepted the property knowing it was stolen...

If you were to say "we have detailed logs proving that your user ID, logged onto your designated work machine during regular business hours, did in fact view explicit images that are against company policy," you can trap him.
It HAS to be him; how else could someone log on as him unless he gave his password away, which I'm sure is also against company policy... and you can track it to which computer he logged in on.

Hope I've been informative :)
good luck
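
The comment above describes FAT deletion as removing the index entry while the data stays on disk; NTFS, which the asker actually has, works the same way: deleting a file clears the in-use flag in its $MFT record, and the record with its $FILE_NAME attribute stays in place until the slot is reused, which is what a hex-editor walk of the $MFT is looking for. The Python below is an added example, not code from this thread or from any tool mentioned in it: it builds two constructed MFT records (the record layout and builder are assumptions for the demo, not a real disk image), undoes the NTFS update-sequence fixups that overwrite the last two bytes of every 512-byte sector, and lists the records that are no longer marked in use.

```python
import struct

REC = 1024      # NTFS file record size used by the constructed dump below
IN_USE = 0x01   # record-header flag at offset 0x16; NTFS clears it on delete

def make_record(name, in_use, usn=0x1234):
    # Constructed test data: a minimal MFT record carrying one $FILE_NAME.
    body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attr = struct.pack("<IIBBHHHIHH", 0x30, 0, 0, 0, 0, 0, 0, len(body), 0x18, 0) + body
    attr += bytes(-len(attr) % 8)                     # attributes are 8-byte aligned
    attr = attr[:4] + struct.pack("<I", len(attr)) + attr[8:]
    hdr = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, IN_USE if in_use else 0, 0, REC)
    rec = bytearray((hdr.ljust(0x30, b"\0") + struct.pack("<H", usn)).ljust(0x38, b"\0")
                    + attr + b"\xff" * 4).ljust(REC, b"\0")
    for i in (1, 2):                                  # write fixups as NTFS does
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = rec[0x30:0x32]
    return bytes(rec)

def undo_fixups(rec):
    # Restore the two bytes NTFS overwrote at the end of every sector.
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):
        if rec[i * 512 - 2:i * 512] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def file_name(rec):
    # Walk the attribute list; return the name from a resident $FILE_NAME.
    off, name = struct.unpack_from("<H", rec, 0x14)[0], None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            break
        if atype == 0x30 and rec[off + 8] == 0:       # type $FILE_NAME, resident
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nlen, ns = rec[body + 0x40], rec[body + 0x41]
            if name is None or ns != 2:               # namespace 2 = DOS 8.3 alias
                name = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
        off += alen
    return name

def find_deleted(mft):
    # Scan a raw $MFT dump; return (record number, name) for unused records.
    hits = []
    for n in range(len(mft) // REC):
        rec = mft[n * REC:(n + 1) * REC]
        if rec[:4] == b"FILE":
            rec = undo_fixups(rec)
            if not struct.unpack_from("<H", rec, 0x16)[0] & IN_USE:
                hits.append((n, file_name(rec)))
    return hits

SAMPLE_MFT = make_record("report.doc", True) + make_record("deleted.lnk", False)
```

On a real image the record's data runs must still be followed (and may already be overwritten), which is the part the recovery tools named in this thread automate.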

Author

Commented:
Ghost96, what are some of the tools that are better than WinHex that you mentioned?

I do know how FAT works but we were talking about NTFS. Thanks.

Commented:
I have used the filerecover from Winternals.

And...

Recover4All Professional:
http://www.recover4all.com/

Forensic Utility Suite:
http://www.lc-tech.co.uk/forensicsuite.htm

There's more, but these 2 are what I normally start out with and I never have much of a reason to use more than this.

These are nice because they are stand-alone .exe files that you can use to scan your system with.

I use them hand-in-hand with each other.

If one doesn't find something, the other normally does.

Ghost96
if you are using some form of a proxy server you should easily be able to see where he has been

Author

Commented:
Sorry it took so long for me to accept but it was hard to get an answer out of anyone. Plus the Holidays and all. Thanks and Merry Christmas.
