Recover folders vs unallocated clusters

What does the "recover folders" option in EnCase actually represent, i.e. what is it recovering? And where from? Is it unallocated clusters? Or if not, where?

And is "carving" the art of recovering data from unallocated clusters? Or can you "carve" data from other places aside from unallocated? Does EnCase come with any tools to automatically carve any recoverable files from that area of disk? Or does that take manual manipulation? Finally, is there any feature in EnCase to mount an image file as a seemingly local drive so you can view files as though it was the examination machine's local disk, or does "mounting" require a 3rd party tool?
LVL 3
pma111Asked:
ChopOMaticCommented:
EnCase's "recover folders" feature is one that has been discussed MUCH within the community, and speculation (some of it extremely well reasoned) abounds as to exactly where the data comes from. Unfortunately, Guidance apparently considers it to be a proprietary secret and I've never seen them weigh in much on the issue. Most discussion centers on parsing the MFT and INDEX buffers for deleted entries.

As for carving, you'll find EnCase's built-in carving functionality inside the Case Processor EnScript, labeled as "File Finder." I've attached a screenshot.

 File Finder's location within the Case Processor EnScript
When you double-click File Finder, an options dialog will open for you to choose what to carve for and where to carve from.

 File Finder's options dialog
Carving can take place against any area you want to specify. If you carve in allocated space, you will of course wind up with tons of dupes, since it will carve active files as well.

Personally, I'm not a fan of EnCase's carving. The best I've ever seen is the one built into X-Ways. There are also a number of standalone carvers to be had, including Scalpel (free), Simple Carver, FileExtractor Pro, and more. No matter how good the carver, do remember that it's only as good as the list of signatures you tell it to carve for.

Let me know if this helps.

0
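To make the carving point above concrete, here is an added example (not EnCase's File Finder, not the attached FileSig.xls, and not code from anyone in this thread) of header/footer carving over a raw image with a small signature table, including SHA-256 de-duplication for the "tons of dupes" case that arises when allocated space is carved too. The sample image is constructed in memory; the signature table holds well-known magic numbers only.

```python
import hashlib

# Constructed signature table: (header, footer, size cap). Well-known magic
# numbers; a real table (e.g. Gary Kessler's list) is far larger.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 32 * 1024 * 1024),
}

def carve(image, sector=512, signatures=SIGNATURES):
    """Header/footer carving over a raw image (bytes).

    Scans only at sector boundaries (files on NTFS start on a cluster, which
    is a multiple of the sector size), then looks for the matching footer
    within the size cap. Returns a list of (offset, type, data). Identical
    content found at different offsets is collapsed by SHA-256, which is what
    removes the duplicates when allocated space is carved as well.
    """
    seen = set()
    carved = []
    for off in range(0, len(image), sector):
        for ftype, (hdr, ftr, cap) in signatures.items():
            if not image.startswith(hdr, off):
                continue
            fpos = image.find(ftr, off + len(hdr), min(len(image), off + cap))
            if fpos == -1:
                continue  # header with no footer in range: nothing usable
            data = image[off:fpos + len(ftr)]
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen:
                continue  # same file carved already (the "dupe" case)
            seen.add(digest)
            carved.append((off, ftype, data))
    return carved

def build_sample_image():
    """Constructed 8-sector 'disk': a JPEG at sector 1, the same JPEG again at
    sector 4 (duplicate), a PNG at sector 6, an orphan JPEG header at sector 7."""
    sector = 512
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    img = bytearray(sector * 8)
    img[sector * 1:sector * 1 + len(jpg)] = jpg
    img[sector * 4:sector * 4 + len(jpg)] = jpg
    img[sector * 6:sector * 6 + len(png)] = png
    img[sector * 7:sector * 7 + 3] = b"\xff\xd8\xff"  # header, no footer
    return bytes(img)

if __name__ == "__main__":
    for off, ftype, data in carve(build_sample_image()):
        print(f"offset {off:6d}  {ftype}  {len(data)} bytes")
```

Scanning at every byte instead of every sector would also find images embedded inside other files (thumbnails, documents), at the cost of more false positives; the sector step is the trade-off a practitioner chooses deliberately.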

pma111Author Commented:
Many thanks - good reply.

Re>>
do remember that it's only as good as the list of signatures you tell it to carve for.

Where would you get such a list?

Also - I did some reading and they say to narrow down the search of, say, an XP machine, you can get hash sets of all good files on an XP machine that haven't been amended, and rule them out? Where can these be found? And how can that be achieved in EnCase?
0
pma111Author Commented:
And with regards to scalpel, this follows on to my other question above:

Finally, is there any feature in EnCase to mount an image file as a seemingly local drive so you can view files as though it was the examination machine's local disk, or does "mounting" require a 3rd party tool?
0
ChopOMaticCommented:
First, the last:  EnCase's only image-mounting capability comes through a couple of its add-on (at extra cost) modules. One is called PDE (Physical Disk Emulator) and the other is...uh...the name escapes me, sorry. In any event, FTK Imager is a free download from AccessData and does a great job of mounting images. (NOTE:  I think these optional modules may be built into v7; my repeated tests show that v7 is not yet remotely approaching a usable state, so I completely disregard its existence in my answers here.:)

There are a few file-sig tables out there for free. One of the most popular is found at Gary Kessler's site. Just Google "Gary Kessler file signatures" and you'll no doubt find it right away. Gary puts a fair amount of work into maintaining it, so please consider giving him a note of thanks if you find it useful.  I've also attached a pretty good one.


FileSig.xls
0
pma111Author Commented:
Thank you again
0
ChopOMaticCommented:
Mighty welcome, pma. Thx for the points!
0