
Recover folders vs unallocated clusters

pma111 asked:
What does the "recover folders" option in EnCase actually represent, i.e. what is it recovering? And where from? Is it unallocated clusters? Or if not, where?

And is "carving" the art of recovering data from unallocated clusters? Or can you "carve" data from other places aside from unallocated? Does EnCase come with any tools to automatically carve any recoverable files from that area of disk? Or does that take manual manipulation? Finally, is there any feature in EnCase to mount an image file as a seemingly local drive so you can view files as though it was the examination machine's local disk, or does "mounting" require a 3rd-party tool?

EnCase's "recover folders" feature is one that has been discussed MUCH within the community, and speculation (some of it extremely well reasoned) abounds as to exactly where the data comes from. Unfortunately, Guidance apparently considers it to be a proprietary secret and I've never seen them weigh in much on the issue. Most discussion centers on parsing the MFT and INDEX buffers for deleted entries.

As for carving, you'll find EnCase's built-in carving functionality inside the Case Processor EnScript, labeled as "File Finder." I've attached a screenshot.

(Attached screenshot: File Finder's location within the Case Processor EnScript)
When you double-click File Finder, an options dialog will open for you to choose what to carve for and where to carve from.

(Attached screenshot: File Finder's options dialog)
Carving can take place against any area you want to specify. If you carve in allocated space, you will of course wind up with tons of dupes, since it will carve active files as well.

Personally, I'm not a fan of EnCase's carving. The best I've ever seen is the one built into X-Ways. There are also a number of standalone carvers to be had, including Scalpel (free), Simple Carver, FileExtractor Pro, and more. No matter how good the carver, do remember that it's only as good as the list of signatures you tell it to carve for.

Let me know if this helps.

pma111 (author) commented:
Many thanks - good reply.

Re>>
do remember that it's only as good as the list of signatures you tell it to carve for.

Where would you get such a list?

Also - I did some reading and they say that to narrow down the search on, say, an XP machine, you can get hash sets of all the good files on an XP machine that haven't been amended, and rule them out? Where can these be found? And how can that be achieved in EnCase?

pma111 (author) commented:
And with regards to scalpel, this follows on to my other question above:

Re>>
Finally is there any feature in encase to mount an image file as a seemingly local drive so you can view files as though it was the examination machine local disk - or to "mount" does that require a 3rd party tool?

First, the last: EnCase's only image-mounting capability comes through a couple of its add-on (at extra cost) modules. One is called PDE (Physical Disk Emulator) and the other is...uh...the name escapes me, sorry. In any event, FTK Imager is a free download from AccessData and does a great job of mounting images. (NOTE: I think these optional modules may be built into v7; my repeated tests show that v7 is not yet remotely approaching a usable state, so I completely disregard its existence in my answers here. :)

There are a few file-sig tables out there for free. One of the most popular is found at Gary Kessler's site. Just Google "Gary Kessler file signatures" and you'll no doubt find it right away. Gary puts a fair amount of work into maintaining it, so please consider giving him a note of thanks if you find it useful. I've also attached a pretty good one.

(Attached: FileSig.xls)
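To make the two answers above concrete (carving is driven entirely by a header/footer signature table, carving allocated space yields duplicates of active files, and known-file hash sets can rule those out), here is a small signature-based carver with a hash filter. It is an added illustration, not code from this thread, from EnCase's File Finder or from any of the carvers named; the three-entry signature table and the sample "image" are constructed stand-ins, and the footer search is capped at a maximum length the way a simple carver would do it.

```python
import hashlib

# Constructed three-entry signature table (header, footer); a real carver would
# load a full list such as the Kessler table mentioned in the thread.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def carve(image: bytes, sigs=SIGNATURES, max_len=1 << 20):
    """Scan every byte offset for each header; when the matching footer appears
    within max_len bytes, emit (offset, ext, carved_bytes). Works on any region
    you hand it, allocated or unallocated, so active files are carved too."""
    hits = []
    for ext, (head, tail) in sigs.items():
        start = 0
        while True:
            off = image.find(head, start)
            if off < 0:
                break
            end = image.find(tail, off + len(head), off + max_len)
            if end >= 0:
                hits.append((off, ext, image[off:end + len(tail)]))
            start = off + 1           # keep scanning; headers may overlap
    return sorted(hits)               # order by offset in the image

def filter_known(hits, known_hashes):
    """Drop carved objects whose hash is in a known-file set (e.g. a hash set of
    unmodified OS files) and collapse exact duplicates produced by carving
    allocated space. Returns (offset, ext, sha1) for what is left."""
    seen = set(known_hashes)
    kept = []
    for off, ext, data in hits:
        digest = sha1_hex(data)
        if digest in seen:
            continue
        seen.add(digest)
        kept.append((off, ext, digest))
    return kept

def build_sample_image():
    """Constructed stand-in for a raw disk image: filler bytes around a JPEG-like
    blob that appears twice (active copy plus stale copy in unallocated space)
    and one PDF-like blob. Returns (image, jpg_blob, pdf_blob)."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    pdf = b"%PDF-1.4 " + b"P" * 30 + b"%%EOF"
    filler = b"\x00" * 64
    return filler + jpg + filler + pdf + filler + jpg + filler, jpg, pdf
```

Running `carve` over the sample image returns three hits (the JPEG twice); treating the PDF's hash as "known good" and deduplicating leaves a single JPEG, which is the effect the hash-set question in the thread is after.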

pma111 (author) commented:
Thank you again

Mighty welcome, pma. Thx for the points!