Welcome to new students seminar!! Security is a people problem. forensic proof.com proneer.tistory.com. @pr0neer JK Kim




Welcome to new students seminar!!
Data Recovery
Security is a people problem
proneer.tistory.com, proneer@gmail.com, @pr0neer
JK Kim

Outline
- Data & Recording Method
- Definition & Classification
- Recovering data after physical damage
- Recovering data after logical damage
- Recovering data after deletion
- Studies: the trends in the field

Data
Data is information that can be stored and used by a computer program. In computer science, data is anything in a form suitable for use with a computer. Data is often distinguished from programs. (Wikipedia)

Recording Method
- Magnetic recording: hard drive, recording tape, credit cards
- Optical recording: Compact Disc or Digital Versatile Disc
- Electronic recording: memory type

Definition
Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. (Primary storage?)
Often the data are being salvaged from storage media such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics.

Classification
- Recovering data after physical damage
- Recovering data after logical damage
- Recovering data after deletion

Recovering data after physical damage
- A wide variety of failures can cause physical damage to storage media.
- Physical damage always causes at least some data loss.
- Most physical damage cannot be repaired by end users.

Recovering data after physical damage
Recovery techniques: hardware repair
- Removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive.
- Removing the hard disk platters from the original damaged drive and installing them into a healthy drive.

Recovering data after logical damage
- Power outages
- Problems with hardware (especially RAID controllers)
- System crashes

Recovering data after logical damage
Recovery techniques
- A mechanism to prevent logical damage
- Journaling function of file systems
- Battery backup UPS

Recovering data after deletion
File system: Meta Area, Data Area
- FAT (FAT12, FAT16, FAT32, exFAT), NTFS
- ext2/ext3/ext4, XFS, UFS, HFS/HFS+
- HPFS, ISO 9660, Veritas File System (VxFS)
- ZFS, Embedded File System (EFS)

Recovering data after logical damage
Recovery techniques
- Recovery using file system metadata
- Data carving
- Overwritten data recovery

Recovery using File System metadata
[Diagram: Meta Area, Data Area]

Data carving

Recovering overwritten data
- When data have been physically overwritten on a hard disk it is generally assumed that the previous data are no longer possible to recover.
- In 1996, Peter Gutmann, a respected computer scientist, presented a paper that suggested overwritten data could be recovered through the use of Scanning Transmission Electron Microscopy (STEM).

Scanning transmission electron microscopy (STEM)

Wiping techniques
- Fast (1 pass)
- Russian GOST P50739-95 (2 passes)
- British HMG IS5 (Enhanced) (3 passes)
- US Army AR380-19 (3 passes)
- NAVSO P-5239-26 (RLL) (3 passes)
- NAVSO P-5239-26 (MFM) (3 passes)
- DoD 5220.22-M (ECE) (7 passes)
- Bruce Schneier (7 passes)
- Peter Gutmann (35 passes)

Studies: the trends in this field
- Foremost: Linux-based program for recovering deleted files, first published in 2000. Uses a configuration file to specify headers and footers to search for.
- Scalpel: open source program for recovering deleted data, originally based on Foremost. Presented at the DFRWS conference in 2005.
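The header/footer search that Foremost and Scalpel are described as doing, as an added example (not code from the slides or from either tool). The signature table, the size limits and the sample image are constructed for illustration and do not follow either tool's configuration syntax.

```python
"""Header/footer file carving over a raw image that has no file system."""
from typing import NamedTuple

class Signature(NamedTuple):
    name: str
    header: bytes
    footer: bytes
    max_size: int  # stop looking for a footer after this many bytes

# Illustrative signature table (assumption, not a real tool's config file).
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    Signature("html", b"<html", b"</html>", 1 * 1024 * 1024),
]

class Carved(NamedTuple):
    name: str
    start: int
    end: int  # exclusive offset
    data: bytes

def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Return every header..footer span; headers with no footer in range are skipped."""
    results = []
    for sig in signatures:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            limit = min(len(image), start + sig.max_size)
            foot = image.find(sig.footer, start + len(sig.header), limit)
            if foot == -1:
                # Truncated, fragmented or overwritten file: nothing to carve here.
                pos = start + 1
                continue
            end = foot + len(sig.footer)
            results.append(Carved(sig.name, start, end, image[start:end]))
            pos = end  # resume after the carved span
    return sorted(results, key=lambda c: c.start)

def build_sample_image() -> bytes:
    """Constructed image: zero fill, a JPEG-like blob, an HTML page, an orphan header."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
    html = b"<html><body>constructed</body></html>"
    orphan = b"\xff\xd8\xff\xe0" + b"truncated"  # header with no footer
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + html + b"\x00" * 64 + orphan

if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(f"{c.name}: offsets {c.start}-{c.end} ({len(c.data)} bytes)")
```

Stopping at the first footer truncates any file that contains the footer bytes internally (for example a JPEG with an embedded thumbnail), and a fragmented file yields a span mixing foreign clusters, so carved output still needs validation.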

Studies: the trends in this field
- DFRWS 2006 Challenge: a 50 MB raw file that has no file system but contains file fragments. Extract as many full JPEG, ZIP, HTML, Text, and Office files as possible from it.
- DFRWS 2007 Challenge: a 330 MB raw file that has no file system but contains many files and file fragments (JPEG, ZIP, HTML, Text and Microsoft Office) and multimedia, document, e-mail formats.

Studies: the trends in this field
- SL Garfinkel, Carving contiguous and fragmented files with fast object validation, 2007.
- SJ Veenman, Statistical disk cluster classification for file carving, 2007.
- G Richard, V Roussev, L Marziale, MI Cohen, In-place File Carving, 2007.
- Advanced carving techniques, 2007.
- Effective Carving (reduce false positive), Smart Carving

Question & Answer