From: Lee, Robert T. (ROBERT.T.LEE-2@saic.com)
Date: Mon Mar 18 2002 - 08:36:47 CST
Brandon,
Another option may be to compare the results from your Encase search and
then run another search using the Unix port of "cat","strings", and
"grep" on that filesystem and see if it produces any hits.
Example:
C:\>cat \\.\PhysicalDrive0 | strings | grep test
Or if you have multiple strings put them in a file and run
C:\>cat \\.\PhysicalDrive0 | strings | fgrep -f file-with-patterns
Or if you do not have the ports of these tools, mount the drive on your
favorite Linux flavor of choice and run the same test.
Just a thought... I would be interested to see if that produces the
hits you are looking for.
--Rob
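The cat | strings | grep pipeline above, carried over to a small Python scanner as an added example (not code from the thread or from any of its posters). It reads a raw device or image in chunks, keeps printable runs the way strings does, and reports the absolute byte offset of every run containing a pattern, carrying a run that is cut off at a chunk boundary into the next chunk so it is not missed. The image bytes and log lines below are constructed for the demo; the function names are my own.

```python
import io
import re

# Constructed "unallocated space": binary padding around two fragments of a
# deleted IIS-style log line. Purely synthetic sample data for this example.
SAMPLE_IMAGE = (
    b"\x00\xff\x13" * 40
    + b"2002-03-12 17:54:01 10.0.0.5 GET /scripts/test.asp 200\r\n"
    + b"\x00" * 100
    + b"2002-03-12 17:55:10 10.0.0.5 GET /default.htm 200\r\n"
    + b"\x7f\x80" * 30
)

# Equivalent of the "file-with-patterns" handed to fgrep -f.
PATTERNS = [b"test", b"default.htm"]

# Same notion of a string as the strings tool: a run of printable ASCII.
PRINTABLE = re.compile(rb"[\x20-\x7e]+")


def search_raw(stream, patterns, chunk_size=1 << 20, min_len=4):
    """Return [(absolute_offset, printable_run)] for runs of at least min_len
    printable bytes that contain any of the patterns. A run that reaches the
    end of a chunk is carried into the next read so a string straddling a chunk
    boundary is reported once, whole, at its true offset."""
    hits = []
    pos = 0        # absolute offset of the first byte of `buf`
    carry = b""    # printable run cut off at the end of the previous chunk
    while True:
        chunk = stream.read(chunk_size)
        end_of_data = not chunk
        buf = carry + chunk
        carry = b""
        for m in PRINTABLE.finditer(buf):
            if m.end() == len(buf) and not end_of_data:
                carry = m.group()   # may continue in the next chunk
                break
            run = m.group()
            if len(run) >= min_len and any(p in run for p in patterns):
                hits.append((pos + m.start(), run))
        pos += len(buf) - len(carry)
        if end_of_data:
            return hits


def scan_bytes(data, patterns, chunk_size=1 << 20):
    """Convenience wrapper for in-memory images (used by the demo and tests)."""
    return search_raw(io.BytesIO(data), patterns, chunk_size=chunk_size)


if __name__ == "__main__":
    # On a live system you would open the raw device instead, e.g.
    # open(r"\\.\PhysicalDrive0", "rb") on Windows (administrator rights needed).
    for offset, run in scan_bytes(SAMPLE_IMAGE, PATTERNS, chunk_size=16):
        print(f"0x{offset:08x}: {run.decode('ascii')}")
```

A tiny chunk size is used in the demo only to exercise the boundary handling; on a real image a chunk of a few megabytes is the sensible default.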
-----Original Message-----
From: Ng, Nicholas [mailto:ngn@anz.com]
Sent: Wednesday, March 13, 2002 10:24 PM
To: 'forensics@securityfocus.com'
Subject: RE: Encase and data recovery
I would have thought this would be a generic issue, not particular to a
filesystem. However, after a single over-write, it is not 'never again
accessible' - just to normal utilities such as are available retail.
Data recovery companies can go deep into the recesses of the disk and
retrieve information you even used PGP to wipe 3 times! Of course this does
not work 100% of the time, but it _does_ work.
But now we're straying off topic somewhat... :)
-----Original Message-----
From: Pence, Derek A. [mailto:Derek.Pence@Honeywell.com]
Sent: Thursday, 14 March 2002 7:00 AM
To: 'forensics@securityfocus.com'
Subject: RE: Encase and data recovery
So is this just an NTFS issue, or is it true for other file systems as well?
That is, rather, is overwritten data never again accessible?
-----Original Message-----
From: Collins, Steve [mailto:Steve.Collins@nrc.ca]
Sent: Tuesday, March 12, 2002 1:45 PM
To: 'forensics@securityfocus.com'
Subject: Re: Encase and data recovery
Hi Brandon,
After any files like your original logs have been deleted, the space they
once occupied is fair game for any data that comes along. That space was
likely partially overwritten by the modified logs you sent back to the
server.
As for the space occupied by the tools (I am assuming you deleted them
_after_ uploading the logs), Windows modifies quite a number of files during
the shutdown process and this activity probably overwrote that space.
Cheers,
Steve Collins GIAC NTSA
Information Systems Security Analyst
Information Protection Centre
National Research Council of Canada
Ottawa, Ontario K1A 0R6
-----Original Message-----
From: Young, Brandon [mailto:Brandon.Young@Honeywell.com]
Sent: Tuesday, March 12, 2002 12:54 PM
To: 'forensics@securityfocus.com'
Subject: Encase and data recovery
All,
My colleague and I set up a default installation of IIS web server 5.0 on
Windows 2000 Server using NTFS. We put together a mock incident response
scenario where one of us broke into the machine, dropped tools on it, edited
web server logs to cover tracks, deleted event logs to cover up auditing
tracks and then deleted all of the tools off.
During the incident response phase we used Encase to investigate what
actually was done to the box, since from the investigator's point of view,
the logs had obviously been edited and therefore couldn't be relied upon.
When he looked through the evidence files there were no remnants left of the
original logs, as well as only a partial listing of the tools that were
dropped on during the break in.
The question we have is why weren't we able to recover the original logs?
What I did when I broke into the server was stop the w3svc and tftp the IIS
logs up and edited them, deleted the old logs and replaced them with the
edited versions. In addition to this Encase only saw about three of the six
or so tools I used while I was in the server. Why was Encase only able to
recover some of the tools used in the incident?
One answer we came up with was that the OS used the unallocated space where
the tools previously existed and therefore they were overwritten. But this
seems unlikely since there wasn't any legitimate activity on the machine.
This box was only used for this scenario.
Any ideas?
Thanks,
Brandon Young
CISSP, CCSA, CCSE, CCNA, MCSE
Information Security Engineer
Honeywell International
Global IT Security & Systems Assurance
Email: brandon.young@honeywell.com
Voice: 480.592.3988
Intranet: http://itg.honeywell.com/secarch
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com