NOTES ON DATA RECOVERY PROGRAMS
This section doesn't have any step-by-step instructions. It doesn't even decide on a recommended product. It's here for experienced computer people to suggest some approaches.
The reason for this is that, even once you have cleaned your media, you can't be sure that there's nothing remaining. All deleted files should be gone, so anything left is likely to be temporary files created by applications, or images embedded in files of other formats. The process replicates some of the actions of a police forensic investigation. If those steps don't turn up anything risky when you run them, they shouldn't when the police do either.
The process
This process is usually known as data carving, and involves going through a disk as a single logical stream of data blocks, without reference to the filesystem. The carver looks for byte sequences that match the file signatures of certain file types. If it finds one, it assumes that a file of that type starts there, and copies what it thinks is the right number of bytes. It relies on each file being stored in a single unfragmented sequence, but often, even if only the start (maybe the first disk block) is correct, enough is recovered to give a viewable image. Recovered images are typically named with the numerical byte offset in the partition plus the file extension.
It will be obvious that any files it recovers can't be written back to the partition you're reading. You need to have a different partition and you'll need to wipe the recovered files or the whole partition afterwards.
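An added example, not code from any of the programs named on this page: a minimal carver for the process described above, limited to JPEG signatures. The sample stream, the 64-byte length cap and the function names are constructed for the illustration; a real run would read a disk image and write its output to a different partition.

```python
# Added example: minimal signature-based carver for JPEG data.
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker
MAX_LEN = 64                    # assumed cap on carved length (tiny, for the demo)


def carve_jpegs(stream: bytes, max_len: int = MAX_LEN):
    """Scan a raw byte stream for JPEG headers, ignoring any filesystem.

    Returns a list of (name, data, complete) tuples. The name is the byte
    offset of the header plus the extension, as carvers usually name output.
    """
    results = []
    pos = 0
    while True:
        start = stream.find(JPEG_HEADER, pos)
        if start == -1:
            break
        window = stream[start:start + max_len]
        end = window.find(JPEG_FOOTER, len(JPEG_HEADER))
        if end != -1:
            data = window[:end + len(JPEG_FOOTER)]   # header through footer
            complete = True
        else:
            data = window                            # no footer in range: keep the start only
            complete = False
        results.append((f"{start:08d}.jpg", data, complete))
        # Skip past a complete file; after a partial one, resume just past its header.
        pos = start + len(data) if complete else start + len(JPEG_HEADER)
    return results


def build_sample() -> bytes:
    """Constructed stream: filler, one whole 'JPEG', filler, one cut-off 'JPEG'."""
    whole = JPEG_HEADER + b"\xe0" + b"A" * 10 + JPEG_FOOTER
    cut_off = JPEG_HEADER + b"\xe1" + b"B" * 20      # footer missing, e.g. overwritten
    return b"\x00" * 16 + whole + b"\x00" * 8 + cut_off


if __name__ == "__main__":
    for name, data, complete in carve_jpegs(build_sample()):
        print(name, len(data), "complete" if complete else "truncated")
```

The second result shows the partial-recovery case: the header is found but no end marker follows, so only the start of the file is kept, up to the length cap.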
Product comparison
The police are likely to use the expensive Windows program EnCase. This has extra features but the data carving features of many programs are very similar. There are a few freeware programs for Linux and Windows.
These applications are written with two purposes. One is to help individuals recover files they've accidentally lost. The other is for use in forensic investigation. Forensic programs are likely to have much more in the way of audit files, and may only work on a disk image file - a huge file containing the entire byte sequence of a disk. Apart from this, they are very similar, and as we don't need to audit our results we can choose based on other factors.
I've tried two free Linux products: MagicRescue, a standard recovery program, and foremost, a forensic one. Both do much the same job. Although these pages are aimed at Windows users, it's well worthwhile considering Linux apps, as you can burn a Linux boot disk containing the software you need and read Windows partitions and disks from there.
Scalpel is a forensic data carver based on foremost, which will also run on Windows. However, it currently will not work directly on a disk or storage medium, but only on an image file. (Linux users don't have this problem, as every device can be accessed as if it is a file.)
Of the free Windows products, PhotoRec looks good. It knows about a huge range of file types, so it will cover most image and video files you might have. It comes with good documentation and is available here.