121 Proj X15: Data Carving with ProDiscover (10 pts.)

What you need:

Background

FTK and other forensic tools can recover some files that have been deleted. However, they do it in a very simple way--they just find the file header and footer and assume that the file was not fragmented.

It is possible to do a more detailed analysis of the clusters and reassemble files more accurately. We'll do that here in a simple way.

Install ProDiscover Free Edition

Open a browser and go here:

http://www.techpathways.com/demo.htm

Click the "Click here to download ProDiscover Basic Edition Freeware" link. Install it with the default options. If you are using Windows 7, right-click the installer and run it as Administrator.

Downloading the Data File

Download this file:

RHINOUSB.7z (1.8 MB)

Unzip it with 7-zip. If you don't have 7-Zip, go to http://www.7-zip.org to get it.

Once it is unzipped, you should have a file named RHINOUSB.dd that is 247 MB in size, as shown below:

Starting ProDiscover

Use the desktop icon to start ProDiscover. If you are using Windows 7, run it as Administrator.

In the "Launch Dialog" box, enter a Project Number of X15 and a Project File Name of "X15-YOUR-NAME", as shown below:

Click the Open button.

Opening the Evidence File

From the menu bar, click Action, Add, "Image File...", as shown below:

In the Open box, navigate to the RHINOUSB.dd file and double-click it.

Viewing the Evidence in Content View

In the left pane of ProDiscover, in the "Content View" section, expand Images and click on the item ending with RHINOUSB.dd, as shown below:

On the right side, you see the files ProDiscover found in this image: two small text files with gumbo recipes. Click a filename to see the contents in the lower right pane.

Those two files are only a few kilobytes in size, but the image is 247 MB in size. What's on all that unused space? To find out, we'll use Cluster View.

Viewing the Evidence in Cluster View

In the left pane of ProDiscover, in the "Cluster View" section, expand Images and click on the item ending with RHINOUSB.dd, as shown below:

On the right side, you see the clusters on the disk, shown as little colored rectangles. If you click on a cluster, the contents of that cluster are shown in the lower right pane, in hexadecimal and ASCII.

The first cluster is the Master Boot Record, and contains readable text saying "This is not a bootable disk.", as you can see in the image above.

Click on some of the other green clusters--they are all empty, containing only zeroes.

Click on the first blue cluster. You should see the gumbo recipe text in the lower right, as shown below:

Saving the Image

Make sure the gumbo recipe is visible.

Save this image with the filename Proj X15a from YOUR NAME

Viewing the SORRY Clusters

Click on a blue cluster in the lower portion of the top right pane. In the lower right pane you can see that the cluster contains the word SORRY over and over, as shown below. All of these clusters have been filled with SORRY; there is no useful data in them.

However, there are clusters with useful data mixed in with the SORRY ones. Finding such data is known as "Data Carving".

Data Carving for JPEG Files

First you need to prepare a folder to put the recovered files into.

Click Start, Computer. Double-click the C: drive to open it. In the Windows Explorer window, click the "New Folder" button. Name the new folder CARVE-YOUR-NAME, as shown below. Use your own name, not the literal text "YOUR-NAME".

In ProDiscover, click Tools, "Data Carving".

In the "Data Carving" box, fill in these items:

The hexadecimal value FFD8FF is the File Header for the JPEG files we are looking for, and the footer is FFD9.

Click the OK button. ProDiscover finds seven files, as shown below:

Click Start, Computer. Double-click the C: drive. Double-click the CARVE-YOUR-NAME folder.

You should see the recovered files, as shown below:

Double-click the Report.txt file. You should see detailed information about the recovered files, as shown below:
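To make the carving step concrete, here is an added Python example (not part of this project and not ProDiscover's code) that does the same header/footer carving on a constructed disk image: it looks for the FFD8FF header and the FFD9 footer entered above. It also shows the problem the Background section mentions: a simple header-to-footer carver swallows whatever lies between a file's fragments, so a second, cluster-aware carver drops the empty and SORRY-filled clusters before carving. The cluster size (512 bytes), the layout of the image, the "SORRY" filler test and all data are assumptions constructed for the example, not facts about RHINOUSB.dd.

```python
from __future__ import annotations

# Added example: a minimal JPEG carver, not part of the ProDiscover project.
# Everything below is constructed test data; the cluster size, the layout of
# the image and the filler test are assumptions, not facts about RHINOUSB.dd.

CLUSTER = 512                     # assumed cluster size for the constructed image
JPEG_HEADER = b"\xFF\xD8\xFF"     # FFD8FF, the header value entered in ProDiscover
JPEG_FOOTER = b"\xFF\xD9"         # FFD9, the footer value entered in ProDiscover


def pad(payload: bytes) -> bytes:
    """Pad a payload to exactly one cluster with zeros (constructed data)."""
    if len(payload) > CLUSTER:
        raise ValueError("payload larger than one cluster")
    return payload + b"\x00" * (CLUSTER - len(payload))


def build_sample_image() -> bytes:
    """Construct a small 'disk image' that mimics the layout seen in Cluster View:
    a non-bootable MBR, an empty cluster, a SORRY-filled cluster, recipe text and
    JPEG data. JPEG 1 is fragmented: its two halves are separated by a SORRY
    cluster, which is exactly the case a header/footer carver gets wrong."""
    jpeg1_part1 = JPEG_HEADER + b"\xE0" + b"A" * (CLUSTER - 4)   # fills its cluster
    jpeg1_part2 = b"B" * 100 + JPEG_FOOTER                         # last cluster of file
    jpeg2 = JPEG_HEADER + b"\xE0" + b"C" * 20 + JPEG_FOOTER        # contiguous file
    clusters = [
        pad(b"This is not a bootable disk."),   # cluster 0: MBR text
        pad(b""),                                # cluster 1: empty (all zeros)
        pad(jpeg1_part1),                        # cluster 2: first fragment of JPEG 1
        pad(b"SORRY" * (CLUSTER // 5)),          # cluster 3: SORRY filler
        pad(jpeg1_part2),                        # cluster 4: second fragment of JPEG 1
        pad(b"Gumbo recipe: roux, okra, ..."),   # cluster 5: allocated text file
        pad(jpeg2),                              # cluster 6: JPEG 2, not fragmented
    ]
    return b"".join(clusters)


def is_filler(cluster: bytes) -> bool:
    """True for clusters the walkthrough calls useless: all zeros, or SORRY repeated."""
    data = cluster.rstrip(b"\x00")
    if not data:
        return True
    return len(data) % 5 == 0 and data == b"SORRY" * (len(data) // 5)


def carve_simple(image: bytes) -> list[bytes]:
    """Header-to-footer carving: assumes every file is stored contiguously."""
    files = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start < 0:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end < 0:
            break                       # header with no footer: nothing to recover
        pos = end + len(JPEG_FOOTER)
        files.append(image[start:pos])
    return files


def carve_cluster_aware(image: bytes) -> list[bytes]:
    """Drop filler clusters first, then carve. Fragments separated only by
    empty or SORRY clusters are rejoined; fragments stored out of order are not."""
    clusters = [image[i:i + CLUSTER] for i in range(0, len(image), CLUSTER)]
    useful = b"".join(c for c in clusters if not is_filler(c))
    return carve_simple(useful)


if __name__ == "__main__":
    image = build_sample_image()
    for name, carver in (("simple", carve_simple), ("cluster-aware", carve_cluster_aware)):
        for n, f in enumerate(carver(image), 1):
            print(f"{name}: file {n}: {len(f)} bytes, contains SORRY: {b'SORRY' in f}")
```

Running the script directly prints both carvers' results. The simple carver's first file is 1126 bytes because the 512-byte SORRY cluster between the two fragments was copied into it; the cluster-aware carver returns 614 bytes of real JPEG data. The second JPEG is contiguous, so both carvers recover it identically. Real cluster-level reassembly also has to handle fragments stored out of disk order, which this example does not attempt.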

Saving the Image

Make sure seven RHINO JPEG filenames are visible as shown above.

Save this image with the filename Proj X15b from YOUR NAME

Turning in your Project

Email the images to cnit.121@gmail.com with the subject line: Proj X15 from YOUR NAME

Sources

This is based on a ProDiscover class I took at Bunker Hill Community College in May, 2012.


Last modified 5-9-11 4 pm