Tuesday, March 20, 2012

From the All's Well That Ends Well department

Hello all, it's me with another drive-by blog post. Yes, it really has been 7 months since my last post here. I won't be surprised if no one ever reads this. Time for writing or, for that matter, almost anything else, has been in short supply. Between my regular job and teaching at Lincoln Trail College I really haven't had the time to devote to testing and writing.

I took on a data recovery job recently that allowed me to practice my forensics skills a bit. The end result was rather humorous to me. I was asked to recover two missing Excel spreadsheets from a Windows 7 laptop computer. The owner told me the two spreadsheets had been saved to both the user's desktop and a USB jump drive. These spreadsheets had important data and it would take a very long time to recreate them, so of course the owner was very interested in recovering them. He gave me the laptop, but didn't have the USB drive with him, so he said he would bring it to me the next day. I assumed this was going to be an easy job, and it was... sort of.

I took the laptop to my home office and hooked its hard drive up to my analysis system via a Wiebetech Ultradock v4. I started X-Ways Forensics, created a new case and brought the drive in to the case, followed by creating a forensic image and replacing the drive in the case with the newly created image. I selected Refine Volume Snapshot in X-Ways and set it up to do a particularly thorough file system data structure search and a file header signature search in hopes of carving out the missing files from unallocated space. Upon completion, I found no sign of the missing files.

Upon receipt of the 124 MB Lexar-brand USB drive, I imaged it and added it to my X-Ways case. Following the same procedures as above, I expected I would find the missing files. No dice. Nada. Nothing.

The owner of the files had been quite certain the files had been in the two locations previously described. I decided I would look at the volume shadow copies from around the time the files went missing and see if I could locate anything. I used the VHD method of accessing the VSCs as presented by Harlan Carvey in Windows Forensic Analysis 3E and also as he presented in the DFIR Online session back in December. This method worked like a charm, but once again the data failed to be where I expected it.

About to give up, I realized I had failed to do something fairly obvious. I checked the Recent folder in Users\user\appdata\microsoft\windows\ to see if I could determine where the spreadsheets had been accessed from in the first place. I found LNK files for both spreadsheets in the Recent folder, and they both had been opened from the "G:" drive, which I at first assumed to be the Lexar USB drive. I looked further into the LNK files and found the volume name of the G: drive had been Cruzer, which I knew to be the name for various SanDisk drives, not Lexar drives. I checked the volume name on the Lexar drive and it was not Cruzer.
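The drive letter and volume label that settled this case live in the LinkInfo/VolumeID structure of each shortcut (the MS-SHLLINK format). Below is an added example of pulling those fields out of a .lnk file in Python; it is not the author's tooling and not X-Ways output. The sample shortcut bytes are constructed in the code itself (a removable volume labelled "Cruzer" mounted as G:, with an invented file name and serial number), so the script runs offline; `triage_recent()` does the same over a real Recent folder you point it at.

```python
"""Minimal MS-SHLLINK (.lnk) parser for the "where was this opened from?" triage step.
Added example, not the post author's code.  SAMPLE_LNK is constructed here for testing."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02    # ShellLinkHeader.LinkFlags bits
HAS_VOLUME_ID = 0x01                       # LinkInfo.LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    # integer arithmetic: float seconds would lose precision at 1e17 ticks
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\x00", off)].decode("cp1252", errors="replace")


def _utf16z(data: bytes, off: int) -> str:
    end = off
    while data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le", errors="replace")


def parse_lnk(data: bytes) -> dict:
    """Return the header's target timestamps plus the VolumeID fields when present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 28)   # target's MAC times
    info = {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime)}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return info
    li = pos                                     # LinkInfo; offsets below are relative to it
    _, _, li_flags, vol_off, base_off, _, _ = struct.unpack_from("<IIIIIII", data, li)
    if li_flags & HAS_VOLUME_ID:
        v = li + vol_off
        _, dtype, serial, label_off = struct.unpack_from("<IIII", data, v)
        if label_off == 0x14:                    # label stored as UTF-16 at a separate offset
            label = _utf16z(data, v + struct.unpack_from("<I", data, v + 16)[0])
        else:
            label = _cstring(data, v + label_off)
        base = _cstring(data, li + base_off)     # LocalBasePath, e.g. G:\file.xlsx
        info.update(volume_label=label, drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                    drive_serial=f"{serial:08X}", local_base_path=base,
                    drive_letter=base[:2] if len(base) > 1 and base[1] == ":" else None)
    return info


def build_sample_lnk(volume_label: str, local_path: str, drive_type: int, serial: int,
                     when: datetime) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo with VolumeID) to exercise the parser."""
    label, path = volume_label.encode("cp1252") + b"\0", local_path.encode("cp1252") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(label), drive_type, serial, 16) + label
    hdr = 0x1C                                   # LinkInfoHeaderSize without Unicode offsets
    vol_off, base_off = hdr, hdr + len(volume_id)
    suffix_off = base_off + len(path)            # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", suffix_off + 1, hdr, HAS_VOLUME_ID,
                            vol_off, base_off, 0, suffix_off) + volume_id + path + b"\0"
    ft = dt_to_filetime(when)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", HAS_LINK_INFO, 0x20)            # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
              + struct.pack("<QQQ", ft, ft, ft)
              + struct.pack("<IIIHHII", 4096, 0, 1, 0, 0, 0, 0))   # FileSize, IconIndex, SW_SHOWNORMAL, ...
    return header + link_info


# Constructed sample: a spreadsheet opened from a removable volume labelled "Cruzer" on G:.
# File name, serial number and timestamp are invented for the example.
SAMPLE_LNK = build_sample_lnk("Cruzer", r"G:\EXAMPLE_spreadsheet.xlsx", 2, 0x1234ABCD,
                              datetime(2012, 3, 1, 14, 30, tzinfo=timezone.utc))


def triage_recent(folder: str) -> list:
    """One row per parsable .lnk in a Recent folder: name, drive letter, label, type, path."""
    rows = []
    for lnk in sorted(Path(folder).glob("*.lnk")):
        try:
            i = parse_lnk(lnk.read_bytes())
        except ValueError:
            continue
        rows.append((lnk.name, i.get("drive_letter"), i.get("volume_label"),
                     i.get("drive_type"), i.get("local_base_path")))
    return rows


if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:18} {value}")
```

A volume label that does not match the drive you were handed, as in this case, is the cue to ask about other media; the DriveSerialNumber field is the stronger identifier, since it can be matched against the serial recorded in the registry for each mounted volume when a candidate drive turns up.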

I called the owner and asked if there was any chance at all the files had been saved to a different USB drive, possibly a SanDisk Cruzer. He didn't think so at first, but had such a drive in his pocket. He inserted it into a computer at his office and guess what... there were the two files!

This certainly wasn't your traditional data recovery, but in the end it worked out. I never did find any evidence the files had been saved on the laptop hard drive, but at least they got their files "back". Even though the files were never really gone, they were gone as far as the owner knew, and a lot of work would have been done to recreate them if not for the use of digital forensic analysis. So, as mentioned in the title of this post, all's well that ends well.

Finally, I wanted to mention two awesome books I got recently. As previously mentioned, Windows Forensic Analysis 3E came out and I have been reading it. This version is a companion to WFA 2E and has lots of great info on volume shadow copies, file analysis, malware detection and much more. Harlan has never written a bad book as far as I'm concerned. Each one has excellent and well-researched info of use to the forensics/IR crowd.

Also, another great book I got recently is Practical Malware Analysis. I've only had time to read the first couple chapters, but I love this book. It is so well written and easy to follow. Given the potential difficulty of learning this material, Michael Sikorski and Andrew Honig did a fantastic job writing it in a way that noobs and veterans alike can learn from it.

I'm hoping it won't be another 7 months before I post again. I'm going to try to make time to write now and then, but we'll see.


  1. Great write up. Looking forward to more.

    - PrivateiAlbert

  2. I think everyone always appreciates a good story

  3. "I won't be surprised if no one ever reads this."

    I'm sure lots of ppl read your blog ;-)

    Using the statistics page from Blogger you can even see how many visitors you have, where they come from (country & referrer URL) etc.

    Thanks for your cool blog!


  4. Anything useful in the Jump Lists?

  5. Sorry for the delayed reply. I've been on vacation and only online occasionally for the last couple weeks.
    To be honest, once I figured out what happened, I didn't look any further. I do recall the jumplists folder was populated, but since I found the relevant data in the recent docs, I didn't go any farther with it.