Disk Drill – Download
Tester – Hiran Rajkumar C7137759
Location – Leeds Beckett University IME JG204
The Disk drill is a powerful and easy to use data recovery application that uses recovery vault technology with a variety of retrieval methods to recover data from a media source and can also be used as a backup utility. The technology itself runs as a background service and making it possible to restore deleted files with their original file names and their true location. However the casualty and easiness of tools works with all recent version of windows and MAC but does not show a file’s condition/quality before recovery. It’s necessity to be installed in the hard drive and no available portable option would be a hindrance to a professional tester.
During the implementation and through extensive research the disk drill had few problems that were not available in other DFR tools in the market like Puran file recovery, Recuva and FTK. The quality of a file which needs to be undelete is not shown, which leads to many recovered files being corrupted and unable to open on recovery (UFS Explorer, 2016).
Another problem is the installation of the application itself on the system which may over write the data for recovery. The core engine and the responsive UI is well designed, and presented with extras are useful for a moderate user, but 500MB limit on the beta version is of little help and tools like FTK does a better job with free of charge. It is an intuitive handy recovery application for the everyday windows user but not for the forensic tester.
Link to Implementation of Disk Drill – https://hirandfa.wordpress.com/2016/11/08/first-blog-post/.
The implementation was done through using Arsenal image mounter, to load the test ‘Images’ on to the drive. These test images were base images used by the National Institute of standards and technology for Deleted file recovery tools. The results have been repeated and reproduced by NIST approved tools like Encase and FTK. The DISK DRILL being a DFR tool should produce the exact results that have been recorded by NIST.
Three images with different file formats (NTFS, EXE, FAT) were used for testing. The test were carried out three times in each file format for the precision under repeatability conditions. This proves that the test result are obtained with the same method on each format inside the same laboratory by disk drill using the arsenal image mounter within short intervals of time.
The test was also carried out three time separately in each file format for the precision under reproducibility conditions. This proves that the test results are obtained with the same testing method used above with disk drill using the arsenal image mounter in different laboratory using three different computers.
The image obtained from the NIST were mounted in the test system using the third-party tool Arsenal Image Mounter. The image was set to read only option to prevent from the corruption of test images. The testing of the tool was done only in three different file formats each with one fragmented file inside them.
In the future, the test should be carried out on over-written, fragmented, deep files etc. The test should also should be carried out on the partitions of the images, memory devices and external hard-drives. All the files recovered in the implementation were txt files and test images with pictures, audio, video and archives were not tested with disk drill. The Macintosh version of the Disk drill was not tested which should be done in the future. The Disk drill application was initially created for a Macintosh and upgraded to the windows few years later (Hill, 2011). More functionalities are available on the Macintosh which include the ‘Recovery Vault’, ‘Android compatibility’, ‘Disk Health’, ‘Mac Cleanup’ , ‘Duplicate finder’,’Recovery Drive’ and ‘Data protection’ (Hauk, 2016; Schauland, Sande 2011; ). These are different functions exclusively available on the Macintosh version of the Disk Drill which were not tested. The most important lesson for the future would be using one file format for testing the tool on windows instead of testing three file formats but looking at various methods of the tool for the single file format (Easeus, 2016). This would define the tool clearly and could show the DFR capabilities accurately.
The following writing will be clear-cut summarized knowledge about the tool that would help an untrained tester. These will be done by the proceeding questions.
- What is it?
- Where to find it?
- What works with it?
- What Operating system runs on it?
- How to download it?
- How to run it?
- How to obtain evidence?
The reader can jump to the appropriate sections to get more information.
1. What is it?
Disk drill is a data recovery application developed by clever files and is solely designed to recover entire deleted files, or partitions in a system.
2. Where to find it?
The basic version of the tool can be downloaded from the vendors website. The extended version can be downloaded after payment is made to the vendor.
Vendors website: https://www.cleverfiles.com/disk-drill-windows.html
3. What works with it?
The tool is currently capable of reading NTFS, FAT32, EXT, HFS+ and many other file systems. The file systems can be read from systems and memory devices (Sameer, 2012; William, 2016).
4. What Operating system runs on it?
5. How to download it?
The tool is tested on a Windows operating system, the download and testing is similar on a Macintosh.
Visiting the vendor website – Download
Figure 1.0 shows the download from the official website followed by the installation which are shown on the figure 1.2 & 1.3.
6. How to run it?
After the file has been downloaded the tool can be seen on the desktop or in the application folder of the computer (Figure 1.4). As seen on Figure 1.5 double-clicking on the application triggers permission from the user to run it on the system. As the application is run the tool automatically scans the partitions in the system (Fig 1.6). The recover process is ready to begin.
7. How to obtain evidence?
The F: drive is seen on the Disk Drill application (Fig 1.7) . The following drive has a single large file of around 500MB deleted. The recovery process is outset by running all available recovery methods on the disk drill application. The recovered file is shown with its size and the last modified date on figure 1.8. Clicking the recovery button will recover the particular file to a desired folder in your test system (Fig 1.9). The recovered file (Bunda.txt) can be opened as a normal file in the test system. The deleted file can also been seen in FTK with the same modified time and size. Further examples on the above testing on FAT and EXE formats can be found on the implementation page of the site.
The Disk drill is capable of recovering all kinds of files which includes pictures, audio and various documents as seen on Fig 2.0 – 2.2. The recovery process is possible from any storage device that includes anything from desktops, laptops, workstations, internal/external hard drives, memory cards etc. This particular tool boasts with more than 10 million downloads, half a million professional clients and availability in 150 countries. It is a favorable data recovery tool for the mass market.
Chris Hauk. 2016. Disk Drill 3 Offers macOS Sierra Compatibility, New UI, Improved Data Recovery Algorithms.. [ONLINE] Available at: http://www.mactrast.com/2016/08/disk-drill-3-offers-macos-sierra-compatibility-new-ui-improved-data-recovery-algorithms/. [Accessed 10 December 2016].
Derek Schauland. 2011. Cleverfiles Disk Drill file recovery for the Mac. [ONLINE] Available at: http://www.techrepublic.com/blog/apple-in-the-enterprise/cleverfiles-disk-drill-file-recovery-for-the-mac/. [Accessed 1 December 2016].
EASEUS. 2016. How do I recover files from EXT2/EXT3 drive?. [ONLINE] Available at: http://www.easeus.com/datarecoverywizard/recover-ext2-ext3-drive.htm. [Accessed 29 November 2016].
Jerad Hill. 2010. Disk Drill – The First Free Data Recovery Software for Mac OS X. [ONLINE] Available at: http://stateoftech.net/disk-drill-the-first-free-data-recovery-software-for-mac-os-x. [Accessed 9 December 2016].
Mahant , Sameer H., 2012. NTFS Deleted Files Recovery: Forensics View. IRACST – International Journal of Computer Science and Information Technology & Security (IJCSITS), [Online]. Volume 2 No 3, 492. Available at: http://www.ijcsits.org/papers/Vol2no32012/1vol2no3.pdf [Accessed 22 November 2016].
Mike Williams. 2016. Disk Drill 184.108.40.2064. [ONLINE] Available at: http://www.pcadvisor.co.uk/download/system-desktop-tools/disk-drill-200274-3330359/. [Accessed 7 December 2016].
Steven Sande,. 2011. Disk Drill protects your Mac disks, recovers files. [ONLINE] Available at: https://www.engadget.com/2011/03/08/disk-drill-protects-your-mac-disks-recovers-files/. [Accessed 10 December 2016].
UFS Explorer. 2016. Deleted files: chances for recovery. [ONLINE] Available at: http://www.ufsexplorer.com/und_del.php. [Accessed 28 November 2016].