Disk Drill – Download
Tester – Hiran Rajkumar C7137759
Location – Leeds Beckett University IME JG204
Contents of implementation:
- Capabilities of the tool
- Expected Results
- Testing Environment & Method
- Use of the tool
- Confirming the tool's capabilities & accuracy of the findings
- Using another tool to confirm the results
- Left over files and folders
- Critique of the training material
Capabilities of the tool
Disk Drill is a mass-market tool that focuses exclusively on data recovery and claims to perform a comprehensive quick or deep scan to recover:
- Deleted files in Windows, including documents, music, photos or videos, within minutes (Disk Drill, 2016).
- Lost files or whole missing partitions in your system.
- Data from any storage device, from memory cards to hard drives.
Image to be tested: the forensic test image DFR-01 is obtained from the NIST (National Institute of Standards and Technology) website (CFRED, 2016). The image is provided in FAT, NTFS (Mahant, 2012) and EXT (Linux kernel) format (Atomic Object, 2012). The test image has been tested by NIST and the results are available at the following link (CFRED, 2016): Base Results. The deleted files and the MAC times of the deleted files for each format are shown clearly in the images below. Given those base results, the DFR tool under test (Disk Drill) should successfully recover the deleted files from the images.
Link to the test image: DFR-01
Testing Environment & Method
As seen in figure 1.7, each image is mounted separately using Arsenal Image Mounter, which creates a virtual disk that Disk Drill can use. The physical representation of each image is set to read-only (fig 1.8), so no alterations are made to the test image and the test environment is protected. The physical drives are visible on the test system where Disk Drill is installed (fig 1.9), and the tool can access the images as physical drives on which the data recovery process is conducted.
Use of the tool
As seen in figure 2.0, the images mounted in the test system are automatically detected by Disk Drill as separate drives. Figure 2.1 shows a closer examination of the drives, revealing the partitions in each drive. As the drives are loaded with the test image in different formats (FAT/NTFS/EXT), the test results can be checked against the base results obtained from NIST (Base results).
Once the drives are detected, the tester can start data recovery with the Recover button on the right-hand side of the drive, which starts the deep scan. The scan searches for every folder present on the drive, deleted and existing alike, and the deleted and existing files are shown in tree form on the next screen (Clever Files, 2016).
Confirming the capabilities of the tool & Accuracy of the findings
Disk Drill, being a mass-market tool, is valued for its simplicity and convenience for the average computer user. The base (free) version of the tool finds deleted files using various data recovery algorithms and provides the tester with the deleted file, its last modified date and a HEX 'preview' of the file. The following images compare the test results with the base results shown previously.
Test on the 'virtual' drive in FAT format (Fig 2.2). Running a deep scan on the same drive shows the three partitions present (Fig 2.3). All the deleted files were recovered at their actual size.
Result – Positive.
Test on the 'virtual' drive in NTFS format (Fig 2.4). Running a deep scan on the same drive shows a single partition present (Fig 2.5). All the deleted files were recovered at their actual size.
Result – Positive.
Test on the 'virtual' drive in EXT format (Fig 2.6). Running a deep scan on the same drive shows three partitions present (Fig 2.7). Of the three deleted files, Bunda.txt was found successfully. An orphan file found after the test turned out, once recovered, to be another of the deleted files (Bellatrix.txt). The last file, Botein.txt, was not recovered by the tool after numerous deep scans.
Result – Negative.
More Tests on the EXT Format
As the result for the EXT format image was negative, three further images, all containing the same deleted files but fragmented differently, were downloaded from the NIST website.
All the images were run through Disk Drill and all the EXT images failed to recover 'Botein.txt'. On further investigation, Botein.txt was found to be a 'rooted' file (UFS Explorer, EASEUS, 2016) in the Linux OS that can only be read with Linux-based software; the file could not be read on the Windows test system.
Using another tool to confirm the results
Tool: FTK Version 22.214.171.124124
FTK has been tested and certified by the National Institute of Standards and Technology. It is more advanced and clearly shows each partition (Fig 2.8) with its deleted/modified/accessed times. The deleted files are also clearly detected by FTK, as seen in figures 2.9-3.2.
In addition, FTK (Fig 3.2) shows the MAC times of the files in clear detail.
Manual Verification of the results.
The HEX values of the recovered files were compared with those shown in the FTK HEX viewer. As seen in figures 3.4 and 3.5, the HEX values of the FAT/NTFS images clearly match their counterparts in FTK, but the HEX values of the EXT image (Fig 3.5) show no match.
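The manual hex-viewer comparison above can be automated. The following is an added example (not part of the report, and not Disk Drill or FTK code) that checks each recovered file against its known-good copy from the base results by size, SHA-256 and first differing byte, and prints a hex 'preview' around the mismatch; the file names and contents are constructed sample data, not the NIST files.

```python
# Added example (not from the report or from Disk Drill): compare files a DFR
# tool recovered against the known-good copies from the base results, the way
# the report does by eye in the FTK hex viewer, and report any mismatch.
import hashlib
import tempfile
from pathlib import Path

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the files are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def hex_window(data: bytes, offset: int, width: int = 8) -> str:
    """Hex 'preview' of the bytes around offset, as seen in a hex viewer."""
    return data[max(0, offset - width):offset + width].hex(" ")

def verify_recovery(reference_dir: Path, recovered_dir: Path) -> dict:
    """Per base-results file: was it recovered, same size, byte-for-byte identical?"""
    report = {}
    for ref in sorted(reference_dir.iterdir()):
        rec = recovered_dir / ref.name
        if not rec.exists():
            report[ref.name] = {"recovered": False}   # tool never produced it
            continue
        a, b = ref.read_bytes(), rec.read_bytes()
        diff = first_difference(a, b)
        report[ref.name] = {
            "recovered": True,
            "size_match": len(a) == len(b),
            "hash_match": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
            "first_diff": diff,
            # hex of both copies around the mismatch, for a manual look
            "hex": None if diff is None else (hex_window(a, diff), hex_window(b, diff)),
        }
    return report

def build_sample() -> tuple:
    """Constructed sample (not the NIST data): one intact, one damaged, one missing."""
    root = Path(tempfile.mkdtemp())
    ref, rec = root / "base_results", root / "recovered"
    ref.mkdir(); rec.mkdir()
    (ref / "Bellatrix.txt").write_bytes(b"Bellatrix is a star in Orion.\n")
    (rec / "Bellatrix.txt").write_bytes(b"Bellatrix is a star in Orion.\n")
    (ref / "Bunda.txt").write_bytes(b"Bunda is a star in Aquarius.\n")
    (rec / "Bunda.txt").write_bytes(b"Bunda is a star in Aqua\x00ius.\n")  # one byte damaged
    (ref / "Botein.txt").write_bytes(b"Botein is a star in Aries.\n")      # never recovered
    return ref, rec
```

Run `verify_recovery(*build_sample())` to see the three outcomes the report describes: a clean match, a same-size file whose hex differs, and a file the tool did not recover.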
Created files and folders in the system
There are no system changes on the computer while the Disk Drill application is run. The process starts and ends within itself. All the files that are to be 'recovered' can be saved to a folder in the test system.
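A claim of "no system changes" is easier to defend with a before/after comparison of the test system. The following added example (my own code, not the report's procedure or Disk Drill's) snapshots a directory tree before and after a tool run and lists what was created, removed or modified; the tool run is a constructed stand-in that writes a recovered file, a log and a settings change, so all three kinds of change show up.

```python
# Added example (not the report's own procedure): snapshot a directory tree
# before and after running the recovery tool and list what was created,
# removed or changed, to back the "no leftover files" claim with evidence.
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict:
    """Map each file under root to (size, sha256), so a change is caught even
    if the tool preserves the file's modification time."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def diff_snapshots(before: dict, after: dict) -> dict:
    """Files present only after (created), only before (removed), or changed."""
    return {
        "created": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def simulate_tool_run(root: Path) -> None:
    """Constructed stand-in for the tool: saves a recovered file to the chosen
    output folder, drops a scan log, and updates its own settings file."""
    out = root / "Recovered"
    out.mkdir()
    (out / "Bellatrix.txt").write_bytes(b"Bellatrix is a star in Orion.\n")
    (root / "AppData" / "scan.log").write_text("deep scan finished\n")
    (root / "AppData" / "settings.ini").write_text("lang=en\nlast_scan=1\n")

def demo() -> dict:
    """Build a constructed test tree, run the stand-in tool, diff the snapshots."""
    root = Path(tempfile.mkdtemp())
    (root / "AppData").mkdir()
    (root / "AppData" / "settings.ini").write_text("lang=en\n")
    before = snapshot(root)
    simulate_tool_run(root)
    return diff_snapshots(before, snapshot(root))
```

On a real test system, point `snapshot` at the drive root (or the profile and program-data directories) and run it around the actual tool; anything in "created" that is not in the chosen output folder is a leftover.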
Critique of the training material
The Disk Drill tool is aimed at providing a deleted-file recovery service to customers with little or no experience in computing (Disk Drill, 2016). The vendor has a separate 'how-to' centre with different categories on its official website that answers many questions about the tool. Its service includes the knowledge base available in the help section (Fig 3.8), forums (Fig 3.9) and the company's policies (Clever Files, 2016). The vendor offers 24/7 online customer service, as seen in figure 4.0.
The vendor website itself has numerous videos on how to use the tool, which can be viewed at the following link: How to use Disk Drill.
All the training material available on the website claims that a 'successful' recovery should produce all deleted files. The possibility of an unsuccessful recovery is not mentioned by the vendor, nor how to correct a fault in the recovery process. The tool's ease of use and the clarity of its user interface mean that a regular computer owner needs neither training material nor a user guide. Questions asked by current customers are automatically logged in the company's forums and answered, which is useful for other customers who may face the same problems. However, Disk Drill is of little or no use to a forensic tester, as better DFR tools are available that are capable of more reliable data recovery.
Atomic Object. 2012. Restoring Deleted Files in Linux from the ext3. [ONLINE] Available at: https://spin.atomicobject.com/2012/06/29/restoring-deleted-files-from-the-ext3-journal/ [Accessed 29 November 2016].
CFRED. 2016. DFR Test Images. [ONLINE] Available at: http://www.cfreds.nist.gov/dfr-test-images.html [Accessed 29 November 2016].
Clever Files. 2016. Recover Deleted Files with Disk Drill for Windows. [ONLINE] Available at: http://www.cleverfiles.com/disk-drill-windows.html [Accessed 25 November 2016].
Disk Drill. 2016. Help Center. [ONLINE] Available at: http://www.cleverfiles.com/help/talk/ [Accessed 28 November 2016].
EASEUS. 2016. How do I recover files from EXT2/EXT3 drive? [ONLINE] Available at: http://www.easeus.com/datarecoverywizard/recover-ext2-ext3-drive.htm [Accessed 29 November 2016].
Mahant, Sameer H. 2012. NTFS Deleted Files Recovery: Forensics View. IRACST – International Journal of Computer Science and Information Technology & Security (IJCSITS), [Online]. Volume 2 No 3, 492. Available at: http://www.ijcsits.org/papers/Vol2no32012/1vol2no3.pdf [Accessed 22 November 2016].
UFS Explorer. 2016. Deleted files: chances for recovery. [ONLINE] Available at: http://www.ufsexplorer.com/und_del.php [Accessed 28 November 2016].