Implementation

Disk Drill – Download

Tester – Hiran Rajkumar C7137759

Location – Leeds Beckett University IME JG204


Contents of implementation:

  • Capabilities of the tool
  • Expected Results
  • Testing Environment & Method
  • Use of the tool
  • Confirming the tool's capabilities & accuracy of the findings
  • Using another tool to confirm the results
  • Left over files and folders
  • Critique of the training material

Capabilities of the tool

Disk Drill is a mass-market tool that focuses exclusively on data recovery and claims to run a comprehensive quick scan and deep scan to recover:

  • Deleted files in Windows, including documents, music, photos or videos, within minutes (Disk Drill, 2016).
  • Files or whole missing partitions in your system.
  • Data on any storage device, from memory cards to hard drives.

Expected Results

Image to be tested: the forensic test image DFR-01 is obtained from the NIST (National Institute of Standards and Technology) website (CFRED, 2016). The image is provided in FAT, NTFS (Mahant, 2012) and EXT (Linux kernel) formats (Atomic Object, 2012). The test image has been tested by NIST and the results are available at the following link (CFRED, 2016): Base Results. The deleted files and the MAC times of the deleted files for each format are shown clearly in the images below. After the images have been tested, the DFR tool (Disk Drill) should recover the deleted files from them.

Link to the test image: DFR-01

FAT Format

  1. XBEID.TXT
  2. BETELEGUSE.TXT
  3. BELLATRIX.TXT

NTFS Format

  1. BUNDA.TXT

EXT Format

  1. BELLATRIX.TXT
  2. BUNDA.TXT
  3. BOTEIN.TXT

Testing Environment & Method

As seen in figure 1.7, the images are then mounted separately using Arsenal Image Mounter, which creates virtual disks that Disk Drill can use. The physical representation of the images is set to read-only (fig 1.8), so no alterations are made to the test image and the test environment is protected. The physical drives can be seen on the test system where Disk Drill is installed (fig 1.9). The tool itself can easily access the images as physical drives, on which the data recovery process can be conducted.

Use of the tool

As seen in figure 2.0, the successfully mounted images in the test system are automatically detected by Disk Drill as separate drives. Figure 2.1 shows a closer examination of the drives, revealing the partitions in each drive. As the drives are loaded with the test image in different formats (FAT/NTFS/EXT), the results of the test can be checked against the base results obtained from NIST (Base results).

Once the drives are detected, the tester can start the data recovery by using the Recover button located on the right side of the drive, which starts the deep scan. The scan searches for any folders present on the drive, including both deleted and existing ones. The deleted and existing files are shown in tree format on the next screen (Clever Files, 2016).

Confirming the capabilities of the tool & Accuracy of the findings

Disk Drill, being a mass-market tool, is used for its simplicity and convenience for the average computer user. The base (free) version of the tool finds the deleted files using various data recovery algorithms and provides the tester with the deleted file, the last modified date of the deleted file and a HEX 'preview' of the file. The following images compare the test results with the base results shown previously.

FAT Format

Test on the 'virtual' drive in FAT format (Fig 2.2). Running a deep scan on the same drive shows the 3 partitions present (Fig 2.3). All the deleted files were recovered at their actual size.

Result – Positive.

NTFS Format

Test on the 'virtual' drive in NTFS format (Fig 2.4). Running a deep scan on the same drive shows a single partition present (Fig 2.5). All the deleted files were recovered at their actual size.

Result – Positive.

EXT Format

Test on the 'virtual' drive in EXT format (Fig 2.6). Running a deep scan on the same drive shows 3 partitions present (Fig 2.7). Of the three deleted files, Bunda.txt was found successfully. An orphan file found after the scan, when recovered, turned out to be another of the deleted files (Bellatrix.txt). The last file, Botein.txt, was not recovered by the tool after numerous deep scans.

Result – Negative.

More Tests on the EXT Format

As the result for the EXT format image was negative, three further images, all containing the same deleted files but fragmented differently, were downloaded from the NIST website.

EXT Images

All the images were run through Disk Drill, and for every EXT image it failed to recover 'Botein.txt'. On further research, the Botein.txt file was found to be a rooted file (UFS Explorer, EASEUS, 2016) in the Linux OS that can only be read through Linux-based software. The file could not be read on the Windows test system.


Using another tool to confirm the results

Tool: FTK Version 3.3.0.33124

FTK has been tested and certified by the National Institute of Standards and Technology. It is more advanced and clearly shows each partition (Fig 2.8) with its deleted/modified/accessed times. The deleted files are also clearly detected by FTK, as seen in figures 2.9-3.2.

In addition, FTK (Fig 3.2) shows the MAC times of the files in clear detail.

Manual Verification of the results

The HEX values of the recovered files were compared with the HEX viewer in FTK. As seen in figures 3.4 and 3.5, the HEX values of the FAT and NTFS images show a clear match with their counterparts in FTK, but the HEX values of the EXT image (Fig 3.5) show no match.
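
The read-only mounting described in the testing environment above and the hex comparison in this section are two checks a tester can script: that the image hashes are unchanged after the test, and that every expected deleted file was produced with content identical to a reference copy. The following Python is an added example, not part of this page or of Disk Drill; the file lists come from the base results above, the `demo` directories and their contents are constructed stand-ins, and hashing the reference directory stands in for hashing the DFR-01 images themselves.

```python
import hashlib
import tempfile
from pathlib import Path

EXPECTED = {  # deleted files per format, from the NIST DFR-01 base results listed above
    "FAT": {"XBEID.TXT", "BETELEGUSE.TXT", "BELLATRIX.TXT"},
    "NTFS": {"BUNDA.TXT"},
    "EXT": {"BELLATRIX.TXT", "BUNDA.TXT", "BOTEIN.TXT"},
}

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # chunked so a multi-GB disk image need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def manifest(directory):
    # path -> SHA-256 of every file: take one manifest before mounting and one after the test
    return {p: sha256_file(p) for p in Path(directory).iterdir() if p.is_file()}

def changed_images(before, after):
    # images whose hash moved between manifests; with read-only mounts this must be empty
    return sorted(str(p) for p in before if after.get(p) != before[p])

def verify_recovery(fmt, recovered_dir, reference_dir):
    """Check recovered files against the expected list and against reference copies (e.g. FTK
    exports). Names compare case-insensitively because FAT stores upper-case 8.3 names."""
    rec = {p.name.upper(): p for p in Path(recovered_dir).iterdir()}
    ref = {p.name.upper(): p for p in Path(reference_dir).iterdir()}
    report = {"match": [], "mismatch": [], "missing": []}
    for name in sorted(EXPECTED[fmt]):
        if name not in rec:
            report["missing"].append(name)      # the tool never produced this file
        elif name in ref and sha256_file(rec[name]) != sha256_file(ref[name]):
            report["mismatch"].append(name)     # produced, but the bytes differ
        else:
            report["match"].append(name)
    report["result"] = "Negative" if report["missing"] or report["mismatch"] else "Positive"
    return report

def demo():
    """Constructed sample reproducing the EXT outcome above: Botein.txt is never recovered."""
    rec, ref = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())  # constructed stand-ins
    for name in ("BELLATRIX.TXT", "BUNDA.TXT", "BOTEIN.TXT"):
        (ref / name).write_text("constructed " + name)
    for name in ("Bellatrix.txt", "Bunda.txt"):  # Botein.txt deliberately absent
        (rec / name).write_text("constructed " + name.upper())
    before = manifest(ref)  # stands in for hashing the DFR-01 images before mounting
    return verify_recovery("EXT", rec, ref), changed_images(before, manifest(ref))
```

A mismatch for a file the tool did produce is the scripted equivalent of the failed hex comparison on the EXT image.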

Created files and folders in the system

There are no system changes on the computer while the Disk Drill application runs. The process itself starts and ends within itself. All the files that are to be 'recovered' can be saved to a folder on the test system.

Critique of the training material

The Disk Drill tool is aimed at providing a deleted-file recovery service to customers with little or no experience in computing (Disk Drill, 2016). The vendor has a separate 'how-to' centre with different categories on its official website that answers many questions about the tool. Its service includes the Knowledge Base options available in the help section (Fig 3.8), forums (Fig 3.9) and the company's policies (Clever Files, 2016). The vendor offers 24/7 online customer service, as seen in figure 4.0.

The vendor website itself has numerous videos on methods of using the tool, which can be viewed at the following link: How to use Disk Drill.

All the training material available on the website claims that a 'successful' recovery should produce all deleted files. The possibility of an unsuccessful recovery is not mentioned by the vendor, nor is how to correct a fault in the recovery process. The tool's ease of use and the clarity of its user interface mean that a regular computer owner needs neither training material nor a user guide. Questions asked by current customers are automatically logged in the company's forums and answered, which is useful for other customers who may face the same problems. However, Disk Drill is of little or no use to a forensic tester, as there are better DFR tools available that are capable of more dependable data recovery.


Bibliography

Atomic Object. 2012. Restoring Deleted Files in Linux from the ext3 Journal. [ONLINE] Available at: https://spin.atomicobject.com/2012/06/29/restoring-deleted-files-from-the-ext3-journal/. [Accessed 29 November 2016].

CFRED. 2016. DFR Test Images. [ONLINE] Available at: http://www.cfreds.nist.gov/dfr-test-images.html. [Accessed 29 November 2016].

Clever Files. 2016. Recover Deleted Files with Disk Drill for Windows. [ONLINE] Available at: http://www.cleverfiles.com/disk-drill-windows.html. [Accessed 25 November 2016].

Disk Drill. 2016. Help Center. [ONLINE] Available at: http://www.cleverfiles.com/help/talk/. [Accessed 28 November 2016].

EASEUS. 2016. How do I recover files from EXT2/EXT3 drive? [ONLINE] Available at: http://www.easeus.com/datarecoverywizard/recover-ext2-ext3-drive.htm. [Accessed 29 November 2016].

Mahant, Sameer H. 2012. NTFS Deleted Files Recovery: Forensics View. IRACST – International Journal of Computer Science and Information Technology & Security (IJCSITS), [Online]. Volume 2 No 3, 492. Available at: http://www.ijcsits.org/papers/Vol2no32012/1vol2no3.pdf. [Accessed 22 November 2016].

UFS Explorer. 2016. Deleted files: chances for recovery. [ONLINE] Available at: http://www.ufsexplorer.com/und_del.php. [Accessed 28 November 2016].
