RAID data saved after fire damage

By: Data Recovery & Computer Forensics Specialists  05/08/2014
Keywords: data recovery, hard drive recovery, Laptop Data Recovery

We received a RAID-5 array which had failed following a fire. There were four hard drives in the array and two were showing signs of physical damage to the PCBs. Each fire-damaged drive was carefully cleaned to prevent contamination of the platters by soot and smoke particles. Where the hard drive electronics were damaged, it was necessary to completely rebuild the circuitry, which required delicate and precise microcode repair.

The next stage was to attempt to read the raw data from the drives. Three of the four were fully recovered, whilst we had to nurse one through the process. The challenge was to reconstruct the missing data, and fortunately RAID-5 makes this possible thanks to data redundancy. By creating a virtual RAID, we rebuilt the data and extracted 90% of the files successfully.

Breach of copyright through domain names and metadata

On this case we were tasked with establishing the extent of passing off and/or breach of trademark claims in regard to a competitor’s e-marketing campaign. The client had developed a cosmetic procedure, trademarking it to protect the brand. However, the client became aware of a competitor who was marketing a similar procedure, using domain names and website metadata containing the trademarked name to connect interest to its own website.

To undertake this task we used a variety of tools. IBS Standard Edition Version 11.7.9, a powerful search engine optimisation software tool, allowed us to research and analyse keywords and links for a particular website and compare these with nominated competitors. Domain White Pages, an online resource that allows the user to investigate domains and IP addresses, was used to investigate domain records, DNS records, network records and service scans.

Recovering data from a Nokia mobile device

A client came to us requiring a full mobile phone forensic investigation on a Nokia device.
We were tasked with retrieving all available information on the device, including contacts, sent and received SMS messages (including deleted ones), emails and any other data we could find. In addition to this, we had two specific requests: information relating to several phone numbers and keywords.

The main tool utilised during this case was Oxygen Mobile Forensics Suite 2011, which is a thorough extraction tool used to retrieve data from smart phones in particular. The second tool we used was MOBILedit Forensic Lite, a trusted phone investigation tool that is highly rated by the National Institute of Standards and Technology. These two tools were used to investigate the phone’s internal memory and memory card.

Identifying hard drive activity in a specific time window

We were asked to establish whether or not there was sufficient evidence to show that activity was performed during a seven day window, and whether the evidence of this activity had been forensically wiped. The main tools used were AccessData Forensic Toolkit FTK and FTK Imager.

We were given access to a hard drive. We performed imaging on the hard drive, taking care to maintain the integrity of the evidence and adhering to Association of Police Chief Officers (ACPO) guidelines at all times. The data recovered clearly identifies signatures for forensic wiping programs, namely CCleaner and DiskWipe, which are used to clean hard drives and to destroy data permanently. Due to the health of the files recovered using FTK, however, it is unlikely these forensic wiping programs were ever used successfully, if at all, and almost certainly not in the period in question.
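
The virtual RAID-5 rebuild described in the first case study can be illustrated with a short added example (not the tooling used on the case): the unreadable member is recreated as the XOR of the surviving members, then the volume is de-striped. The four-disk left-symmetric layout, the 4-byte stripe unit and the sample payload are assumptions constructed for the demonstration.

```python
from functools import reduce

def xor_blocks(blocks):
    """XOR equal-length byte strings column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def make_array(data, n, chunk):
    """Constructed test input: stripe `data` over n members (assumed left-symmetric)."""
    per_stripe = chunk * (n - 1)
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    members = [bytearray() for _ in range(n)]
    for s in range(len(data) // per_stripe):
        base = s * per_stripe
        units = [data[base + k * chunk: base + (k + 1) * chunk] for k in range(n - 1)]
        parity = (n - 1) - (s % n)              # parity rotates from last disk to first
        members[parity] += xor_blocks(units)
        for k, unit in enumerate(units):        # data starts on the disk after parity
            members[(parity + 1 + k) % n] += unit
    return [bytes(m) for m in members]

def rebuild_member(members):
    """Recreate the one unreadable member (None) as the XOR of all the others."""
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) != 1:
        raise ValueError("RAID-5 parity can recover exactly one missing member")
    present = [m for m in members if m is not None]
    if any(len(m) != len(present[0]) for m in present):
        raise ValueError("member images must be the same size")
    out = list(members)
    out[missing[0]] = xor_blocks(present)       # independent of stripe layout
    return out

def destripe(members, chunk):
    """Concatenate data units in logical order, skipping each stripe's parity unit."""
    n, out = len(members), bytearray()
    for s in range(len(members[0]) // chunk):
        parity = (n - 1) - (s % n)
        for k in range(n - 1):
            disk = (parity + 1 + k) % n
            out += members[disk][s * chunk:(s + 1) * chunk]
    return bytes(out)

if __name__ == "__main__":
    data = b"constructed sample payload for a four-disk RAID-5 set"
    disks = make_array(data, n=4, chunk=4)
    disks[1] = None                             # simulate the member that could not be read
    volume = destripe(rebuild_member(disks), chunk=4)
    print(volume[:len(data)] == data)
```

Rebuilding the member needs no knowledge of the layout, but de-striping does: a wrong stripe size or parity rotation yields a volume that is intact only in fragments.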
