Hello everyone. Last week we were talking about data acquisition from a suspect device, and this week we'll be talking about recovering data from the copy that you made. So first, we're just going to review some things that we talked about last week.

First off, whenever we get a suspect or victim device, before we start working with it we want to make sure that we are write-blocking the device, so we can't actually make any changes to the suspect's or victim's disk. So we need to figure out: do we want to use a hardware write blocker or a software write blocker to protect that data from us making changes to it? Once we actually connect the write blocker, we need to make sure that we create a hash of the original device. So we create a hash value for the suspect's or victim's data to ensure that, whenever we're working with the data, we know what the state of the data was before we accessed it and after we accessed it. So basically, connect your suspect's or victim's storage devices to a write blocker, either hardware or software, and then make a reference hash value, a hash of that data, so you know whether it changes or not.

Next, acquire the disk image of the device. So actually copy the data into file form, or potentially copy it to another hard drive. This is what you will actually use to work with during your investigation. Once you've made a copy of the suspect's data and you either have it in a file format or copied to another hard drive, then we want to create hashes for the copy of the data that we've created and for the original again. We make a hash of the copy that we created to ensure that our copy is exactly the same as the original. We also make another hash of the original disk to make sure that we didn't make any modifications. Once we've done that, then we usually have a disk image and we also have three hashes. Those hash values should all be the same.
Once we have that, then we know that we have a copy of the original data that has not been modified from when the suspect had access to that data. So we have this clean data that we can prove to the court we have not modified in any way. Once we get all that and all the documented hashes match, then we need to not work with the suspect's hard drive anymore. We want to disconnect it and put it essentially in a storage locker, and it will remain there until the case is over or it has to go back to the suspect or victim. So the result of all of this is an exact copy of the original data, and this copy is what we will be storing either on our forensic workstation or a forensic server in our unit or whatever we're working in, and the original device should be put in secure storage. We will not use it again unless absolutely necessary.

The reason we do not want to access the original hard drive anymore is, first off, we might make modifications to it, and we do not want to change any of the data that's on that disk. But second, it's a physical device, so it could break while we're using it or something could go wrong with it. The more we use it, the more likely it is to break or something will be damaged. So we want to make sure that we are using the original physical device as little as possible. Once we make a copy, we securely store it and we're done with it from now on.

We have a copy of the acquired disk image, and we always want to make a second copy of the acquired disk image. The reason for that is we have this copy that we've made, a file that contains all of the suspect or victim data, and we need to analyze that copy. But maybe our tools somehow modify this image that we've created. If the tools modified the image that we created, then our image is no longer good. We can no longer use it for court, and the only way we can get another good image is by going back to the physical disk and making another copy.
So to prevent that from happening, we have the copy that we've made, this forensic disk image that we've created, and we have it stored on our forensic workstation or secure server. And then whenever we want to actually do analysis, we make a copy of our file, a copy of the copy, and we always work with this second copy. So if we modify any of the data in this second copy, no problem: we can just make another copy again without accessing the original disk. We always want to work with the copy of the original. If the original image is damaged, we will have to use the disk again. We do not want to access the physical disk again unless we absolutely need to.

And we need to create and verify the hashes of all of these copies that we make. Every time we start to do an analysis of the data, we need to make a hash of not only our original file but also any copies we make. And once we're finished with our analysis, we also make a hash again of the copies we've made and the originals to make sure that we haven't actually modified anything. The reason that's so important is we need to be able to prove to the court that all of our actions did not add or remove any data from the suspect's device. We have to prove that. So it's always good practice, before you begin an analysis, to hash your data and make sure the hash values match the hash values from before, and then after you're done with your analysis, hash again and document that those hashes are the same. If there is a change, that's not necessarily a problem as long as you can say why there was a change. So the court can accept some changes as long as you can explain what the changes were, why they were necessary and what caused them, essentially.

So, getting into data recovery. For data recovery, we'll have a lot of practices this week. Data recovery is an attempt to pull out as much information as possible from the system. So now we have a copy of all of this data, but we haven't actually made sense of what the data means yet.
We don't have access to all of the information that's on the suspect's system. It's all there; we just need to pull it out into a form that humans can understand. So some tasks that digital investigators almost always do are recovering deleted files, recovering hidden partitions or hidden files, and also recovering file fragments, or parts of files that have possibly been deleted or overwritten or intentionally hidden, things like that. These are some common things, and we'll practice that this week.

So, to recover data, very basically, there are a lot of different methods or techniques and tools we can use to recover data, but very basically, to recover data we normally examine known data structures. And we've already talked a little bit about data structures. Essentially, if you have a file, the file probably has a file header and it probably has a file footer. In most cases, a lot of files have file headers and file footers. Partitions also have structures; basically, most of the data that we deal with on a daily basis has some sort of structure to it. And if we can understand that structure, then we can look directly at the data and be able to pull out information that's relevant to our case. So a basic example: find where the structure starts, right? Find where the structure ends, and then copy everything in between. So imagine that we have an image file, and we'll actually practice this today. In the slides, I have an example of a JPEG image, and we have a file header for the JPEG image. So we look for where the file header begins. We look for where the file information ends, and if we just start copying from the beginning to the end, we copy everything out into another file. We can recover the image that's in this data even if the suspect had deleted that image. We might still be able to recover this. So we'll practice that this week a couple of different ways.
There are some automated tools, or there are a lot of automated tools, that try to do this data recovery automatically, but we'll also try some fairly straightforward manual data recovery as well.

So I just want to say something real quick about fragmentation and file fragments. They're a little bit different, or the concepts are a little bit different. So data fragments: sometimes only parts of a file are available. So for example, if I delete a file, then Windows is free to use that space on the hard drive again, and another file might be written over part of the file. So I might only actually be able to recover half or maybe even less of a file, and we consider that a fragment of the file. These fragments are very interesting for investigations, because imagine that somebody wrote an email saying they were going to bomb a school. They might have deleted that email from their sent box, but the data for the email might still be resident on their hard drive. But if they keep sending more emails, maybe part of that email gets overwritten. We could potentially still recover fragments or a fragment of that message and still be able to recover, for example, part of the text that says "I'm going to blow up the school" or whatever they're going to say. So fragments are parts of files that we can still recover, and they oftentimes contribute or have some information that is relevant to cases, but they're a little bit difficult to work with.

And fragmentation is whenever all data is not necessarily located sequentially on the hard drive. So going back to the JPEG image example: if we start at the beginning of a JPEG and we copy everything until the end of the JPEG, we can get a JPEG image out. However, if there's fragmentation, then parts of the file may be stored in different places on the hard drive.
Whenever that's the case, whenever the file is fragmented, we won't be able to just start at the beginning and copy until the end, because there'll be a lot of extra data in there. We get this fragmentation, and we don't recover the image accurately. So fragmentation causes a lot of problems for a lot of different file types. We'll look a little bit at what fragmentation can do in your investigation when we do the practice this week. So I'll have a lot of resources and tools available for you for trying data recovery on some of your own devices this week. And that's it for now. Thank you.
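The header-to-footer carving described in the lecture, as an added example that is not part of the lecture or its slides. It runs over a small constructed byte string standing in for a disk image, carves every JPEG whose SOI header (FF D8 FF) and EOI footer (FF D9) are both present, reports a header with no footer as a fragment, and hashes each recovered file so it can be compared with a reference hash.

```python
import hashlib

# JPEG files begin with the SOI marker FF D8 followed by another marker (FF xx)
# and end with the EOI marker FF D9. Carving = find header, find footer, copy between.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def build_sample_image():
    """Constructed 'disk image' (not real evidence): one intact JPEG-like file and
    one whose tail was overwritten, both sitting in unallocated space."""
    intact = JPEG_SOI + b"\xe0" + b"JFIF-SAMPLE-1" * 4 + JPEG_EOI
    fragment = JPEG_SOI + b"\xe0" + b"JFIF-SAMPLE-2" * 4   # footer is gone
    filler = b"\x00" * 32
    image = filler + intact + filler + b"log line: user deleted photo" + filler + fragment + filler
    return image, intact


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Return [(offset, data, complete)] for every JPEG header in the image.
    complete=False marks a fragment: a header with no footer within max_size bytes.
    Caveat: a real JPEG with an embedded EXIF thumbnail holds a second SOI/EOI pair,
    so this naive carver stops at the thumbnail's footer and yields a truncated file;
    fragmented files (non-contiguous clusters) come out with foreign bytes inside."""
    found = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        limit = min(len(image), start + max_size)
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), limit)
        if end != -1:
            stop = end + len(JPEG_EOI)
            data, complete = image[start:stop], True
        else:
            # No footer: keep bytes up to the next header (or the size limit) as a fragment.
            nxt = image.find(JPEG_SOI, start + len(JPEG_SOI), limit)
            stop = nxt if nxt != -1 else limit
            data, complete = image[start:stop], False
        found.append((start, data, complete))
        pos = stop
    return found


def sha256(data):
    """Hash a recovered file so it can be documented and compared with the reference hash."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    image, original = build_sample_image()
    for offset, data, complete in carve_jpegs(image):
        print(f"offset={offset} size={len(data)} complete={complete} sha256={sha256(data)[:16]}")
```

The fragment carries trailing slack (whatever followed it on disk up to the next header), which is why fragments need a closer look before anything in them is relied on.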