Data Recovery Blog

EnCase Forensic is for forensic practitioners who need to conduct efficient, forensically sounds data collection and investigations using a repeatable and defensible process. EnCase Forensic lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence.

How EnCase® Forensic Works:

1) Obtain Forensically Sound Acquisitions
EnCase® Forensic produces an exact binary duplicate of the original drive or media, then verifies it by generating MD5 hash values for related image files and assigning CRC values to the data. These checks and balances reveal when evidence has been tampered with or altered, helping to keep all digital evidence forensically sound for use in court proceedings.

2) Save Valuable Time with Advanced Productivity Features
Examiners can preview data while drives or other media are being acquired. Once the image files are created, examiners can search and analyze multiple drives or other media simultaneously. EnCase Forensic also features a case indexer. This powerful tool builds a complete index in multiple languages, allowing for fast and easy queries. Indices can also be chained together to find keywords common to other investigations. This Unicode-supported index contains personal documents, deleted files, file system artifacts, file slack, swap files, unallocated space, emails and web pages. In addition, EnCase has extensive file system support, giving organizations the ability to analyze all types of data.

3) Customize EnCase® Forensic with EnScript® Programming
EnCase forensic features EnScript® programming capabilities. EnScript, an object-oriented
programming language similar to Java or C++, allows users create to custom programs to help
them automate time-consuming investigative tasks, such as searching and analyzing specific
document types or other labor-intensive processes and procedures. This power can be harnessed by any level of investigator by using one of Forensics tools, such as the “Case Developer” or one of the numerous built-in filters and conditions.

4) Provide Actionable Data, Report on it, and Move on to the Next Case
Once investigators have bookmarked relevant data, they can create a report suitable for
presentation in court, to management or to another legal authority. Data can also be exported in multiple file formats for review.

EnCase Forensic is trusted by corporations, law enforcement, and government. EnCase Forensic is fast, powerful, forensically sound, and proven in courts worldwide.

EnCase Forensic Related Links:

Website: http://www.guidancesoftware.com/forensic.htm
Resource: EnCase® Forensic for Law Enforcement (PDF)

Hard Disk Repair

Identifying FAT16, FAT32, and NTFS File Systems and partitions

DATARECOVERYUNION.COM15 years ago4 years ago03 mins

How can I tell what type of file system (FAT16, FAT32, NTFS) my drive is formatted in?

To identify what type of file system the drive is formatted in:

Click on the Start button and select Computer if using Windows Vista, My Computer if using Windows XP or 2000, or Windows Explorer if using Windows Me or 98.
Right-click on the drive letter you want to check.
Click on the Properties option from the pull down menu. A window will appear with the type of file system you have. If you do not see any information regarding FAT16, FAT32, or NTFS in the window that means the drive is formatted in FAT16.

Notes:

Partitions created with the FAT16 file system have a size limitation of 2,048 MB (2.1 GB).
Microsoft first started supporting the FAT32 file system with the release of Windows 95B (a.k.a. OSR2), circa 1997.
When booting from Windows 95A, a Windows 95A startup disk, or any version of MS-DOS, a FAT32 partition will appear as a NON-DOS partition in FDISK.
FAT32 partitions have a theoretical partition size limitation of 2 terabytes (TB). However, new partitions created by either Windows Vista, Windows XP, or Windows 2000 will limit their size to 32 gigabytes (GB). To create partitions greater than 32 GB under Windows Vista, XP, or 2000, you will need to format them using the NTFS file system (or create multiple FAT 32 partitions for drives greater than 32GB).
Windows Vista, Windows XP, Windows 2000, and Windows NT all support the NTFS file system. Windows 2000, XP, and Vista can both support the FAT32 and NTFS file systems, however Windows Vista cannot be installed on a FAT32 partition. Windows NT cannot support FAT32 partitions.
MaxBlast and DiscWizard allow FAT32 partitioning of a drive larger than 32GB.

Hard Disk PCB Boards

Seagate 100720903 PCB FAQs and Solutions

DATARECOVERYUNION.COM3 years ago3 years ago02 mins

We first look at the following two pictures. Picture 1 is the “BIOS CHIP” of the circuit board. When we replace the PCB, we need to replace the “BIOS CHIP” with your original PCB. Picture 2 shows the “Board Number” of the board, and the “Board Number” must be the same! FAQs of100720903 PCB Seagate…

Data Recovery Cases

.sql file recovery database success case

DATARECOVERYUNION.COM2 years ago01 mins

Case:A factory user uses the Windows2003 system+SQL2000 database. On the day of the incident, the ledger could not log in. The technician opened the corporate manager to check and found that the database was suspicious.Copy to report an error in the middle and prompt data redundancy errors.So call the data recovery center to apply for…

Computer FAQs

Windows 7 – Easy way to switch default sound output device

DATARECOVERYUNION.COM3 years ago01 mins

I want an easier way to change my default sound device from my sound card to my usb headset. Currently it takes a very precise right click, a left click, another right click, and two more left clicks. Ideally i could just have it swap with a shortcut key. (it was a little easier in…

Hard Disk PCB Boards

2060-771824-005 WD PCB Circuit Board

DATARECOVERYUNION.COM6 years ago4 years ago012 mins

HDD Printed circuit board (PCB) with board number 2060-771824-005 is usually used on these Western Digital hard disk drives: WD5000AZRX-00A8LB0, DCM HBNNHVJMHB, Western Digital 500GB SATA 3.5 Hard Drive; WD5000AZRX-00A8LB0, DCM HHRCKVJMG, Western Digital 500GB SATA 3.5 Hard Drive; WD10EURX-63FH1Y0, DCM HHRNNT2AGB, Western Digital 1TB SATA 3.5 Hard Drive; WD10EURX-73FH1Y0, DCM EGRNHT2AHB, Western Digital 1TB…

Hard Disk Repair

What Makes a Good Hard Disk Drive?

DATARECOVERYUNION.COM14 years ago4 years ago011 mins

When looking to buy a hard drive there is a quick checklist of things to look for:

Interface (PATA, SATA, SCSI or other more exotic setups)
Capacity (how much space do you need/want)
Spindle speed (i.e., 5400rpm, 10,000rpm, 15,000rpm etc)
Cache (2MB, 8MB, 16MB)
Brand (Western Digital, Seagate, Maxtor etc)

HDD Interface:

PATA drives are arguably the most universally compatible, are the cheapest and offer a respectable degree of performance however there is a potential inconvenience of having to set/adjust jumpers on the drive.
SATA (and SATA-II) drives are the next-generation drives and outperform similarly priced PATA drives (the price delta is usually no more than $10). Since there is only one drive per cable, no jumpers need to be set however the potential downside is that the destination motherboard/controller may not offer native boot-time support of the SATA drive (thus requiring a floppy/CD with the drivers in order to install an OS). Another consideration is if the drive only accepts SATA-power connectors than either the PSU needs these special connectors in order to power the drive (or adaptors must be purchased)
SCSI drives have the inconvenience of lack-of-boot-time support as well as the potential hassle of assigning SCSI id’s and performing termination. The upside is that many RAID options are available (much more so than with IDE drives) as well as significantly improved performance. Of the three common interfaces, SCSI is the most expensive.

HDD Capacity:
The old rule for determining how much drive space is requires is to “estimate how much you think you will need, double it and round-up to the nearest drive size”. With dropping drive prices as well as decreasing price deltas (i.e., going from a 120GB to 160GB drive is usually $10 — why? Because a 120GB drive is just a 160GB drive with a half-a-platter disabled).

HDD Spindle Speed & Cache:
Naturally, the faster the platters spin the better the overall performance however it is not always as simple as that. With SCSI drives, it’s fairly clean-cut as they tend to fall into distinct categories (10k and 15k rpm drives) with very distinct performance and price brackets. For IDE drives the three most common speeds are 5400, 7200 and 10000 rpm however the element of cache makes things interesting.

The argument for 5400rpm drives used to be “get a massive 5400rpm drive for archive — you’re not gonna be accessing it all the time so access-time performance isn’t critical” however with the advent of affordable (and massive) 7200rpm drives there isn’t much of a case for 5400rpm drives from a performance/functionality perspective (i.e., you won’t be able to get a 500GB DeskStar drive in a 5400rpm flavour). The only case really for 5400rpm (or slower) drives is for people looking to build uber-quiet systems. All 5400rpm IDE drives come with 2MB of cache.

Mainstream 7200rpm drives come in several flavours, 2MB, 8MB and 16MB of cache and with the wide variety of capacities. Buying a 2MB cache drive isn’t really a smart move anymore as the price delta to go from a 2MB to 8MB cached drive is usually ~$10. In the case of 16MB drives (currently only the Maxtor DiamondMax 10) which also offer NCQ support as well as being one of the few native SATA drives (Seagate’s barracuda 7200. 7 is another), it is obvious that the 16MB cache allow the DiamondMax10 to be the best performer for a 7200rpm drive and the NCQ and drive capacity allows for the drive to be immediately implemented in a server environment. Realistically the only competition in terms of performance for these drives are the 10k rpm drives.

Currently, two IDE drives support 10k rpm spindle speed (with 8MB of cache) and the advantages are obvious: significantly reduced access times. The downside is that (a) the drives are exceptionally expensive, (b) the highly competitive Maxtor 16MB cache drives represent a significantly improved value hands-down.

So will it be 10k@8MB ot 7.2k@16MB?
Ok let’s have a look at some numbers,

AVG Transfer rate
Maxtor DiamondMax 10 (NCQ on) — 54.5MB/s
Maxtor DiamondMax 10 (NCQ off) — 54.6MB/s
WD Raptor II — 64.9MB/s
with HDTach 3.0, it’s fairly evident that the Raptor is superior by a significant margin.

Burst Transfer
Maxtor DiamondMax 10 (NCQ on) — 131.7MB/s
Maxtor DiamondMax 10 (NCQ off) — 136.3MB/s
WD Raptor II — 118.7MB/s
here the tables are reversed however burst transfers are not as significant as average throughput.

Random Access Time
Maxtor DiamondMax 10 (NCQ on) — 13.9ms
Maxtor DiamondMax 10 (NCQ off) — 13.8ms
WD Raptor II — 7.9ms
The Raptor has a significantly reduced access time (42% advantage) however we don’t see anywhere near a 42% advantage in terms of benchmarked throughput performance … This is due to the larger cache count on the DiamondMax10: with the larger cache, the performance of the drive depends less and less on the mechanics of the drive (i.e., it reduces the effect of the rpm advantage the Raptors have)

Diskbench 2.3 – 250mb file
Maxtor DiamondMax 10 (NCQ on) — 16.2MB/s (30.7sec)
Maxtor DiamondMax 10 (NCQ off) — 15.3MB/s (33.6sec)
WD Raptor II — 13. 0MB/s (38. 2sec)
Here we can see the cache-advantage flex it’s muscles: a 17%-25% advantage in real-world performance (impressive if we consider the access-time disadvantage the Maxtors are operating with).

anandtech offers similar results with the Maxtor and wd trading spots back and forth with the 16MB Maxtor generally keeping up with or beating the 8MB Raptors (albeit by non-massive margins). Here is the 8MB Raptor pulling ahead by a non-insignificant margin

Summarizing the SYSmark scores, the Raptor comes out on top but with a very small lead

the Raptor pulls ahead with a small lead in UT2004 load times,

however the Raptor comes in last when multitasked heavy-disk access is thrown at it:

From a value perspective, there is almost no reason to recommend the WD 10k drives: one can get a 300GB Maxtor 16MB cache drive for the same price as a 74gb Raptor II. Now if the Raptor swept the floor it would probably be justifiable to purchase it however that was not the case. Perhaps if/when a 10k 16MB cache drive is released, the high-end drive market can be a bit more clear-cut.

HDD Brand:
Brand doesn’t matter all that much: people can tell you nightmare stores about Company X and recommend Company Y, however it’s probably equally possible to find nightmare stories about Company Y. While there may be bad drives (for instance the IBM/Hitatchi GXP75), it doesn’t mean that the entire product line will be bad.

Data Recovery Cases

1TST hard drive opens slowly and scratches the surface_Data Recovery

DATARECOVERYUNION.COM2 years ago02 mins

Case:The desktop filling of a advertising company uses a 1T ST hard disk, Windows operating system. A few days ago, the customer found that the system started very slowly. After entering the system, the partition was also very slow.On the other computer, the machine was also very slow, and the files could not be copied….

Hard Disk Repair

How do I know if my PC supports USB?

DATARECOVERYUNION.COM15 years ago4 years ago01 mins

To help determine your system’s USB capabilities you can download a free USB evaluation utility from the following site: www.usb.org

This program will examine your system and inform you of your computer’s USB capabilities.

For a general rule, if your PC was manufactured before 1996, it probably does not include USB. If the machine was manufactured in 1997 or later, it may support USB 1.0 . Most computers manufactured after 1998 support USB 1.0. Systems available since 2001 probably support USB 2.0.

With some PCs, you may need to connect an adapter (PCI or CardBus) to connect USB peripherals. Read your system documentation if you’re not sure there is a USB port.

Hard Disk Repair

USB devices not detected in Windows ME

DATARECOVERYUNION.COM15 years ago4 years ago04 mins

My computer has a USB1.1 port or I have just installed a USB2.0 host adapter. The host adapter shows correctly without conflicts in Windows’ Device Manager but the USB2 Personal Storage device does not appear. I’ve tried many things: disconnecting and reconnecting the data cable to make the drive appear, deleted then refreshed the USB host adapter from Device Manager. The ‘unplug or eject hardware’ icon appears (or is not seen) in the System Tray (located at the bottom right corner of your screen). The USB controller is shown in Device Manager but not the USB2 Personal Storage Device!

There are many reasons an external storage device does not appear connected to the USB controller. Missing or corrupted drivers can sometimes be at fault. The Windows ME operating system typically supplies all needed drivers for Maxtor Personal Storage drives. Sometimes drivers do not load correctly or have never been installed. Some computer manufacturers choose not to load these drivers to the operating system to avoid possible conflicts with other devices. Confirm that these files are loading from the correct directory if your 3000LE is not detected by the operating system.

From Windows Explorer drill down to the directory: C:\WINDOWS/OPTIONS/INSTALL Open the BASE2 folder and scroll to the bottom.

Highlight these files. Drag and drop them to the directory

C:\WINDOWS/SYSTEM32/DRIVERS

LIUSBAUTH.SYS
USBCCGP.SYS
USBHUB.SYS
USBNTMAP.SYS
USBPRINT.SYS
USBSTOR.SYS
USBMPHLP.PDR
USBD.SYS
USBUI.DLL

Windows may note an error message that these files are already loaded. Choose the option to replace the files anyway. Perform a full system restart. The ‘unplug or eject‘ icon should appear in the system tray. Double click this icon and the Personal Storage device should appear correctly.

This procedure is effective in most cases. All OEM (original equipment manufacturers) make specific changes to hardware and software to ensure error free operation of their systems. Adding any after-market peripheral device places a burden of responsibility on you the end user. Maxtor performs extensive compatibility and regression testing with all commonly available computers but ultimately you are responsible for compatibility and error free operation of your particular computer system.