List of Computer Forensics Tools

Computer Forensics Tools

What is computer forensics?

Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information. With the forensics tools listed below, this work can be done quickly and accurately.

A) List of tools for computer forensics

1. SANS Investigative Forensics Toolkit – SIFT (GPL V2.0)
Multi-purpose forensic operating system
computer-forensics.sans.org

2. EnCase (Windows, commercial, V6.18)
Multi-purpose forensic tool
www.guidancesoftware.com

3. FTK (Windows, commercial, V3.2)
Multi-purpose tool, commonly used to index acquired media.
accessdata.com/products/forensic-investigation/ftk

4. PTK Forensics (LAMP, free/commercial, V2.0)
GUI for The Sleuth Kit
sourceforge.net/projects/ptk-forensics/

5. The Coroner’s Toolkit (Unix-like, IBM Public License, V1.19)
A suite of programs for Unix analysis
www.porcupine.org/forensics/tct.html

6. COFEE (Windows, Proprietary)
A suite of tools for Windows developed by Microsoft, only available to law enforcement
cofee.nw3c.org

7. The Sleuth Kit (Unix-like/Windows, IPL, CPL, GPL, V3.1.1)
A library of tools for both Unix and Windows
www.sleuthkit.org

8. Categoriser 4 Pictures (Windows, Free, V4.0.2)
Image categorisation tool, available to law enforcement

9. Paraben P2 Commander (Windows, Commercial)
General purpose forensic tool

10. Open Computer Forensics Architecture (Linux, LGPL/GPL, 2.3.0)
Computer forensics framework for CF-Lab environment

11. SafeBack (commercial, V3.0)
Digital media (evidence) acquisition and backup

12. Forensic Assistant (Windows, commercial, V1.2)
User activity analyzer (E-mail, IM, Docs, Browsers), plus a set of forensics tools

B) Tools for Mobile device forensics

Mobile forensics tools tend to consist of both a hardware and software component.

1. Cellebrite Mobile Forensics (Windows, Commercial)
Universal Forensics Extraction Device – Hardware and Software

2. Radio Tactics Aceso (Windows, Commercial)
“All-in-one” unit with a touch screen

3. Paraben Device Seizure (Windows, Commercial)
Hardware/Software package

4. MicroSystemation .XRY/.XACT (Windows, Commercial)
Hardware/Software package, specialises in deleted data

5. Oxygen Phone Manager (Commercial)

C) Other computer forensics tools

1. HashKeeper (Windows, free)
Database application for storing file hash signatures

2. Evidence Eliminator (Windows, commercial, V6.03)
Anti-forensics software, claims to delete files securely

3. DECAF (Windows, free)
Tool which automatically executes a set of user defined actions on detecting MS’s COFEE tool


Software RAID VS Hardware RAID

RAID stands for Redundant Array of Inexpensive Disks, a technology that employs the simultaneous use of two or more hard disk drives to achieve greater levels of performance, reliability, and/or larger data volume sizes.

There are different levels of RAID. The most popular RAID formats are RAID-1 & RAID-5. However, today we will not focus on the various RAID formats. Let’s go straight to the differences between software RAID and hardware RAID.

1. Hardware RAID:

  • A conventional Hardware RAID consists of a RAID controller that is installed into the PC or server, and the array drives are connected to it.
  • In high end external intelligent RAID controllers, the RAID controller is removed completely from the system to a separate box. Within the box the RAID controller manages the drives in the array, typically using SCSI, and then presents the logical drives of the array over a standard interface (again, typically a variant of SCSI) to the server using the array.

2. Software RAID:

In software RAID, software does the work of the RAID controller in place of hardware. Instead of using dedicated hardware controllers or intelligent boxes, we use particular software that manages and implements the RAID array with a system software routine.

3. Comparing Hardware RAID & Software RAID

Portability

OS Portability

Software RAID is not usable across operating systems. So you cannot, for example, use two RAID disks configured in Linux with Windows XP, or vice versa. This is a big issue for dual-booting systems, where you will either have to provide a non-RAID disk for data sharing between the two operating systems or use hardware RAID instead.

As you know, dual booting is mostly obsolete these days, as you can run multiple operating systems on the same machine using virtualization software like VMware & Xen.

Hardware Portability

  • Software RAID
    In Linux you can mirror two disks using RAID-1, including the boot partition. If for any reason the hardware goes bad, you can simply take the hard disk to a different machine and it will run fine on the new hardware. Also, with a RAID-1 array, each of the hard disks will have a full copy of the operating system and data, effectively providing you with two backups, each of which can be run from different hardware. Unfortunately, in Windows it is not so easy to switch an operating system from one piece of hardware to another, but that is the story of proprietary licenses and we will keep it for another day.
  • Hardware RAID
    Hardware RAID is not so portable. You cannot just swap the hardware to a different machine and hope it will work. You have to find a motherboard which is compatible with your RAID controller card; otherwise you can kiss your data goodbye. There is also the bigger issue of a problem with the RAID controller itself. If it fails and you cannot get the same controller from the market (and it has probably become obsolete by then), then again you can kiss your data goodbye.

Easy & Speedy Recovery

It may seem trivial, but for a busy and loaded server, an easy and speedy recovery inside the operating system, without having to reboot, is what one dreams of. Imagine that your RAID system crashes during peak hours and you are forced to reboot the machine to make the changes needed to restore your data! Software RAID, as in Linux, not only continues working even when the hardware has failed, but also starts restoring the RAID array, should any spare disk be available. All of this happens in the background and without affecting your users. This is where software RAID shines brilliantly.
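The background rebuild described above can be observed from inside the running system. The following is an added example, not code from the original article: it assumes Linux md software RAID and its `/proc/mdstat` status file, and parses a constructed sample to report failed members, degraded arrays and rebuild progress. The function names are illustrative.

```python
import re

# Constructed sample in /proc/mdstat format (not from the article): md0 is
# healthy; md1 has lost sdb2 and is rebuilding onto sdc1 in the background.
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]

md1 : active raid1 sdc1[2] sdb2[1](F) sda2[0]
      488383936 blocks super 1.2 [2/1] [U_]
      [=>...................]  recovery =  8.5% (41512320/488383936) finish=112.3min speed=66280K/sec

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\w+) : (\w+) (.*)$")          # "md1 : active raid1 ..."
MEMBER_RE = re.compile(r"(\w+)\[\d+\](?:\(([A-Z])\))?")   # "sdb2[1](F)"
SLOTS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")     # "[2/1] [U_]"
REBUILD_RE = re.compile(r"(?:recovery|resync)\s*=\s*([\d.]+)%")

def parse_mdstat(text):
    """Return {array: {state, failed, spares, expected, working, rebuild_pct}}."""
    arrays, current = {}, None
    for line in text.splitlines():
        header = ARRAY_RE.match(line)
        if header:
            members = MEMBER_RE.findall(header.group(3))
            current = arrays[header.group(1)] = {
                "state": header.group(2),
                "failed": [dev for dev, flag in members if flag == "F"],
                "spares": [dev for dev, flag in members if flag == "S"],
                "expected": None, "working": None, "rebuild_pct": None,
            }
        elif current is not None:
            slots, rebuild = SLOTS_RE.search(line), REBUILD_RE.search(line)
            if slots:  # [configured/working] member counts
                current["expected"], current["working"] = map(int, slots.group(1, 2))
            if rebuild:
                current["rebuild_pct"] = float(rebuild.group(1))
    return arrays

def degraded_arrays(arrays):
    """Names of arrays with a failed member or fewer working members than configured."""
    return sorted(name for name, a in arrays.items()
                  if a["failed"] or (a["working"] is not None and a["working"] < a["expected"]))

if __name__ == "__main__":
    print("degraded:", degraded_arrays(parse_mdstat(SAMPLE_MDSTAT)))
```

On a live Linux host, pass the contents of `/proc/mdstat` to `parse_mdstat` instead of the sample.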

System Performance

Software RAID uses the CPU to do the work of the RAID controller. This is why a high-end hardware RAID controller outperforms software RAID, especially for RAID-5: it has a high-powered dedicated processor. However, for low-end hardware RAID, the difference may be negligible to non-existent. In fact, it is possible for software RAID to perform better than a low-end hardware RAID controller, simply because today’s desktops and workstations are powered by very powerful processors and the task is trivial to them.

Support for RAID Standards

High-end hardware RAID may be slightly more versatile than software RAID in its support for various RAID levels. Software RAID normally supports levels 0, 1, 5 and 10 (which is a combination of RAID 0 and RAID 1), whereas many hardware RAID controllers can also support esoteric RAID levels such as RAID 3 or RAID 1+0. But frankly, who uses them?

Cost

This is where software RAID again scores over hardware RAID. Software RAID is free. Hardware RAID is moderate to high priced and can put a strain on your budget if deployed widely.

But over the years the cost of hardware RAID has come down exponentially, so it may not be long before more affordable RAID-5 cards are built into newer motherboards.

Future Proof

Gone are the days when we could associate software RAID with bugs and OS problems. Nowadays software RAID is almost flawless. We have been using software RAID on the Linux operating system for several years and haven’t experienced any problem whatsoever. By contrast, hardware RAID has a single point of failure, and that is its hardware controller. If it crashes, your only option is to find another equivalent RAID controller on the market; by that time the model may have become obsolete and you may not even find anything compatible. You are then faced with the haunting prospect of losing all your data, should the RAID controller fail. Software RAID will never become obsolete and will continue to get updated with updated versions of your operating system.

4. In conclusion: Software or Hardware RAID?

In my opinion, software RAID is the way to go for most users, unless you want to extract the very last ounce of performance from your RAID array and budget is not a constraint.


How to Repair Hard Drive PCB Circuit Boards?

Many hard drive failures are caused by problems with the PCB (the HDD can’t spin, the PCB board or a chip is burnt, the PCB interface is broken, etc.). If your hard drive does not spin when powered on, PCB replacement may allow you to recover your data. PCB replacement will not fix all hard drive failures, however, and like most other do-it-yourself repairs, it may void any remaining warranty on the drive. This process should be used only as a last resort after all other options have been exhausted. If you are not comfortable performing repairs yourself, many data recovery companies will perform this task for a fee.

Before Repairing Hard Drive PCB Circuit Boards You Should Know:

  • Replacement HDD PCBs are almost always sold in limited quantities, so be sure to check auction sites and contact specialty vendors.
  • Don’t be tempted to use a similar-looking PCB that is not identical to the original; this will almost always cause damage.
  • Use caution when handling small electronic components. Hard drives are very sensitive to bumps; a small fall could do serious damage.

Instructions for Repairing Hard Drive PCB Printed Circuit Boards:

1. Confirm that the PCB actually needs to be replaced. If your hard drive spins when powered on or makes clicking noises, the fault is mechanical and will require professional data recovery. If the drive does nothing when powered on or shuts off intermittently, the PCB may be at fault.

2. Locate a suitable replacement PCB. To do this, you will need the model number of the PCB, which is usually etched somewhere on the board itself. To remove the PCB, simply remove the screws that fasten it to the drive and carefully disconnect the ribbon cable. Many hard-drive manufacturers use specially shaped star or hex screws, so be sure to use the appropriate screwdriver to prevent stripping. Tearing the ribbon cable will render the drive unrepairable, so be gentle; it should come free with minimal force.

3. Purchase a replacement PCB. These can often be difficult to find, though many online resellers offer a wide variety; be sure to contact as many vendors as you can. You will need an identical board, both in physical shape and size as well as model number; substituting different boards may cause permanent data loss.

HDDZone.com is recommended; they provide all kinds of hard drive PCBs, including Seagate, Maxtor, Western Digital, Samsung and others, with worldwide free shipping.

4. Connect the replacement PCB. Gently connect the ribbon cable; make sure that it’s fully connected before mounting the PCB to the drive with the screws you removed before. Be sure to mount the PCB exactly as the original was mounted.

5. Test that the new PCB is working by turning off your computer and connecting only the power line to the drive. When you press the power button to turn the computer back on, the drive should spin. If it appears to be spinning properly, turn the computer off again and connect the hard drive as it would normally be configured to recover your data.

6. Cut the power and disconnect the drive if the hard drive fails to spin or makes any unusual noises when powered on. Ensure that you connected the PCB properly and that it is mounted securely. If you have performed these steps as stated and the hard drive still fails to spin, the problem is likely mechanical and will require professional data recovery.


Maxtor DiamondMax Plus 9 PCB

Buy Maxtor DiamondMax Plus PCB on HDDZone.com with low price, fast shipping and top-rated customer service! All kinds of Maxtor hard drive PCB boards for Data Recovery and HDD Repair Needs!

Maxtor DiamondMax Plus 9 PCB Swap Guide:

To swap a Maxtor PCB, there are only two steps to find the matching PCB.

Step 1: Find the Main Controller IC. It is the biggest chip (shown above). Make sure the information says ARDENT C8-C1, 040111300, which is the Main Controller IC.

Step 2: Verify the Motor Combo IC: L7250E 1.2

Step 3: Send this information to your PCB seller, such as HDDZone.com.

Note: In most cases, you should exchange the BIOS chip before you swap the PCB. This requires a certain level of technical skill. Hard drive failures are NOT always caused by circuit board failure. We cannot guarantee that your drive will be repaired by replacing the board.

Maxtor DiamondMax Plus 9 PCB 200 Ardent C5-C1 040110200
Main Controller IC: Ardent C5-C1 040110200
HDD Motor Combo IC: L7250E 1.0

Maxtor DiamondMax Plus 9 PCB 8000 Poker D.5 040108000
Main Controller IC: Poker D.5 040108000
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 PCB 900 Poker D.7 040110900
Main Controller IC: Poker D.7 040110900
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 PCB Ardent C5-C1 040111500
Main Controller IC: Ardent C5-C1 040111500
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 PCB ARDENT C8-C1 040111200
Main Controller IC: ARDENT C8-C1 040111200
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 PCB ARDENT C8-C1 040111300
Main Controller IC: ARDENT C8-C1 040111300
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 SATA PCB Ardent C10-C1 040119500
Main Controller IC: Ardent C10-C1 040119500
HDD Motor Combo IC: L7250E 1.2

Maxtor DiamondMax Plus 9 SATA PCB ARDENT C8-C1 040111300
Main Controller IC: ARDENT C8-C1 040111300
HDD Motor Combo IC: L7250E 1.2
