
Data Recovery Techniques

Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006. Data Recovery Techniques. Matthew Alberti MCA05@fsu.edu. Horacesio Carmichael HMC03c@fsu.edu.


Presentation Transcript


  1. Florida State University CIS 4360 – Computer Security Fall 2006 December 6, 2006 Data Recovery Techniques Matthew Alberti MCA05@fsu.edu Horacesio Carmichael HMC03c@fsu.edu

  2. Explanation: Data recovery techniques are used to recover information that has been deleted or compromised. End users, companies, and government agencies may use data recovery for different reasons. Data recovery techniques are often a major part of computer forensics.

  3. Background • Data recovery techniques have been around for a long time • Does not necessarily relate to computer systems • Today, “data recovery” is most often related to computer systems

  4. Common Misconception • When data is removed from a system it is either deleted or overwritten, but there are ways to recover deleted data. • Just because a file is deleted does not mean the data is gone. The operating system simply removes the pointer to the file, but the data is still there. • New data can now be written to this space.

  5. Misconception cont. Data is recorded onto magnetic media as ones and zeroes. When the data is overwritten, the disk will only detect the new data, leaving only remnants of the old data. Reading the remnants would be very time consuming, and the old data would not all be read correctly. This would create a very problematic and impossible puzzle to solve.

  6. Reasons for End User • Recover files deleted accidentally • Recover files that have been compromised • Hardware failure • Malicious activity

  7. Reasons for Companies • Recover data from an ex-employee's computer • Recover lost files • Lost due to hardware failure • Compromised or lost due to network problem

  8. Reasons for Government Agencies • Similar to companies • Recover files from an ex-employee's computer • Recover data after hardware or network failure • Law Enforcement Agencies • Recover evidence from a suspect's computer • Search for particular information on the hard drive • Establish motive for the crime • Identify any accomplices • Support forensic analysis of computers

  9. Techniques • Perform a forensic analysis of the computer • Search for one file or a single file type • Attack encryption methods • Restore disk using an existing image • Examine data in RAM

  10. More Techniques • Examine disk at the cluster or sector level • Analyze data using hex editor • Create hash of entire disk • Export for use in another tool
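Slides 4, 9 and 10 describe the same workflow: hash the whole disk image, then search its raw sectors for one file type, which works because a delete removes only the pointer to the data. The Python below is an added example, not part of the original presentation; the 8-sector image, its JPEG-like contents and the function names are constructed for illustration.

```python
import hashlib

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus first segment byte
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker


def hash_image(image: bytes) -> str:
    """SHA-256 of the whole image, taken before analysis to show it is unchanged."""
    return hashlib.sha256(image).hexdigest()


def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (sector, offset_in_sector, data) for each header..footer run found."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: body overwritten or fragmented, skip it.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        found.append((start // SECTOR, start % SECTOR, image[start:end]))
        pos = end
    return found


def build_sample_image() -> bytes:
    """Constructed 8-sector image; no file table points at the data inside it."""
    fake_jpeg = JPEG_HEADER + b"\xe0" + b"constructed pixel data" + JPEG_FOOTER
    image = bytearray(8 * SECTOR)                                # zero-filled free space
    image[3 * SECTOR:3 * SECTOR + len(fake_jpeg)] = fake_jpeg    # intact deleted file
    image[6 * SECTOR:6 * SECTOR + 3] = JPEG_HEADER               # header only, body gone
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    before = hash_image(img)
    for sector, off, data in carve_jpegs(img):
        print(f"sector {sector}+{off}: carved {len(data)} bytes")
    print("image unchanged:", hash_image(img) == before)
```

The orphaned header in sector 6 is the overwritten case from slide 5: a signature survives, but there is no complete file to recover.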

  11. Statistics • Cause of Data Loss: Frequency of Occurrence • Hardware or System Malfunction: 44% • Human Error: 32% • Software Program Malfunction: 4% • Viruses: 7% • Natural Disasters: 3%

  12. Types of Damage • Physical Damage • Logical Damage

  13. Physical Damage • CDs can suffer scratches • Tapes can simply break • Hard disks can suffer from mechanical problems

  14. Logical Damage Logical damage is primarily caused by power outages that do not allow the file to be completely written to the storage device. Some results are: • File is left in an inconsistent state • Data totally lost • Causes the system to crash • Strange behavior • Partial storage

  15. Tools - Explanation: Many different tools exist that make data recovery easier. Some tools are only meant for government or commercial use. Also, the cost of some tools is too high for them to be feasible for an end user.

  16. Tools • WinHex: very popular; available to end users • Forensic Toolkit (FTK): used by some law enforcement agencies; more oriented towards forensics • EnCase: also used by law enforcement agencies; more oriented towards forensics

  17. More Tools • Many special-purpose tools • Oriented towards End User • Single function • Typically very easy to use • May not be as accurate or powerful • Should not be considered forensically sound

  18. Defeating Data Recovery: Methods exist that can make data recovery very difficult or impossible. These methods should be used to secure financial information, medical records, or classified data. Most people are generally unaware that deleted data may still be recoverable for a long time.

  19. Back Up: File backup refers to the copying of data so that the additional copies may be restored after data is lost. Data recovery is necessary when you lack a proper backup system.

  20. Techniques to Prevent Recovery • Write over deleted space with random data • 1s and 0s • Make space appear random • Use a unique or uncommon algorithm • Some recovery tools can reverse the algorithm and recover the data • Use a tool to “wipe” data securely • Automates process of covering up deleted data • Tools are available to End User • Sometimes included with security software suites
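The first technique on slide 20, writing random data over the space before the file is deleted, can be checked rather than assumed. The Python below is an added example, not part of the original presentation; the function names and the sample record are constructed, and it uses the operating system's random source instead of a fixed pattern.

```python
import os
import tempfile


def overwrite_in_place(path: str, passes: int = 1, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of the file with random data; return bytes covered per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:          # r+b: modify existing bytes, do not truncate
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())          # force the overwrite out of OS caches
    return size


def wipe_and_verify(record: bytes) -> dict:
    """Write a constructed record to a temp file, wipe it, and report what is left."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(record)
        covered = overwrite_in_place(path)
        with open(path, "rb") as f:       # read back before the delete to verify
            after = f.read()
    finally:
        os.remove(path)                   # remove the directory entry last
    return {
        "covered": covered,
        "same_size": len(after) == len(record),
        "record_still_readable": record in after,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    # Constructed sample record, not real data.
    print(wipe_and_verify(b"ACCT 0000-SAMPLE balance=1234.56 " * 100))
```

On SSDs and on journaling or copy-on-write filesystems an in-place overwrite may not reach the blocks that held the original data, so this check applies to the conventional magnetic disks the slides assume.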

  21. WinHex Screenshots

  22. WinHex Screenshots

  23. WinHex Screenshots

  24. QUESTIONS?
