This ended up being something they were not even aware of because they were so focused on the code they hadn't really considered its application.
Turns out their "recovery" software only worked if the image files happened to be stored in contiguous sectors, which is rare on well-used computers with fragmented filesystems. I backed up the disk image file as a baseline, then I deleted all the images and made another disk image file for testing.
Finally, I deleted all the even-numbered images and copied the drive full of images. Then I deleted all the odd-numbered files and copied it full of images. I used a tool to fill a thumb drive with empty 4K-sized files numbered sequentially. I opened the image in ProDiscover using the PDS file format, and started my. Sweet Addendum: I have an image that was created using FTK Imager Lite, broken into 2GB chunks. ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Emails flew back and forth a few times and I finally agreed to make a small test set to demonstrate what I'd determined to be the issue. Many of the tools on the DVD that comes with my book, such as SAMParse, are designed to be run against raw Registry files and are perfect for use with this methodology. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more. With their test data, their software worked perfectly, but we couldn't find anything in our "real world" test data sets. We were evaluating a tool to recover deleted images once. Automated image analysis (flesh tone detection, face detection). Some technologies or products that might be worth looking into: Create cool test data? Take a look at some of the Open Source / commercial digital forensic tools and find ways to defeat them in the spirit to improve them. PDServer is the menu available only in ProDiscover Incident Response. Click on Compressed files as folders prodiscover general. Click on Office X files as folders; this setting is for MS-Office files which are based on 2007, 2010, 2013 & so on.
Size of file carving in ProDiscover is 2 MB.