SANS Digital Forensics and Incident Response Blog: Tag - data recovery

Digital Forensics - Automotive Infotainment and Telematics Systems

Paul A. Henry - Senior SANS Instructor - MCP+I, MCSE, CCSA, CCSE, CISSP-ISSAP, CISM, CISA, CIFI, CCE, ACE, GCFE, GCFA, GSEC, GICSP, GCED, GPPA, VCP4/5, VCP-DCV (5.5), vExpert

Powerful Features

There is a huge range of features now controlled / enabled by current generation automotive infotainment and telematics systems (Figure 1 - Source), including …

Let's Talk About Data Recovery

A recent spate of messages on a listserv triggered this rather verbose article, so my apologies for its length. Even so, it barely scratches the surface of the technology. Obviously I can't get into every facet of data recovery, but my goal is to hit the main points, explain some of the things that …

Helix 3 Pro: First Impressions

I have used several versions of Helix over the recent years. I enjoy the tool set and recommend it to forensics colleagues, sysadmins, and even family members.

Quite a substantial ruckus was raised this year when e-fense announced that Helix 3 would no longer be free to download. Instead, would-be users must pay to register as a forum user to get access to Helix 3 Pro updates for a year.

I took the plunge and


A big FAT lie

In the last post in our quest to restore the tampered FAT file system to its untainted state, we rebuilt the cluster chain in the File Allocation Table so we could copy out the file from the mounted file system. Let's move on to the next file in our image.fls output from usbkey.img

Let's see about "cover page.jpg." For starters, let's copy the file out of the mounted file system:

Data recovery with Hex Editor and RegEx

by Quinn Shamblin

In my previous post about recovering mp3 data from a corrupted chip, I describe a data recovery challenge that I could not solve using FTK, Foremost or Lazarus. It turned out that Regular Expressions were my answer. But how best to run regex-based data extraction against a forensic image when there might be hundreds of thousands, if not millions, of individual matching frames?

Hex Editor Neo was exactly what I needed. It has a few unique features that really