Hard drive forensics

This one is quite eye-opening. I recently suffered a hard-drive failure and was unable to boot either operating system in a multi-boot environment. The only item not backed up was a large number of photos and movies that I had accumulated and intended to burn to a CD/DVD. Using a ‘Live’ Ubuntu CD, I was able to use the Foremost program to analyze the drive media and locate all JPG and MPG files and copy them to a ‘safe’ location.

What’s frightening here is that these files are not located by their filenames, but by their contents… largely the first few bytes of the file itself when stored on disk. In my experience, Foremost was easily able to parse NTFS and EXT4 partitions.

Word to the wise… this is only possible if you do not use encryption to obscure the data on the drive itself. I’d personally recommend enabling the options provided by your operating system itself if you store sensitive data. Alternately, software like TrueCrypt can be used to hide specific assets.

Happy Recovery!

Leave a Reply