This article covers the use of ProDiscover forensic tools to retrieve files from a computer whose data has been destroyed. The main purpose of this document is to demonstrate forensic file recovery with ProDiscover. Although this is an older version, the procedure may well be the same in the newer versions; if it is not, we will attempt to obtain a newer version of ProDiscover in order to demonstrate the use of the software in another article.
The first thing to mention is that you will have to download or order a copy of ProDiscover before you can begin. To obtain a copy of ProDiscover, visit the following web location: ProDiscover. If you want to follow along and compare the files displayed in Explorer with the files that the forensic software sees, you may download PassMark OSFMount. Finally, if you need to procure a forensic image and make sure the image is sound, please review this resource: Obtain Disk Image With Linux. It will guide you through the process of forensically obtaining a disk image, verifying the image and making sure you are not writing to the device itself.
Loading an image into ProDiscover
Once you've downloaded and installed ProDiscover, and of course obtained your disk image through the methods explained above, simply start ProDiscover and follow the next steps:
ProDiscover start screen.
Once the start screen has loaded, click the "Open" button. After this point, select "Images" from the tree view, then right-click it and click "Add." Once you do this, an open dialog will appear as shown below. Fill out the options below and press "Open."
ProDiscover Opening a Disk Image.
In the open dialog, make sure that you select "All Files" for the file type and choose the disk image that you've created. The next image displays the settings that you should be using.
ProDiscover Opening up a Disk Image.
Once this process has been completed, the next step is to expand the "Images" node that appeared when you added the disk image in the previous step, and click on the disk that you've mounted. The example below demonstrates this:
ProDiscover Image Selection
Once the disk has been selected, the same behaviour we discussed with Autopsy holds true for this software. Any files that have been deleted or erased will be shown with a red X on them. You can see this better in the example below:
ProDiscover Deleted files listing
To recover a file, simply right-click on the file in question and select "Copy File." ProDiscover will then ask you where you would like to save the file. Select a location for the file and it will be extracted from the image that you are currently working with. The next examples show this:
ProDiscover Extracting a Deleted File
ProDiscover Saving A Deleted File.
From this point forward, what I would suggest is that once a file has been extracted from the forensic set / image, it should be validated with an MD5 hash to make sure that the exported copy matches the file within the forensic image and has not changed during export.
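The hash validation described above can be scripted rather than done by hand. The following is an added example written for this article, not part of ProDiscover or of the original text: it hashes an exported file in chunks (so large exports do not need to fit in memory), compares the result with the digests recorded before export, and also shows that a single appended byte is detected. The file name, the sample content and the recorded digests are all constructed for the demonstration; the block goes slightly beyond the text by computing SHA-256 alongside MD5, since MD5 alone is no longer considered collision-resistant.

```python
import hashlib
import os
import tempfile

# Constructed sample content standing in for a file exported from the image.
SAMPLE_CONTENT = b"constructed sample file content\n" * 100


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in chunks and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_export(exported_path, expected):
    """Compare an exported file's digests with those recorded before export.

    expected: {algorithm: hex digest} as noted from the image before copying.
    Returns (ok, computed) so the computed values can be written to the case notes.
    """
    computed = hash_file(exported_path, algorithms=tuple(expected))
    ok = all(computed[alg].lower() == expected[alg].lower() for alg in expected)
    return ok, computed


def known_answer_md5():
    """MD5 of the bytes b"abc" via hash_file, as a self-check of the chunked hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "abc.bin")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return hash_file(path, algorithms=("md5",))["md5"]


def demo():
    """Simulate an export: verify an intact copy, then a copy with one extra byte."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical export path; the name is constructed for the example.
        path = os.path.join(tmp, "recovered_document.docx")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CONTENT)

        # Digests "recorded from the image" before export (constructed here).
        expected = {
            "md5": hashlib.md5(SAMPLE_CONTENT).hexdigest(),
            "sha256": hashlib.sha256(SAMPLE_CONTENT).hexdigest(),
        }
        intact_ok, computed = verify_export(path, expected)

        # Simulate a damaged or altered export by appending a single byte.
        with open(path, "ab") as fh:
            fh.write(b"\x00")
        tampered_ok, _ = verify_export(path, expected)

        return intact_ok, tampered_ok, computed


if __name__ == "__main__":
    intact, tampered, digests = demo()
    print("intact export verified:", intact)
    print("altered export verified:", tampered)
    print("digests:", digests)
```

In practice the `expected` digests come from the tool's own hash display or from the hash you recorded before copying the file out; keep the computed values in your case notes alongside the export path.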
Other Factors to Consider
When performing an analysis on a disk, or set of disks, there are signs that it may have been connected to other computers. To determine this, look carefully for files with the following names: .Trashes, DStore, .store, spotlight, and of course the familiar Windows Desktop.ini files. These all belong to various operating systems and are a dead giveaway to an examiner working a case. The next segment shows this and matches each file to its respective operating system.
ProDiscover Displaying .Trashes, spotlight, and store all indicative of OS X.
ProDiscover Showing a file that is clearly labeled Snow Leopard. A sure sign of OS X Usage.
Building on these examples, we will be posting more articles on operating-system forensics and what to look for when dealing with this type of work. The next articles will deal with tracking attacks, examining security logs and where to search on most operating systems.