forensics, data recovery

forensics = looking at data on a media device(s), usually in an investigation

data recovery = looking for data on a media device(s), for a customer

links

http://forensics.wikia.com/wiki/

http://www.forensicswiki.org/wiki/

data recovery

For standard Windows-based IT data recovery from NTFS (deleted files, formatted drives), I recommend PC Inspector [FREE]

http://www.pcinspector.de/Sites/file_recovery/info.htm?language=1

For undoing rm *, I haven't found any tools. Many people recommend remapping the rm command to something like "mv file to trashbin", so that only su (root) can actually rm.

forensics

Forensics cannot be done from Windows without physically forcing the IDE cable to "read only" (Windows will otherwise write to the media), but even that's not great in a legal sense.

For real forensics, there is only one tool: dd (and its updated variants, dcfldd and ddrescue).

http://www.forensicswiki.org/wiki/Dcfldd

http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/

http://ubuntuforums.org/archive/index.php/t-1033712.html

Access the media in question from a LiveCD (but NOT Ubuntu, since it may mount the media automatically and write to it). Knoppix doesn't automount, and Helix is the standard forensics LiveCD.

http://forensics.wikia.com/wiki/Helix_LiveCD

$ sudo mount -o ro /dev/sda /where/you/want/to/mount    # "readonly" is not a mount option, the read-only flag is "ro"; mount the partition (e.g. /dev/sda1) if the disk has a partition table

data backup

The same tools are also useful for backing up copy-protected DVDs/CDs. For example, the Microsoft Flight Sim disks have copy protection.

VERY SLOW (conv=noerror keeps going past unreadable sectors, conv=sync pads them to a full block so offsets stay correct; /dev/dvd is a device node, not a directory):

$ dcfldd if=/dev/dvd of=fs2004.iso bs=2048 conv=sync,noerror

ddrescue is faster on damaged discs; the third argument is the map file that lets a second run (-A retries failed blocks) resume instead of starting over:

$ ddrescue -A -b 2048 /dev/dvd1 fs2004.iso fs2004.map
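A copy made with dd is only evidence (or a usable backup) if you can show it matches the source, so the practical workflow is: image, hash the source, hash the image, compare. The script below is an added example and not part of these notes or of dd/dcfldd; it runs the same dd options used above against a constructed sample file under a temp directory (the paths and the image/hash file names are assumptions) and shows the one caveat practitioners trip over: conv=sync pads a short final block, so the source size must be a multiple of bs (true for a disk when bs is its sector size) or the hashes will legitimately differ.

```shell
#!/bin/sh
# Added example (not from the original notes): image a source with dd-style
# options and verify the copy by hashing source and image.
# All paths are constructed sample files under a temp directory, not real drives.

hash_file() {
    # SHA-256 of a file: coreutils sha256sum first, shasum fallback (BSD/macOS)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST [BS]
# Copies SRC to DST with conv=sync,noerror (a bad sector does not abort the
# copy and is padded so later offsets stay correct), records the source hash
# next to the image, and returns 0 only if source and image hash identically.
# Caveat: conv=sync zero-pads a short final block, so SRC's size must be a
# multiple of BS or the hashes will differ even though nothing went wrong.
image_and_verify() {
    src=$1; dst=$2; bs=${3:-4k}
    dd if="$src" of="$dst" bs="$bs" conv=sync,noerror 2>/dev/null
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf '%s  %s\n' "$src_hash" "$src" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Constructed sample "device": 1 MiB of random bytes (an exact multiple of 4k).
WORK=$(mktemp -d)
head -c 1048576 /dev/urandom > "$WORK/evidence.img"

if image_and_verify "$WORK/evidence.img" "$WORK/evidence.dd" 4k; then
    echo "image verified: $(cat "$WORK/evidence.dd.sha256")"
else
    echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
```

On a real disk the source is the block device (e.g. /dev/sda, mounted nowhere or read-only) and bs should be its sector size (512 or 4096), which makes the padding caveat moot; keep the .sha256 file with the image, since that hash is what you will be asked to reproduce later.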

Anti-Forensics

Be sure to overwrite your old drives before disposal (double-check that sda is really the drive you mean; this is irreversible):

$ dd if=/dev/zero of=/dev/sda bs=4k conv=notrunc

To eliminate deleted files that still sit in free space, fill the free space with random data (dd stops with "No space left on device") and then delete the filler file:

$ dd if=/dev/urandom of=/home/usernamehere/filename.data bs=4k; rm /home/usernamehere/filename.data
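An overwrite you never verified is not a sanitised drive: dd can stop early on an I/O error, and the only evidence that matters is what a read-back shows. The script below is an added example and not part of these notes; it overwrites a constructed "drive" (a sample file with a recognisable marker embedded in random data, under a temp directory) with zeros in place and then reads it back to confirm no non-zero byte remains and the marker is gone. The file and marker names are assumptions; on a real disk you would pass the block device instead.

```shell
#!/bin/sh
# Added example (not from the original notes): overwrite a "drive" with zeros
# and then verify the overwrite instead of trusting that dd finished.
# The "drive" is a constructed sample file; on real hardware it would be the
# block device, and you must be certain it is the right one.

# wipe_and_verify DEV
# Overwrites every byte of DEV with zeros in place (conv=notrunc keeps a
# regular file's size) and returns 0 only if a read-back finds no non-zero byte.
wipe_and_verify() {
    dev=$1
    size=$(wc -c < "$dev" | tr -d ' ')
    head -c "$size" /dev/zero | dd of="$dev" conv=notrunc 2>/dev/null
    sync
    # tr strips NUL bytes; any byte left means the overwrite missed data
    remaining=$(tr -d '\000' < "$dev" | wc -c | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# count_marker DEV MARKER: how many lines of DEV still contain a plaintext marker
count_marker() {
    grep -a -c "$2" "$1" || true
}

WORK=$(mktemp -d)
DISK="$WORK/old-drive.img"
# Constructed sample: random data with a recognisable "secret" embedded in it
head -c 4096 /dev/urandom > "$DISK"
printf 'CONFIDENTIAL-MARKER-12345' >> "$DISK"
head -c 4096 /dev/urandom >> "$DISK"

echo "before wipe: marker found $(count_marker "$DISK" CONFIDENTIAL-MARKER) time(s)"
if wipe_and_verify "$DISK"; then
    echo "after wipe: marker found $(count_marker "$DISK" CONFIDENTIAL-MARKER) time(s), all bytes zero"
else
    echo "wipe verification FAILED: non-zero bytes remain" >&2
fi
```

The read-back is the point: a single pass of zeros that actually covered every sector is verifiable, whereas the notes' free-space filler only reaches blocks the filesystem hands out, so slack space and remapped sectors are not touched by it and a whole-device overwrite is what you want before a drive leaves your hands.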