Being the “Timothy McGee” of the family

As a fan of NCIS, I have often seen how Timothy McGee and Abby Sciuto is doing their forensic work on computers, where they need to find some information to solve a case. Of cause they are in a crises, and have some magical graphical interfaces telling them all sort of information extremely fast. In the real world things is a bit different.

I decided to write this post, while recovering some mails for my uncle. He had an old computer, which started spontaneous shutdowns because of a thermal event. So he bought a new computer and asked me for help with getting the old mails. At that point I thought it was an easy job, just involving getting the hard drive, put it in my disk cradle, copy the outlook data file to the new computer and import it. When I dismantled the computer, I noticed the hard drive was a bit older then first expected. It had an IDE interface instead of a SATA interface, so my disk cradle idea did not work. No problem, I will just put it in a computer with IDE interface and access the files from this computer. Though luck, when I booted in Windows 7 check disk failed, and asked if I wanted to format the hard drive. Not the question I had hoped for.

The task just got bigger than first imagined. So the first thing would be to prevent any more damage to the data and file system on the disk. So I put the hard drive in my trusty Gentoo Linux machine and did a raw copy of the partition using dd.

sudo dd if=/dev/sdi1 of=/home/frosteyes/charlie/Bo/diskImage.img

Now having the disk image, I can work on getting the mails without risking to destroy anything on the physical disc. I am using testdisk and photorec. They can be installed by emerge testdisk on Gentoo Linux.

Using testdisk on the image, it shows that the MFT and MFT mirror are bad. Failed to repair them. This was identical with what chkdsk had reported earlier. So no usable master file table (MFT).

The next task was to run photorec on the disc image as seen below. photorec is a recovery program, which among other file types can detect pst files without having a file sytem on the disk. It resulted in a huge number of folders with files, including a number of pst files.

photorec is running on the disc image

An then finding the pst files I was looking for.

frosteyes@stas ~/charlie/Bo $ find ./ -iname *.pst | xargs ls -l
-rw-r--r-- 1 frosteyes users 81282048  5 maj 17:16 ./recup_dir.133/f9541960.pst
-rw-r--r-- 1 frosteyes users   271360  5 maj 17:19 ./recup_dir.171/f13814104.pst
-rw-r--r-- 1 frosteyes users 24396800  5 maj 18:46 ./recup_dir.374/f47280112.pst
-rw-r--r-- 1 frosteyes users  1033216  5 maj 18:49 ./recup_dir.414/f54353688.pst
-rw-r--r-- 1 frosteyes users   271360  5 maj 18:50 ./recup_dir.416/f55373800.pst

Before handing over the files to my uncle I just tested the files using lspst from libpst. Can be installed with emerge libpst on my Gentoo system. It showed that the pst files contains the needed emails.

So all in all it ended up being more forensic work than expected, but quite fun and I felt a bit like McGee from NCIS.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.