Blade® is a Windows-based, advanced professional forensic data recovery solution designed and developed by Digital Detective Group. It supports professional module plug-ins which give it advanced data recovery and analysis capabilities. The power and flexibility of the tool can be expanded as new modules become available. Blade® supports all of the major forensic image/export formats (EnCase® E01/Ex01, FTK, Smart, X-Ways, XRY, VHD, VMDK, DD, Segmented DD, IMA, IMG, RAW as well as memory dumps) and is more than just a data recovery tool. The professional modules (and some of the basic Recovery Profiles) have in-built Intelli-Carve® data validation and interpretation routines to assist with accurate data recovery.
The software has been designed for extremely fast/accurate forensic data recovery. Not only is it highly effective in the pre-analysis stage of a forensic examination, it can be quickly configured to recover/carve bespoke data formats. It has specifically been written for the field of Digital Forensics.
It is ideal for the following situations:
- Carve deleted data from forensic image files without using EnCase
- Can be used without knowledge of programming languages and scripting
- Recover data from Mobile Phone Memory dumps
- Creating recovery profiles for bespoke data recovery and sharing the profile with other agencies or colleagues
- Advanced Recovery of deleted Outlook Express / Microsoft Mail email messages
- Advanced Recovery of live and deleted AOL email messages
- Advanced Recovery of live and deleted Link Files and deconstructing the output
- Conversion of Hyberfil.sys
Professional Recovery Modules
With the addition of professional modules, Blade® can recover data which is not extracted by other forensic tools or traditional simple carvers. Professional Modules add a powerful capability to this product. Blade® is also ideal for practitioners (or technicians with limited forensic training) who want to perform quick and easy data recovery without resorting to using scripting programming languages or tying up their main forensic tool.
Sources of Evidence
In addition to the live files on the system, evidence can be found in numerous locations such as:
- Unallocated clusters
- Cluster slack
- Live memory, memory dumps and crash dumps
- Page files, system files, hibernation files
- System restore points
Blade® can recover data from a variety of sources. The source of the evidence can be any of the popular forensic image files such as from EnCase® or AccessData FTK, write protected physical and logical devices, flat file monolithic image formats or segmented flat file images.
Blade® is very simple and easy to use. First of all, select the data source. This can be done by selecting the Source drop down button. You can either select a Disk Image/Binary File or Physical/Logical Device.
If you select a Physical/Logical device, Blade® will scan the system for all connected accessible devices. Blade® will not show you mounted network drives as they cannot be opened at low level for data recovery scanning. It is normal practice to have a write blocker protect the source device and prevent any inadvertent writes to your source.
Select the device you wish to scan and press OK.
If you select Disk Image/Binary File, Blade® will open a File Selection window as shown below:
The drop down box will list the supported file type filters thereby allowing you to filter a specific file type. Select the file/image you wish to process and select Open. To see the full list of supported source types, please see the following: Forensic Image Formats Supported by Blade.
Selecting the Export Folder
The Export Folder is the location where Blade® will save any recovered data. It will also write its log files to this location. Clicking on the "..." browse button will launch the folder selection window (as shown below). Please ensure you have write permissions for this folder and there is enough space for the recovered data to be saved.
Press the Select Folder to close the window.
Before you start your recovery, you may wish to review some of the options available. The options window can be viewed by selecting Tools » Options.
The block size relates to the size of the buffer used to process the recovery source. The default block size is 512 sectors (256 KiB) for file and disk based recovery. Using larger block sizes can considerably increase the performance of Blade during the search and recovery phases.
The options are Normal, Verbose and Debug. It is recommended that you leave the logging at Normal. Setting the logging to Verbose or Debug will slow down the search and extraction as more information is written to the log files. Debug is designed to write additional information to the log files if a problem is encountered. Do not use this setting unless advised by our Technical Support team.
Files per Folder
This option allows you to set how many recovered files will be written to a single folder. The default value is 4,000 files. You have the option to select other values from the drop down list.
Open Export Folder on Completion
This option sets whether the export folder should automatically open at the completion of the recovery session.
This option allows the user to specify whether numbers are grouped using the group delimiter character as specified by the operating system International settings.
Selecting Recovery Profiles
When you are ready to recover data, select the Recovery Profiles for the data types you wish to recover. You can create your own Recovery Profiles for bespoke data recovery by selecting Personal Profile Database from the Tools menu.
Advanced Recovery Profiles can only be run on their own because of the way the searching and recovery process is completed. Multiple Standard Recovery Profiles can be selected for extraction without any problem.
To start the recovery process, press the Start button. During the recovery, Blade® will write a log to the export folder (and data validation log depending on the type of data recovered) and show important information in the screen log. The recovery log below shows recovery from an EnCase® Ex01 image and also contains the image metadata.
Blade® searches and recovers data from your source in two different phases:
- During phase 1, the data is identified and logged.
- During phase 2, the data is recovered and validated. It is then written to the Export Folder.
Once the extraction has completed, you can quickly access the Export Folder by selecting CTRL + E or Open Export Folder from the Tools menu.