Before You Start
Prior to extracting any data, or in fact, dealing with live evidence, please ensure you have read the following chapters:
- Introduction to HstEx™
- Installing HstEx
- Installing a Licence Key File
- USB Hardware Dongles
- Practice Files
- Deleted Data Recovery
- HstEx: A Guided Tour
We have provided a practice image to allow you to see how HstEx works; it is recommended you become familiar with the software through using the sample image and running HstEx against your own disk before accessing live evidence.
To download the practice image file, please follow the instructions at: Practice Files
Now that we have obtained the practice file set, we will use HstEx to process an EnCase® evidence file (E01). This image file is of a formatted volume which belonged to the Victor BUSHELL laptop. It has been formatted to highlight the recovery capabilities of HstEx.
Select the image file ‘2011-10-19-Sample.E01’ as the Data Source.
Select the folder where you want HstEx to recover the data to.
Select ‘Internet Explorer v5-9 Entries’ as the Data Type. BUSHELL was using Microsoft Internet Explorer.
Set the Block Size (Sectors) to 512.
You can confirm the settings by comparing HstEx with Figure 139 below. If you have correctly set all of the required parameters, you are now ready to click start.
When the recovery process is started, HstEx will process the data in two passes. During pass one, the software will identify the location of each possible data fragment. HstEx uses sophisticated data recovery techniques to ensure that records which traverse block boundaries are not missed.
At the end of pass one, HstEx examines the locations for each fragment and removes any duplicates.
During pass two, the data is recovered, validated and then written out to our proprietary HstEx Recovery Files (HSTX). As the output format is proprietary, it cannot be opened in any other software. Figure 2 shows HstEx at the end of the recovery process.
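To illustrate the two-pass approach described above, here is an added example (not HstEx code, and not its real record format): pass one scans a constructed image block by block, re-reading a small overlap past each block end so that a record crossing a block boundary is still found, and collapses duplicate finds by offset; pass two reports each hit as a physical sector and sector offset, the same location fields that NetAnalysis shows for a recovered record.

```python
import re

SECTOR_BYTES = 512

# Simplified record layout, constructed for this example only: a 4-byte
# signature followed by a NUL-terminated URL. Not the real IE or HSTX format.
RECORD_RE = re.compile(rb"URL (https?://[\x21-\x7e]{1,200}?)\x00")


def build_sample_image(block_sectors=512):
    """Construct a two-block image: one record inside block 0, one record
    straddling the block 0 / block 1 boundary, one just inside block 1."""
    block = block_sectors * SECTOR_BYTES
    img = bytearray(2 * block)
    r1 = b"URL http://example.com/first\x00"
    r2 = b"URL http://example.com/straddle\x00"
    r3 = b"URL http://example.com/second\x00"
    img[1000:1000 + len(r1)] = r1
    img[block - 10:block - 10 + len(r2)] = r2   # crosses the boundary
    img[block + 50:block + 50 + len(r3)] = r3   # fully within block 1
    return bytes(img)


def pass_one(image, block_sectors, overlap=256):
    """Locate candidate records one block at a time. Each window is extended
    by `overlap` bytes so a record that traverses the block boundary is seen
    from the preceding block. A record that lies in the overlap is then seen
    twice (once from each block); keying on absolute offset removes the
    duplicate, as HstEx does at the end of its first pass."""
    block = block_sectors * SECTOR_BYTES
    found = {}
    for start in range(0, len(image), block):
        window = image[start:start + block + overlap]
        for m in RECORD_RE.finditer(window):
            found.setdefault(start + m.start(), m.group(1))
    return dict(sorted(found.items()))


def pass_two(image, hits):
    """Recover each located record and describe where it came from."""
    return [{"physical_sector": off // SECTOR_BYTES,
             "sector_offset": off % SECTOR_BYTES,
             "url": url.decode("ascii")}
            for off, url in hits.items()]


if __name__ == "__main__":
    img = build_sample_image()
    for rec in pass_two(img, pass_one(img, 512)):
        print(rec)
```

Running `pass_one` with `overlap=0` finds only two records, which shows why a plain block-by-block scan misses the straddling one.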
If the Open Export Folder on Completion option has been set (Options » Open Export Folder on Completion), HstEx will open the export folder for review.
Inside the export folder, there will be a folder relating to the evidence item processed. Inside that folder will be a session folder which contains the recovered data (if any) inside a type specific folder and the recovery log.
As each session is written to a different folder, it is possible to run the extraction process multiple times with the same export folder. Figure 3 shows our export folder containing the recovery log and Internet Explorer folder.
The output from HstEx can be imported into NetAnalysis using the Open all History from Folder method (File » Open All History from Folder), or as individual files (File » Open History). When importing as individual files, make sure you select all of the files.
In our scenario, HstEx recovered a potential 10,509 records and exported them to a single HstEx Recovery File (as shown in Figure 4).
When HstEx writes out the recovered data, each file is capped at 5 MiB as each container may contain thousands of individual records.
Figure 5 shows the HstEx Recovery File loaded into NetAnalysis. As the original source for this data was an EnCase® evidence file, we can see highlighted the original file path for the source image as well as the physical sector and sector offset for the recovered record.
The path and source offset for the record are shown in the status bar for convenience; they are also recorded in the corresponding workspace fields shown in the grid.
As mentioned earlier in this chapter, HstEx writes a recovery log file to the session folder during the recovery.
Figure 6 shows the log file for this particular recovery session. The log file is a plain text file in which every entry is time stamped. It contains information such as:
- Software version and build information
- Operating system information
- Licence information
- Data source and export information
HstEx also extracts and logs the metadata information stored within the EnCase® evidence file.
HstEx has a number of options which can be set easily from the Options menu. They are as follows:
Options » Group Digits
This option sets whether the digits are grouped in the logs and user interface. For ease of review, numbers with many digits before the decimal mark are divided into groups using a delimiter, with the counting of groups starting from the decimal mark. This delimiter is usually called a thousands separator, because the digits are usually in groups of three (thousands).
The most general name for this delimiter is “digit group separator”, because thousands are not always the relevant group. For example, in various countries (e.g., China, India, and Japan), there have been traditional conventions of grouping by 2 or 4 digits. These conventions are still observed in some contexts, although the 3-digit group convention is also well known and often used.
Figure 7 shows the user interface without ‘Group Digits’ activated. Figure 8 shows the user interface with ‘Group Digits’ activated.
Options » Open Export Folder on Completion
This option allows the export folder to be automatically opened at the end of the recovery session. This option is ON by default.
The export folder can also be opened by selecting Tools » Open Export Folder (or by pressing the shortcut key CTRL+E).
Options » Force System Shutdown on Completion
This option, when set, will force a system shutdown at the end of a recovery session. It was added so that a system left unattended could be shut down once the recovery process had completed. This option is OFF by default. When the shutdown is activated (at the end of the recovery), you have 2 minutes to cancel it if required. The shutdown can be cancelled by typing the abort command into a command prompt (as shown below).
When the option is activated, a warning message is displayed underneath the progress bar (as shown in Figure 9).
This option will force the operating system to shut down at the completion of the recovery. You have two minutes to cancel the shutdown via the command line. Only use this option when you are sure that shutting down the system will not cause any issues.