Video Library
In this section we have a number of screen capture videos showing the features of Blade and demonstrating the software in action. If you cannot see the videos, click on the link at the bottom of the video page to download the codec.
-----------------------------------------------------------------------------------------------------------------------------------------------
Introduction to Blade and the Data Recovery Features
This video is an introduction to the Blade user interface. It shows how to select your source image or file and how to select an export folder.
The video also gives an introduction to the Global/Personal Signature Databases. In the demonstration, a simple JPEG header is added to the Personal Database and an Encase image is selected for recovery.
With multi-segment images, you only need to select the first image (i.e. *.e01, *.s01, *.000 or *.001); Blade will automatically identify all the required segments.
-----------------------------------------------------------------------------------------------------------------------------------------------
Windows Link File Recovery & Deconstruction
This video shows the recovery of Windows Link Files from a disk image. The process is in two stages. During stage one, Blade looks for link file headers across the entire image.
During stage two, Blade attempts to extract the link file and validates that the data is intact and conforms to the correct structure. Each field is parsed and the data is output in the various formats selected. If the user has selected to export the actual files as well, they are also written out.
Currently, there are options to extract the data in CSV, Excel-specific CSV and XML. We are currently working on a viewer which will allow the data to be loaded and analysed.
-----------------------------------------------------------------------------------------------------------------------------------------------
Converting an E01 Encase Image to a Flat File Image
This video shows how to convert an Encase (Expert Witness Format *.e01 or *.s01) or Smart Image to a full or segmented flat file image.
Converting an image is something an examiner may do on a regular basis, especially if he/she wishes to mount the image as a physical device or volume. This also allows you to run a forensic image through other tools that do not support the Expert Witness file format.
The video demonstrates setting the module properties to select whether the image is segmented or single file and to set the segment size. The e01 Professional Module is FREE with the purchase of any Blade Professional Module.
-----------------------------------------------------------------------------------------------------------------------------------------------
Recovery of Adobe PDF & Microsoft Word Documents from Logical Volume
This video shows how to recover Adobe PDF and Microsoft Word documents from a logical volume using Blade.
The user simply selects the volume to recover the data from and ticks the appropriate files to recover. Select the export folder and click the Start button. Just a few clicks of the mouse and Blade will search the volume sector by sector looking for the headers / footers and landmarks.
Once the data has been identified, in stage two, the files will be read from the disk and written to the export folder.
-----------------------------------------------------------------------------------------------------------------------------------------------
Recovery of AOL PFC Email Messages from a Segmented Disk Image
The research and development that went into recovering AOL email messages from a forensic image took a considerable amount of time.
AOL email messages contain many different elements such as compressed and non-contiguous data blocks. Embedded attachments can be split and have to be stitched back together. When this module was originally designed, the goal was not to recover live and deleted email messages from a Personal Filing Cabinet, but to be able to recover emails from a disk image. This functionality was originally released to Police Forces all around the world as a tool called EMLXtract.
Through research and development, the recovery engine has been enhanced further and is now part of Blade. This video shows the extraction and examination of AOL email messages from a segmented disk image.
-----------------------------------------------------------------------------------------------------------------------------------------------
Recovery of Outlook Express Email from an Encase Image
The research and development that went into recovering Outlook Express email was almost as considerable as it was for AOL email.
To recover Outlook Express messages from a disk image, the software has to ignore the normal structures of the DBX file. These structures point to the data blocks. This means a complicated search and validation engine had to be developed to ensure that this was done correctly and efficiently.
The design goal for this module was to recover live and deleted email messages from a disk image where the file index was missing or corrupt. This would allow individual email messages to be recovered. It is impossible for a simple traditional carver to be able to recover this type of file correctly as the data is split into blocks which contain email data and other binary information. It is also highly likely that the data will not be in contiguous blocks.
This video demonstrates how to recover live and deleted Outlook Express (version 5 and 6) email messages directly from an Encase image.