Data Loss Prevention

  • 1.  Recovery of deleted files

    Posted Aug 08, 2012 03:53 AM

    Hi everyone!

    Does Symantec have a solution to recover deleted files from removable devices for security incident investigation?

    e.g. someone has copied to external HDD some prohibited files from corporate notebook, then deleted these files on HDD but didn't overwrite it or format it - the goal is to recover these files somehow from this HDD (USB flash, whatever).



  • 2.  RE: Recovery of deleted files

    Posted Aug 08, 2012 08:46 AM

    Something like this isn't baked into DLP. I guess the closest you could get to this within DLP is to use the Prevent functionality and move sensitive data off the device. However, that doesn't help if someone is allowed to have the data but ends up deleting it.

    I think your best bet would be to utilize something like NetBackup or BackupExec. I'm not familiar with these products enough to give a good overview, but having the files backed up to start with would make recovery easier.

    Aaron



  • 3.  RE: Recovery of deleted files

    Posted Aug 09, 2012 08:35 AM

    Approach is clear, but task is not easy though. The goal is to find what files were deleted off the removable device and recover them (= undelete) to get evidence on data leak.



  • 4.  RE: Recovery of deleted files

    Posted Aug 09, 2012 08:47 AM

    Understood. Yeah, I don't think DLP is going to help a lot there. I'll think on some approaches to this but just initially it seems like to do this, you would have to make a copy of everything then diff the results of what was backed up and what is currently there.



  • 5.  RE: Recovery of deleted files

    Posted Aug 25, 2012 02:56 AM

    You should try some data recovery tools out there to recover deleted files from removable devices. I will suggest the "Recover My Files" tool, which I personally use.



  • 6.  RE: Recovery of deleted files

    Posted Aug 25, 2012 03:40 PM

    There are some free recovery tools that are OK. What you are basically looking for is metadata. The files are there; the pointers are gone or the index was wiped from the store. I use a combination of all of them to get what I need. There are some great paid apps, but not sure if you want to spend the $$.

     

    TestDisk

    • Fix partition table, recover deleted partition
    • Recover FAT32 boot sector from its backup
    • Rebuild FAT12/FAT16/FAT32 boot sector
    • Fix FAT tables
    • Rebuild NTFS boot sector
    • Recover NTFS boot sector from its backup
    • Fix MFT using MFT mirror
    • Locate ext2/ext3/ext4 Backup SuperBlock
    • Undelete files from FAT, exFAT, NTFS and ext2 filesystem
    • Copy files from deleted FAT, exFAT, NTFS and ext2/ext3/ext4 partitions.

    Recuva

    PhotoRec

    Undelete +

    Restoration
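
The point made in post 6, that a deleted file's data stays on the device while only its index entry changes, can be seen in a FAT directory, where deletion overwrites the first byte of the 32-byte entry with 0xE5 and leaves the starting cluster and size in place. The following is an added example, not part of the thread and not code from any of the tools listed; it assumes the FAT32 short-name entry layout, and the directory bytes and file names are constructed sample data standing in for a read-only forensic image of the device.

```python
import struct

DELETED = 0xE5      # first name byte of a deleted FAT directory entry
LFN_ATTR = 0x0F     # long-file-name entries, skipped here
ENTRY_SIZE = 32

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed 8.3 directory entry (sample data, not from a real device)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = 0x20  # archive attribute
    struct.pack_into("<H", raw, 20, cluster >> 16)     # high word of first cluster
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)  # low word of first cluster
    struct.pack_into("<I", raw, 28, size)              # file size in bytes
    if deleted:
        raw[0] = DELETED  # the only byte of the entry that deletion changes
    return bytes(raw)

def find_deleted(directory):
    """Return (name, first_cluster, size) for each deleted short-name entry."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:  # no more entries in this directory
            break
        if e[0] != DELETED or e[11] == LFN_ATTR:
            continue
        # The first character of the name is lost; show it as "?".
        stem = "?" + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        hi, = struct.unpack_from("<H", e, 20)
        lo, = struct.unpack_from("<H", e, 26)
        size, = struct.unpack_from("<I", e, 28)
        hits.append((f"{stem}.{ext}" if ext else stem, (hi << 16) | lo, size))
    return hits

# Constructed directory: one live file, two deleted files, end-of-directory marker.
SAMPLE_DIR = (make_entry("REPORT", "DOC", 5, 20480)
              + make_entry("BUDGET", "XLS", 0x12345, 8192, deleted=True)
              + make_entry("NOTES", "TXT", 9, 300, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for name, cluster, size in find_deleted(SAMPLE_DIR):
        print(f"{name:12}  first cluster {cluster}  size {size}")
```

The surviving starting cluster and size are what an undelete tool uses to read the data back, which works only while those clusters have not been reused.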