Overview
Blade is a Windows-based, advanced professional forensic data recovery solution designed and developed by Digital Detective Group. It supports professional module plug-ins which give it advanced data recovery and analysis capabilities. The power and flexibility of the tool can be expanded as new modules become available. Blade supports all of the major forensic image/export formats (EnCase, FTK, Smart, X-Ways, XRY, VHD, VMDK, DD, Segmented DD, IMA, IMG, RAW as well as memory dumps) and is more than just a data recovery tool. The professional modules (and some of the basic Recovery Profiles) have in-built data validation and interpretation routines to assist with accurate data recovery.
The software has been designed for extremely fast/accurate forensic data recovery. Not only is it highly effective in the pre-analysis stage of a forensic examination, it can be quickly configured to recover/carve bespoke data formats. It has specifically been written for the field of Digital Forensics.
It is ideal for the following situations:
- Carving deleted data from forensic image files without using EnCase
- Use without knowledge of programming languages or scripting
- Recovering data from mobile phone memory dumps
- Recovering picture files and then processing the output with C4P in a triage capacity
- Creating recovery profiles for bespoke data recovery and sharing the profile with other agencies or colleagues
- Advanced Recovery of deleted Outlook Express / Microsoft Mail email messages
- Advanced Recovery of live and deleted AOL email messages
- Advanced Recovery of live and deleted Link Files and deconstructing the output
Professional Recovery Modules
With the addition of professional modules, Blade can recover data which is not extracted by other forensic tools or traditional simple carvers. Professional Modules add a powerful capability to this product. Blade is also ideal for practitioners (or technicians with limited forensic training) who want to perform quick and easy data recovery without resorting to scripting or programming languages, or tying up their main forensic tool.
Sources of Evidence
In addition to the live files on the system, evidence can be found in numerous locations such as:
- Unallocated clusters
- Cluster slack
- Live Memory, memory dumps and crash dumps
- Page files, system files, hibernation files
- System restore points
Blade can recover data from a variety of sources. The source of the evidence can be any of the popular forensic image files such as from EnCase or AccessData FTK, write protected physical and logical devices, flat file monolithic image formats or segmented flat file images.
Getting Started
Blade is very simple and easy to use. First of all, select the data source. This can be done by selecting button number 1 or 2 as shown in Figure 1.

Figure 1
As shown in Figure 1, selecting button number 1 will open the Physical / Logical Devices dialogue (Figure 2). Blade will scan the system for all connected Physical and Logical devices. Blade will not show you mounted network drives as they cannot be opened at low level for data recovery scanning. It is normal practice to have a write blocker protect the source device and prevent any inadvertent writes to your evidence. Select the device you wish to scan and press OK.

Figure 2
As shown in Figure 1, selecting button number 2 will open a normal file dialogue allowing you to select a file based source. This page contains a table of currently supported forensic image and file formats.
Button number 3 will open another dialogue allowing you to select an export folder where Blade will write the recovered data. Please ensure you have write permissions to this folder.
The dropdown list (number 4) allows you to select the block size used during the search phase.
The default block size is 512 sectors (256 KiB) for file and disk based recovery (except for evidence files where the block size is set at the point of acquisition such as with EnCase). In EnCase, the default block size is 64 sectors (32 KiB). This block size is set at the point of acquisition. Blade will use the acquisition block size for these types of forensic images. Using larger block sizes can considerably increase the performance of Blade during the search and recovery phases.
Button number 5 allows you to set how many recovered files will be written to a folder. The default value is 1,000 files. You have the option to select other values from the drop down list.
Button number 6 allows you to set the level of logging. The options are Normal, Verbose and Debug. It is recommended that you leave the logging at Normal. Setting the logging to Verbose or Debug will slow down the search and extraction as more information is written to the log files. Debug is designed to write additional information to the log files if a problem is encountered. Do not use this setting unless advised by Technical Support.
When you are ready to recover data, select the Recovery Profiles (8) for the data types you wish to recover.
You can create your own Recovery Profiles for bespoke data recovery by selecting Personal Profile Database from the Tools menu.
Advanced Recovery Profiles can only be run on their own because of the way the searching and recovery process is completed. Multiple Standard Recovery Profiles can be selected for extraction without any problem.
Recovering Data
To start the recovery process, press the Start button (9).
During the recovery, Blade will write a log to the export folder (and a data validation log, depending on the type of data recovered) and show important information in the screen log (7). The recovery log below shows recovery from an EnCase image and also contains the image metadata.

Figure 3
Blade searches and recovers data from your source in two different phases:
- During phase 1, the data is identified and logged.
- During phase 2, the data is recovered and validated. It is then written to the Export Folder.
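The two phases and the block-size setting, sketched as an added example (this is not Blade's own code or algorithm): a minimal PNG carver that reads the source in blocks of a chosen number of sectors, logs header offsets in phase 1, then recovers each hit and validates it by chunk CRC in phase 2. The PNG target, the function names and the sample image are assumptions constructed for illustration.

```python
import io, re, struct, zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data=b""):
    """One PNG chunk: length, type, data, CRC32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def phase1_identify(src, block_sectors=512):
    """Phase 1: read block by block and log candidate header offsets."""
    size, hits, base, tail = block_sectors * SECTOR, [], 0, b""
    while block := src.read(size):
        window, start = tail + block, base - len(tail)  # 7-byte carry catches a split header
        hits += [start + m.start() for m in re.finditer(re.escape(PNG_SIG), window)]
        tail, base = window[1 - len(PNG_SIG):], base + len(block)
    return hits

def phase2_recover(src, offset, max_size=1 << 20):
    """Phase 2: walk the chunks, verify each CRC, return the file bytes or None."""
    src.seek(offset + len(PNG_SIG))
    out = bytearray(PNG_SIG)
    while len(out) < max_size:
        head = src.read(8)
        if len(head) < 8:
            return None
        length, ctype = struct.unpack(">I4s", head)
        body = src.read(length + 4) if length <= max_size else b""
        if len(body) < length + 4 or zlib.crc32(ctype + body[:length]) != struct.unpack(">I", body[length:])[0]:
            return None
        out += head + body
        if ctype == b"IEND":
            return bytes(out)
    return None

def carve(image, block_sectors=512):
    src = io.BytesIO(image)
    found = [(off, phase2_recover(src, off)) for off in phase1_identify(src, block_sectors)]
    return [(off, "recovered" if d else "rejected", len(d or b"")) for off, d in found]

def sample_image():
    """Constructed data: an intact 1x1 PNG straddling a 512-byte boundary and a damaged copy."""
    png = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND"))
    bad = png[:20] + bytes([png[20] ^ 0xFF]) + png[21:]  # corrupt IHDR so its CRC fails
    img = bytearray(4096)
    img[508:508 + len(png)] = png
    img[2048:2048 + len(bad)] = bad
    return bytes(img), len(png)
```

Running `carve` on the sample with a one-sector block still finds the header that crosses the block boundary, and the damaged copy is identified in phase 1 but rejected by validation in phase 2.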
Once the extraction has completed, you can quickly access the Export Folder by pressing CTRL + E or selecting Open Export Folder from the Tools menu.