When was the last time you accidentally deleted an important computer file? If you’re a digital forensics wiz, you may have been unfazed by the loss, knowing that you could follow a simple procedure to recover the missing information: Simply shut down your computer, remove the hard drive, install it onto another computer, make a 100 GB bit-for-bit image of it and then scan every byte until you find the lost .doc, .jpg or MP3.
If you’re not a digital forensics wiz, then a new tool developed by two Northeastern University graduates — Keith Bertolino, E ’08, ME ’09, and Matthew Kowalski, BA’08 — may be exactly what you need.
FoRCE, or Forensic Recovery Carving and Extraction, allows any user — or, as Bertolino, put it, “your grandmother” — to recover deleted text, images and other data files from their computers, and would be the first program capable of recovering deleted data files from running machines.
The computer wizards, who launched a digital forensics consulting firm in 2006, are attempting to bring the tool to market in the next six months with help from IndieGoGo, the world’s largest global funding platform. Financial contributors have the opportunity to receive a discounted version of FoRCE in about a month.
The tool has mass appeal, Bertolino said, from home users looking to recover their own files to big corporations looking for illicit activity on their complex systems. Other potential users include local law enforcement departments that don’t have the funds to employ trained forensic examiners or purchase the expensive tools currently available.
IndieGoGo will provide both the initial funding for the project and market research that would help identify the most interested users. “The thought is that the backers will be representative of the market space,” Bertolino said.
FoRCE, he said, stands apart from its competition in at least two important ways. For one, the tool would be sold as a stand-alone product, unlike current so-called “carving” tools, which are embedded in larger software packages that provide a variety of forensic tools along with data recovery. FoRCE is also a “live-box” tool, meaning it can operate on running systems, without the need to shut down the computer or take a digital picture of the hard drive.
“If a company gets hacked into, and they have huge data servers, it’s no longer feasible to completely shut down,” Bertolino said. “You need to be able to do forensics on something that’s running.” This live-box approach is now standard practice in most digital forensics applications, except for data recovery.