GetFree - Forensic Data Capture Tool
DoD Tested and Certified!
When files are 'deleted' in DOS, Windows, Windows 95 and Windows 98, the data
associated with the file is not actually eliminated. It is simply reassigned
unallocated storage space
where it may eventually be overwritten by the creation of new files over time.
Such data can provide the computer forensics investigator with valuable
leads and evidence. However, the same data can create a significant security
risk when sensitive data has been erased using DOS, Windows, Windows 95 and
Windows 98 file deletion procedures and commands.
GetFree software is used to capture all of the unallocated file space on
DOS, Windows, Windows 95 and Windows 98-based computer systems. The program
can be used to identify leads and evidence. It is also effectively used to
validate the secure scrubbing of
unallocated storage space
with programs like NTI's
M-Sweep ambient data deletion software.
When GetFree software is used as an investigative tool, it eliminates the need
to restore potentially hundreds or thousands of files on computer hard disk
drives and floppy diskettes. The software was primarily developed as a computer
forensic tool for use in computer-related investigations and internal audits.
However, GetFree has also proven to be an ideal tool for use in computer
security risk assessments because the software automatically captures the data
associated with unallocated file space. Such data can be reviewed and analyzed
using other NTI forensic tools, e.g.,
NTA Stealth and
Graphics Image File Extractor.
The program and its uses are described in
Computer Forensics, Incident Response
Essentials by Warren G. Kruse II and Jay G. Heiser,
Cyber Crime Investigator's Field
by Bruce Middleton
Handbook by Dr. John W. Rittinghouse and Dr. William M. Hancock.
GetFree Software - Primary Uses:
- Calculates the amount of unallocated storage space on a computer storage
- Automatically captures all logical unallocated storage space on one or more computer hard
disk drives and floppy diskettes.
- Captures the contents of a dynamic Windows swap file for analysis with other
- Used in internal audits, security reviews and computer-related
- Validates the effectiveness of computer security data scrubbers.
- Identifies classified data spills in unallocated data storage areas.
- Identifies violations of company policy through the identification of sensitive data leakage
into unallocated storage space.
- Used very effectively with NTI's
Image File Extractor
in investigations involving computer generated graphic file images, e.g., child pornography
GetFree - Program Features and Benefits:
- DOS-based for speed and ease of use.
- No Software Dongle! - We know that software dongles get in the way and they
restrict your ability to process several computers at the same time. That is why NTI does not
use software dongles and our licensing of this software allows you to process multiple
computers at the same time. NTI's goal is to make your life easier and this software was designed
with ease of use in mind.
- Compact program size easily fits on one floppy diskette with other forensic software
- Non-printable characters (ASCII values 0-31 and non ASCII values 127-255) are skipped,
at the option of the user. This feature is used when the tool is used to validate the results
when a security scrubber has been used to eliminate data associated with "erased
- Does not alter any data on the target computer and can therefore be operated
- Captures unallocated clusters marked as bad (by a user or the operating system) in the
event that sensitive data is stored in sectors associated with such clusters.
- Compatible with DOS, Windows 3.x, Windows 95 and Windows 98.
- Estimates the output storage space needed for the data capture prior to use.
- Processes more than one logical drive in one work session.
- Automatically increments the output file names and prompts the user for additional
removable media in the event additional storage space is needed in achieving the data
- Supports 12-bit, 16-bit and 32-bit FAT types (32-bit FATs).
- If 32-bit FAT (FAT32) file systems are involved, GetFree should be run with a FAT32
aware version of DOS, e.g., DOS 7x.
- Automatically creates output files which are less that 2 gigabytes in capacity. This aids in
the analysis of the output files and avoids the 2 gigabyte DOS file limitations.
The current release is Version 1.7 and the GSA Product Number is GF1.7.
U. S. Government clients should click here
for information about GSA purchases.
Back To NTI's Home Page
Please direct E-Mail to
Copyright © 2004 by New Technologies Armor, Inc. January 18, 2004