What is PBM , PGM , PPM... extensions R Studio Find it

[HddDonorMarket]

I have a Toshiba hdd. Customer have made Windows recover to old laptop hdd.
New windows have made a new D partition. And he lost all data.
I have searched with RStudio.

But there aren't any known files and any old partitions.. Found some kind of big files that has PBM PGM PPM ... extensions. Tried to search with some another programs. Same.
I leave searched in Hex NFTS, EXIF , and some different things. I cannot find anything.

Searched internet. Says PBM PGM PPM are some graphic or picture format. I tried to open it. But not opening. Also guessed it was image files. Searched file by file. . Nothing . Guessed compressed file. WinRAR not opening.

I tried to remove HDD password and unlock with MRT. Nothing changed.
I have some more hdd for my experience. There are Some hdd has some situations.
I have a hdd had bit locker. RStudio finding same extension files .

My guess this hdd encrypted with bit locker.
Anyone has advice . What is that files. And how can I recover them

Last edited by HddDonorMarket on January 4th, 2019, 8:19, edited 1 time in total.

[HaQue]

can you open one each file type with HxD and post screenshot of file from 0x0 ?

[jerovsek]

Probably user restore windows from factory media.
Use another software(ActivePartition recovery, WinHex,) you can try with MRT DE
But if he restore from factory media, then...

[HddDonorMarket]

Probably user restore windows from factory media.
MRT DE
But if he restore from factory media, then...

Yes he made factory restore

I tried MRT DE

[HddDonorMarket]

can you open one each file type with HxD and post screenshot of file from 0x0 ?

PPM

PGM

PBM

[HddDonorMarket]

And Also some known format extension files. Big size. kinda over 1 GB

[HaQue]

Hi, Googling for: PPM PBM PGM format


https://en.wikipedia.org/wiki/Netpbm_format
http://paulbourke.net/dataformats/ppm/


I haven't looked to see if files match these specs or not, but magic number appears to be about right.
if files are intact, the utility at second link may be able to save files in another format to better use them.

what folder were they in, or where were the files found relating to user file saving locations / OS worker files / Application specific folders? An application installed on the PC may provide some insight in what the files are for etc.

[HddDonorMarket]

Ok, here :

- I have a Toshiba hdd.

-Customer have made Windows recover to old laptop hdd.

- New windows have made a new D partition. And he lost all data.

-I tried to remove HDD password and unlock with MRT. Nothing changed.

-I have a hdd had bit locker.

-My guess this hdd encrypted with bit locker.

1 - If a drive is LOCKED with ATA PASSWOR you will NOT HAVE any ACCESS TO LBA. Unlocking the HDD with MRT will do nothing. Drive was already unlocked to start with.

2 - Ask client if bitlocker was used and ask for bitlocker key.

3 - Your sectors are random garbage and not actual pictures. Data IS ENCRYPTED with 3rd party tools like Bitlocker, Truecrypt, etc.

4 - Re-Installing from the recovery CDs, etc did wipe the encryption keys and setting/partitons, etc ... so you are in for PAIN ...

5 - Most likely it's un-recoverable unless you can :

- Do a full clone
- Try to force full decryption with RepairBDE - http://www.hddoracle.com/viewtopic.php?f=94&t=542
- Use logic recovery ....

But most likely keys are gone and data is encrypted forever and un-recoverable ...

Thanks. I will send back this hdd to customer I guess.. But have at least another 2 hdd (garbage ) in my stock. Look like Same case. I will try with them.

[HddDonorMarket]

Hi, Googling for: PPM PBM PGM format


https://en.wikipedia.org/wiki/Netpbm_format
http://paulbourke.net/dataformats/ppm/



what folder were they in, or where were the files found relating to user file saving locations / OS worker files / Application specific folders? An application installed on the PC may provide some insight in what the files are for etc.

Not in a folder. R Studio putting in Graphic parts . Folder names PBM , PGM, PPM.

In order to that link , that files 1st sector information look like PBM PGM PPM file. But data is not belong to that file types.

So my guess look like true. Some kind encryption . And I don't know which !!!!
Like a nightmare )))

Bring it back. And relax )))

I will try to find that kind cases solution. Maybe in future. Not now

Thanks for replies.

[HddDonorMarket]

Today a customer send me a hdd. Windows installed over old data. Searched with Rstudio, Eausus , MRT data recovery.
Same case.
I have another 3 hdd that I have bought for experience ( data not necessary ) same situation.

[abolibibelot]

It reminds me of this weirdness I had (starting from post #9) :
viewtopic.php?f=1&t=36574
Same scenario : Windows supposedly reinstalled over old data, then absolutely nothing could be extracted (using R-Studio and Photorec) beyond the new Windows files, despite the fact that the whole unallocated space was full of “something”. Yet the owner did not set any kind of encryption scheme (at least actively / purposely). I still have no explanation for this.

In R-Studio (and for “raw file carving” in general) it's a good practice to uncheck the file types that are unlikely to be found in a particular drive (Settings => Known file types), since the default list is unnecessary cluttered, so as to avoid getting too many false positives, i.e. “garbage” files which are erroneously detected based on fake “signatures” randomly found in the stream of data, which can be 1) part of valid files (for instance there can be a random JPG signature in the middle of a valid MP4 file – obviously that JPG file won't be readable, and in some cases the valid file may be truncated as a result, even though it was not fragmented and could have been recovered fully – although R-Studio is constantly improving and is pretty good at avoiding this, it still happens {*}), 2) remnants of older files which can no longer be fully recovered, 3) encrypted data. Better stick to the most common and most important file types (JPG, DOC/DOCX, XLS/XLSX, ODT/ODS, PDF...), then only if a client needs a particular uncommon type of files, and if the filesystem is too damaged to recover them based on metadata / file records with their original attributes and directory structure and full cluster list (very important in case of fragmentation), should you check them in the list (and warn the client that files recovered that way have a low probability of being 100% valid, especially large files, if the drive was nearly full and its contents were constantly changing). Or, conversely, if a client doesn't know what PBM / PGM / PPM files are, you probably shouldn't bother about those...

{*} With Photorec it's more frequent in my experience (even though it's still excellent for a freeware, and has even been compared favorably to very expensive file carving softwares); for instance I've seen perfectly valid and non fragmented video files be either truncated when a fake JPG signature was found inside, or missing small chunks of a few KB corresponding to fake MP3 files, and only after unchecking JPG and MP3 in the list of detected file types were those files flawlessly recovered...

[HddDonorMarket]

Try DMDE.

Use FULL scan of the drive from first LBA to last and check option to carve for files / raw recovery. Search for example for JPGs.

Most likely file alocation table is gone and you can't get any old data by searching by file alocation table. If you look in each LBA / sector by sector for file signature you should be able to get some old data even if by file type unless the user did clear the drive or have done a full format while restoring windows ...

I have looked in hex editor. Not deep formatted . Hdd has data inside fully.
And manually searched some file types header signature. Codes. There is no known file types except last windows installed.

[HddDonorMarket]

It reminds me of this weirdness I had (starting from post #9) :
viewtopic.php?f=1&t=36574
Same scenario : Windows supposedly reinstalled over old data, then absolutely nothing could be extracted (using R-Studio and Photorec) beyond the new Windows files, despite the fact that the whole unallocated space was full of “something”. Yet the owner did not set any kind of encryption scheme (at least actively / purposely). I still have no explanation for this.

In R-Studio (and for “raw file carving” in general) it's a good practice to uncheck the file types that are unlikely to be found in a particular drive (Settings => Known file types), since the default list is unnecessary cluttered, so as to avoid getting too many false positives, i.e. “garbage” files which are erroneously detected based on fake “signatures” randomly found in the stream of data, which can be 1) part of valid files (for instance there can be a random JPG signature in the middle of a valid MP4 file – obviously that JPG file won't be readable, and in some cases the valid file may be truncated as a result, even though it was not fragmented and could have been recovered fully – although R-Studio is constantly improving and is pretty good at avoiding this, it still happens {*}), 2) remnants of older files which can no longer be fully recovered, 3) encrypted data. Better stick to the most common and most important file types (JPG, DOC/DOCX, XLS/XLSX, ODT/ODS, PDF...), then only if a client needs a particular uncommon type of files, and if the filesystem is too damaged to recover them based on metadata / file records with their original attributes and directory structure and full cluster list (very important in case of fragmentation), should you check them in the list (and warn the client that files recovered that way have a low probability of being 100% valid, especially large files, if the drive was nearly full and its contents were constantly changing). Or, conversely, if a client doesn't know what PBM / PGM / PPM files are, you probably shouldn't bother about those...

{*} With Photorec it's more frequent in my experience (even though it's still excellent for a freeware, and has even been compared favorably to very expensive file carving softwares); for instance I've seen perfectly valid and non fragmented video files be either truncated when a fake JPG signature was found inside, or missing small chunks of a few KB corresponding to fake MP3 files, and only after unchecking JPG and MP3 in the list of detected file types were those files flawlessly recovered...

Look like same case yes.
Bored me. I will give back hdd to customer. But I want to find solution