All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 17 posts ] 
Author Message
 Post subject: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 8:10 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
I have a Toshiba hdd. Customer have made Windows recover to old laptop hdd.
New windows have made a new D partition. And he lost all data.
I have searched with RStudio.

But there aren't any known files and any old partitions.. Found some kind of big files that has PBM PGM PPM ... extensions. Tried to search with some another programs. Same.
I leave searched in Hex NFTS, EXIF , and some different things. I cannot find anything.

Searched internet. Says PBM PGM PPM are some graphic or picture format. I tried to open it. But not opening. Also guessed it was image files. Searched file by file. . Nothing . Guessed compressed file. WinRAR not opening.

I tried to remove HDD password and unlock with MRT. Nothing changed.
I have some more hdd for my experience. There are Some hdd has some situations.
I have a hdd had bit locker. RStudio finding same extension files .

My guess this hdd encrypted with bit locker.
Anyone has advice . What is that files. And how can I recover them

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Last edited by HddDonorMarket on January 4th, 2019, 8:19, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PBA... extension R Studio Find it
PostPosted: January 4th, 2019, 8:19 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3254
Location: Adelaide, Australia
can you open one each file type with HxD and post screenshot of file from 0x0 ?


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 8:32 
Offline

Joined: August 3rd, 2012, 7:47
Posts: 339
Location: slovenija
Probably user restore windows from factory media.
Use another software(ActivePartition recovery, WinHex,) you can try with MRT DE
But if he restore from factory media, then...


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 16:05 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
jerovsek wrote:
Probably user restore windows from factory media.
MRT DE
But if he restore from factory media, then...


Yes he made factory restore

I tried MRT DE

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PBA... extension R Studio Find it
PostPosted: January 4th, 2019, 16:19 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
HaQue wrote:
can you open one each file type with HxD and post screenshot of file from 0x0 ?


PPM

Attachment:
ppm.jpeg
ppm.jpeg [ 225.42 KiB | Viewed 1285 times ]



PGM

Attachment:
pgm.jpeg
pgm.jpeg [ 225.04 KiB | Viewed 1285 times ]


PBM

Attachment:
pbm.jpeg
pbm.jpeg [ 224.08 KiB | Viewed 1285 times ]

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 16:21 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
And Also some known format extension files. Big size. kinda over 1 GB

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 17:55 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10763
Location: Portugal
Ok, here :

HddDonorMarket wrote:

- I have a Toshiba hdd.

-Customer have made Windows recover to old laptop hdd.

- New windows have made a new D partition. And he lost all data.

-I tried to remove HDD password and unlock with MRT. Nothing changed.

-I have a hdd had bit locker.

-My guess this hdd encrypted with bit locker.


1 - If a drive is LOCKED with ATA PASSWOR you will NOT HAVE any ACCESS TO LBA. Unlocking the HDD with MRT will do nothing. Drive was already unlocked to start with.

2 - Ask client if bitlocker was used and ask for bitlocker key.

3 - Your sectors are random garbage and not actual pictures. Data IS ENCRYPTED with 3rd party tools like Bitlocker, Truecrypt, etc.

4 - Re-Installing from the recovery CDs, etc did wipe the encryption keys and setting/partitons, etc ... so you are in for PAIN ...

5 - Most likely it's un-recoverable unless you can :

- Do a full clone
- Try to force full decryption with RepairBDE - http://www.hddoracle.com/viewtopic.php?f=94&t=542
- Use logic recovery ....

But most likely keys are gone and data is encrypted forever and un-recoverable ...

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 4th, 2019, 20:50 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3254
Location: Adelaide, Australia
Hi, Googling for: PPM PBM PGM format


https://en.wikipedia.org/wiki/Netpbm_format
http://paulbourke.net/dataformats/ppm/


I haven't looked to see if files match these specs or not, but magic number appears to be about right.
if files are intact, the utility at second link may be able to save files in another format to better use them.

what folder were they in, or where were the files found relating to user file saving locations / OS worker files / Application specific folders? An application installed on the PC may provide some insight in what the files are for etc.


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 5th, 2019, 5:25 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
Spildit wrote:
Ok, here :

HddDonorMarket wrote:

- I have a Toshiba hdd.

-Customer have made Windows recover to old laptop hdd.

- New windows have made a new D partition. And he lost all data.

-I tried to remove HDD password and unlock with MRT. Nothing changed.

-I have a hdd had bit locker.

-My guess this hdd encrypted with bit locker.


1 - If a drive is LOCKED with ATA PASSWOR you will NOT HAVE any ACCESS TO LBA. Unlocking the HDD with MRT will do nothing. Drive was already unlocked to start with.

2 - Ask client if bitlocker was used and ask for bitlocker key.

3 - Your sectors are random garbage and not actual pictures. Data IS ENCRYPTED with 3rd party tools like Bitlocker, Truecrypt, etc.

4 - Re-Installing from the recovery CDs, etc did wipe the encryption keys and setting/partitons, etc ... so you are in for PAIN ...

5 - Most likely it's un-recoverable unless you can :

- Do a full clone
- Try to force full decryption with RepairBDE - http://www.hddoracle.com/viewtopic.php?f=94&t=542
- Use logic recovery ....

But most likely keys are gone and data is encrypted forever and un-recoverable ...


Thanks. I will send back this hdd to customer I guess.. But have at least another 2 hdd (garbage ) in my stock. Look like Same case. I will try with them.

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 5th, 2019, 5:33 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
HaQue wrote:
Hi, Googling for: PPM PBM PGM format


https://en.wikipedia.org/wiki/Netpbm_format
http://paulbourke.net/dataformats/ppm/



what folder were they in, or where were the files found relating to user file saving locations / OS worker files / Application specific folders? An application installed on the PC may provide some insight in what the files are for etc.



Not in a folder. R Studio putting in Graphic parts . Folder names PBM , PGM, PPM.

In order to that link , that files 1st sector information look like PBM PGM PPM file. But data is not belong to that file types.

So my guess look like true. Some kind encryption . And I don't know which !!!!
Like a nightmare )))

Bring it back. And relax )))

I will try to find that kind cases solution. Maybe in future. Not now

Thanks for replies.

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: January 5th, 2019, 16:38 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10763
Location: Portugal
Your welcome ! Too bad that you couldn't solve this one but most likely it's impossible to solve if client isn't going to provide at least what was used for encryption even less a "key" to decrypt ... Assuming of course that the data is indeed encrypted ....

Well better luck next time. We can't allways win...

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 12th, 2019, 17:30 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
Today a customer send me a hdd. Windows installed over old data. Searched with Rstudio, Eausus , MRT data recovery.
Same case. :oops: :oops:
I have another 3 hdd that I have bought for experience ( data not necessary ) same situation.

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 12th, 2019, 20:04 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10763
Location: Portugal
Try DMDE.

Use FULL scan of the drive from first LBA to last and check option to carve for files / raw recovery. Search for example for JPGs.

Most likely file alocation table is gone and you can't get any old data by searching by file alocation table. If you look in each LBA / sector by sector for file signature you should be able to get some old data even if by file type unless the user did clear the drive or have done a full format while restoring windows ...

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 13th, 2019, 1:37 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 216
Location: France
It reminds me of this weirdness I had (starting from post #9) :
viewtopic.php?f=1&t=36574
Same scenario : Windows supposedly reinstalled over old data, then absolutely nothing could be extracted (using R-Studio and Photorec) beyond the new Windows files, despite the fact that the whole unallocated space was full of “something”. Yet the owner did not set any kind of encryption scheme (at least actively / purposely). I still have no explanation for this.

In R-Studio (and for “raw file carving” in general) it's a good practice to uncheck the file types that are unlikely to be found in a particular drive (Settings => Known file types), since the default list is unnecessary cluttered, so as to avoid getting too many false positives, i.e. “garbage” files which are erroneously detected based on fake “signatures” randomly found in the stream of data, which can be 1) part of valid files (for instance there can be a random JPG signature in the middle of a valid MP4 file – obviously that JPG file won't be readable, and in some cases the valid file may be truncated as a result, even though it was not fragmented and could have been recovered fully – although R-Studio is constantly improving and is pretty good at avoiding this, it still happens {*}), 2) remnants of older files which can no longer be fully recovered, 3) encrypted data. Better stick to the most common and most important file types (JPG, DOC/DOCX, XLS/XLSX, ODT/ODS, PDF...), then only if a client needs a particular uncommon type of files, and if the filesystem is too damaged to recover them based on metadata / file records with their original attributes and directory structure and full cluster list (very important in case of fragmentation), should you check them in the list (and warn the client that files recovered that way have a low probability of being 100% valid, especially large files, if the drive was nearly full and its contents were constantly changing). Or, conversely, if a client doesn't know what PBM / PGM / PPM files are, you probably shouldn't bother about those...

{*} With Photorec it's more frequent in my experience (even though it's still excellent for a freeware, and has even been compared favorably to very expensive file carving softwares); for instance I've seen perfectly valid and non fragmented video files be either truncated when a fake JPG signature was found inside, or missing small chunks of a few KB corresponding to fake MP3 files, and only after unchecking JPG and MP3 in the list of detected file types were those files flawlessly recovered...


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 13th, 2019, 6:04 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
Spildit wrote:
Try DMDE.

Use FULL scan of the drive from first LBA to last and check option to carve for files / raw recovery. Search for example for JPGs.

Most likely file alocation table is gone and you can't get any old data by searching by file alocation table. If you look in each LBA / sector by sector for file signature you should be able to get some old data even if by file type unless the user did clear the drive or have done a full format while restoring windows ...

I have looked in hex editor. Not deep formatted . Hdd has data inside fully.
And manually searched some file types header signature. Codes. There is no known file types except last windows installed.

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 13th, 2019, 8:24 
Offline
User avatar

Joined: June 16th, 2018, 12:09
Posts: 199
Location: Turkey
abolibibelot wrote:
It reminds me of this weirdness I had (starting from post #9) :
viewtopic.php?f=1&t=36574
Same scenario : Windows supposedly reinstalled over old data, then absolutely nothing could be extracted (using R-Studio and Photorec) beyond the new Windows files, despite the fact that the whole unallocated space was full of “something”. Yet the owner did not set any kind of encryption scheme (at least actively / purposely). I still have no explanation for this.

In R-Studio (and for “raw file carving” in general) it's a good practice to uncheck the file types that are unlikely to be found in a particular drive (Settings => Known file types), since the default list is unnecessary cluttered, so as to avoid getting too many false positives, i.e. “garbage” files which are erroneously detected based on fake “signatures” randomly found in the stream of data, which can be 1) part of valid files (for instance there can be a random JPG signature in the middle of a valid MP4 file – obviously that JPG file won't be readable, and in some cases the valid file may be truncated as a result, even though it was not fragmented and could have been recovered fully – although R-Studio is constantly improving and is pretty good at avoiding this, it still happens {*}), 2) remnants of older files which can no longer be fully recovered, 3) encrypted data. Better stick to the most common and most important file types (JPG, DOC/DOCX, XLS/XLSX, ODT/ODS, PDF...), then only if a client needs a particular uncommon type of files, and if the filesystem is too damaged to recover them based on metadata / file records with their original attributes and directory structure and full cluster list (very important in case of fragmentation), should you check them in the list (and warn the client that files recovered that way have a low probability of being 100% valid, especially large files, if the drive was nearly full and its contents were constantly changing). Or, conversely, if a client doesn't know what PBM / PGM / PPM files are, you probably shouldn't bother about those...

{*} With Photorec it's more frequent in my experience (even though it's still excellent for a freeware, and has even been compared favorably to very expensive file carving softwares); for instance I've seen perfectly valid and non fragmented video files be either truncated when a fake JPG signature was found inside, or missing small chunks of a few KB corresponding to fake MP3 files, and only after unchecking JPG and MP3 in the list of detected file types were those files flawlessly recovered...


Look like same case yes.
Bored me. I will give back hdd to customer. But I want to find solution

_________________
A Recovery Service In Turkey . Veri Kurtarma Türkiye https://www.digitalverikurtarma.com
Donor Drives hdddonormarket.com


Top
 Profile  
 
 Post subject: Re: What is PBM , PGM , PPM... extensions R Studio Find it
PostPosted: April 13th, 2019, 9:35 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10763
Location: Portugal
Maybe they used something like bitlocker or any other sort of encryption ? Maybe they are using software to do file level/sector level encryption apart from windows ? Maybe they were running windows and using some sort of Virtualization and running other main os on vm ?

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 17 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 23 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group