Anything related to computer forensics (new section!)

Recover Files After New OS Install

August 26th, 2016, 11:52

Some of the technicians on my team used System Center Configuration Manager (Microsoft software) to do a network PXE install of Windows 8.1. The machines used to have Windows 7 Thin PC and from what I can tell in the settings, a quick format was used to roll out the new OS. Some of the users had some files which they did not save to their network storage and so the files were deleted off of local disk when the quick format and install of the new OS occurred. Now I am trying to see if anything is recoverable. I have tried using Recuva, Remo, and Data Rescue PC3 to do deep scans and recover files but I cannot for the life of me find anything that they say they are missing. So I am assuming one of the following:

1. I have no idea what I'm doing.
2. The data has been overwritten by the new OS and whatever installations occurred after the OS install and is permanently gone.

Does anyone have any ideas how I can confirm that the data is truly lost? What I can say is that when I look at the recovered partitions, I see several (depending on the tool), many of which are small. The only one that seems to have any recoverable data is just the partition upon which the new OS is installed and I can't find any of the actual deleted data. If anyone has been in a similar situation, I would humbly accept any advice or procedures that you normally take for recovery.

Thank you in advance for your time!

Re: Recover Files After New OS Install

August 26th, 2016, 13:01

If you cannot find a file with multiple tools, then yes, it is unrecoverable.

Re: Recover Files After New OS Install

August 26th, 2016, 15:25

Try a raw recovery using a tool such as PhotoRec. It scans the drive looking for file "signatures" rather than partitions or FS fragments.

Re: Recover Files After New OS Install

August 29th, 2016, 11:16

Okay, I am running PhotoRec right now against the "Whole Disk" but it'll be quite a while before it finishes. Unfortunately, I am also looking for files that have proprietary extensions for specific software so I'm not sure how that might affect recovery at this point. So far, it almost seems like the new OS install may have overwritten a lot of the previous data but I'll spend some time sifting through the recovered files once the raw PhotoRec recovery process finishes.

Re: Recover Files After New OS Install

August 29th, 2016, 15:43

Okay, I finished doing a raw recovery with PhotoRec but I don't see any files that match the extension I'm looking for. Part of the problem I'm facing is that I'm looking for a file extension that matches a known file type but it is proprietary to a specific software so it has a different file signature. Is it possible that I need to add the file signature to PhotoRec (or any other program) before the recovery or is the RAW recovery pretty much a catch-all?

Re: Recover Files After New OS Install

August 29th, 2016, 19:06

I just noticed that DMDE 3.1.0.679 Beta has added "Custom file signatures support for Raw scan":

https://dmde.com/download.html
https://dmde.com/changelog.html

PhotoRec can do this also.

Add your own extension to PhotoRec:
http://www.cgsecurity.org/wiki/Add_your ... o_PhotoRec

Re: Recover Files After New OS Install

August 30th, 2016, 0:11

Does the file have a custom header and footer, or just header?

If you don't understand this, find two or three examples of the file. Open them in a hex editor such as HxD. Look at the first 4-8 bytes or so. Then the last 4-8 bytes. Is there consistency? If so then you could use a number of file carving programs as long as you can add in your own header and footer values.

Re: Recover Files After New OS Install

August 30th, 2016, 13:07

I looked at a sample of 4 different files of this type. They all start with 07 00 00 00 30 30 30 30 30 50 53 4D 04 00 00 and all end with 00's in the last 4-8 bytes. Would this cause other file carvers to skip over these files since it wouldn't be specifically looking for that pattern? I'm also going to start trying DMDE to see if that yields any results. Otherwise, no program I've used so far is finding the files I'm looking for. Thanks for the tips!
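
An added example, not part of the thread or any poster's code: the header/footer comparison suggested above, done in Python with the header bytes quoted in the last post, followed by a scan of a raw image for that header. The sample bodies, the 4 KiB stand-in image and all function names are constructed for illustration.

```python
import io

SECTOR = 512  # file data normally starts on a sector/cluster boundary
# Header bytes quoted in the post above
HEADER = bytes.fromhex("07 00 00 00 30 30 30 30 30 50 53 4D 04 00 00")
# Constructed samples: quoted header, made-up bodies, zero bytes at the end
SAMPLES = [HEADER + body + b"\x00" * 8 for body in (b"AAAA1", b"BBBB2", b"CCCC3")]

def common_prefix(samples):
    """Longest run of leading bytes shared by every sample."""
    n = 0
    for column in zip(*samples):
        if len(set(column)) != 1:
            break
        n += 1
    return samples[0][:n]

def common_suffix(samples):
    """Longest run of trailing bytes shared by every sample."""
    return common_prefix([s[::-1] for s in samples])[::-1]

def is_distinctive(sig, min_len=4):
    """A run of one repeated byte (e.g. all 00) also matches empty space."""
    return len(sig) >= min_len and len(set(sig)) > 1

def find_signature(image, sig, chunk=1 << 20):
    """Yield (offset, sector_aligned) for each hit of sig in a raw image stream."""
    base, tail = 0, b""
    while True:
        block = image.read(chunk)
        if not block:
            break
        buf = tail + block  # keep an overlap so hits spanning two reads are found
        pos = buf.find(sig)
        while pos != -1:
            off = base - len(tail) + pos
            yield off, off % SECTOR == 0
            pos = buf.find(sig, pos + 1)
        tail = buf[-(len(sig) - 1):] if len(sig) > 1 else b""
        base += len(block)

if __name__ == "__main__":
    head, foot = common_prefix(SAMPLES), common_suffix(SAMPLES)
    print("header:", head.hex(), "usable:", is_distinctive(head))
    print("footer:", foot.hex(), "usable:", is_distinctive(foot))
    disk = bytearray(4096)  # constructed stand-in for a raw disk image
    disk[1024:1024 + len(SAMPLES[0])] = SAMPLES[0]
    for off, aligned in find_signature(io.BytesIO(bytes(disk)), head):
        print(f"hit at offset {off}, sector aligned: {aligned}")
```

A trailer made only of zero bytes is reported as not usable, so carving this file type has to rely on the header plus a maximum file size rather than a footer match.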