All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 6 posts ] 
Author Message
 Post subject: File carver for RAW photos?
PostPosted: September 20th, 2017, 7:47 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
We had a customer with a severly damaged 3TB WD-drive (WD30EZRX) where 40GB of the data is unrecoverable. The damaged data is scattered all over the drive, and are not in one continuous piece.

Using photorec we manage to salvage about 15000 of the customer's JPEG-files, but _zero_ RAW-files. The customer used primarily Canon's RAW (.cr2) and Olympus (.orf), and photorec claims to be able to identify both these formats.

The customer claims she has thousands, even tens of thousands, RAW-files, so I find it really confusing that none of these were able to be carved out. The customer does photography for a living, and while all her photos are available in JPEG, she really wants the RAW-files.

Can anyone recommend another carver that we can try?


Top
 Profile  
 
 Post subject: Re: File carver for RAW photos?
PostPosted: September 20th, 2017, 18:09 
Offline

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
Could you recover the MFTs ? Does the files show up in the list ?


Top
 Profile  
 
 Post subject: Re: File carver for RAW photos?
PostPosted: September 21st, 2017, 7:45 
Offline

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
If the drive is severely damaged as in with bad sectors or other mechanical problems, then it is best recommended to create a clone first, ideally with an advanced hardware imager, and then scan or carve for files.

May try R-Studio, UFS Explorer as well.

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


Top
 Profile  
 
 Post subject: Re: File carver for RAW photos?
PostPosted: September 21st, 2017, 18:39 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
File Formats Recovered By PhotoRec:
http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec

The following URLs have detailed header information.

.cr2 Canon Raw 2 picture (TIFF image):
https://git.cgsecurity.org/cgit/testdisk/tree/src/file_tiff.c

.orf Olympus Raw Format picture:
https://git.cgsecurity.org/cgit/testdisk/tree/src/file_orf.c

You could use DMDE to scan for raw files by signature. CR2 file types are supported natively, but you could add your own file types and signatures.

https://dmde.com/

    Tools -> Full Scan
    - Raw -> Raw: File Signatures -> Add

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: File carver for RAW photos?
PostPosted: September 25th, 2017, 8:36 
Offline

Joined: October 20th, 2014, 5:25
Posts: 138
Location: Sweden
labtech wrote:
If the drive is severely damaged as in with bad sectors or other mechanical problems, then it is best recommended to create a clone first, ideally with an advanced hardware imager, and then scan or carve for files.


Already done, we have a (3TB-40GB) large file containing the cloned drive and that's what we're working against.

Quote:
May try R-Studio, UFS Explorer as well.


Thanks. I will give these a shot.


Top
 Profile  
 
 Post subject: Re: File carver for RAW photos?
PostPosted: November 29th, 2017, 12:01 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Of course, it may seem obvious, but those particular file types have to be selected in Photorec's options, I don't think that they are by default... (JPEG is, on the other hand, as it's much more common – and it was Photorec's original target, as its name implies.) As a general rule, it's best to select as few file types as possible, by unchecking those which are definitely not to be found on a given volume, because some legitimate files can be truncated by random false signatures of another file type (for instance, “ÿØÿ” or “FF D8 FF” can appear randomly in the middle of a video file, if it's at a cluster boundary it will be interpreted as the begining of a JPG file, and the video file will be truncated to half its length, even if it's not fragmented and could otherwise have been extracted sequentially). In that regard, Photorec's approach is quite rudimentary, despite the fact that it has been compared positively with very expensive forensic sofwares in professional tests. (Two documents I've found on the subject : “A comparative analysis of file carving software”, Timothy Courrejou & Simson L. Garfinkel, 2011, at www.dtic.mil ; and “Advanced file carving : How much are you ignoring?”, Bas Kloet, Hoffman Investigations, 2010, at digital-forensics.sans.org.)

But, as it has been said already, if the bad areas are scattered all over the surface, it should be / should have been possible to at least partially recover the MFT, hence get a partial directory structure, which is much more convenient than a bunch of folders with 500 files in each of them, sorted by the order in which they were extracted instead of their original location, and named after their first occupied sector (which can be very useful for the recovery process but not so much for the end user !). In a case like this both approaches are complimentary : recover as much files as possible using what can be salvaged of the filesystem, then do a thorough file carving, and then remove the duplicates, or let the client take care of that as it can be a painstaking process. (There are quite a few duplicate files finders, my favorite are DoubleKiller, streamlined and efficient, and AllDup, which has some nice extra features but a rather cluttered and unintuitive interface.) R-Studio recognizes both of those RAW file types, so it can search for them as “Extra found files” while scanning for directory structures, thus making those extra steps unnecessary, as long as the detection accuracy for those files is just as satisfying as Photorec's.

And of course, never do that kind of analisys directly on a problematic HDD, that should be obvious for a professional...


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 14 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group