Hi,
I am very new to this area so any help would be greatly appreciated. I have been given a raw image of a usb key and asked to retrieve user files. So far using x-ways file recovery I have found 12 - 3 actual files and 9 headers. The problem is that I dont know what to do next. I need to find information on the 9 headers but dont know where to start. In my case report in xways the offsets and content of the other 3 files were retrieved but nothing on the missing 9 headers. Any hints or tips would be great.
Thanks
Homework?
What have you discovered from your research about the structure of "headers" or wider structure of the FAT FS?
It's all about "Refine volume snapshot." Read the X-Ways help/manual about what options to select here. This is where the carving occurs.
What Tucker said. Xways is a very powerful and flexible tool, however not the easiest tool to just pick up and figure out what to do.
The user manual is very detailed, but again not written with a novice user in mind, but persevere and you will find the answers you need.
I have been given a raw image of a usb key and asked to retrieve user files.
Conceptually is it "forensics" or "data recovery"?
Is it "real life" or a "test/exam/exercise"?
In any case the info you provide is lacking any meaningful detail. things like size of the device, filesystem used, OS under which the files were supposedly written to the stick, what actually was performed to "delete" them, the actual type and size of files, as an example are all data needed to suggest a course of action.
This may be of use as a general reference
http//homepage.ntlworld.com./jonathan.deboynepollard/FGA/problem-report-standard-litany.html
please be aware of the risk of slipping on a chocolate covered banana 😯
http//homepage.ntlworld.com./jonathan.deboynepollard/FGA/put-down-the-chocolate-covered-banana.html
jaclaz
You may want to consider other data recovery tools that might be easier to use than x-ways. E.g. this one http//