
Opinion

(@giamma)
Posts: 16
Active Member
Topic starter
 

In a firm, they want to find an old file. It was created seven years ago.
Actually they don't know on which computer it was created. All of the PCs were erased and reinstalled in 2011.
The disks are quite empty. Is it possible to find something?
Thanks

 
Posted : 24/06/2014 12:38 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

It might be possible - but possibly with data carving.

What type of file is being looked for? Some files are easier to find than others!

 
Posted : 24/06/2014 3:41 pm
(@giamma)
Posts: 16
Active Member
Topic starter
 

> It might be possible - but possibly with data carving.
>
> What type of file is being looked for? Some files are easier to find than others!

Thanks, that's what I am thinking. The file is Excel xls or xlsx, not sure which version.
Thanks

 
Posted : 24/06/2014 5:55 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Two ways

1) Assuming that the disks were NTFS - likely but not certain - try and scan all possible MFT entries and search for XLS? files.

2) Do data carving and search for xls or xlsx files. This is slightly more complex.

All .xls files start with the same signature as .doc files (0xd0 0xcf etc).

Search for .XLSX files. These are basically ZIP files (start 'PK') and then can be determined by examining the structure of the file.

If the file is XLS and not XLSX then it may be possible to do a complete disk search for an unusual text string that the file may contain.

Your success rate will depend to a very large extent on how the computer has been used since, and luck as to where the original file was stored on the disk.

Always treat the possible disks as read only - never turn the PC on, or load ANY software to the drives.

For a 2007 computer do consider that the disk may have had NTFS compression enabled. It was not used much, and is even less common now, but when data carving, each cluster can be tested for compression.

 
Posted : 24/06/2014 6:16 pm
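The signature checks described in the post above, as an added example that is not part of the original thread: Python code that scans a raw image on 512-byte sector boundaries for the OLE2 signature (`d0 cf 11 e0 ...`) and the ZIP `PK` signature, then reads the first OLE2 directory sector to tell a workbook from a Word document. The function names, the 64 KiB look-ahead for ZIP entries and the sample image are constructed for illustration; the code assumes the file is contiguous and not NTFS-compressed.

```python
import struct

SECTOR = 512                                      # files start on sector boundaries
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # shared by .xls, .doc, .ppt
ZIP_MAGIC = b"PK\x03\x04"                         # .xlsx and .docx are ZIP containers

def ole2_stream_names(image, start):
    """Stream names from the first OLE2 directory sector (assumes no fragmentation)."""
    if start + SECTOR > len(image):
        return []
    shift, = struct.unpack_from("<H", image, start + 30)      # sector size = 1 << shift
    first_dir, = struct.unpack_from("<I", image, start + 48)  # first directory sector
    if shift not in (9, 12):
        return []
    size = 1 << shift
    base = start + (first_dir + 1) * size         # sector 0 follows the header sector
    names = []
    for off in range(base, min(base + size, len(image) - 127), 128):
        name_len, = struct.unpack_from("<H", image, off + 64)  # bytes, incl. NUL
        if 2 <= name_len <= 64:
            names.append(image[off:off + name_len - 2].decode("utf-16-le", "replace"))
    return names

def classify(image, start):
    """Label the candidate file starting at `start`, or return None."""
    head = image[start:start + 8]
    if head == OLE2_MAGIC:
        names = ole2_stream_names(image, start)
        if "Workbook" in names or "Book" in names:   # BIFF8 / BIFF5 workbook stream
            return "xls"
        return "doc" if "WordDocument" in names else "ole2"
    if head[:4] == ZIP_MAGIC:                     # entry names are stored uncompressed
        return "xlsx" if b"xl/workbook.xml" in image[start:start + 65536] else "zip"
    return None

def carve(image):
    """Return (byte_offset, kind) for each sector-aligned candidate file start."""
    return [(s, k) for s in range(0, len(image), SECTOR) if (k := classify(image, s))]

def make_ole2(stream):
    """Constructed sample: minimal OLE2 header plus one directory sector."""
    hdr, d = bytearray(OLE2_MAGIC + bytes(SECTOR - 8)), bytearray(SECTOR)
    struct.pack_into("<H", hdr, 30, 9)            # 512-byte sectors, directory in sector 0
    for i, name in enumerate(["Root Entry", stream]):
        raw = (name + "\0").encode("utf-16-le")
        d[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<H", d, i * 128 + 64, len(raw))
    return bytes(hdr + d)

SAMPLE = bytes(3 * SECTOR) + make_ole2("Workbook") + bytes(SECTOR) + make_ole2("WordDocument")
```

On real evidence, a read-only `mmap` of an image file taken from the disk can be passed to `carve` in place of the `bytes` object, so the original drive is never touched.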
(@giamma)
Posts: 16
Active Member
Topic starter
 

OK thanks, really clear! Thinking about it, they are only xls, not xlsx.
Thanks again

 
Posted : 24/06/2014 6:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To clear the range of possibilities, it greatly depends on the specific OS that was reinstalled in 2011 AND on the EXACT method that was used to "erase" the disk.
Namely, good ol' XP did NOT wipe *anything* through the FORMAT command (both "quick" and "full") whilst in Vista (and later) the "normal" Format command (i.e. without the "quick" or /q option) will 00 write the whole disk.

So if in 2011 either Vista or 7 were installed and the disk volumes were re-formatted WITHOUT the /q switch you have 0 (zero) chances of finding anything.
If it was a reinstall of XP (or a Vista or 7 and format was used WITH the /q switch) you have some (very little) probabilities, some more if it was XP, see below.

The point is that (from experience) "business" PC's (actually their hard disk volumes, and talking of "workstations") never had an issue with having been filled up to the brim, typically the occupied space is/was

  • the OS files
  • the "typical" MS Office install
  • one or two (at the most) "vertical" softwares, usually taking little amount of space
  • user files, that typically are a bunch of Word and Excel files, maybe a few .ppt's, a number of .pdf's and the "big chunk" that is usually the Outlook or Outlook Express database

Independently from the way the volume has been formatted (if it was formatted) if an upgrade took place, a new OS (let's say 7 over XP) and a new version of Office (let's say 2010 over 2003) are so much bigger in themselves when compared to the previously existing versions that it is likely that by themselves they will take more space than the whole space occupied before by the OS+Programs+Data, so that it is very likely that the original file has been overwritten.

In any case (IF a "wiping format" has not taken place) you have not any different choice than carving those volumes, and I don't want to put you down in any way, but the chances to find that needle in the haystack are extremely low, you should know about this and tell the firm about it.

jaclaz

 
Posted : 24/06/2014 8:03 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

> In any case (IF a "wiping format" has not taken place) you have not any different choice than carving those volumes, and I don't want to put you down in any way, but the chances to find that needle in the haystack are extremely low, you should know about this and tell the firm about it.
>
> jaclaz

There is an option, better than carving, where you scan the drive for any MFT entries not part of the present file system. This might also show you where the files were stored, and hence one can find out if they have been overwritten. (I had a vaguely similar job recently and found 2 required .docx files - though many references to files that had been overwritten by new Windows 7).

I agree though, that needle and haystack describe the situation fairly well.

 
Posted : 24/06/2014 11:05 pm
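The MFT scan suggested in the post above (and as option 1 in the earlier reply), as an added example that is not part of the original thread: Python code that looks at every sector of a raw image for an NTFS `FILE` record, undoes the update-sequence fixups, and reads the `$FILE_NAME` attribute to list records naming `.xls` files. The function names, the 1024-byte record size and the sample records are assumptions constructed for illustration; deciding which hits lie outside the current `$MFT`, and so belong to the earlier file system, is left to the examiner.

```python
import struct

RECORD = 1024    # assumed MFT record size (the NTFS default)

def record_names(rec):
    """Long file names from the resident $FILE_NAME attributes of one MFT record."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    # Undo fixups: the real last 2 bytes of each sector live in the update sequence array
    for i in range(1, usa_cnt):
        src, dst = usa_off + 2 * i, 512 * i - 2
        if src + 2 <= RECORD and dst + 2 <= RECORD:
            rec[dst:dst + 2] = rec[src:src + 2]
    off, = struct.unpack_from("<H", rec, 20)   # offset of the first attribute
    names = []
    while off + 24 <= RECORD:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 24 or off + alen > RECORD:
            break                              # end marker or corrupt attribute
        body = off + struct.unpack_from("<H", rec, off + 20)[0]
        if atype == 0x30 and rec[off + 8] == 0 and body + 66 <= RECORD:
            nchars, namespace = rec[body + 64], rec[body + 65]
            if namespace != 2:                 # skip the DOS 8.3 alias
                raw = bytes(rec[body + 66:body + 66 + 2 * nchars])
                names.append(raw.decode("utf-16-le", "replace"))
        off += alen
    return names

def scan_mft_records(image, ext=".xls"):
    """Return (offset, name, in_use) for every MFT record naming a file with `ext`."""
    hits = []
    for pos in range(0, len(image) - RECORD + 1, 512):
        if image[pos:pos + 4] == b"FILE":
            in_use = bool(struct.unpack_from("<H", image, pos + 22)[0] & 1)
            hits += [(pos, n, in_use) for n in record_names(image[pos:pos + RECORD])
                     if n.lower().endswith(ext)]
    return hits

def make_record(name, in_use):   # constructed sample record with one $FILE_NAME attribute
    rec = bytearray(RECORD)
    struct.pack_into("<4sHH12xHH", rec, 0, b"FILE", 48, 3, 56, 1 if in_use else 0)
    body = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (24 + len(body) + 7) & ~7           # attributes are 8-byte aligned
    struct.pack_into("<IIB7xIH", rec, 56, 0x30, alen, 0, len(body), 24)
    rec[80:80 + len(body)] = body
    struct.pack_into("<I", rec, 56 + alen, 0xFFFFFFFF)
    return bytes(rec)

SAMPLE = bytes(512) + make_record("budget 2007.xls", False) + make_record("notes.txt", True)
```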
(@giamma)
Posts: 16
Active Member
Topic starter
 

Thanks guys for the interest.
They use Windows XP and Office 2003.
The job is frozen! They don't know on which PC the file was stored.
They moved the PCs across the department. I wrote here to know your opinion and create a discussion.
Thanks

 
Posted : 25/06/2014 1:17 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> They use Windows XP and Office 2003.

This is good news, as - unless they used a third party tool to "wipe" the volume or disk - it will give some probabilities that the sectors occupied by the file have not been overwritten, at least during the re-install phase.

I am not too sure if in this case (XP over XP) the option to look for MFT entries outside current filesystem may apply, though, in any case it is worth a try.

jaclaz

 
Posted : 25/06/2014 1:57 pm
(@giamma)
Posts: 16
Active Member
Topic starter
 

WIPE??? No jaclaz, they don't know what a wipe is!!!
Just format and reinstall!
Thanks

 
Posted : 25/06/2014 6:12 pm