Hi Folks

I am after a little help to identify some data, I have performed a number of keyword searches for some files that I am interested in.

The jpg files that I have recovered are in recovered folders, but the keyword searches are in from unallocated clusters.

··········?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-062·C:\Users\UserName\Pictures\New folder\MODELS\RenamedFolder\17\
File-name-S17-062.j? T·%···?¹·øæ·=)··¨ßÓ·Ó ···
··········Ð···············Jç²o˸»@?óúÅð·¢·················åä2 /?tL??·BABRà·?···?··Û·······
···À·?4p?Í·Ê°î·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-063·C:\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-063.j@ T·%···?¹·øæ·>)··¨ßÓ·Ó ··I+··········Ð···············Jç²o˸»@?óúÅð·¢········
·········9·Ñ&g·FAì°~ñ¿?,ð1ô··?··Û·······
···°P?4p?Í·zÏò·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-064·C:\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-064.jA T·%···?¹·øæ·?)··¨ßÓ·Ó ··ÞP··········Ð···············Jç²o˸»@?óúÅð·¢········
·········ICò·G?ôD³ÌvuQØ··Àë···?··Û·······
···°Á?4p?Í·*îö·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-065·C:\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-065.jB T·%···?¹·øæ·@)··¨ßÓ·Ó ··?·······Ð···················Jç²o˸»@?óúÅð·¢········
·········Ñg m?¸LO«x?u¸SÜtoÿñ··?··Û·······
··· ·4p?Í·J·ü·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-066·C:\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\AL

Paul  

These appear to be simply path statements , perhaps from the recent files list or something like that. Are these hits at regular offsets relative to each other? What exactly are you trying to do with this data?  

Can you post a hex view (as in, how it would look if opened in a hex editor) of this data, or a portion of it?  

And use the [ code ] tag (without the spaces next to the [ and ]) so the text appears as fixed width.


Thanks  

Not had chance to do anymore yet but will as a quick update before each file path are two windows time/date stamps the only one that matches the files are the modified date the other date does not match any of the file stamps.

I will post some hex later I need to edit some of it before I can upload.


Paul  

In a way, this thread illustrates exactly what I was referring to in this blog post:
windowsir.blogspot.com...tures.html  

Thanks Keydet89 good read

Hi Folks

Another update.

Thanks to other sources, I have been pointed to look at CurrentDatabase_372.wmdb files relating to Windows Media Player.

I have examined a couple of .wmdb files and the structure does appear to be the same. What I have found would appear to be fragments within unallocated clusters and the pagefile.sys.

Also found that the simple carver suite will Analyse Windows Media Player Databases.
Simple Carver Suite


Paul