
Help to Identify Data

(@pfenwick)
Posts: 13
Active Member
Topic starter
 

Hi Folks

I am after a little help to identify some data. I have performed a number of keyword searches for some files that I am interested in.

The jpg files that I have recovered are in recovered folders, but the keyword searches are from unallocated clusters.

··········?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-062·C\Users\UserName\Pictures\New folder\MODELS\RenamedFolder\17\
File-name-S17-062.j? T·%···?¹·øæ·=)··¨ßÓ·Ó ···
··········Ð···············Jç²o˸»@?óúÅð·¢·················åä2 /?tL??·BABRà·?···?··Û·······
···À·?4p?Í·Ê°î·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-063·C\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-063.j@ T·%···?¹·øæ·>)··¨ßÓ·Ó ··I+··········Ð···············Jç²o˸»@?óúÅð·¢········
·········9·Ñ&g·FAì°~ñ¿?,ð1ô··?··Û·······
···°P?4p?Í·zÏò·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-064·C\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-064.jA T·%···?¹·øæ·?)··¨ßÓ·Ó ··ÞP··········Ð···············Jç²o˸»@?óúÅð·¢········
·········ICò·G?ôD³ÌvuQØ··Àë···?··Û·······
···°Á?4p?Í·*îö·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-065·C\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\File-name-S17-065.jB T·%···?¹·øæ·@)··¨ßÓ·Ó ··?·······Ð···················Jç²o˸»@?óúÅð·¢········
·········Ñg m?¸LO«x?u¸SÜtoÿñ··?··Û·······
··· ·4p?Í·J·ü·ê?Í··············?···?m·m·m?q?u·u·u·u·u·u·File-name-S17-066·C\Users\UserName\Pictures\New folder\MOD
ELS\RenamedFolder\17\AL

Paul

 
Posted : 27/02/2013 1:26 pm
Beetle
(@beetle)
Posts: 318
Reputable Member
 

These appear to be simply path statements, perhaps from the recent files list or something like that. Are these hits at regular offsets relative to each other? What exactly are you trying to do with this data?

 
Posted : 27/02/2013 6:07 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can you post a hex view (as in, how it would look if opened in a hex editor) of this data, or a portion of it?

 
Posted : 27/02/2013 6:11 pm
Bulldawg
(@bulldawg)
Posts: 190
Estimable Member
 

And use the [ code ] tag (without the spaces next to the [ and ]) so the text appears as fixed width.

[code]
Like this
so the text
lines up in
columns
[/code]

Thanks

 
Posted : 27/02/2013 6:41 pm
(@pfenwick)
Posts: 13
Active Member
Topic starter
 

Not had chance to do any more yet but will. As a quick update: before each file path are two Windows time/date stamps. The only one that matches the files is the modified date; the other date does not match any of the file stamps.

I will post some hex later; I need to edit some of it before I can upload.

Paul

 
Posted : 27/02/2013 7:55 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

In a way, this thread illustrates exactly what I was referring to in this blog post:
http://windowsir.blogspot.com/2013/02/binmode-understanding-data-structures.html

 
Posted : 27/02/2013 9:05 pm
(@pfenwick)
Posts: 13
Active Member
Topic starter
 

Thanks Keydet89, good read.

Hi Folks

Another update.

Thanks to other sources, I have been pointed to look at CurrentDatabase_372.wmdb files relating to Windows Media Player.

I have examined a couple of .wmdb files and the structure does appear to be the same. What I have found would appear to be fragments within unallocated clusters and the pagefile.sys.

Also found that the Simple Carver Suite will analyse Windows Media Player databases.
Simple Carver Suite

Paul

 
Posted : 27/02/2013 9:52 pm
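
The thread mentions two Windows time/date stamps sitting before each file path in the fragments. As an added example (not code from any poster in the thread), this Python sketch scans the bytes preceding a keyword hit for values that decode as plausible 64-bit FILETIMEs. It assumes the stamps are little-endian FILETIMEs; the sample buffer, path, dates and field order are constructed for the demo and are not the real .wmdb record layout.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """Aware datetime -> FILETIME, using integer arithmetic only."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def filetimes_before(buf, hit, window=32,
                     lo=datetime(1995, 1, 1, tzinfo=timezone.utc),
                     hi=datetime(2030, 1, 1, tzinfo=timezone.utc)):
    """Return [(offset, datetime)] for every 8-byte little-endian value in the
    `window` bytes before `hit` that decodes to a date between lo and hi.
    Every byte offset is tried because alignment in a fragment is unknown."""
    lo_ft, hi_ft = dt_to_filetime(lo), dt_to_filetime(hi)
    found = []
    for off in range(max(0, hit - window), hit - 7):
        (value,) = struct.unpack_from("<Q", buf, off)
        if lo_ft <= value <= hi_ft:
            found.append((off, filetime_to_dt(value)))
    return found

# Constructed sample: filler, two FILETIMEs, then a UTF-16LE path.
# This layout is an assumption for the demo, not the real .wmdb record format.
MODIFIED = datetime(2013, 2, 20, 10, 15, 30, tzinfo=timezone.utc)
OTHER = datetime(2013, 2, 21, 8, 0, 0, tzinfo=timezone.utc)
PATH = r"C:\Users\UserName\Pictures\example.jpg".encode("utf-16-le")
SAMPLE = (b"\xff" * 16
          + struct.pack("<QQ", dt_to_filetime(OTHER), dt_to_filetime(MODIFIED))
          + PATH)

if __name__ == "__main__":
    hit = SAMPLE.find(PATH)  # stands in for a keyword-search hit offset
    for off, when in filetimes_before(SAMPLE, hit):
        print(f"offset {off:#06x} (hit-{hit - off}): {when.isoformat()}")
```

Comparing the decoded values against the recovered files' modified, accessed and created times shows which stamp the structure stores; a date range filter this wide will still produce occasional false positives on real unallocated data.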