±Partners and Sponsors

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 0
New Yesterday: 0
Overall: 27101
Visitors: 58

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

File recovery in x-ways

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

File recovery in x-ways

Post Posted: Thu Nov 22, 2012 10:40 am

Hi,

I am very new to this area so any help would be greatly appreciated. I have been given a raw image of a usb key and asked to retrieve user files. So far using x-ways file recovery I have found 12 - 3 actual files and 9 headers. The problem is that I dont know what to do next. I need to find information on the 9 headers but dont know where to start. In my case report in xways the offsets and content of the other 3 files were retrieved but nothing on the missing 9 headers. Any hints or tips would be great.

Thanks  

lorrie
Newbie
 
 
  

Re: File recovery in x-ways

Post Posted: Thu Nov 22, 2012 1:14 pm

Homework?

What have you discovered from your research about the structure of "headers" or wider structure of the FAT FS?  

Fab4
Senior Member
 
 
  

Re: File recovery in x-ways

Post Posted: Thu Nov 22, 2012 6:38 pm

It's all about "Refine volume snapshot." Read the X-Ways help/manual about what options to select here. This is where the carving occurs.
_________________
Scott Tucker
Aptegra Consulting, LLC
www.aptegra.com 

TuckerHST
Senior Member
 
 
  

Re: File recovery in x-ways

Post Posted: Fri Nov 23, 2012 2:30 am

What Tucker said. Xways is a very powerful and flexible tool, however not the easiest tool to just pick up and figure out what to do.

The user manual is very detailed, but again not written with a novice user in mind, but persevere and you will find the answers you need.  

Adam10541
Senior Member
 
 
  

Re: File recovery in x-ways

Post Posted: Fri Nov 23, 2012 5:17 am

- lorrie
I have been given a raw image of a usb key and asked to retrieve user files.

Conceptually is it "forensics" or "data recovery"?
Is it "real life" or a "test/exam/exercise"?

In any case the info you provide is lacking any meaningful detail. things like size of the device, filesystem used, OS under which the files were supposedly written to the stick, what actually was performed to "delete" them, the actual type and size of files, as an example are all data needed to suggest a course of action.

This may be of use as a general reference:
homepage.ntlworld.com....itany.html

please be aware of the risk of slipping on a chocolate covered banana Shocked :
homepage.ntlworld.com....anana.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: File recovery in x-ways

Post Posted: Mon Nov 26, 2012 4:43 am

You may want to consider other data recovery tools that might be easier to use than x-ways. E.g. this one www.diskinternals.com/...-recovery/ or this one www.the-undelete.com/w...covery.php or any other tool that can work with drive images in addition to physical devices. Then you will need to perform a full scan of the image (PowerSearch, SmartScan and other names for the same procedure, which works similar to file carving).
_________________
Digital Evidence Extraction Software
belkasoft.com 

Belkasoft
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1