File recovery in x-...
 
Notifications
Clear all

File recovery in x-ways

6 Posts
6 Users
0 Likes
448 Views
(@lorrie)
Posts: 1
New Member
Topic starter
 

Hi,

I am very new to this area so any help would be greatly appreciated. I have been given a raw image of a usb key and asked to retrieve user files. So far using x-ways file recovery I have found 12 - 3 actual files and 9 headers. The problem is that I dont know what to do next. I need to find information on the 9 headers but dont know where to start. In my case report in xways the offsets and content of the other 3 files were retrieved but nothing on the missing 9 headers. Any hints or tips would be great.

Thanks

 
Posted : 22/11/2012 8:40 pm
Fab4
 Fab4
(@fab4)
Posts: 173
Estimable Member
 

Homework?

What have you discovered from your research about the structure of "headers" or wider structure of the FAT FS?

 
Posted : 22/11/2012 11:14 pm
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

It's all about "Refine volume snapshot." Read the X-Ways help/manual about what options to select here. This is where the carving occurs.

 
Posted : 23/11/2012 4:38 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

What Tucker said. Xways is a very powerful and flexible tool, however not the easiest tool to just pick up and figure out what to do.

The user manual is very detailed, but again not written with a novice user in mind, but persevere and you will find the answers you need.

 
Posted : 23/11/2012 12:30 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have been given a raw image of a usb key and asked to retrieve user files.

Conceptually is it "forensics" or "data recovery"?
Is it "real life" or a "test/exam/exercise"?

In any case the info you provide is lacking any meaningful detail. things like size of the device, filesystem used, OS under which the files were supposedly written to the stick, what actually was performed to "delete" them, the actual type and size of files, as an example are all data needed to suggest a course of action.

This may be of use as a general reference
http//homepage.ntlworld.com./jonathan.deboynepollard/FGA/problem-report-standard-litany.html

please be aware of the risk of slipping on a chocolate covered banana 😯
http//homepage.ntlworld.com./jonathan.deboynepollard/FGA/put-down-the-chocolate-covered-banana.html

jaclaz

 
Posted : 23/11/2012 3:17 pm
(@belkasoft)
Posts: 169
Estimable Member
 

You may want to consider other data recovery tools that might be easier to use than x-ways. E.g. this one http//www.diskinternals.com/partition-recovery/ or this one http//www.the-undelete.com/windows_partition_recovery.php or any other tool that can work with drive images in addition to physical devices. Then you will need to perform a full scan of the image (PowerSearch, SmartScan and other names for the same procedure, which works similar to file carving).

 
Posted : 26/11/2012 2:43 pm
Share: