Notifications
Clear all

File Carving

8 Posts
7 Users
0 Likes
808 Views
(@kirby-11)
Posts: 5
Active Member
Topic starter
 

Hi All,

Im new to file carving and to introduce us to the topic, are university gave us some files to try and create some usable files from them.

One of them was in the form of an .exe. So far, I have been able to get a photo out of the exe. After looking through the exe in Frhed, its look to me that there is also an excel spreadsheet- but I'm struggling to make this into a document.

The file can be found here broken2.exe

This file is on my Google Drive.

If there are any tools out there which anyone can recommend to use which would solve this (and help me further down the road, please share!)

Thanks
Connor

 
Posted : 25/02/2014 8:20 pm
(@jtingkir)
Posts: 21
Eminent Member
 

you might wanna try foremost or photorec.

 
Posted : 26/02/2014 6:32 pm
(@belkasoft)
Posts: 169
Estimable Member
 

You could do a full format of a small memory card to make sure it's completely empty. Then save this file onto the card, and use any carving tool (such as made by our company) to see what's available. I think this is the easiest way to do it.

 
Posted : 28/02/2014 9:31 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

This file has damaged header.

replace string "7A 7A 7A 7A" of file broken2.exe to string "FF D8 FF E0"
and rename "broken2.exe" to "broken2.jpg"

 
Posted : 01/03/2014 7:46 am
(@mscotgrove)
Posts: 938
Prominent Member
 

The .XLS document does exist

Nothing complex except that the carving program has to determine that it is a .xls rather than a .doc

The header for the photo has been corrupted

 
Posted : 01/03/2014 9:00 am
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Nevertheless, it is good exercise. D

 
Posted : 01/03/2014 9:12 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Nothing complex except that the carving program has to determine that it is a .xls rather than a .doc

Quick test.
Mount the .exe "as is" with IMDISK.
Run Photorec on the drive letter assigned to the mounted "disk image".
Result is f167.xls (perfectly fine when opened in Excel).

jaclaz

 
Posted : 01/03/2014 5:09 pm
(@cults14)
Posts: 367
Reputable Member
 

Quick test.
Mount the .exe "as is" with IMDISK.
Run Photorec on the drive letter assigned to the mounted "disk image".
Result is f167.xls (perfectly fine when opened in Excel).

jaclaz

Thanks jaclaz )

 
Posted : 03/03/2014 7:50 pm
Share: