Encase how to recover broken excel files  

irfanion
(@irfanion)
New Member

Hello Forensic Folks, let's cut to the chase: the suspect's laptop is using an SSD. I'm using EnCase v8. I found that all the important data is marked with the permanently deleted tick and the is_deleted tab is true. Is there any way to recover these files? Especially the Excel ones. EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. Files are damaged.

I also tried to recover using free online Excel recovery tools and it doesn't help.

Any inputs are welcome. Thanks

Posted : 29/03/2019 11:10 am
kastajamah
(@kastajamah)
Member

You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.

Posted : 29/03/2019 1:58 pm
keydet89
(@keydet89)
Community Legend

Volume Shadow Copies?

Posted : 29/03/2019 4:56 pm
jhup
(@jhup)
Community Legend

Carve the Excel file as much as possible, then some more, and give it to 7-Zip.

Posted : 30/03/2019 2:27 pm
irfanion
(@irfanion)
New Member

You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.

Some files are overwritten and some are permanently deleted. I know if it's overwritten it is impossible to recover. But what I don't understand is that all those files have the 'is_deleted tab' true. is_deleted means those files are going to the recycle bin but are not permanently deleted. It means those files can be recovered. But not in this case.

Also, I can get nothing from the hex view, it's just random strings and weird symbols.

https://www.forensicfocus.com/Forums/viewtopic/t=3783/

Posted : 01/04/2019 6:00 am
jaclaz
(@jaclaz)
Community Legend

Also, I can get nothing from the hex view, it's just random strings and weird symbols.

Hmmm.
What would you have expected, instead? 😯

I mean, create an Excel file.
Have a look at it with a hex viewer.
Can you find *any* pattern or recognizable text?
Or are you seeing anyway "just random strings and weird symbols"?

Recent MS Office files (.docx and .xlsx) are nothing but a .zip (PK zip compatible) archive containing a number of .xml files; like *any* zip archive, in a hex view they look essentially like "just random strings and weird symbols".

You need to parse them with a .zip recovery tool or similar.

As a reference, check this seemingly totally unrelated discussion thread:
http://reboot.pro/topic/12255-need-help-with-virtual-floppy/

jaclaz

Posted : 01/04/2019 10:00 am
hommy0
(@hommy0)
Member

If you're using EnCase, the following EnScript from EnCase App Central could be used for recovery of entries from a zip archive:

https://www.guidancesoftware.com/app/zip-index-entry-finder

This will identify the individual entries from a zip archive (using the local file header 0x50 0x4B 0x03 0x04); it will then repair it by adding the central directory and, if required, create a LEF to be brought back into EnCase.

There is also a condition to restrict your carving based on components of the local file header:
Name (within the archive), CRC32, Modified Date, and Uncompressed size.

Make an Excel file, change the extension to zip and open it using WinRAR/7-Zip. Look at the construction of the archive, identify what you might need, for example xl/worksheets/sheet1.xml, and see what can be recovered.

To answer the other point of the "Is Deleted" column:
This does not relate exclusively to an entry in the Windows Recycle Bin, since a file in the Recycle Bin is still allocated and is not deleted until it is emptied from the Recycle Bin.
EnCase will make this value TRUE for a file/folder that has the status of Deleted as indicated for NTFS in the $MFT record header.

Regards

Posted : 01/04/2019 10:35 am
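Added example, not part of the thread and not the EnScript linked above: a Python sketch of the same carving idea, scanning a damaged buffer for the local file header signature 0x50 0x4B 0x03 0x04, reading the name, CRC32 and sizes from each header, and inflating whatever survives of each entry without needing the central directory. The sample input is constructed in `build_sample()`, and all function names are assumptions of this example.

```python
import io, struct, zipfile, zlib

LFH_SIG = b"PK\x03\x04"      # local file header signature named in the post
LFH_FMT = "<4sHHHHHIIIHH"    # 30-byte fixed part of the local file header

def build_sample():
    """Constructed input: xlsx-like zip, slack prepended, central directory cut off."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>" * 20)
        cells = "".join(f"<c r='A{i}'><v>{i * 7}</v></c>" for i in range(200))
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet>" + cells + "</worksheet>")
    raw = buf.getvalue()
    return b"\x00" * 37 + raw[:raw.find(b"PK\x01\x02")]

def inflate_partial(raw):
    """Raw-deflate as far as the bytes allow; returns (data, stream_reached_its_end)."""
    d, out = zlib.decompressobj(-15), bytearray()
    try:
        for i in range(0, len(raw), 512):
            out += d.decompress(raw[i:i + 512])
            if d.eof:
                break
    except zlib.error:
        pass                 # keep what was decoded before the damaged bytes
    return bytes(out), d.eof

def carve_entries(blob):
    """Return one record per local file header found anywhere in blob."""
    found, pos = [], blob.find(LFH_SIG)
    while pos != -1:
        if pos + 30 <= len(blob):
            (_, _, flags, method, _, _, crc, csize, usize, nlen, elen) = \
                struct.unpack_from(LFH_FMT, blob, pos)
            name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
            start = pos + 30 + nlen + elen
            # flag bit 3: sizes/CRC sit in a trailing descriptor, so let deflate find its end
            raw = blob[start:] if flags & 8 else blob[start:start + csize]
            if method == 8:                       # deflate
                data, complete = inflate_partial(raw)
            elif method == 0:                     # stored
                data, complete = raw, len(raw) == csize
            else:
                data, complete = b"", False
            ok = complete and not flags & 8 and zlib.crc32(data) == crc
            found.append({"name": name, "offset": pos, "expected": usize,
                          "data": data, "status": "ok" if ok else "partial"})
        pos = blob.find(LFH_SIG, pos + 4)
    return found
```

Calling `carve_entries(build_sample()[:-40])` simulates an entry whose tail is lost: the first entry verifies against its CRC32, while the worksheet comes back as a `partial` record holding the XML that could still be inflated.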
watcher
(@watcher)
Member

… the suspect's laptop is using an SSD. … EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. Files are damaged. …
I also tried to recover using free online Excel recovery tools and it doesn't help.

If the laptop was running a properly functioning TRIM with the SSD (surprisingly many don't), you're unlikely to recover the deleted file contents.

Your best bet was already posted

Volume Shadow Copies?

^^^^^^^^ This ^^^^^^^^^^^^

Posted : 01/04/2019 5:06 pm
irfanion
(@irfanion)
New Member

… the suspect's laptop is using an SSD. … EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. Files are damaged. …
I also tried to recover using free online Excel recovery tools and it doesn't help.

If the laptop was running a properly functioning TRIM with the SSD (surprisingly many don't), you're unlikely to recover the deleted file contents.

Your best bet was already posted

Volume Shadow Copies?

^^^^^^^^ This ^^^^^^^^^^^^

I know it's not easy if the medium is an SSD, so I am trying to ask for help here and on other forums. Hope I can get some revelation.

Yes, already tried that. Found the files, still can't be opened. File damaged/corrupted. I've tried to open it as zip, and extract the xml. It is broken. Thanks for your input though.

What's bothering me is that the suspect deleted those files on 3/21 at midnight, and we did the acquisition on 3/22 in the evening. I'm quite sure he's not tech savvy and doesn't know about anti-forensics and so on.

Posted : 02/04/2019 3:31 am
jaclaz
(@jaclaz)
Community Legend

Yes, already tried that. Found the files, still can't be opened. File damaged/corrupted. I've tried to open it as zip, and extract the xml. It is broken. Thanks for your input though.

And AGAIN "damaged/corrupted" or "failed to open as zip" may still (or it may not) mean that a given file is (totally or partially) recoverable.

How many different zip recovery tools have you run without results on these files?
0, 1 or 5?

jaclaz

Posted : 02/04/2019 11:23 am
watcher
(@watcher)
Member

… Yes, already tried that. Found the files, still can't be opened. File damaged/corrupted. I've tried to open it as zip, and extract the xml. It is broken. …

By "that", I assume you mean "Shadow Copies"?

Out of curiosity, how many shadow versions did you find?
What were their associated dates?

Were they all corrupt?

Posted : 02/04/2019 3:40 pm
sandra142
(@sandra142)
New Member

Broken Excel file issue generally occurs due to some corruption error encountered in Excel workbook. Well opening of such damaged or corrupt Excel file is possible by making use of Open and Repair, Excel AutoBackup and Excel AutoRecover feature, and through several other options.

Read on to know how to fix “Failed To Parse The Corrupted Excel File” error to resolve broken excel file issue.

Posted : 05/12/2019 5:25 am
nightworker
(@nightworker)
Active Member

Excel is a zip file that contains XML data, so use raw recovery for zip and expand compound files. Inside the compounds, search the XML body for Excel.

Posted : 05/12/2019 6:59 am