Encase how to recover broken excel files

(@irfanion)
Posts: 4
New Member
Topic starter
 

Hello Forensic Folks, let's cut to the chase: the suspect's laptop is using an SSD. I'm using EnCase v8. I found that all the important data is marked with the permanently deleted tick and the is_deleted tab is true. Is there any way to recover these files? Especially the Excel ones. EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. The files are damaged.

I also tried to recover them using free online Excel recovery tools and it doesn't help.

Any inputs are welcome. Thanks

 
Posted : 29/03/2019 11:10 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.

 
Posted : 29/03/2019 1:58 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Volume Shadow Copies?

 
Posted : 29/03/2019 4:56 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Carve the Excel file as much as possible, then some more, and give it to 7-Zip.

 
Posted : 30/03/2019 2:27 pm
(@irfanion)
Posts: 4
New Member
Topic starter
 

You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.

Some files are overwritten and some are permanently deleted. I know if it's overwritten it is impossible to recover. But what I don't understand is that all those files have the 'is_deleted tab' true. is_deleted means those files are going to the recycle bin but are not permanently deleted. It means those files can be recovered. But not in this case.

Also, I can get nothing from the hex view, it's just random strings and weird symbols.

https://www.forensicfocus.com/Forums/viewtopic/t=3783/

 
Posted : 01/04/2019 5:00 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also, I can get nothing from the hex view, it's just random strings and weird symbols.

Hmmm.
What would you have expected, instead? 😯

I mean, create an Excel file.
Have a look at it with a hex viewer.
Can you find *any* pattern or recognizable text?
Or are you seeing anyway "just random strings and weird symbols"?

Recent MS Office files (.docx and .xlsx) are nothing but a .zip (PK zip compatible) archive containing a number of .xml files; like *any* zip archive, in a hex view they look essentially like "just random strings and weird symbols".

You need to parse them with a .zip recovery tool or similar.

As a reference, check this seemingly totally unrelated discussion thread:
http://reboot.pro/topic/12255-need-help-with-virtual-floppy/

jaclaz

 
Posted : 01/04/2019 9:00 am
(@hommy0)
Posts: 98
Trusted Member
 

If you're using EnCase, the following EnScript from EnCase App Central could be used for recovery of entries from a zip archive:

https://www.guidancesoftware.com/app/zip-index-entry-finder

This will identify the individual entries from a zip archive (using the local file header 0x50 0x4B 0x03 0x04); it will then repair, adding the central directory, and if required create a LEF to be brought back into EnCase.

There is also a condition to restrict your carving based on components of the local file header: Name (within the archive), CRC32, Modified Date, and Uncompressed size.

Make an Excel file, change the extension to zip and open it using WinRAR/7-Zip. Look at the construction of the archive and identify what you might need, so for example xl/worksheets/sheet1.xml, and see what can be recovered.

To answer the other point about the "Is Deleted" column:
This does not relate exclusively to an entry in the Windows Recycle Bin, since a file in the Recycle Bin is still allocated and is not deleted until it is emptied from the Recycle Bin.
EnCase will make this value TRUE for a file/folder that has the status of Deleted as indicated for NTFS in the $MFT record header.

Regards

 
Posted : 01/04/2019 9:35 am
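The carving approach described in the two posts above (an .xlsx is a zip, and its entries can be located by the local file header signature without a central directory), as an added Python example that is not part of the thread and is not the EnScript's code. The function names and the sample archive are constructed for illustration; the sample is a tiny xlsx-like zip with leading slack, no central directory, and a truncated last entry.

```python
import io, struct, zipfile, zlib

LFH_SIG = b"PK\x03\x04"  # local file header: 0x50 0x4B 0x03 0x04

def inflate_partial(raw):
    """Raw-deflate decode in chunks so output before a damaged spot is kept."""
    d, out = zlib.decompressobj(-15), bytearray()
    try:
        for i in range(0, len(raw), 512):
            out += d.decompress(raw[i:i + 512])
            if d.eof:
                break
    except zlib.error:
        pass  # corrupt stream: keep what was decoded so far
    return bytes(out), d.eof

def carve_zip_entries(blob):
    """Find ZIP local file headers in raw bytes; no central directory needed."""
    entries, pos = [], blob.find(LFH_SIG)
    while pos != -1:
        hdr = blob[pos:pos + 30]
        if len(hdr) == 30:
            (_sig, _ver, _flags, method, _mtime, _mdate, crc, csize, usize,
             nlen, xlen) = struct.unpack("<4s5H3L2H", hdr)
            if method in (0, 8) and 0 < nlen < 256:  # drop chance signature hits
                name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
                start = pos + 30 + nlen + xlen
                raw = blob[start:start + csize] if csize else blob[start:]
                data, done = inflate_partial(raw) if method == 8 else (raw, True)
                complete = done and len(data) == usize
                entries.append({"name": name, "offset": pos, "data": data,
                                "complete": complete,
                                "crc_ok": complete and zlib.crc32(data) == crc})
        pos = blob.find(LFH_SIG, pos + 4)
    return entries

def make_damaged_sample():
    """Constructed test data: a tiny xlsx-like archive, cut mid-stream."""
    sheet = ("<worksheet>" + "".join(f"<row r='{i}'><c><v>{i * 7}</v></c></row>"
                                     for i in range(300)) + "</worksheet>").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        last = zf.infolist()[-1]
    cut = last.header_offset + 30 + len(last.filename) + last.compress_size // 2
    return b"\x00" * 512 + buf.getvalue()[:cut], sheet  # slack + truncated zip

if __name__ == "__main__":
    blob, _ = make_damaged_sample()
    for e in carve_zip_entries(blob):
        print(e["offset"], e["name"], len(e["data"]), e["complete"], e["crc_ok"])
```

Entries written with a data descriptor (general-purpose flag bit 3) carry zero CRC and sizes in the local header, so this sketch reports them as incomplete even when the stream decodes fully. Run it against a working copy of exported unallocated space or a carved file, never the original evidence.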
watcher
(@watcher)
Posts: 125
Estimable Member
 

… the suspect's laptop is using an SSD. … EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. The files are damaged. …
I also tried to recover them using free online Excel recovery tools and it doesn't help.

If the laptop was running a properly functioning TRIM with the SSD (surprisingly many don't), you're unlikely to recover the deleted file contents.

Your best bet was already posted:

Volume Shadow Copies?

^^^^^^^^ This ^^^^^^^^^^^^

 
Posted : 01/04/2019 4:06 pm
(@irfanion)
Posts: 4
New Member
Topic starter
 

… the suspect's laptop is using an SSD. … EnCase only gives me the names of the files, and when I try to recover an Excel file, for instance, it cannot be opened. The files are damaged. …
I also tried to recover them using free online Excel recovery tools and it doesn't help.

If the laptop was running a properly functioning TRIM with the SSD (surprisingly many don't), you're unlikely to recover the deleted file contents.

Your best bet was already posted:

Volume Shadow Copies?

^^^^^^^^ This ^^^^^^^^^^^^

I know it's not easy if the medium is an SSD, so I tried to ask for help here and on other forums. Hope I can get some revelation :)

Yes, already tried that. Found the files, still can't be opened. File damaged/corrupted. I've tried to open it as a zip and extract the xml. It is broken. Thanks for your input though.

What's bothering me is that the suspect deleted those files on 3/21 at midnight, and we did the acquisition on 3/22 in the evening. I'm quite sure he's not tech savvy and doesn't know about anti-forensics and so on.

 
Posted : 02/04/2019 2:31 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yes, already tried that. Found the files, still can't be opened. File damaged/corrupted. I've tried to open it as zip, and extract the xml. It is broken. Thanks for your input though.

And AGAIN "damaged/corrupted" or "failed to open as zip" may still (or it may not) mean that a given file is (totally or partially) recoverable.

How many different zip recovery tools have you run without results on these files?
0, 1 or 5?

jaclaz

 
Posted : 02/04/2019 10:23 am