Corrupt or strange file headers.
I am working on a case where the PC has 2 drives, a 250GB SSD (OS) and a 960GB SSD (storage). The 960 SSD is packed full of data. I was trying to work on some virtual machines they had stored on this drive but found ALL the files to be corrupt or not playable. On closer inspection I noted that the file headers were completely wrong. As I examined the entire contents of the drive I noted that MOST of the files had corrupt headers, whatever file type they were. I then noted that there was a recurring error where several/numerous files had the exact same few (incorrect) bytes at the start of the files. Examples as follows:
There are about 9 variations on the corrupt bytes and these reoccur across the entire drive.
I have tried a few things myself without success and hit Google with little success so far.
Not sure if this is a drive error, some form of wear levelling, the suspect has an application that does this or the original E01 files are damaged.
But I have run out of ideas and forensic talent.... Anybody got any ideas, please?
All the best - Mark Boast - Suffolk DFU
You say the file headers are corrupted. I am not clear if the rest of the file is valid. If the file system has become corrupted, it is possible you may be reading the middle of files.
I would try and run data carving on the disk to see if it finds files that are valid. Carving will ignore the file system. If you find valid files, you can look and see why. No valid files and you can try and see why the disk is corrupted.
@mscotgrove Hi Michael, thank you for your reply. All I can say, so far, is that there are about 9 'strange' headers on this drive. They are repeated across all file types on the drive. On the SSD he has an image folder called 'York 2012'. This has 15 images in it. 1 of them plays fine but the other 14 are all 'corrupted' with the same various 9 headers. On a separate 1TB drive he has the same folder. On the 1TB drive ALL the files play fine. Comparing the attributes, the files, on both drives, appear identical in all aspects including physical size.
It would appear that if I compare a corrupt 41KB TEXT file with one of the corrupt YORK image files (1.2MB) then the first 41KB of both files match... the only difference highlighted by the comparison app is that the image file is bigger / longer (obviously)... but 'size for size' the corrupt files (of the same dodgy header) all match?!?
The only difference identified by the comparison software is the obvious difference in file size, but whatever length the smaller file is - the 2 files match identically for that length??
I am still stumped?!?
Did you consider if the hard disk is encrypted? Maybe that's the reason.
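The comparison described earlier in the thread (unrelated files sharing the same leading bytes, with the smaller file matching the larger one for its whole length) can be run across a whole mounted image. This is an added example, not part of the original posts; the 16-byte header length and all function names are assumptions, and files are only opened for reading.

```python
import os
import sys
from collections import defaultdict

HEADER_LEN = 16  # assumption: how many leading bytes count as the "header"

def group_by_header(root, header_len=HEADER_LEN):
    """Map each distinct leading-byte string to the files that start with it."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # read-only access to evidence
                    head = fh.read(header_len)
            except OSError:
                continue  # unreadable entry: skip it, keep walking
            if len(head) == header_len:
                groups[head].append(path)
    # A header shared by several files of different types is the anomaly.
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}

def common_prefix_len(path_a, path_b, chunk=1 << 16):
    """Count the identical leading bytes of two files, reading in chunks."""
    total = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(chunk), fb.read(chunk)
            n = min(len(a), len(b))
            if a[:n] != b[:n]:
                return total + next(i for i in range(n) if a[i] != b[i])
            total += n
            if n < chunk:  # one of the files has ended
                return total

def prefix_matches(root, header_len=HEADER_LEN):
    """Per shared header: how far each file matches the smallest file."""
    report = []
    for head, paths in group_by_header(root, header_len).items():
        paths.sort(key=os.path.getsize)
        ref, ref_size = paths[0], os.path.getsize(paths[0])
        for other in paths[1:]:
            matched = common_prefix_len(ref, other)
            # True in the last column: the smaller file is a pure prefix.
            report.append((head.hex(), ref, other, matched, matched == ref_size))
    return report

if __name__ == "__main__":
    for row in prefix_matches(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*row, sep="\t")
```

Each row gives the shared header in hex, the smallest file in that group, the file compared against it, the number of matching leading bytes, and whether the smaller file is entirely contained at the start of the larger one.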