Deleted data showing up as corrupt?
I took a forensic image of a 500 GB PC hard drive using FTK Imager. The image was created successfully. I then processed the image in FTK 6.4 and ran data carving (no custom, just selected from the default file types). My goal with this project is to recover deleted files, so I used the deleted files filter and found all deleted data.
I started going through the deleted data set (about 22,000 files) and realized a massive portion of this data set seems to be corrupted - files with the proper extensions (like jpg, xls, etc.) are showing up categorized as ANSI 8, ASCII 7, Unknown, 7 bit text, etc. These files won't display natively and rather show up as bad files or as a page of randomized text.
I am wondering if anyone has seen this issue before where extensions and category do not match, if it is abnormal, and if there is any advice on how to recover the corrupted data? Or is this more likely to be a messy data set and I will only be able to recover a portion of the total set? I considered running additional analysis but figured that would not help. I know files can be carved by hand using hex, but the sheer mass of this data set deters us from going that route. Thanks for any help/advice.
Could be a number of reasons; you don't need to manually carve out all of them. Pick one and manually verify it.
Could be an issue with the acquisition where it had trouble reading parts of the drive.
Could be an issue with the tool not pulling the data properly from the image.
Could be just an issue where most of the data was overwritten. The $MFT or whatever FS was used could have a record for the file but the data itself has already been overwritten.
You'll need to test and verify either manually or with another tool to be sure.
I would try using (if the idea is to recover data) a data recovery tool; the first two I would try would be PhotoRec and DMDE.
Loosely, the approach you took (list all deleted files, and then "filter" them) might be better for recently deleted and fragmented files, but if the files are still there in non-fragmented form, a "not filesystem-based" assumption might IMHO give, if not more, "better" results, i.e. at least give you the files that are still valid/readable.
If you prefer, the list of all deleted files might be good as a list of filenames, while "direct" file signature based recovery may provide you with (some of) their (nameless) content.
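The two checks suggested above (pick a few "deleted" entries and verify whether their content actually matches the extension, and recover by file signature rather than by filesystem record) can be scripted. The following is an added example, not code from the thread or from FTK, PhotoRec or DMDE: `SIGNATURES`, `SAMPLE_DELETED` and `build_sample_image()` are constructed stand-ins for a deleted-file listing and a disk image, and `classify()` / `carve_jpegs()` are illustrative helpers, not any tool's API.

```python
"""Added example: triage a filesystem-based deleted-file listing by comparing
each name's extension with the content's magic bytes, then carve JPEGs from an
image by signature alone. All input data below is constructed."""
import string

# Well-known leading signatures keyed by extension (constructed table).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "xls": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound file (.xls/.doc/.ppt)
    "xlsx": (b"PK\x03\x04",),                        # OOXML is a ZIP container
    "zip": (b"PK\x03\x04",),
}
_TEXT_BYTES = set(string.printable.encode("ascii"))
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def detect_type(data):
    """Extension whose signature matches the start of data, or None."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def looks_like_text(data, sample=512):
    """True if the first `sample` bytes are all printable ASCII (a '7 bit text' hit)."""
    head = data[:sample]
    return bool(head) and all(b in _TEXT_BYTES for b in head)


def classify(name, data):
    """Return (verdict, type): 'intact' if the bytes match the extension,
    'overwritten' if another known signature is present (clusters reused by a
    different file), 'text' for plain ASCII, 'unknown' otherwise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if not data:
        return ("empty", None)
    if ext in SIGNATURES and any(data.startswith(s) for s in SIGNATURES[ext]):
        return ("intact", ext)
    detected = detect_type(data)
    if detected is not None:
        return ("overwritten", detected)
    if looks_like_text(data):
        return ("text", None)
    return ("unknown", None)


def triage(entries):
    """entries: iterable of (name, data) as a deleted-file listing would yield."""
    return {name: classify(name, data) for name, data in entries}


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Header/footer carve that ignores the filesystem. Returns (carved, truncated):
    carved = [(offset, bytes)] for each SOI followed by an EOI with no other SOI in
    between; truncated = offsets of SOI headers whose tail was lost. Embedded EXIF
    thumbnails carry their own SOI/EOI and would confuse this naive scan."""
    carved, truncated, pos = [], [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        limit = start + max_size
        end = image.find(JPEG_EOI, start + 3, limit)
        nxt = image.find(JPEG_SOI, start + 3, end if end >= 0 else limit)
        if end < 0 or nxt >= 0:          # no trailer before the next header
            truncated.append(start)
            pos = nxt if nxt >= 0 else start + 3
            continue
        carved.append((start, image[start:end + 2]))
        pos = end + 2
    return carved, truncated


def build_sample_image():
    """Constructed stand-in for a disk image: an intact JPEG, a JPEG whose tail
    was overwritten by a text file, a PDF fragment, and a second intact JPEG."""
    jpeg1 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI
    partial = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x03" * 20   # no EOI
    text = b"Quarterly figures: Q1 1200 Q2 1350\r\n" * 4
    pdf = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"
    jpeg2 = b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"\x02" * 60 + JPEG_EOI
    gap = b"\x00" * 64
    return gap + jpeg1 + gap + partial + text + gap + pdf + gap + jpeg2


SAMPLE_DELETED = [  # constructed "deleted files" listing: names from the FS, data from disk
    ("IMG_0412.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 40 + JPEG_EOI),
    ("budget.xls", b"Quarterly figures: Q1 1200 Q2 1350\r\n" * 4),  # clusters reused by text
    ("notes.xls", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),                 # clusters reused by a PDF
    ("scan.jpg", b"\x00" * 32),                                      # zeroed
]

if __name__ == "__main__":
    for name, (verdict, kind) in triage(SAMPLE_DELETED).items():
        print(f"{name:14} {verdict:12} {kind or ''}")
    carved, truncated = carve_jpegs(build_sample_image())
    print("carved JPEG offsets:", [off for off, _ in carved], "truncated at:", truncated)
```

Running `triage()` over a real listing would be the quick way to answer the question in the thread: a large share of "overwritten" and "text" verdicts means the MFT entries outlived their data, and no amount of re-processing will bring those back, while the "intact" entries are the ones worth exporting. `carve_jpegs()` is the signature-only counterpart: it finds the still-valid files regardless of whether any filesystem record points at them, which is what PhotoRec-style recovery does at scale.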