I have a dual partitioned SSD from a Latitude E6 or E7 series laptop with a proprietary / bespoke corporate Windows image installed.
I am trying to recover data from a lost partition but EnCase 7 isn't playing ball. Case Processor finds the two partitions and I can add these successfully using the usual processes and disk view; the 1st (smaller) partition is visible and I can see the file system, but the 2nd primary partition is not recognizing the file and folder structure. I'm confident that the two partition locations are accurate - I can see NTFS in the HEX readout so no dilemma there….
I've been told that Dell drives have a hidden diag / recovery partition that needs to be restored before the file system becomes visible. Anyone heard of this before and any clues as to what to look for in the image to be able to recreate this partition?
Encase is an analysis program rather than a data recovery program - though there is often a very large overlap between these areas.
To recover files, DO NOT write anything to the drive - i.e. don't touch the recovery partition. This will possibly just reinitialise the drive and potentially overwrite data.
I am concerned that SSDs often come with TRIM, which will clear down areas of data if deleted or removed. If this has happened, your data is probably lost.
I would start with some simple data carving to determine if the files you want, e.g. JPEGs, .DOC(x), still exist. Carving does not depend on the file system, partitioning etc. If your files can be seen (as nameless files) then continue with the file system. If the files cannot be found because the SSD has erased them, there is no point searching further.
Thanks Michael.
I don't have the drive itself, I'm working off an EnCase Image File.
The partition recovery tools in EnCase only go so far and aren't producing the result I was hoping for… If I restore the partitions to the locations the Case Processor identifies, the smaller partition shows up fine but the larger partition remains as a whole heap of unallocated space. I ran the EnCase File Carver over the top of it and while it manages to cache about 35GB of data, EnCase itself doesn't show any results from the carve.
The partition recovery results don't seem right to me so I've played around a little and managed to expand the unallocated space into 2 separate Volume Slacks, both of which contain heaps of raw data in the unallocated space. I ran file carver over this but again, no results.
A colleague has mentioned that locating and restoring the Dell Recovery or Diagnostic partition would restore both partitions and enable the file system for recovery but I can't see anything anywhere on how to actually do this!
Have you heard of this before and any ideas on how to go about it?
I've gone through this guide here http://www.goodells.net/dellrestore/fixes.shtml but as I'm working with an image and not the drive itself, the bulk of the instructions and the option to use dsrfix.exe to recover are not really available to me.
… which is a good thing, as that page and the tools in it are related to a rather old "recovery scheme" DELL used.
The good guys at DELL tend to completely change the way they set up the Recovery partition/option every couple of years or so; what is in that page (or other pages on Dan Goodell's site) may (or may not) apply to what you actually have.
But IMHO you are using the "wrong" (no offence intended) overall approach; as mscotgrove stated before, what you want to do is more recovery than forensics. What I would do (not necessarily a good idea, mind you):
- forget about Encase
- convert the .e01 image to RAW
- throw at the RAW disk image some recovery tools (like TESTDISK or DMDE) and see what they think of the current structure of the MBR data and whether they can find unindexed volumes in the image
Then, if the recovery of the partition is successful, think about replicating the procedure inside Encase (or run Encase on the "fixed" RAW image instead).
jaclaz
I can't imagine that the recovery of a hidden Dell partition would suddenly make the partition you believe to be there "usable".
Think this is one of those times to go back to basics: you know where the start of the partition is and you say you can see the "NTFS" hex, but have you decoded that sector to make sure there is a valid NTFS boot record?
If not, you could either manually decode it or use something like WinHex (you could extract the sector using Encase), which has the template function to decode it for you.
If it turns out it is a valid NTFS boot record then there are a few more things you can look at:
Inside the NTFS boot record you will have the cluster of the $MFT file; check it is in that location.
Raw hex search through that partition area for $MFT, $Bitmap etc. to see if there are any MFT entries for the essential NTFS files.
If you have both a valid boot record and a valid MFT, then it's probably an Encase bug; try using X-Ways/FTK/something else to verify.
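The boot-sector check described in the post above, as an added example that is not part of the thread: it decodes the NTFS boot sector at a given partition offset in a raw image, rejects sectors that merely contain the "NTFS" string but have implausible geometry or no 0x55AA signature, computes where the boot sector says $MFT lives, and confirms a "FILE" record header sits there. The image, partition offset and field values in `build_sample_image` are constructed for the demonstration; to use it on a real raw image, pass the image bytes (or a memory-mapped file) and the partition start you got from the partition table.

```python
import struct

NTFS_OEM = b"NTFS    "

def parse_ntfs_boot(sector: bytes) -> dict:
    """Decode the boot-sector fields needed to locate $MFT; raise ValueError if implausible."""
    if len(sector) < 512 or sector[3:11] != NTFS_OEM:
        raise ValueError("no 'NTFS    ' OEM ID at offset 3")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bps, spc = struct.unpack_from("<HB", sector, 11)          # bytes/sector, sectors/cluster
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 40)
    rec_raw = struct.unpack_from("<b", sector, 64)[0]          # signed: <0 means 2**(-n) bytes
    serial = struct.unpack_from("<Q", sector, 72)[0]
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        raise ValueError(f"implausible geometry: bps={bps} spc={spc}")
    if total_sectors == 0 or mft_cluster == 0 or mft_cluster * spc >= total_sectors:
        raise ValueError("$MFT cluster is zero or lies outside the volume")
    cluster_size = bps * spc
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "cluster_size": cluster_size,
        "total_sectors": total_sectors, "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster, "volume_serial": serial,
        "record_size": 2 ** (-rec_raw) if rec_raw < 0 else rec_raw * cluster_size,
    }

def check_volume(image: bytes, partition_offset: int) -> dict:
    """Decode the boot sector at partition_offset, then look for a FILE record where it says $MFT is."""
    boot = parse_ntfs_boot(image[partition_offset:partition_offset + 512])
    off = boot["mft_offset"] = partition_offset + boot["mft_cluster"] * boot["cluster_size"]
    boot["mft_signature_ok"] = image[off:off + 4] == b"FILE"   # every MFT record starts with 'FILE'
    return boot

def build_sample_image(partition_offset: int = 1024 * 1024) -> bytes:
    """Constructed test image, not real data: 512-byte sectors, 8 per cluster, $MFT at cluster 4."""
    bs = bytearray(512)
    bs[0:3], bs[3:11], bs[510:512] = b"\xEB\x52\x90", NTFS_OEM, b"\x55\xAA"
    struct.pack_into("<HB", bs, 11, 512, 8)
    struct.pack_into("<QQQ", bs, 40, 2048, 4, 2)   # total sectors, $MFT cluster, $MFTMirr cluster
    struct.pack_into("<b", bs, 64, -10)             # file record size 2**10 = 1024 bytes
    struct.pack_into("<Q", bs, 72, 0x1234567890ABCDEF)
    img = bytearray(partition_offset + 2048 * 512)
    img[partition_offset:partition_offset + 512] = bs
    mft = partition_offset + 4 * 4096
    img[mft:mft + 4] = b"FILE"                      # stand-in for the $MFT's own record header
    return bytes(img)

if __name__ == "__main__":
    print(check_volume(build_sample_image(), 1024 * 1024))
```

If `mft_signature_ok` comes back False on a real image while the boot sector decodes cleanly, that is the cue to search the partition area for "FILE" records and the $MFT/$Bitmap names as the post suggests.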