Hi
Try to find flies like jpg, word and pdf manually via hexedit in FTK Imager
As we know the signature of jpg is:
Header --> FFD8FF and Footer-->FFD9FF
What’s is the signature of Word and pdf?
As I see the header of docx is
header ---> 50 4B
But what is the footer?
@tony75 A docx file is in fact a PKZIP file. Such a file can have any numeric ending. The final bytes are a pointer to the final directory within the zip file. It therefore depends on file size, and the number files in the ZIP.
With carving, one often continues until one finds the start of the next file
Don't forget, an a JPG there may be more than one FF D9 in a complete file
Also, get TriD:
https://mark0.net/soft-trid-e.html
and/or study its deflist, either:
https://mark0.net/download/triddefs.zip
or its .xml version:
https://mark0.net/download/triddefs_xml.7z
The header of docx (as well as that of some types of zip) is:
https://file-extension.net/seeker/file_extension_docx
Header Hexdump: 50 4B 03 04
jaclaz
Carving should be the last thing you should do. File writes to disk are not linear! If there is a way for recovering a docx at filesystem logical level using info from MFT/FAT entries, you should certainly try those first. It's more or less data recovery, not forensics 🙂
