Help recovering deleted .docx documents

5 Posts
4 Users
0 Reactions
1,691 Views
(@clusterone)
Eminent Member
Joined: 16 years ago
Posts: 39
Topic starter  

Hello,

I'm trying to learn how to recover deleted .docx documents on Windows XP. So far I've tried:

- Searching unallocated clusters for the file signature, which turned up many false positives in WinHex, probably due to other compressed formats using it too, and .docx being compressed XML files.
- Searching for the file signature in unallocated clusters using ProDiscover Basic, which turned up no hits.
- Using Scalpel on an AD image of unallocated clusters made using FTK Imager = nothing.
- Using the deleted files panel under content view in ProDiscover, I can see several doc files deleted around the time I cleared them from the Recycle Bin; however, I was only once able to view a document, within a minute of deleting it. I tried a minute later and it was blank. Are clusters usually overwritten so quickly? That's what I suspect it is, as I believe the clusters are just set to "available" through the MFT/bitmap somehow. The file was over 1024 kilobytes, so it won't have been stored in the MFT.

I'm still reading through File System Forensic Analysis, so I may be wrong.

Many thanks for any help.


 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

As soon as something is deleted it is marked as such in the MFT, which effectively means that the data area that was used to store the previous file becomes available to be reused. It is possible that, as soon as the file has been deleted, its data area has theoretically been written over again by another file.

How are you doing your experiments? Are you performing the deletion and then forensically imaging? Are you doing a full shutdown of the machine or pulling the plug?


(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

What are you searching for?
Header "\x50\x4B\x03\x04\x14\x00\x06\x00"
and a footer of
"\x50\x4B" 17 characters then "\x00\x00\x00"
?


(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

.docx files are, as you said, compressed XML files; zipped XML files, to be precise. But then again, so are .jar files and a whole bunch of other things.
File carving Office files is getting a whole lot harder.

There might be some mileage in stepping back the footer you're looking for to include the last entry in the zip central directory.
From the files I've looked at (very briefly), they all seem to be referencing the "docProps/app.xml" file.

So as a footer you'll need docProps/app.xml, then the normal zip file PK footer.
To extend what rich2005 said:
"\x64\x6F\x63\x50\x72\x6F\x70\x73\x2F\x61\x70\x70\x2E\x78\x6D\x6C\x50\x4B" 17 characters then "\x00\x00\x00"

B****r, post the comment, then find one file that breaks this.

If you're using EnCase, however, you'll be able to use the file finder and add docProps as a keyword.


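The discussion above is really about telling a real .docx apart from every other zip container (and from stray "PK" bytes) when carving unallocated space. Rather than hoping the last central-directory entry is docProps/app.xml, which angrybadger notes is not guaranteed, a carver can use the zip structure itself: the end-of-central-directory (EOCD) record, the "PK\x05\x06" footer both replies describe, stores the size and offset of the central directory, so a candidate is a genuine archive only if the central directory ends exactly where the EOCD begins. The following is an added example written for this thread, not code posted by any of the participants or shipped with WinHex, ProDiscover, Scalpel or EnCase. The "image" it scans is constructed in memory (filler bytes, one stray header matching the OP's exact search string, a jar, a docx-like archive and a plain zip); the classification rule (a .docx must contain [Content_Types].xml and word/document.xml) is the assumption used to separate Word files from other zips.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # local file header: what the OP searched for
CD_HDR = b"PK\x01\x02"      # central directory file header
EOCD_SIG = b"PK\x05\x06"    # end of central directory record, 22 bytes + comment
EOCD_LEN = 22


def build_zip(names):
    """Constructed sample data: an in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n in names:
            z.writestr(n, b"<x>" + n.encode() + b"</x>" * 20)
    return buf.getvalue()


def sample_image():
    """Constructed 'unallocated space': filler, a stray OP-style header, a jar, a docx, a zip."""
    filler = bytes(range(256)) * 8          # 2048 bytes with no PK signatures in it
    stray = b"PK\x03\x04\x14\x00\x06\x00"   # the exact header string the OP was searching for
    jar = build_zip(["META-INF/MANIFEST.MF", "com/example/Main.class"])
    docx = build_zip(["[Content_Types].xml", "_rels/.rels", "word/document.xml",
                      "docProps/core.xml", "docProps/app.xml"])
    other = build_zip(["notes.txt"])
    return filler + stray + filler + jar + filler + docx + filler + other + filler


def naive_hits(image, sig=LOCAL_HDR):
    """Count raw signature hits, the way a plain hex search does (one per zip *entry*, plus strays)."""
    return image.count(sig)


def classify(names):
    """Assumed rule: decide what kind of zip container this is from its entry names."""
    names = set(names)
    if "[Content_Types].xml" in names and "word/document.xml" in names:
        return "docx"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    return "zip"


def validate_zip(image, start, eocd_pos):
    """Return the archive length if the EOCD at eocd_pos closes a zip starting at start, else None."""
    if eocd_pos + EOCD_LEN > len(image):
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", image, eocd_pos + 12)
    # In a well-formed archive the central directory ends exactly where the EOCD begins;
    # a stray PK\x03\x04 paired with some later file's EOCD fails this arithmetic.
    if start + cd_offset + cd_size != eocd_pos:
        return None
    if image[start + cd_offset:start + cd_offset + 4] != CD_HDR:
        return None
    return eocd_pos + EOCD_LEN + comment_len - start


def carve(image):
    """Return [(offset, length, kind, names)] for every structurally valid zip in image."""
    found = []
    pos = 0
    while True:
        start = image.find(LOCAL_HDR, pos)
        if start < 0:
            break
        length = None
        eocd_pos = image.find(EOCD_SIG, start)
        while eocd_pos >= 0 and length is None:   # try each footer candidate after this header
            length = validate_zip(image, start, eocd_pos)
            eocd_pos = image.find(EOCD_SIG, eocd_pos + 1)
        if length is None:
            pos = start + len(LOCAL_HDR)           # stray signature: keep scanning
            continue
        blob = image[start:start + length]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                names = z.namelist()
                z.testzip()                        # CRC check of every member
        except zipfile.BadZipFile:
            pos = start + len(LOCAL_HDR)
            continue
        found.append((start, length, classify(names), names))
        pos = start + length                       # skip the inner entries' own PK\x03\x04 headers
    return found


if __name__ == "__main__":
    img = sample_image()
    print("raw PK\\x03\\x04 hits:", naive_hits(img))
    for off, ln, kind, names in carve(img):
        print(f"{kind:4s} at offset {off} ({ln} bytes): {names}")
```

On the constructed image the raw signature count is at least nine (one per archive member plus the stray), while the structural carver returns exactly three archives, of which one is classified as a .docx; the docx is recognised even though nothing about its last central-directory entry is assumed. Against a real FTK Imager export of unallocated clusters you would read the file in chunks instead of one `bytes` object, and a fragmented archive (central directory not contiguous with its data) would still fail validation, which is the honest answer to the "why does carving turn up nothing" question rather than a false positive.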
(@clusterone)
Eminent Member
Joined: 16 years ago
Posts: 39
Topic starter  

As soon as something is deleted it is marked as such in the MFT, which effectively means that the data area that was used to store the previous file becomes available to be reused. It is possible that, as soon as the file has been deleted, its data area has theoretically been written over again by another file.

How are you doing your experiments? Are you performing the deletion and then forensically imaging? Are you doing a full shutdown of the machine or pulling the plug?

I was analysing live, which isn't forensically sound, but my HDD's a pain to remove. Then again, FTK Imager is on Helix 3. Doh!

I was using \x50\x4B\x03\x04\x14\x00\x06\x00 and \x00\x00\x00. I'll have a whirl with the docProps hex too. I believe docProps holds Office documents' metadata. No EnCase, as I'm not working in forensics yet!

Many thanks.

