When manually examining hex data on a HDD, what does a pointer to another cluster look like. In my case, fragmented files. I found the header of an mpg file I need to retrieve. However, the file is fragmented. What does the end of a file segment that points to the address where the file continues look like?
I know there is software out there that does this, but I want to gain an understanding of what to look if searching manually.
When manually examining hex data on a HDD, what does a pointer to another cluster look like. In my case, fragmented files. I found the header of an mpg file I need to retrieve. However, the file is fragmented. What does the end of a file segment that points to the address where the file continues look like?
I know there is software out there that does this, but I want to gain an understanding of what to look if searching manually.
You are still a tad bit too "vague" or you have a "mental map" of how files are stored that is flawed.
Different filesystems have different methods of listing/addressing the extents composing a given file, but there is nothing in an actual file that "points" to the next extent, these indexing stuctures are outside the files and part of the filesystem.
jaclaz
When manually examining hex data on a HDD, what does a pointer to another cluster look like. In my case, fragmented files. I found the header of an mpg file I need to retrieve. However, the file is fragmented. What does the end of a file segment that points to the address where the file continues look like?
I know there is software out there that does this, but I want to gain an understanding of what to look if searching manually.
You are still a tad bit too "vague" or you have a "mental map" of how files are stored that is flawed.
Different filesystems have different methods of listing/addressing the extents composing a given file, but there is nothing in an actual file that "points" to the next extent, these indexing stuctures are outside the files and part of the filesystem.
jaclaz
It was an NTFS partition. Files returning as "file<xxxx>.mpg". As far as I know, that indicates no MFT data. Obviously the software is able to move to the beginning location of each fragment of the file it is recovering. I'd like to know how it knows where to go.
Which software?
There is more than one way a specific file format might be recovered (or not recovered) by a specific recovery program, it is not as simple as you seem to believe.
Compare with
https://www.forensicfocus.com/Forums/viewtopic/p=6579915/#6579915
And
https://
Check these tools by Joakim Schicht for "general" NTFS filesystem analysis and recovery
https://
jaclaz
It sounds as if you are data carving, rather than trying to restore/recover the files
Data carving works typically with no knowledge of the file system, but also with no knowledge of fragmented files. Often this works, but large files can be fragmented.
A specific file, such as MP4 have no internal pointers to clusters, and can be saved on any system with clusters ranging from maybe 1K to 256K in size.
The first port of call for NTFS fragmentation is the MFT entry which saves the lengths of fragments and the location.
Try data recovery propgrams and you may have more success