hellow.
I have a question. hehe
I'm tying
How can I recovery data(files) from that Thumbdrive image file?
I have a EnCase v6. Is that helpful?
the point is that I don't know what I should do first and where I should look for.
please give me some advices.
THANK FOR YOUR HELP! )
There are two possible ways to recover from a FAT disk with no directory, or FAT
The first is to scan the disk for clusters which are directories. This requires analysing the cluster to determine that it is a directory. By determining the cluster size and location of cluster 2 (this can be be done from any 2 .. directory entries) you can work out file names, and for FAT32, possible start locations
The other approach is straight carving looking for file signatures.
With both approaches it will be necessary to handle fragmented files with special routines, or by hand.
This is the classic file carving problem. To learn more about file carving look at the forensicswiki entry http//
Additional tools are listed in the wikipedia entry http//
You can also find papers on techniques that were able to carve all the DFRWS 06 and DFRWS 07 challenges even though the files were significantly fragmented at http//