Forums
Main Category
General (Technical,...
Locating MS Office ...
 
Notifications
Clear all

Locating MS Office files in UC and Recovering them.

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by bperk 16 years ago
15 Posts
4 Users
0 Reactions
1,710 Views
RSS
 bperk
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter 21/08/2009 8:57 pm  

——————————————————————————–

Hi all. Here is the scenario. A fella had a job pushed to his laptop (software delivery) and part of the job was to clean up after itself. The problem is the clean up deleted C\Temp and then created a new C\Temp. In the Original C\Temp was over 100 MSFT docs (ppt, xls, doc). I have been asked to see if I can recover these files. There was a lot of disk activity due to the job\install.

So far I have done the following with no luck with EnCase.

- Recovered Files
- Recovered Folders
- Case Processor - File Finder using MSFT file headers (this one brings backs hundreds of nonsensical data)
- I dont see any flagged deleted files

Any help will be much apprecieted.

Brian


   
Quote
 kovar
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
21/08/2009 9:05 pm  

Greetings,

Try PhotoRec. EnCase should have recovered some things. If PhotoRec works, I'd love to know why EnCase didn't.

-David


   
ReplyQuote
 bperk
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter 21/08/2009 9:29 pm  

Greetings,

Try PhotoRec. EnCase should have recovered some things. If PhotoRec works, I'd love to know why EnCase didn't.

-David

David, Thank you for the suggestion. I tried PhotoRec and it recovered many files but all the encoding in the .doc is whacky. I can't read the files. Im using the same version of Office to open the files as the user has!

Any ideas why the encoding would be off?


   
ReplyQuote
 mscotgrove
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
21/08/2009 10:06 pm  

Did the laptop have NTFS compression enabled?

Does your recovery search allow for that?


   
ReplyQuote
 kovar
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
21/08/2009 10:11 pm  

Greetings,

If you open the files up in something else, do they even look like an intact document? Both EnCase and PhotoRec will have problems recovering deleted files that are fragmented, which I should have mentioned earlier. "Will have problems recovering" really means "are unable to recover".

-David


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
21/08/2009 10:17 pm  

When you say the encoding is "whacky", the font set is wrong or the files themselves are corrupt and returns "garbage" when viewing the document?


   
ReplyQuote
 bperk
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter 21/08/2009 10:53 pm  

There was no compression involved. I have tried opening the files in other apps (Word Pad for example) and I get the same results, just a bunch of garbage. There is some legible text in the recovered file, although a very small amount. Im not really getting what I was hoping for.

I'll keep at it and see what else I can do. Thx all.


   
ReplyQuote
 mscotgrove
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
21/08/2009 11:53 pm  

What are the first half dozen bytes of a .DOC file, in hex?


   
ReplyQuote
 bperk
(@bperk)
Eminent Member
Joined: 16 years ago
Posts: 24
Topic starter 22/08/2009 12:00 am  

What are the first half dozen bytes of a .DOC file, in hex?

Here are the values for the headerD0 CF 11 E0 A1 B1 1A E1


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
22/08/2009 12:14 am  

Can you also give the bytes at offset 512?


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: