Locating MS Office files in UC and Recovering them.  

bperk
(@bperk)
New Member

——————————————————————————–

Hi all. Here is the scenario. A fella had a job pushed to his laptop (software delivery) and part of the job was to clean up after itself. The problem is the clean up deleted C\Temp and then created a new C\Temp. In the original C\Temp were over 100 MSFT docs (ppt, xls, doc). I have been asked to see if I can recover these files. There was a lot of disk activity due to the job\install.

So far I have done the following with no luck with EnCase.

- Recovered Files
- Recovered Folders
- Case Processor - File Finder using MSFT file headers (this one brings back hundreds of nonsensical data)
- I don't see any flagged deleted files

Any help will be much appreciated.

Brian

Posted : 21/08/2009 8:57 pm
kovar
(@kovar)
Senior Member

Greetings,

Try PhotoRec. EnCase should have recovered some things. If PhotoRec works, I'd love to know why EnCase didn't.

-David

Posted : 21/08/2009 9:05 pm
bperk
(@bperk)
New Member

Greetings,

Try PhotoRec. EnCase should have recovered some things. If PhotoRec works, I'd love to know why EnCase didn't.

-David

David, thank you for the suggestion. I tried PhotoRec and it recovered many files but all the encoding in the .doc is whacky. I can't read the files. I'm using the same version of Office to open the files as the user has!

Any ideas why the encoding would be off?

Posted : 21/08/2009 9:29 pm
mscotgrove
(@mscotgrove)
Senior Member

Did the laptop have NTFS compression enabled?

Does your recovery search allow for that?

Posted : 21/08/2009 10:06 pm
kovar
(@kovar)
Senior Member

Greetings,

If you open the files up in something else, do they even look like an intact document? Both EnCase and PhotoRec will have problems recovering deleted files that are fragmented, which I should have mentioned earlier. "Will have problems recovering" really means "are unable to recover".

-David

Posted : 21/08/2009 10:11 pm
jhup
(@jhup)
Community Legend

When you say the encoding is "whacky", the font set is wrong or the files themselves are corrupt and return "garbage" when viewing the document?

Posted : 21/08/2009 10:17 pm
bperk
(@bperk)
New Member

There was no compression involved. I have tried opening the files in other apps (WordPad for example) and I get the same results, just a bunch of garbage. There is some legible text in the recovered file, although a very small amount. I'm not really getting what I was hoping for.

I'll keep at it and see what else I can do. Thx all.

Posted : 21/08/2009 10:53 pm
mscotgrove
(@mscotgrove)
Senior Member

What are the first half dozen bytes of a .DOC file, in hex?

Posted : 21/08/2009 11:53 pm
bperk
(@bperk)
New Member

What are the first half dozen bytes of a .DOC file, in hex?

Here are the values for the header: D0 CF 11 E0 A1 B1 1A E1

Posted : 22/08/2009 12:00 am
jhup
(@jhup)
Community Legend

Can you also give the bytes at offset 512?

Posted : 22/08/2009 12:14 am
bperk
(@bperk)
New Member

Can you also give the bytes at offset 512?

Here are the 8 bytes at FO 512 for one of the recovered files that come back with unreadable encoding (text):

FD FF FF FF FE FF FF FF

I can see this is a problem already!

Posted : 22/08/2009 12:27 am
mscotgrove
(@mscotgrove)
Senior Member

The first bytes are fine.

The file is probably either truncated, or fragmented, or partially overwritten.

Posted : 22/08/2009 12:33 am
jhup
(@jhup)
Community Legend

If I remember well, later versions of Word & Excel files have a second set of subheaders at offset 512, and should be EC A5 C1 00, and FD FF FF FF respectively.

Posted : 22/08/2009 2:18 am
mscotgrove
(@mscotgrove)
Senior Member

Your FD FF FF etc is probably correct. It is data that can be seen in a MS Compound Document.

Fragmentation only happens on a cluster boundary. Offset 512 will therefore still be in the first cluster. I have not come across a hard drive with a cluster size of 1 sector. A single sector cluster is what you find on floppy disks and possibly a small memory chip.

Reconstructing fragmented Word documents is possible but not easy. It is particularly difficult when there are a series of such documents as many of the jigsaw pieces look the same, but are from different jigsaws. The best that can normally be done is to work just on the text and hope that the cluster boundaries are across a long word, or nice phrase, so both halves can be matched.

Posted : 22/08/2009 2:55 pm
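
An added example (not part of any post in this thread): a Python triage check for carved compound files that goes past the header and offset-512 bytes compared above and looks for signs of truncation or a foreign cluster. It assumes the MS-CFB header layout and a file whose FAT sectors are all listed in the header (at most 109); `triage_ole` and `build_sample` are hypothetical names and the sample file is constructed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header bytes quoted in the thread
FREESECT, FATSECT = 0xFFFFFFFF, 0xFFFFFFFD     # sector markers defined in MS-CFB

def triage_ole(data):
    """Return findings for one carved file; an empty list means no damage detected."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return ["no compound-file header"]
    shift, = struct.unpack_from("<H", data, 0x1E)
    if shift not in (9, 12):
        return ["implausible sector shift %d" % shift]
    size = 1 << shift
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)[:n_fat]  # FAT sector ids
    findings, fat = [], []
    for sid in difat:
        off = (sid + 1) * size                 # sector 0 starts after the header
        if off + size > len(data):
            findings.append("FAT sector %d lies past end of file (truncated)" % sid)
            break
        fat.extend(struct.unpack_from("<%dI" % (size // 4), data, off))
    for sid in difat:                          # a FAT sector marks itself FD FF FF FF
        if sid < len(fat) and fat[sid] != FATSECT:
            findings.append("FAT sector %d not self-marked (foreign or overwritten)" % sid)
    used = [i for i, v in enumerate(fat) if v != FREESECT]
    if used and (used[-1] + 2) * size > len(data):
        findings.append("FAT allocates %d bytes, file has %d (truncated)"
                        % ((used[-1] + 2) * size, len(data)))
    doff = (first_dir + 1) * size
    if data[doff:doff + 20] != "Root Entry".encode("utf-16-le"):
        findings.append("directory sector %d does not start with 'Root Entry'" % first_dir)
    return findings

def build_sample():
    """Constructed 3-sector file: sector 0 = FAT, 1 = directory, 2 = stream data."""
    hdr = bytearray(512)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9)  # versions, BOM, shift
    struct.pack_into("<II", hdr, 0x2C, 1, 1)   # one FAT sector, directory at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, 0xFFFFFFFE, 0xFFFFFFFE, *[FREESECT] * 125)
    directory = "Root Entry".encode("utf-16-le").ljust(512, b"\0")
    return bytes(hdr) + fat + directory + b"A" * 512
```

In the constructed sample the FAT happens to be the first sector, so offset 512 holds FD FF FF FF FE FF FF FF, the same eight bytes reported above; a file can pass both byte comparisons and still fail these structural checks.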
bperk
(@bperk)
New Member

Your FD FF FF etc is probably correct. It is data that can be seen in a MS Compound Document.

Fragmentation only happens on a cluster boundary. Offset 512 will therefore still be in the first cluster. I have not come across a hard drive with a cluster size of 1 sector. A single sector cluster is what you find on floppy disks and possibly a small memory chip.

Reconstructing fragmented Word documents is possible but not easy. It is particularly difficult when there are a series of such documents as many of the jigsaw pieces look the same, but are from different jigsaws. The best that can normally be done is to work just on the text and hope that the cluster boundaries are across a long word, or nice phrase, so both halves can be matched.

Thank you for all your input. Very much appreciated.

Posted : 24/08/2009 5:40 pm