Recover !Bad Signature Files in Encase 5

9 Posts
3 Users
0 Reactions
3,118 Views
 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

I've done a file signature analysis on the evidence image I'm working on.
And most of the important documents I'm interested in (Word documents, spreadsheets, pictures) are in a condition of !Bad Signature. Which means I cannot open and see the content.

Is there any way that I can open or recover these files?
If I have to use third party software, how do I transfer the image I've acquired in Encase to that software?

Thank you very much for helping :D


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Are these files intact? Are they encrypted? Is it possible that the contents were wiped? Is it possible that what you are seeing are the MFT entries and that the space, itself, has been reallocated?

Have you tried the "Repair Document" functionality in Office? There are also some commercial Office document recovery packages, but if the signature is bad, it may be that something else is going on here.

It is hard to say more without seeing some examples.

 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

They are not encrypted. And the text pane looks something like this: g/~&vI]nB
Psg#YM/·n!·-·m(8·Wi6·gH· b.q·+·2E·a··T+·t&·(··a·9U}r

How do I know that what I'm seeing is MFT entries and not the content of the file?
*sorry if this question sounds stupid :D I'm totally new to forensics.

Thanks.

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

In Encase, the file description will say something like "File,Deleted,Overwritten". Depending upon which version of Encase, there may be a special file icon showing that it is overwritten and the status (bottom) line will have the name of the file to which the blocks are currently allocated.

Of course, you wouldn't expect that all of the files in this state would start with the exact same sequence. Do they? If so, can you post the first few bytes in HEX instead (easier to disambiguate)?

 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

Mine is Encase 5.
The file of my interest is labeled 'File, Deleted, Archive'.

The first few bytes
E7 AF 7E A6 F6 C9 5D BA 6E 42 0D D0 F3 67 A3 59 CD

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Mine is Encase 5.
The file of my interest is labeled 'File, Deleted, Archive'

The first few bytes
E7 AF 7E A6 F6 C9 5D BA 6E 42 0D D0 F3 67 A3 59 CD

Do all of the files begin with this same sequence? And does the file name in the status line match the name and path in the table pane?

 Nino
(@nino)
Active Member
Joined: 17 years ago
Posts: 7
Topic starter  

No. The sequence for the first file is
E7 AF 7E A6 F6 C9 5D BA 6E 42 0D D0 F3 67 A3 59 CD

while the second one is
44 C8 21 81 58 A9 BC 7C B7 FF 9E 75 80 A3 78 2F 66

But their names match with the ones in the status line. I don't think they've been overwritten.

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Well, again, I'm shooting in the dark, here, because I can't see what you are seeing, but in my experience, the most likely explanation is that the file contents were wiped leaving the file pointers intact. A less likely explanation is that they have been encrypted. I would look for installed programs and in the registry for evidence of wiping or encryption programs having been installed or run. I saw something very similar to what you are seeing a few months back and it was a case of the user deliberately obfuscating the contents of the files.

You could also use Encase to do a search for Microsoft Office signatures, especially in unallocated space. You may be able to find/recover what you are looking for, from there.

I would also try searching the entire volume for the file names. There may be LNK files or other data indicating what might have happened to them and/or whether copies exist on an external device.

Also, .TMP files may exist containing the most recent prior version of the files.

I doubt that this will work, but you could also copy the files to your local drive and use a HEX editor to add the Microsoft Office header. I don't hold out much hope for this since, I assume, the data you are looking at starts at the beginning of the block.

Finally, to be on the safe side, you could go to the starting block of the file and look at the blocks before it (again, a long shot).

(@ironfist)
Active Member
Joined: 20 years ago
Posts: 6
 

Nino,
!Bad Signature means the File Extension is known BUT the File Header does not match. In other words, your files may have a recognised file extension (.doc, .xls, .jpg) but they are incorrect, and EnCase will not open them because after you run file signature analysis EnCase uses the file header and associates the appropriate program to view it. If you know the file header then you can create a File Viewer and make a file association to it and use that to open the files. Have a look at www.filext.com or search for file headers in Google.
A word of advice: don't rely on file extensions; they can be easily changed. The Hex header is more difficult to change and requires a hex editor. If your evidence contains such things then it will give you something to think about.


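As an added illustration (not code from the thread or from EnCase), the following Python script reconstructs the logic that ironfist describes behind EnCase's signature categories (header versus extension) and adds the two follow-up checks seanmcl's replies point at: a byte-entropy measure, since wiped or encrypted content reads as near-random bytes like the ones Nino posted, and a scan of a raw buffer for known Office/PDF headers, which is what a search for Office signatures in unallocated space boils down to. The signature table and the category names (Match, Alias, !Bad Signature, Unknown) are my approximation of EnCase's behaviour, and all sample data except Nino's quoted header bytes is constructed.

```python
"""Signature analysis, entropy triage and header carving, as an added example."""
import hashlib
import math
import os
from typing import Dict, List, Tuple

# Well-known header signatures (magic bytes) and the extensions they legitimately carry.
# This is a small hand-picked table, not EnCase's own signature database.
SIGNATURES: Dict[bytes, Tuple[str, ...]] = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("doc", "xls", "ppt"),  # OLE2 compound file (Office 97-2003)
    b"PK\x03\x04": ("docx", "xlsx", "pptx", "zip"),              # ZIP container (Office 2007+ OOXML)
    b"\xff\xd8\xff": ("jpg", "jpeg"),                            # JPEG
    b"\x89PNG\r\n\x1a\n": ("png",),                              # PNG
    b"%PDF": ("pdf",),                                           # PDF
}
KNOWN_EXTENSIONS = {ext for exts in SIGNATURES.values() for ext in exts}


def classify(filename: str, header: bytes) -> str:
    """Compare the on-disk header with the extension (approximation of EnCase's categories)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    for sig, exts in SIGNATURES.items():
        if header.startswith(sig):
            # Header is known: either it agrees with the extension or the file was renamed.
            return "Match" if ext in exts else "Alias"
    # Header unknown: a known extension means the content is not what the name claims.
    return "!Bad Signature" if ext in KNOWN_EXTENSIONS else "Unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents and text sit well below 7, wiped or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_headers(buffer: bytes) -> List[Tuple[int, str]]:
    """Return (offset, extension) for every known header found anywhere in a raw buffer,
    the way a keyword search for Office/PDF signatures across unallocated space would."""
    hits: List[Tuple[int, str]] = []
    for sig, exts in SIGNATURES.items():
        pos = buffer.find(sig)
        while pos != -1:
            hits.append((pos, exts[0]))
            pos = buffer.find(sig, pos + 1)
    return sorted(hits)


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for wiped/encrypted content (SHA-256 chain), constructed."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def triage(filename: str, content: bytes) -> Tuple[str, bool]:
    """Category plus a flag saying whether the content looks random (wiped/encrypted)."""
    return classify(filename, content[:16]), shannon_entropy(content) > 7.5


# --- Sample data: NINO_HEADER is the first bytes quoted in the thread; the rest is constructed ---
NINO_HEADER = bytes.fromhex("E7AF7EA6F6C95DBA6E420DD0F367A359CD")
REAL_DOC_HEADER = bytes.fromhex("D0CF11E0A1B11AE1") + b"\x00" * 8
RENAMED_ZIP_AS_JPG = b"PK\x03\x04" + b"\x00" * 12
UNALLOCATED = b"\x00" * 512 + b"%PDF-1.4" + b"\x00" * 1000 + REAL_DOC_HEADER

if __name__ == "__main__":
    samples = [
        ("report.doc", NINO_HEADER + pseudo_random(4080)),  # known extension, random content
        ("real.doc", REAL_DOC_HEADER + b"A" * 4000),         # header and extension agree
        ("photo.jpg", RENAMED_ZIP_AS_JPG),                   # ZIP/OOXML renamed to .jpg
        ("blob.bin", NINO_HEADER),                           # neither header nor extension known
    ]
    for name, data in samples:
        category, random_looking = triage(name, data)
        print(f"{name:12s} {category:15s} random-looking={random_looking}")
    print("headers found in unallocated buffer:", carve_headers(UNALLOCATED))
```

The interesting case is the first one: a `!Bad Signature` verdict on its own only says the header does not match the extension, but combined with entropy close to 8 bits per byte it supports seanmcl's reading that the content itself was overwritten or encrypted rather than merely mislabelled, and the carving pass is then the sensible next step.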