Recover data from formatted drive/floppy
I am a self-learner in computer forensics and I use trial tools such as EnCase and X-Ways to recover lost files. I would like to ask some questions of you guys out there.
If a file was deleted from the hard drive, the application can recover it. But what about if the hard drive has been formatted? Can it be recovered? I tried formatting a floppy disk and then used the EnCase or X-Ways tools to recover the previous file on that floppy, but I failed to get it back.
Is it true that if the drive is formatted, we can't get any data back?
Recovering data deleted by formatting is possible, with the exception of low-level formats. While general formatting and quick formatting delete only the information about the data and leave the actual file on the HDD, low-level formatting deletes all data areas and causes the same result as an overwrite.
But why, when I do a test on my floppy (for example, I save one Word file and delete it from the floppy, then do a general format on that floppy, then use the EnCase/X-Ways tools to get the data back from the floppy), can't I even see any file appear? Why is that?
You won't see the file in a hierarchical (Windows Explorer type) layout, as the format will have gotten rid of the file structure.
Search for the header ÐÏ.à¡±.á (hex D0 CF 11 E0 A1 B1 1A E1; the MS Office header for .doc, .xls, etc.) in free space, or do a keyword search in the free space for a word or phrase you know to be in the document. You should be able to find it.
I will try it now.
OK, success. I created a text file named test and wrote something inside it, and formatted the floppy disk. I used EnCase to recover it and I found it. This is similar for any document such as Word, etc.…
But what about pictures such as jpg, gif, bmp? How do I track them and save them back in their own format?
Thanks for the guidance.
It is the same thing regardless of the type of file, although some are more difficult than others. You can test using the same logic. Save a .jpg to the floppy and format it. If you go back into the free space area and look for the header ÿØÿà (hex FF D8 FF E0) you should locate the file.
It is possible to manually extract them, but most of the forensic software packages have built-in features that search for file headers and then recover them for you if found.
If you want some more info on file signatures, take a look at http://www.garykessler.net/library/file_sigs.html
Hope this helps.
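The two techniques this reply describes, scanning free space for a known file header (with the JPEG trailer as the end marker) and keyword-searching for a phrase from the document, as an added example that is not part of the thread or of EnCase/X-Ways. The "floppy image" is constructed in the code, and the signature table and the 64 KiB cap on trailer-less OLE2 files are assumptions chosen for the demonstration.

```python
import re

# Signatures named in the thread: the OLE2 compound-document header used by
# legacy .doc/.xls/.ppt, and the JPEG start-of-image marker (FF D8 FF, with the
# usual E0 "JFIF" application segment right behind it). JPEGs end with FF D9;
# OLE2 files have no trailer, so they are carved up to an assumed size cap.
SIGNATURES = {
    "doc": {"header": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "footer": None, "max_len": 64 * 1024},
    "jpg": {"header": b"\xFF\xD8\xFF", "footer": b"\xFF\xD9", "max_len": 4 * 1024 * 1024},
}

def carve(image, signatures=SIGNATURES, sector=None):
    """Header/footer carving over raw bytes (free space or a whole floppy image).
    Returns [(kind, offset, data)] sorted by offset. With sector=512 only
    sector-aligned hits are kept: on FAT media a file starts on a cluster
    boundary, which filters out bytes that merely look like a header."""
    hits = []
    for kind, sig in signatures.items():
        pos = 0
        while (off := image.find(sig["header"], pos)) != -1:
            pos = off + 1                      # keep scanning after this hit
            if sector and off % sector:
                continue
            end = min(off + sig["max_len"], len(image))
            if sig["footer"]:
                f = image.find(sig["footer"], off + len(sig["header"]), end)
                if f != -1:
                    end = f + len(sig["footer"])
            hits.append((kind, off, image[off:end]))
    return sorted(hits, key=lambda h: h[1])

def keyword_search(image, keyword, context=16):
    """The other technique from the reply: grep free space for a phrase you
    know was in the document. Returns [(offset, surrounding bytes)]."""
    pat = re.compile(re.escape(keyword))
    return [(m.start(), image[max(0, m.start() - context):m.end() + context])
            for m in pat.finditer(image)]

def build_sample_image():
    """Constructed 8-sector 'formatted floppy': the directory entries are gone,
    but the file bytes still sit in their old clusters. Not real media."""
    img = bytearray(8 * 512)
    jpeg = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xFF\xD9"   # 53 bytes
    doc = (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
           + b"Quarterly report draft" + b"\x00" * 100)
    img[512:512 + len(jpeg)] = jpeg       # sector 1
    img[2048:2048 + len(doc)] = doc       # sector 4
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    for kind, off, data in carve(img, sector=512):
        print(f"{kind} at offset {off}: {len(data)} bytes, starts {data[:8].hex()}")
    for off, ctx in keyword_search(img, b"report"):
        print(f"'report' at offset {off}: {ctx!r}")
```

The trailer-less .doc is carved to the size cap (or the end of the image), so the result carries trailing free-space bytes that a manual carve would trim; that is the same "more difficult than others" point the reply makes, and why the GUI tools let you set a depth per type.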
Thank you… that helps much.
I have one little question…
For EnCase, the first time I acquire the floppy, a message appears like the one below:
"A write lock could not be placed on drive A. The drive contents may change during this process. Continue?"
What does this mean? Does this mean I cannot proceed, because if I proceed the data will change? Or is this a bad habit for a forensic guy? Normally for testing I just click Continue…
I am not overly familiar with EnCase; other members of the forum would be able to help with specific inquiries. However, one of the cardinal rules in this field is not to alter the original media if at all possible.
You would normally take a checksum or hash value of the source drive (e.g. MD5), image it, and then ensure they are the same by checking the hash value of the image against the original. There are hardware write-blocking devices available on the market that are attached to the source drives to prevent any writes to them. I know WinHex Forensics does not allow data to be written to the source drive by using software blockers, but I believe most in the field couple this with a hardware one to be sure…?
In respect to the error you are getting… it is just EnCase telling you that it cannot write-protect the drive and it MAY be altered during the acquisition. Although I haven't tested it myself on floppies, you can just use the write-protect notch on the disk itself. I am not 100% sure whether this fully protects it during an acquisition…
hezry… I should also add that I am pretty new in the field, therefore my knowledge is certainly lacking in many respects.
If you are interested in the field, this is a good resource, and many of the older discussions contain a wealth of info as well.
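The hash-image-verify routine described in this reply, as an added example that is not part of the thread or of any of the tools named in it. It also shows what the EnCase warning is about: if something writes to the source while or after you image it, the source no longer matches the acquisition hash even though the image itself is intact. The "floppy" is a constructed in-memory byte stream, and the choice of MD5 plus SHA-256 is an assumption (the reply mentions MD5 only).

```python
import hashlib
import io

ALGOS = ("md5", "sha256")   # MD5 as in the reply, plus SHA-256 as a second, stronger check
CHUNK = 1 << 20             # hash drives in 1 MiB pieces rather than loading them whole

def _new_hashers():
    return {a: hashlib.new(a) for a in ALGOS}

def hash_stream(stream):
    """Hash an open binary stream from the beginning, chunk by chunk."""
    hashers = _new_hashers()
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def acquire(source, image):
    """Copy source -> image and hash the bytes as they pass through.
    Returns the acquisition hashes, i.e. what an imager prints when it finishes."""
    hashers = _new_hashers()
    source.seek(0)
    image.seek(0)
    image.truncate()
    for block in iter(lambda: source.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
        image.write(block)
    image.flush()
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify(source, image, acquisition_hashes):
    """Re-hash both sides after imaging. Two independent questions:
    does the image still equal what was acquired (image integrity), and
    does the source still equal what was acquired (nothing wrote to it)."""
    return {
        "image_matches_acquisition": hash_stream(image) == acquisition_hashes,
        "source_unchanged": hash_stream(source) == acquisition_hashes,
    }

# Constructed stand-in for a floppy: 1.5 KiB of patterned bytes, not real media.
SAMPLE_FLOPPY = bytes(range(256)) * 6

def demo():
    source = io.BytesIO(SAMPLE_FLOPPY)   # stands in for the A: device opened read-only
    image = io.BytesIO()                 # stands in for the raw image file
    acquired = acquire(source, image)
    clean = verify(source, image, acquired)
    # Simulate "the drive contents may change during this process": something
    # writes a single byte to the source after the copy was taken.
    source.seek(100)
    source.write(b"X")
    tampered = verify(source, image, acquired)
    return acquired, clean, tampered

if __name__ == "__main__":
    acquired, clean, tampered = demo()
    for algo, digest in acquired.items():
        print(f"{algo}: {digest}")
    print("after acquisition:", clean)
    print("after a write to the source:", tampered)
```

Hashing the source a second time is what makes the write-blocker question answerable: a matching image with a changed source tells you the original was touched, which is the situation the warning in EnCase is asking you to accept.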
Thank you… you helped me a lot.
As a WinHex user, you have a wonderful tool located at TOOLS -> DISK TOOLS -> FILE RECOVERY BY TYPE. You will find about 54 specific headers available for use in data carving. In addition, it is very easy to permanently add more headers to that database if you know of a file type that was missed by X-Ways and know (or can determine) the header. In addition, it lets you set the depth and the general location of your data carving. It even gives you the option of sorting your "take" into separate file folders: all DOC in one folder, all JPG in another, etc.
Thank you… but which one is most used for forensics, X-Ways or WinHex? In my view both are the same, I think.
Stefan Fleischmann, the author and owner of both programs, seems to use them pretty much interchangeably. He teaches to install both in the same folder and to Alt-Tab back and forth between them.
We have and use both. However, I prefer WinHex because the Forensic version enforces a strict discipline designed to keep the user from making mistakes in moving evidence around. The truth is that the Forensic version is made for a guy like me to keep me out of trouble and your question prompts me to start accepting the occasional error messages that WinHex will not generate.
There are other differences that appear to me to be more aimed at marketing than anything else. In other words, there are certain things that you can do with a Forensic License that you can't do without it. However, we have licenses to all of his products (except Game Cheats) and any differences or restrictions in capability are transparent to me. As I recall, when you buy an X-Ways Forensics license, the regular WinHex license is included at no extra cost.
Another possible difference between WinHex and X-Ways Forensics that I often forget is that, unlike EnCase and FTK (which I use), Stefan seems to be going after more than just the forensic market. Data recovery and game cheats are two other places his software is used. I assume that his non-forensics users would have no need for the forensics version.