Recover data from formatted drive/floppy  

hezry79
(@hezry79)
New Member

I am a self-learner in computer forensics and I use trial tools such as EnCase and X-Ways to recover lost files. I would like to ask you guys out there some questions.

If a file was deleted from the hard drive, the application can recover it. But how about if the hard drive has been formatted? Can it be recovered? I tried formatting a floppy disk and using the EnCase and X-Ways tools to recover the previous file on that floppy, but I failed to get it back.

Is it true that if the drive is formatted, we can't get any data back?

Thank you

Posted : 22/07/2005 9:30 pm
fatrabbit
(@fatrabbit)
Active Member

Recovering data deleted by formatting is possible with the exception of low-level formats. While general formatting and quick formatting delete only the data information and leave the actual file on the HDD, low-level formatting deletes all data areas and causes the same result as an overwrite.

Posted : 23/07/2005 1:15 am
hezry79
(@hezry79)
New Member

But why, when I do a test on my floppy, for example: I save one Word file and delete it from the floppy. After that I do a general format on that floppy. Then I use the EnCase/X-Ways tools to get the data back from the floppy, but I can't even see any file appear… why is that?

Posted : 23/07/2005 8:05 am
andy1500mac
(@andy1500mac)
Member

You won't see the file in a hierarchical (Windows Explorer) type layout as the format will have gotten rid of the file structure.

Search for the header ÐÏ.à¡±.á (MS Office header for .docs, .xls etc…) in free space or do a keyword search in the free space for a word or phrase you know to be in the document. You should be able to find it.

Andrew-

Posted : 23/07/2005 9:37 am
hezry79
(@hezry79)
New Member

I will try it now

Posted : 23/07/2005 9:46 am
hezry79
(@hezry79)
New Member

OK, success. I created a text file named test and wrote something inside it, then formatted the floppy disk. I used EnCase to recover it and I found it. This is similar to any document such as Word, etc…

But how about pictures such as jpg, gif, bmp? How do I track one down and save it back to its own format?

thanks for guidance

Posted : 23/07/2005 10:11 am
andy1500mac
(@andy1500mac)
Member

It is the same thing regardless of the type of file, although some are more difficult than others. You can test using the same logic. Save a .jpg to the floppy and format it. If you go back into the free space area and look for the header ÿØÿà you should locate the file.

It is possible to manually extract them but most of the forensic software packages have built in features that search for file headers and then recover them for you if found.

If you want some more info on file signatures take a look at http://www.garykessler.net/library/file_sigs.html

Hope this helps.

Andrew-

Posted : 23/07/2005 11:23 am
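
The header search described in the two replies above, written out as an added example (not code from any poster or from EnCase, X-Ways or WinHex). It treats the quoted headers as bytes (ÿØÿà is FF D8 FF E0, the MS Office header is D0 CF 11 E0 A1 B1 1A E1), assumes contiguous files, and runs on a constructed image; `carve` and `build_sample_image` are hypothetical names.

```python
SECTOR = 512
# Headers quoted in the thread, as bytes: "ÿØÿà" (JPEG/JFIF) and the MS Office
# compound-file header. The JPEG end marker FF D9 is added here as a footer.
SIGNATURES = {
    "jpg": (bytes.fromhex("ffd8ffe0"), bytes.fromhex("ffd9")),
    "doc": (bytes.fromhex("d0cf11e0a1b11ae1"), None),  # no fixed footer
}

def carve(image, signatures=SIGNATURES, max_len=64 * 1024):
    """Return [(type, offset, data)] for every header found on a sector boundary.

    Assumes each file is stored contiguously; a fragmented file or a JPEG with
    an embedded thumbnail (early FF D9) would be carved incompletely.
    """
    hits = []
    for kind, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            if pos % SECTOR == 0:  # file data starts on a sector boundary
                end = min(pos + max_len, len(image))
                if footer is not None:
                    stop = image.find(footer, pos + len(header), end)
                    if stop != -1:
                        end = stop + len(footer)
                hits.append((kind, pos, image[pos:end]))
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])

def build_sample_image():
    """Constructed 20-sector stand-in for a formatted floppy (not real evidence)."""
    img = bytearray(20 * SECTOR)
    jpg = bytes.fromhex("ffd8ffe0") + b"\x00\x10JFIF\x00 constructed " + bytes.fromhex("ffd9")
    doc = bytes.fromhex("d0cf11e0a1b11ae1") + b"constructed Word text"
    img[4 * SECTOR:4 * SECTOR + len(jpg)] = jpg
    img[10 * SECTOR:10 * SECTOR + len(doc)] = doc
    # Decoy: the JPEG header bytes in the middle of a sector must not be carved.
    img[15 * SECTOR + 7:15 * SECTOR + 11] = bytes.fromhex("ffd8ffe0")
    return bytes(img)

if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image(), max_len=1024):
        print(f"{kind} at sector {offset // SECTOR}, {len(data)} bytes carved")
```

A type without a footer is cut at `max_len`, so the carved file usually carries trailing slack that the application ignores or that has to be trimmed by hand.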
hezry79
(@hezry79)
New Member

Thank you… that helps a lot.

Posted : 23/07/2005 11:35 am
hezry79
(@hezry79)
New Member

I have one little question…

With EnCase, the first time I acquire the floppy, a message like the one below appears:

a write lock could not be placed on drive A. The drive contents may change during this process. Continue?

What does this mean? Does this mean I cannot proceed because if I proceed the data will change? Or is this a bad habit for a forensic guy? Normally for testing I just click Continue…

Posted : 23/07/2005 11:40 am
andy1500mac
(@andy1500mac)
Member

I am not overly familiar with EnCase; other members of the forum would be able to help with specific inquiries. However, one of the cardinal rules in this field is not to alter the original media if at all possible.

You would normally take a checksum or hash value of the source drive (e.g. MD5), image it, and then ensure they are the same by checking the hash value of the image against the original. There are hardware write blocking devices available on the market that are attached to the source drives to prevent any writes to them. I know WinHex forensics does not allow data to be written to the source drive by using software blockers but I believe most in the field couple this with a hardware one to be sure..?

In respect to the error you are getting…it is just Encase telling you that it cannot write protect the drive and it MAY be altered during the acquisition. Although I haven’t tested myself on floppies you can just use the write protect notch on the disk itself. I am not 100% sure whether this fully protects it during an acquisition…

Andrew-

Posted : 23/07/2005 12:57 pm
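
The hash-then-image-then-compare routine from the reply above, as an added example (not the poster's code and not how EnCase or WinHex implement it). It hashes the source before and after imaging, so a source that changed during acquisition, the case the EnCase warning describes, shows up as a mismatch; the function names and the temporary file standing in for drive A are assumptions.

```python
import hashlib
import os
import tempfile

def file_md5(path, copy_to=None, chunk=64 * 512):
    """MD5 of a file read in chunks; optionally write the same bytes to copy_to."""
    md5 = hashlib.md5()  # MD5 as named in the post
    out = open(copy_to, "wb") if copy_to else None
    try:
        with open(path, "rb") as src:  # the source is only ever opened read-only
            while block := src.read(chunk):
                md5.update(block)
                if out:
                    out.write(block)
    finally:
        if out:
            out.close()
    return md5.hexdigest()

def acquire_and_verify(source_path, image_path):
    """Hash the source, image it, then re-hash both image and source."""
    before = file_md5(source_path)
    during = file_md5(source_path, copy_to=image_path)  # bytes actually imaged
    image = file_md5(image_path)
    after = file_md5(source_path)
    return {
        "source_md5": before,
        "image_md5": image,
        "image_matches": before == during == image,
        "source_unchanged": before == after,
    }

def demo():
    """Constructed 1.44 MB stand-in for the floppy, then a one-byte image change."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "floppy.bin")
        img = os.path.join(tmp, "floppy.img")
        with open(src, "wb") as fh:
            fh.write(os.urandom(512) * 2880)
        result = acquire_and_verify(src, img)
        with open(img, "r+b") as fh:  # flip one bit to simulate a bad copy
            fh.seek(1000)
            byte = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([byte[0] ^ 1]))
        still_matches = file_md5(img) == result["source_md5"]
        return result, still_matches

if __name__ == "__main__":
    print(demo())
```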
andy1500mac
(@andy1500mac)
Member

hezry… I should also add that I am pretty new in the field, therefore my knowledge is certainly lacking in many respects.

If you are interested in the field this is a good resource and many of the older discussions contain a wealth of info as well.

Andrew-

Posted : 23/07/2005 1:04 pm
hezry79
(@hezry79)
New Member

Thank you… you helped me a lot.

Posted : 23/07/2005 1:30 pm
akaplan0qw9
(@akaplan0qw9)
Member

Dear Hezry,

As a WinHex user, you have a wonderful tool located at TOOLS-> DISK TOOLS-> FILE RECOVERY BY TYPE. You will find about 54 specific headers available for use in data carving. In addition, it is very easy to permanently add more headers to that database if you know of a file type that was missed by X-Ways and know (or can determine) the header. In addition it lets you set the depth and the general location of your data carving. It even gives you the option of sorting your "take" into separate file folders. All DOC in one folder, all JPG in another, etc.

Posted : 23/07/2005 6:12 pm
hezry79
(@hezry79)
New Member

Thank you… but which one is used most in forensics, X-Ways or WinHex? In my view both are the same, I think.

Posted : 23/07/2005 7:14 pm
akaplan0qw9
(@akaplan0qw9)
Member

Stefan Fleischmann, the author and owner of both programs, seems to use them pretty much interchangeably. He teaches to install both in the same folder and to Alt-Tab toggle back and forth between them.

We have and use both. However, I prefer WinHex because the Forensic version enforces a strict discipline designed to keep the user from making mistakes in moving evidence around. The truth is that the Forensic version is made for a guy like me to keep me out of trouble and your question prompts me to start accepting the occasional error messages that WinHex will not generate.

There are other differences that appear to me to be more aimed at marketing than anything else. In other words, there are certain things that you can do with a Forensic License that you can't do without it. However, we have licenses to all of his products (except Game Cheats) and any differences or restrictions in capability are transparent to me. As I recall, when you buy an X-Ways Forensic License, the regular WinHex license is included at no extra cost.

Another possible difference between WinHex and X-Ways Forensics that I often forget is that unlike Encase and FTK (that I use), Stefan seems to be going after more than just the forensic market. Data recovery, and Game cheats are two other places his software is used. I assume that his non-forensics users would have no need for the forensics version.

Posted : 24/07/2005 12:59 am