Hello fellow forensicators. I'm new to the Forums here,
And looking for some help with some sound recordings from a HUAWEI M7 which was deleted
and needs to be recovered.
I've made a physical dump through a Oxygen Forensic software, and after image it,
I can see that the file did exist (dates and times), but listed as 0kb in size .
So is the deleted sounnd recordings still exist? and can be recovery?
I'd like to ask for any suggestions on how I can recovery this recordings from the dump I retrieved from mate7.
Or does anyone have some methods, tools, or tricks for this? I've been scouring the net for resources, but haven't come across anything useful .
Thanks for any suggestions!
Back to basic.
This phone is running Android and Android uses EXT4 as filesystem. Maybe focus your search on EXT4 recovery options.
Have a look at inodes and pointers. I don't say Oxygen is wrong but always better to check it.
Another option is using filecarving.
Thank you for u reply !
As my very limited knowledge of linux data recovery ,i don't know how to use the inodes and pointers informaton in EXT4 filesystem,(can you teach me somethings about inodes D )
so i try second method , I find that only Winhex can carving the .m4a files,
but no result was find after carving. ?
So is there another programs like winhex that can carving the .m4a file? šÆ
Thank you!
If we are moving from "sound recordings from a HUAWEI M7" to more generic "EXT4 data recovery" there are a number of tools.
.m4a files should be AAC compressed files (MPEG 4)
https://
so most tools should be able to recognize them.
Of course if the data is not there, it is not there, in the screenshot you posted it seems like you have three deleted files of very small sizes
0
3620
2588
Though i doubt it, it is possible that the 3620 and the 2588 bytes file are/were valid files, surely the one with size 0 bytes is/was 0 bytes in size, besides beating Nada in compactness wink
http//
it is unlikely that you will ever get more than 0 data from it.
Which other tools have you tested/tried?
Photorec should be able to recognize all the various formats for MPEG-4 conatiner, unless the specific HUAWEI format is non-standard
http//
http//
http//
But before anything else have you tried extundelete?
http//extundelete.sourceforge.net/
jaclaz
Thx for you reply,jaclaz! D
I find PhotoRec is so powerful to carving the unknown format file ,but the carved files were so big!and was unreadable, See the pic !
Maybe the dump of the phone was incompleteļ¼
So next time i will try it with the cellebrite UFED ,
And i have a question does anybody have experience doing it with UFED and success ?
I find PhotoRec is so powerful to carving the unknown format file ,but the carved files were so big!and was unreadable,
It is entirely possible that Photorec recognized a "header" pattern but missed a "footer" pattern, thus wrongly "extending" the size of the file.
You will need to compare a (good/working) audio file coming form that phone with the first few bytes of the files Photored "recovered".
BTW it is also possible that Photorec recognized some areas "wrongly", data recovery is not an "exact science".
You can probably also try DMDE to "undelete" those files, but I have no expereince on using it on ext2/3/4 so I can't give you any specific suggestion on the procedure
http//dmde.com/
jaclaz