Thursday, September 30, 2010

AVI data carving

Most data files are written sequentially, which means that data carving can reasonably assume the data will be contiguous. However, some AVI files have recently been found that do not follow this pattern.

The file in question was written by a video camera, and it appears that the first section written was the data: a series of tagged chunks starting with "00dc" or "00wb". An AVI file contains an index, and in this version the index was added to the first block, after the main header information. Thus to carve the file it is necessary to read the header and then, in effect, go back to find the blocks used. What makes the job possible is that the index contains the offset and length of each tag. It is therefore possible to search the raw disk for a cluster that contains a '00xx' tag at a known location within the block, with a defined length.
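As an added example (not CnW code), the following Python shows the carving check described above: it parses the idx1 index out of a raw image, converts each entry's offset into a position within a cluster, and scans every cluster for the chunk tag at that position with the recorded length. The cluster size, the 'movi' position and the sample image are constructed.

```python
import struct

CLUSTER = 512       # constructed: a small cluster size keeps the sample image tiny
MOVI_BASE = 0x900   # constructed: file offset of the 'movi' fourcc, as read from the header

def parse_idx1(image):
    """Find the 'idx1' chunk anywhere in a raw image and return its entries as
    (tag, flags, offset, size); offsets are relative to the 'movi' fourcc."""
    pos = image.find(b"idx1")
    if pos < 0:
        return []
    size = struct.unpack_from("<I", image, pos + 4)[0]
    return [struct.unpack_from("<4sIII", image, off)
            for off in range(pos + 8, pos + 8 + size, 16)]

def locate_chunks(image, entries, movi_base, cluster=CLUSTER):
    """For each index entry, scan the image cluster by cluster for the chunk tag at
    the in-cluster offset the index implies, with the size the index records.
    Returns {(tag, index offset): absolute image offset} for the chunks found."""
    found = {}
    for tag, _flags, rel, size in entries:
        in_cluster = (movi_base + rel) % cluster
        for cstart in range(0, len(image) - 8, cluster):
            p = cstart + in_cluster
            if p + 8 <= len(image) and image[p:p + 4] == tag \
                    and struct.unpack_from("<I", image, p + 4)[0] == size:
                found[(tag, rel)] = p
                break
    return found

def build_sample_image():
    """Constructed raw image laid out as the camera did: the 'movi' data first in
    cluster 1, nothing in cluster 2, and the idx1 index in a later cluster (3)."""
    chunk_a = b"00dc" + struct.pack("<I", 100) + b"A" * 100
    chunk_b = b"00wb" + struct.pack("<I", 40) + b"B" * 40
    idx = b"".join(struct.pack("<4sIII", t, 0x10, rel, size) for t, rel, size in
                   [(b"00dc", 4, 100), (b"00wb", 4 + len(chunk_a), 40)])
    idx1 = b"idx1" + struct.pack("<I", len(idx)) + idx
    img = bytearray(CLUSTER * 4)
    data_at = CLUSTER + MOVI_BASE % CLUSTER      # 'movi' sits 256 bytes into cluster 1
    movi = b"movi" + chunk_a + chunk_b
    img[data_at:data_at + len(movi)] = movi
    img[3 * CLUSTER:3 * CLUSTER + len(idx1)] = idx1
    return bytes(img)
```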

Recent developments in CnW Recovery software have added an automatic feature so that a trailer can be created if it is missing. This means that even a partial fragment can be viewed.

Sunday, September 19, 2010

xD Memory cards

Photo recovery from most camera memory chips is fairly straightforward. If the files have been deleted, they can be recovered, largely with their original names. Failing that, data carving can be used to extract the photos. The only remaining issue is recovering fragmented photos, something that CnW Recovery software can do with a moderate success rate.

For some xD memory chips, they can be formatted rather than deleted, and the end result is that every sector (after a blank directory) is full of 0xFF, i.e. there is absolutely no information left to recover photos from.

There are theories that if you examine each bit on the memory chip you may discover that it is only at 99% of the standard level, which means it was previously at a different level. This would require the complete resources of the FBI, and would probably only have a 25% success rate on each chip. It would be far cheaper, and more successful, to pay for the holiday again.

The moral, as ever, is to make sure that whenever photos are taken, they are transferred to a new source (ideally multiple locations) and verified before the camera memory is deleted. The other advice is not to delete individual photos, as there can be two problems. A single mistake can delete all the photos, and new photos can also be fragmented, making future data recovery harder.

Monday, September 13, 2010

Disk drive fails on certain sectors

I received a disk drive today that mostly worked, but when it hit a few sectors it would fail, so the only way forward was a power reset. My normal approach would be to do an incremental image and restart after every failure. This disk was 1TB, so an incremental image would take several hours, which I did not have. By doing a partial image of the directory area, I could determine that the required data, from a single subdirectory, was stored over the complete disk.

My approach to save time was to do a selective restore of the required directory but at the same time, when a failed sector was found, change the program so that it would be skipped. The hope was that the requested data would not hit too many failed sectors, each requiring a program change and recover restart.

It would actually be a very useful feature to add to the software, so that a hardware reset could be triggered and the recovery then continued.
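As an added illustration (not the CnW implementation), this Python models the incremental imaging loop described above: a pass reads sector by sector until the drive hangs, records the failed sector and the resume point, and the next pass after a reset skips every known bad sector. The FlakyDisk class, the sector count and the in-memory state dictionary (standing in for a state file on disk) are all constructed.

```python
SECTOR = 512

class FlakyDisk:
    """Constructed stand-in for the drive in the post: reading a bad sector fails,
    and after that every read fails until the drive is power cycled (reset())."""
    def __init__(self, data, bad):
        self.data, self.bad, self.hung = data, set(bad), False

    def read(self, lba):
        if self.hung or lba in self.bad:
            self.hung = True
            raise OSError("drive hung on sector %d" % lba)
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]

    def reset(self):
        self.hung = False

def image_pass(disk, state, image, total):
    """One imaging run. Resumes at state['next'], fills known bad sectors with zeros,
    and on a new failure records the sector and resume point and returns False so the
    operator can power cycle the drive and start the next pass."""
    lba = state["next"]
    while lba < total:
        if lba in state["bad"]:
            image[lba * SECTOR:(lba + 1) * SECTOR] = b"\0" * SECTOR
        else:
            try:
                image[lba * SECTOR:(lba + 1) * SECTOR] = disk.read(lba)
            except OSError:
                state["bad"].add(lba)
                state["next"] = lba
                return False
        lba += 1
    state["next"] = total
    return True

def incremental_image(disk, total):
    """Repeat passes, resetting the drive between them, until the image is complete.
    Returns the image, the sorted list of skipped sectors and the number of resets."""
    state = {"next": 0, "bad": set()}
    image = bytearray(total * SECTOR)
    resets = 0
    while not image_pass(disk, state, image, total):
        disk.reset()
        resets += 1
    return bytes(image), sorted(state["bad"]), resets
```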

Monday, September 6, 2010

Success with XFS deleted files

After a lot of hard work (and head scratching) it is now possible to recover deleted files from the problem XFS disk. This is a new development within the CnW data recovery software which will recover the file without doing any data carving. In other words, the files are recovered with correct names, original dates, and very largely, correct directory structure.

The process is, by necessity, rather slow. It starts with a complete scan of the drive (or in this case, the RAID-0) to locate all existing inode entries on the disk. These are then analysed and regenerated to provide a list of possible directory entries. Once the disk structure is known, files can be recovered, including all files that have been deleted.

With all deleted files, there is always a danger that a new file written to the disk after the deletion could overwrite critical data. However, if the recovery process is started as soon as the error or corruption is known, recovery levels will be good.

Wednesday, September 1, 2010

Another RAID problem

I recently received three disks from an Apple RAID. One disk had hardware issues, and the RAID was RAID 0, i.e. all the disks are striped so that 32K of data is written to one disk, then the next 32K to the second disk.

Within the Apple, some files could be recovered, and then the whole system would hang.

The problem disk had a hardware issue, so when making an image of it the drive would hang, and the only recovery path was a power cycle reset. By using incremental imaging it was possible to build up an adequate image of the drive. A few sectors had to be skipped, but probably 99.9% were imaged.

To recover the data it was necessary to emulate the Apple RAID. As is typical, the first section, actually a FAT partition, was identical on all three disks, but the data section was spread over the three disks, starting at sector 0x64028. It was necessary to work out both the stripe size and the disk order. The stripe size was worked out by, fortunately, finding a sequential file that had line numbers marked in the text. It was therefore possible to see when there was a jump, in this case after 32K of data, and also the sequence of the disks. The sequence was slightly curious: the disks were marked 1, 2, 3, but the data in sector 0x6402A was on disk 2, not disk 1. Thus the order 2, 3, 1 was tried and the file system was then readable.
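The RAID 0 emulation above, as an added Python example that is not CnW's code. It goes slightly beyond the post by brute-forcing the stripe size and member order instead of finding them by eye: each candidate layout is assembled and accepted only if a fixed-width numbered text file reads straight through with no jump. The member images, the DATA_START offset (a small stand-in for the post's sector 0x64028) and the candidate list are constructed; the 32K stripe and the 2, 3, 1 order are the post's findings.

```python
import itertools

SECTOR = 512
STRIPE = 32 * 1024          # the stripe size the post found by inspection
DATA_START = 16 * SECTOR    # constructed stand-in for the data section start

def assemble_raid0(disks, order, stripe, data_start):
    """Rebuild the logical volume from member images. Logical stripe i sits on
    disks[order[i % n]] at byte offset data_start + (i // n) * stripe."""
    n = len(order)
    per_disk = (len(disks[0]) - data_start) // stripe
    out = bytearray()
    for i in range(per_disk * n):
        pos = data_start + (i // n) * stripe
        out += disks[order[i % n]][pos:pos + stripe]
    return bytes(out)

def lines_are_sequential(volume):
    """True if the volume is a run of numbered lines with no jump, i.e. the stripe
    size and disk order have put every stripe back where it belongs."""
    nums = [int(line) for line in volume.split(b"\n") if line]
    return all(b == a + 1 for a, b in zip(nums, nums[1:]))

def detect_layout(disks, data_start, candidates=(8192, 16384, 32768, 65536)):
    """Try every candidate stripe size and member permutation; the first layout that
    makes the numbered file read sequentially is returned as (stripe, order)."""
    for stripe in candidates:
        for order in itertools.permutations(range(len(disks))):
            if lines_are_sequential(assemble_raid0(disks, order, stripe, data_start)):
                return stripe, order
    return None

def build_sample_disks(order=(1, 2, 0), stripes_per_disk=2):
    """Constructed member images: an identical small header on each (the FAT
    partition in the post), then logical stripes dealt out in the given order.
    order=(1, 2, 0) is the post's 2, 3, 1 with zero-based disk numbers."""
    n = len(order)
    header = b"FAT-PLACEHOLDER".ljust(DATA_START, b"\0")
    disks = [bytearray(header) for _ in range(n)]
    lines_per_stripe = STRIPE // 8            # each line is "%07d\n", 8 bytes
    for i in range(stripes_per_disk * n):
        first = i * lines_per_stripe
        stripe = b"".join(b"%07d\n" % k for k in range(first, first + lines_per_stripe))
        disks[order[i % n]] += stripe
    return [bytes(d) for d in disks]
```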

The result was that CnW incremental imaging and the RAID option together recovered a very large amount of valuable data.