CnW Recovery Software Table of Contents


CnW Recovery, 2014

Table of Contents

CnW Recovery (p. 6)
Introduction (p. 9)
Demo program (p. 12)
Demo Status (p. 13)
Software limitations (p. 14)
Installation (p. 15)
Dongle installation (p. 17)
Media detection (p. 19)
Configuration for CnW Recovery Software (p. 22)
Recovery options (p. 24)
Registration (p. 25)
Directories (p. 27)
Hardware config (p. 28)
Basic Rules of Data Recovery (p. 29)
What to do when media has failed (p. 29)
Hardware failure - what next? (p. 31)
Welcome screen and wizard (p. 32)
Unrecognised media (p. 34)
Mini DVD recovery (p. 36)
Create new video DVD (p. 38)
Photo Recovery (p. 39)
AVCHD recovery (p. 40)
3GP and MP4 recovery wizard (p. 42)
ZIP and DOCX recovery wizard (p. 47)
Video scan of hard drive (p. 48)
Verify disk structure (p. 49)
Physical Media Test (p. 51)
Failing disk drive (p. 53)
Formatted disk recovery (p. 54)
Partitioned disk recovery (p. 56)
AVI Recovery (p. 57)
Forensic Data recovery (p. 58)
Recovering Files (p. 59)
Getting started - General data recovery (p. 59)
Typical data recovery procedures (p. 61)
View sector on hard drive, flash memory or CD (p. 62)
Disk imaging (p. 64)
RAID disks (p. 66)
How to use incremental imaging to recover damaged drives (p. 67)
Disks with single head failure (p. 69)
Image file selection (p. 70)
Partitions, analysis and recovery (p. 72)
Partition analysis mode (p. 75)
Partition Table structure (p. 76)
How to recover corrupted partitions (p. 78)
GUID Partition tables (p. 80)
Magnetic Media Recognition (p. 81)
Deleted file recovery (p. 82)
CD Recovery (p. 83)
How to recognise type of CD/DVD (p. 85)
UDF Anchor Volume (p. 87)
Unerase CD-RW (p. 88)
Multi-session UDF (p. 91)
Camcorder Recovery (p. 92)
Rebuild video disk files (p. 94)
FAT Disk restore (p. 96)
How to recover a FAT disk when boot sector and one FAT is missing (p. 100)
BIOS Parameter FDC descriptor for FAT (p. 102)
Missing directories and files on a FAT disk (p. 104)
How to recover a FAT disk when boot sector is missing (p. 105)
FAT32 deleted file recovery (p. 106)
FAT File allocation table validation and correction (p. 108)
Recover FAT32 disk when it has been reformatted as NTFS (p. 109)
exFAT (p. 110)
Linux and Unix recovery (p. 111)
Macintosh Recovery (p. 113)
MTF .BKF files (p. 116)
NTFS Recovery (p. 117)
BIOS Parameter FDC descriptor for NTFS (p. 122)
NTFS MFT range (p. 123)
Search for MFTs (p. 124)
Files lost when NTFS reloaded (p. 126)
Cannot read first MFT, copy failed (p. 128)
NTFS with confused partitions (p. 129)
Alternate Data Stream (p. 130)
Recovering when a new/different operating system has been loaded (p. 131)
Deleted Partition (p. 133)
How to find and recover lost files (p. 134)
Recovery from a drive with many bad sectors (p. 135)
Data carving options (p. 137)
Raw files (p. 139)
Search String (p. 140)
Recovering files from image format (p. 142)
Fragmented file processing (p. 143)
JPEG images and metadata (p. 146)
Fragmented Files (p. 147)
Fragmented AVI files (p. 149)
Tutorials (p. 150)
General NTFS Recovery (p. 151)
Recover video from camcorder with a hard drive (p. 153)
Recovery of lost files on an otherwise working disk (p. 154)
Photo recovery (p. 155)
Imaging failing drive (p. 156)
Video file recovery (p. 158)
Video recovery from mini-DVDs (p. 158)
Video recovery from memory devices (p. 160)
MP4 disk layouts (p. 161)
mp4_scan (p. 164)
MP4 file structure (p. 165)
GoPro video recovery (p. 166)
HP MediaVault data recovery (p. 168)
HP MediaVault Tutorial (p. 169)
Forensic Tools (p. 172)
CnW Recovery forensic investigation tools (p. 172)
Discover deleted files (p. 175)
ISO9660 and Joliet investigation (p. 176)
UDF forensic investigation (p. 177)
NTFS forensic investigation (p. 178)
MFT Parse (p. 179)
DVD Properties (p. 181)
Data Carving (p. 182)
Manual Data Carving (p. 184)
Data Carving with an Excel File (p. 185)
File Validation (p. 187)
XML Forensic Report (p. 188)
NSRL Hash tables (p. 190)
Disk scan (p. 191)
Virtual disk image (p. 193)
Forensic analysis tips (p. 194)
File selection (p. 195)
Overview (p. 195)
File extension selection (p. 197)
Date selection (p. 198)
Directory selection (p. 199)
File name selection (p. 200)
File selection based on MD5 value (p. 201)
File size selection (p. 202)
Import List (p. 204)
RAID drives (p. 205)
RAID drive selection (p. 207)
RAID configuration (p. 208)
RAID boxes and configurations (p. 210)
RAID JBOD (p. 211)
Typical RAID setup parameters (p. 213)
HP MediaVault recovery (p. 214)
Fragmented files (p. 216)
Fragmented 3GP/MP4 files (p. 216)
Typical 3GP corruptions (p. 219)
Fragmented Zip and DOCX files (p. 220)
Recognising Sectors (p. 223)
Master Boot Record (p. 223)
GUID Partition sectors (p. 225)
BIOS Parameter Block BPB (p. 227)
FAT directory entry (p. 229)
NTFS directory entry, MFT (p. 231)
Disk clusters (p. 233)
Apple Volume Header (p. 235)
VMFS sectors (p. 236)
General tools (p. 238)
Split directories (p. 238)
Merge disk images (p. 239)
Extraction (p. 240)
User passwords (p. 241)
AVCHD reconstruction (p. 242)
Extract and join (p. 243)
Fake memory test (p. 244)
Reconstruction tips (p. 245)
Restoration (p. 245)
Logs (p. 246)
Log overview (p. 246)
File details (p. 247)
Search for sector (p. 251)
File fragments (p. 252)
Job details (p. 253)
Forensic Report (p. 256)
Keyword search (p. 258)
Trace file (p. 259)
Errors and problems (p. 260)
An error occurred in an unknown file (p. 260)
Missing files (p. 261)
Error Messages (p. 262)
All files are short (p. 263)
Files not saved (p. 264)
CD physical structures (p. 265)
Disk at once (p. 265)
Track at once (p. 267)
Session at once (p. 268)
Packet writing (p. 269)
CD terms (p. 270)
Glossary (p. 272)
Terms (p. 272)
Useful links (p. 273)
Contact Us (p. 274)
Addresses, and contact details (p. 274)

Last updated November 2014. Copyright CnW Recovery Developments Ltd.

Introduction

CnW Data Recovery Software: recover lost or deleted data, files, photos and videos; partially failed, corrupted or quick reformatted disks; forensic investigation tools.

CnW Recovery is a program to recover and restore data from CDs, DVDs, hard drives and memory chips. It recovers data from damaged and corrupted disks, memory chips, CDs and DVDs. It optionally provides a large amount of forensic analysis of the media, including partial files, deleted files and data stored in unallocated space. The program is configured with many options, ranging from basic data recovery of CDs and camera memory chips up to full and automatic forensic analysis of most media. Full logs are created for the forensic applications, along with data hashing so that it can be verified that data has not been changed since it was restored.

The basic functions of CnW are to list the disk properties and to recover the data in one of several possible ways. Wherever possible, the program will determine the best mode of operation, but this can normally be overridden where the user has determined that a different mode may be more appropriate.

CnW can be used to recover data from almost any Windows compatible storage device, including the following:

- Hard disk drives
- RAID 0 and RAID 5* configurations
- LBA48 compatible, ie disks/RAIDs larger than 2TB can be read
- Floppy disks
- CDs and CD-RW
- DVD and DVD-RW, including mini DVD
- Iomega Rev drives
- Optical disks
- Flash memory
- Camera memory
- Thumb drives and pen drives
- Jaz drives, 1GB and 2GB
- Zip drives, 100MB, 250MB and 750MB
- Disk image files

The program operates with USB, IDE, Firewire, S-ATA or SCSI drives on a Windows 2000, Windows XP or Vista system. Image files (dd format) may also be generated and subsequently used rather than the original media.

Logically it will read disks and media formatted as FAT12, FAT16, FAT32, NTFS, Mac HFS Plus, ISO9660, Joliet, UDF and MTF (.BKF files). Some Unix formats, including XFS, ReiserFS and HP Media Vault, are supported. It supports multiple partition drives and multi-session CDs/DVDs. Each type of media, and how to recover from it, is described in detail in the relevant section of the Recovery chapter in this manual.

Typical features that will be used in recovery include the following:

- Recovery when the boot sector is missing or corrupted
- Recovery when a disk has been re-partitioned
- Recovery after a quick format
- Wizard operation
- MP4 recovery
- AVCHD recovery
- Deleted file recovery, including intelligent recovery on FAT32 disks
- Disks with failed sectors
- One step video disk recovery and creation of new video compatible files
- Data carving
- Fragmented photo and AVI recovery
- Disk imaging, including incremental images
- Viewing of sectors
- Deduplication of files
- Raw file recovery, when no file system remains
- Logging of file details, enhanced in forensic mode
- Alternate Data Streams on NTFS disks, and Mac resource forks
- Slack* and unallocated space recovery
- Processing and recovery of fragmented files, eg JPEGs, 3GP
- Manual* data carving

(* some of the above are forensic/RAID only features)

A free demo download may be evaluated to determine if your data can be recovered. The program may then be purchased online from the CnW Recovery website. To help use the program, go to the getting started tutorial. Amongst other points, it explains how to recover files on a corrupted hard disk. Typical recovery procedures is a list of examples of how different types of failure or corruption can be handled. If problems are encountered, the section on Errors and Problems may provide assistance.

On every screen of CnW Recovery software, pressing F1 opens a context sensitive help screen. On many screens, moving the mouse over a button displays a small help message (tool tip). On many of the recovery option boxes, double clicking on a sector value displays that sector.

CnW Recovery may be contacted with any questions at info@cnwrecovery.com, or by looking on the website. A PDF copy of this help may be downloaded from the website. Overall, the program is simple to use, and powerful enough to recover data in most instances.

Demo program

The demo program is exactly the same as the production version, with the exception that files may not be restored to the hard disk. This is an important point: if the demo cannot see a disk drive, or the files required, neither will the licensed version. On startup, the Welcome screen will be displayed, and once a registration code has been received there is a function button to enter the key value. In order to complete any registration, the 8 byte Machine ID code must be sent to CnW, which will then enable the software on the current machine. There is also a direct link to the online Purchase Now page of the CnW Recovery web site. Purchase of a licence may be made using PayPal and the registration key will be returned within a few minutes, fully automatically.

Will the program recover my files?

To get the best value from the demo, it is worth trying to recover data from a problem disk. Any files that could be recovered can be displayed, either as a hex dump or, in the case of pictures, as a small image. The log lists all such files, and is used to view them, even on the demo. The easiest way to recover data is by using the Wizard, but for more complex setups the Main Recovery functions and other options will be required. Along with recovery tools, CnW Recovery has useful tools such as sector viewing and partition analysis, and extensive logging features.

Options

The standard demo does not enable the forensic features or RAID features. If these need to be evaluated, please contact CnW for details of how this option can be viewed in demo mode.

Support questions

Any query or question will be responded to typically within a day, and often within the hour, depending on time zones across the world.

Demo Status

When the wizard does a media scan with the Demo system, it will display a very brief screen giving details of the number of files restored, and how many were images. This screen is shown below. This is a brief indication of what could be recovered with the fully licensed copy of the software. In order to view some of the files, it is possible on the analyse screen to open the Log and double click on files. These will then be displayed, either in hex or as an image.

Software limitations with failed hardware

CnW Recovery is a software only program and so there are limitations on the types of recovery it can do. It relies on being able to see the drive as a physical device within Windows, typically as a USB or IDE device.

Good signs:
- Drive spins
- Heads move
- No clicking
- No very hot spots

Bad signs:
- Drive not spinning
- Drive clicking
- Hot spots on the controller board, or smoke

Any of the bad signs normally means that a physical repair will be required. It could be new heads, controller board / firmware updates or a new motor. It is not possible to repair every drive, in particular those which have suffered platter damage. DO NOT open a drive unless you are a qualified repairer: you will do far more damage than good. If a drive has a failure of the controller board, or will not spin, then no software only solution will work. If the drive is recognised as a physical drive, then there is a very high chance that CnW Recovery will be able to recover data.

For CDs and DVDs it is always recommended that a full RW drive is used to recover data. These types of drives have features that will enable disks that have not been closed to be read. However, not every unfinalised DVD can be read; some will require services from the CnW office, who have a modified drive to read such disks.

If there is any question of whether the program will work, the quick answer is to download the demo and try.

Installation

Installation and hardware requirements

CnW data recovery software will operate on any modern PC running Vista or Windows 7. Minimum hardware is as follows. Most machines, including laptops, less than 5 years old will be fully compatible.

- 1GB RAM or better (more preferred)
- Processor 1.5GHz or better (2GHz preferred)
- 20MB disk space for program installation
- Available disk space to match the capacity of the media being restored
- Interface to the media being restored, typically USB 2.0 or USB 3.0 (USB version 1 is extremely slow)
- USB card reader to read camera memory chips

Interface for media to be recovered:
- For hard drives, an external USB case is good
- For IDE laptop drives, a 3.5" to 2.5" adaptor is required, or a USB case
- For CD/DVD, a suitable RW drive, typically USB based

When using external drives, do ensure there is always good cooling; a drive fan is an easy solution, or a case with a large built in fan.

NEVER LOAD CnW RECOVERY SOFTWARE OR ANY OTHER RECOVERY SOFTWARE ON TO A HARD DRIVE THAT HAS FAILED OR BECOME CORRUPTED. IT CAN LEAD TO MAKING A RECOVERY IMPOSSIBLE, OR LOSING MORE DATA THAN NECESSARY. Please read What to do when media has failed for more details.

Vista and Windows 7, 8

With Vista and Windows 7 it is necessary to run in Administrator mode (in order to access physical drives). When the program is started, the UAC message box is displayed, and has to be accepted.

How to load the software

To load the software, run the CnWInstall.msi program downloaded from the CnW website. The link from the download page actually downloads a small program, CnWDownload, that will then automatically download and run CnWInstall.msi. Normally the default settings will be fine. The default installation directory is c:\Program Files\CnW Recovery\CnW but this may be changed if required. The important files that are installed are cnw.exe and cnw.hlp. There is also a subdirectory with sample File Selection files.

If a SCSI device is to be used, then a SCSI adapter card has to be installed, and the manufacturer's device drivers loaded. CnW Recovery does not use ASPI, although the program works when ASPI has been installed.

How to update CnW Recovery software

The software stored on the web site is always the current, most up to date version. The demo software and production software are identical, but are controlled by the registration key. To upgrade the software to the latest version, download from the web, and install as above.

Hardware setup

The hardware setup can be quite varied. The most important point to note is that CnW Recovery software works by recovering files to a different drive, rather than trying to restore files to the original drive. The next section, Media detection, gives details of each type of media.

Windows XP support

Support for Windows XP was stopped in March. Any downloads on an XP system after this date will have a frozen version, V4.44, installed. The reason for stopping support is to make use of Windows Media Foundation and many useful tools to assist with video recovery. The timing also coincides with Microsoft's end of support for XP.

Dongle installation

When a dongle is used, the registration number (in the Configuration menu) is set to "Dongle" (upper or lower case) and the dongle must be inserted in a USB port. When first inserted, the device drivers must be loaded. This is a simple operation, as described below. It does vary between operating systems, but the following is a general guideline.

Driver downloads

A separate download is required for the dongle drivers. Please go to the following link to download the drivers. The link is near the bottom of the page and the downloaded file is CnWDongle.msi. This is a standard Microsoft Installer file and will by default save the drivers in the Program Files (x86)\CnW Recovery\cnw directory. Drivers will not need updating between versions of CnW.

Insert the dongle in the USB port and Windows will detect new hardware. If it cannot find the driver, or gives you a choice of where to search, then:

- Go to Control Panel, System, Device Manager (or device drivers). In this column you should see the DL-D device with a yellow question mark, indicating no driver found.
- Select the device and then Update driver.
- On the first menu do not search the internet for drivers.
- On the second menu, select the option to install from a specific location.
- The location to install from is in the Program Files directory where CnW has been loaded. By default this will be c:\Program Files\CnW Recovery\cnw\CDM20802 WHQL Certified or c:\Program Files (x86)\CnW Recovery\cnw\CDM20802 WHQL Certified.
- Because the .inf files have been modified (see below), the driver package is no longer treated as certified, so please accept the next warning dialog box. Do not be put off by the red colour. Installation will then take place.

It is not necessary to reboot the PC after installation. The installation is only required the first time the dongle is loaded on a new PC. If the software is run without the dongle being installed, it will only operate in demo mode, ie no files will be saved.

The dongle is not a CnW produced device and the following link is from the manufacturer; it can be used if there are problems with the driver installation. The dongle is based on the FT232 device, but has a non standard product ID, and so the .inf files have been modified specially to handle this device.

Windows 7 64 bit compatibility

The CDM20802 version of the driver, and the CnW supplied .inf files, are compatible with Windows 7 64 bit.

Windows 8 64 bit

Unfortunately the installation on Windows 8 64 bit is a bit more complex. The current driver for the dongle is not signed by the manufacturer and so a process is required to allow Windows to load an unsigned driver. This is a few simple stages, but it does require rebooting the PC, and so these instructions should be printed out to aid the process.

1. Windows Key + R
2. Enter shutdown.exe /r /o /f /t 0 and click the OK button
3. The system reboots here
4. The system will restart to a Choose an option screen
5. Select Troubleshoot from the Choose an option screen
6. Select Advanced options from the Troubleshoot screen
7. Select Windows Startup Settings from the Advanced options screen
8. Click the Restart button
9. The system will restart to the Advanced Boot Options screen
10. Select Disable Driver Signature Enforcement
11. Once the system starts, install the drivers as described above

Driver signature enforcement is a security control: the Startup Settings choice above applies only to the boot in which it is selected, so it is back in force after the next normal reboot once the dongle driver has been installed.

Media detection

Before one can recover data, it is necessary to detect the drive and media. This section gives details of how drives and media should be attached to your PC. Each type of media is attached in a different way, but because the media has probably been corrupted, problems may arise. Each media type is discussed in detail below.

Camera memory chips

A camera memory chip cannot normally be read directly from a camera. There are two reasons: the first is that there are many variations of camera and camera driver, and the second is that very few cameras let an outside device actually access the memory. As it is often the memory that has become corrupted, it is essential to be able to access it directly, without any camera software 'in the way'. The most satisfactory way to recover memory chips is with a dedicated, often USB, card reader. These can be purchased for a very reasonable sum, say $10-20, and often read multiple types of memory chip. When used on an XP, Windows 7 or Windows 8 PC, the memory chip will appear as a logical drive, for instance Drive H:. Once detected, CnW Recovery Software will be able to access the data and recover any files. Memory chips can physically die, so it is always worthwhile testing the USB card reader etc. with a known working card to make sure the system reads it.

Hard disk drive, Zip and Jaz

There are several interfaces that may be used to access a disk drive or memory chip. From a software standpoint, it is necessary for the computer to see the drive as a physical drive, or as a logical drive, eg drive G:. The following interfaces are supported: USB, IDE, Serial-ATA, SCSI and Firewire.

USB

This is probably the most common interface to be used. A very good way to access failed hard disk drives is in a USB drive caddy. This can then be hot plugged into a PC with no dismantling of the PC. No special drivers are required. Occasionally with a USB interface a failed drive will not be recognised immediately, and it may be necessary to reboot the PC. Sometimes, going into Control Panel and Devices and doing a hardware scan will kick the drive interface into life. There are USB adapters that will drive laptop hard drives directly, often using 2 USB connectors to get adequate power for the drive. Other versions are just a connector that converts an IDE cable to a connector compatible with a laptop drive. The biggest advantage of the USB interface is that hot plugging means that 9 times out of 10 it is not necessary to reboot the computer.

IDE

To connect an IDE drive directly normally means partially dismantling the PC, which is not normally the preferred route. Connecting a drive requires that the drive ID is set correctly, ie Master or Slave, ensuring that it does not conflict with other devices on the same cable. For obvious operating reasons, CnW software will not allow analysis or recovery from the main program hard drive, ie the C: drive. Any IDE drive must be plugged in when the computer has been turned off, and should be detected on start up.

Serial ATA and SCSI

Both these interfaces require either a suitable host adapter card or the relevant interface built into the computer motherboard. The drive may then be connected within the PC or externally. For SCSI it is not necessary to have an ASPI driver loaded, though tests show that when ASPI is loaded the software continues to work as required. Although it may be possible to plug these devices in when the computer is running, typically it will need to be rebooted to see the new device. The alternative can be to go to the Control Panel (in Windows), select System, and then Device Manager. There is an option to 'Scan for new hardware'. This will normally detect new drives without needing to reboot the machine.

Firewire

Many removable drive caddies have a Firewire interface. It can be faster than USB, but does not have the same hot plugging capability as USB. Some laptops and computers have built in Firewire interfaces; for others a special adapter board will be required. To recognise a Firewire drive, it is either necessary to reboot the computer, or to use functions within the Control Panel (see below) to rescan for new drives. For regular swapping of drives, USB is probably easier to use.

Parallel

Parallel interfaces are normally only used on older Zip drives. Most more recent drives are USB based.

Computer Management Control Panel

A very useful Windows tool is the Computer Management option within the Control Panel. Select Administrative Tools, and then Computer Management. The screen below will be displayed. If this program does not detect the required drive, then neither will CnW Software; the problem is likely to be hardware related, and a software solution will not help. When you click on Disk Management, all disks that are seen by the computer are displayed. It may include unrecognised disks, unformatted disks etc. DO NOT TRY AND FORMAT ANY DAMAGED DISK. CnW Recovery software will do better at recovering data without an extra layer of format being added. Note also that Windows mounts any file system it recognises read-write and may write to it; for a forensic job, attach the disk through a write blocker or image it first and work from the image.

On this screen, by right clicking on a disk description it is possible to change the drive letter. CnW Recovery does not mind which drive letter is used, but occasionally it is possible to have a drive letter conflict with a Subst drive. The Disk Management program will sometimes show a disk as a Raw drive, or raw disk. This happens when it cannot determine the operating system, or the operating system is not a standard PC one; for instance a Macintosh disk may well show in this mode. It can also be the case when the disk has lost its boot partition. In these cases it is often best to start by using View Sector to try and determine what type of disk it may actually be. On the Computer Management menu is an Action function. This can be used to rescan the disks, and occasionally this will add disks that have not been detected automatically.

CnW Recovery software will display drives in two ways: one as the logical drive, eg Drive I:, and the other as a Physical Drive. In the screen above, the drive marked as Disk 5 would be shown with two entries, I: and Phys-5. With some disks the system does not allocate a drive letter, and so the only way to view the drive is as a physical drive. If both modes show, selecting either one will produce identical results.

Testing

Once a drive has been connected, it is often worth doing a short test to verify the connection is correct. The simplest test is to read a sector and make sure that data can be viewed. If sector zero cannot be read, try say 100, or 0x100. For a mini DVD, try 15,000 or so; often the start of the disk is very corrupted and unreadable.

Drive letter or disk number

CnW Recovery has two ways it will detect and represent a drive. It can be either a logical drive, eg Drive G:, or a physical drive, eg Physical Disk 3. Both are valid and will produce the same results. If a drive is not recognised by the operating system in any way, then the only option that will be displayed will be the Physical Drive number.

CD and DVD

For data recovery on a CD or DVD, a compatible drive is essential. Fortunately, most new drives are fully backwards compatible. One important note though is that burners (ie drives that will write to a blank disk) have many more features than the simpler read only drives. For this reason it is always best to use a drive that is a burner. The interface of the drive is not important; CnW Recovery software will work with all common types, such as IDE, USB and SCSI. It may be noted that for some CDs and DVDs, when they are very corrupted or unclosed etc., the startup routine of CnW Recovery software can be rather slow (minutes rather than seconds). This problem is being worked on, but patience is useful.
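The sector test described above (read sector 0, fall back to 100 or 0x100, look at the bytes to guess what the disk is) as an added example in Python. This is not CnW Recovery's code, and it does not need CnW at all: it reads raw sectors from a dd image or a device with the ordinary file API. The device paths are assumptions about the reader's setup (on Windows `\\.\PhysicalDrive3` or `\\.\I:`, run as Administrator; on Linux `/dev/sdb`, run as root); the self-test at the bottom uses a constructed image file instead, and the 512-byte sector size is an assumption too (CD/DVD media use 2048).

```python
r"""Sector probe for the Testing section: an added example, not CnW's code.
Reads raw sectors from a dd image or a physical/logical device with Python's
file API, tries a list of LBAs in turn (0, then 100, then 0x100 as the manual
suggests) and shows the first readable one as a hex dump with a rough guess at
what it is.  Device paths are an assumption about the reader's setup: on
Windows \\.\PhysicalDrive3 or \\.\I: (run as Administrator), on Linux /dev/sdb
(run as root).  The self-test below uses a constructed image instead.
"""
import os
import tempfile

SECTOR = 512   # assumption: 512-byte sectors; use 2048 for CD/DVD media


def read_sector(path, lba, sector_size=SECTOR):
    """Return one sector's bytes, or None if it cannot be read in full.
    Raw devices only accept sector-aligned reads, which this honours."""
    try:
        with open(path, "rb", buffering=0) as f:
            f.seek(lba * sector_size)
            data = f.read(sector_size)
    except OSError:                 # bad sector, no permission, no such device
        return None
    return data if len(data) == sector_size else None   # short read = past end


def classify(sector):
    """Cheap first look at a sector, for the 'what type of disk is this'
    question raised for Raw disks.  A label only, not a full parse."""
    if sector is None:
        return "unreadable"
    if not any(sector):
        return "all zeros"
    if sector[:8] == b"EFI PART":
        return "GPT header"
    if sector[510:512] == b"\x55\xaa":           # boot signature
        if sector[3:11] == b"NTFS    ":
            return "NTFS boot sector"
        if sector[0x36:0x3B] in (b"FAT12", b"FAT16") or sector[0x52:0x57] == b"FAT32":
            return "FAT boot sector"
        return "MBR or boot sector (55AA signature)"
    return "data"


def hexdump(data, base=0, width=16):
    """Offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


def probe(path, lbas=(0, 100, 0x100), sector_size=SECTOR):
    """Return (lba, label, sector) for the first readable LBA in `lbas`,
    or None when none of them can be read."""
    for lba in lbas:
        sec = read_sector(path, lba, sector_size)
        if sec is not None:
            return lba, classify(sec), sec
    return None


def make_test_image():
    """Constructed 4-sector image (not real data): an NTFS-style boot sector
    at LBA 0 followed by zeros, written to a temporary .dd file."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xeb\x52\x90"
    boot[3:11] = b"NTFS    "
    boot[510:512] = b"\x55\xaa"
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(boot) + bytes(SECTOR * 3))
    return path


if __name__ == "__main__":
    img = make_test_image()
    # LBA 5000 is beyond the end of the image, so the probe falls back to 0
    lba, label, sec = probe(img, lbas=(5000, 0))
    print(f"LBA {lba}: {label}")
    print(hexdump(sec[:32], base=lba * SECTOR))
    os.remove(img)
```

Against a real device, pass the device path to probe(); a bad sector surfaces as an OSError and is skipped just like the out-of-range LBA in the self-test, which is why reading the first readable sector rather than insisting on sector 0 is the right first check.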

Configuration for CnW Recovery Software

The configuration dialog boxes are for general configuration of the program. The parameters are global in their coverage and typically define how a user wants to do their data recovery. For a one off recovery, the defaults will probably be quite acceptable. The most important feature to check is whether the recovery has to be written to CDs or DVDs. In this case, the Restore Options have flags that assist with file naming and with placing files into suitable subdirectories.

Restore options

This range of options largely controls choices on file naming, and splitting for CDs and DVDs.

Display version numbers on 9660 CDs

CDs internally append a version number to each file name. Thus a file will look like filename.ext;4 for version 4 of the file. For PCs, version numbers are not used, and so the concept is rather meaningless. By default, these version numbers are suppressed.

Limit file name length to be Joliet compatible

When writing to a CD or DVD, Joliet file naming is very common (the other usual option is UDF). Joliet file names have a limit of 64 characters for each element of the name and path. If a CD is to be burnt or written with a longer file name, the application will normally ask to convert the names, or the user has to manually change the name. Files named after URL addresses can be very long. This option will automatically reduce the name length to remain compatible with CD writing. The method used is first to remove any spaces within a name. If that does not save enough space, then the middle of the name is removed, whenever possible ensuring that the file extension remains unchanged.

Limit file name to be UDF compatible

This option is much as for Joliet above, but UDF does allow longer file name elements.

Place files in directories for easy DVD burning

The three options allow for placing files in subdirectories for burning to DVDs, dual layer DVDs or CDs. When selected, the files are written to a subdirectory for each output medium. These directories are called DV01, DV02, CD01 etc. There is some approximation of the total capacity that can be written, allowing for long files and for many short files. Typically a DVD or CD will be filled to about 90-95% of full capacity. The option saves a considerable amount of time trying to find break points by hand. Files that are too large for a CD or DVD (ie more than 700MB or 4GB) will be written to the selected output directory, and not included in a DV01 type subdirectory.

Save original files when a restore fix has been made

When doing a raw read, some files are passed through a verify process. This may include an attempted fix on the file to try and recover a corrupted or incomplete file. The new file will then have a .fix extension to indicate that it has been changed. This option will allow the original files to be saved as well as the fixed version. It is recommended that this option is enabled, except when there is a very severe problem with output storage.

Move files with failed signature into ...\sig_fail directory

As part of the recovery process, files have their signature checked. If a file fails this check, it can be moved into a new directory. For a normal recovery procedure this function has limited use, as there will be many files that fail signature checks. However, for a forensic investigation that may be interested in JPGs, this function will separate out JPG files that have been renamed, in a possible attempt to hide them.

This menu is reached from the Main Functions screen. If the program has just been started and the wizard is displayed, just select any drive, and then the Main Functions option. At this point the Configure icon will be displayed, and the options can then be selected.
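The signature check behind the sig_fail option (the same option appears again under Recovery options below), as an added example in Python. This is not CnW Recovery's code and the magic-number table is an assumption standing in for CnW's own list of recognised types: each file's first bytes are compared with what its extension claims, files whose content contradicts the extension are moved to <root>/sig_fail with their relative path kept, and, as the caveat the manual's wording hides, a second pass reports files whose extension has no signature at all but whose content is recognisable (a JPEG saved as .txt), which an extension-driven check alone can never flag. The directory tree in the self-test is constructed, not recovered data.

```python
"""Signature check behind the "Move files with failed signature" option:
an added example, not CnW Recovery's code.  A small magic-number table
(an assumption standing in for CnW's list) is compared with each file's
extension; files whose content contradicts the extension are moved under
<root>/sig_fail with the relative path kept, so a ZIP renamed .jpg, or a
JPEG renamed to hide it, is set aside for review.
"""
import os
import shutil
import tempfile

HEADER_LEN = 16   # the longest offset + magic below ends at byte 12

# extension -> alternatives; each alternative is a list of (offset, bytes)
# that must all match.
MAGIC = {
    "jpg":  [[(0, b"\xff\xd8\xff")]],
    "jpeg": [[(0, b"\xff\xd8\xff")]],
    "png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    "gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],
    "bmp":  [[(0, b"BM")]],
    "pdf":  [[(0, b"%PDF-")]],
    "zip":  [[(0, b"PK\x03\x04")]],
    "docx": [[(0, b"PK\x03\x04")]],           # OOXML is a ZIP container
    "xlsx": [[(0, b"PK\x03\x04")]],
    "mp4":  [[(4, b"ftyp")]],                  # ISO base media file box
    "3gp":  [[(4, b"ftyp")]],
    "avi":  [[(0, b"RIFF"), (8, b"AVI ")]],    # both parts required
}


def matches(header, ext):
    """True if `header` satisfies any signature alternative for `ext`."""
    return any(all(header[o:o + len(m)] == m for o, m in alt) for alt in MAGIC[ext])


def identify(header):
    """All registered types whose signature the header satisfies."""
    return sorted(ext for ext in MAGIC if matches(header, ext))


def _header(path):
    with open(path, "rb") as f:
        return f.read(HEADER_LEN)


def check_file(path):
    """'ok' if content agrees with the extension, 'fail' if it contradicts it,
    'unknown' if the extension has no registered signature."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    if ext not in MAGIC:
        return "unknown"
    return "ok" if matches(_header(path), ext) else "fail"


def _files(root):
    """Yield (absolute path, relative path with '/' separators), skipping
    root/sig_fail so quarantined files are not examined again."""
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d != "sig_fail"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def quarantine(root):
    """Move every file that fails its signature into root/sig_fail, keeping
    the relative path.  Returns [(relative path, probable real types)]."""
    moved = []
    for full, rel in list(_files(root)):      # list(): finish walking before moving
        if check_file(full) != "fail":
            continue
        probable = identify(_header(full))
        dst = os.path.join(root, "sig_fail", rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.move(full, dst)
        moved.append((rel, probable))
    return moved


def disguised(root):
    """The case an extension check cannot catch: a known signature behind an
    extension with no registered signature, e.g. a JPEG saved as .txt."""
    return [(rel, identify(_header(full))) for full, rel in _files(root)
            if check_file(full) == "unknown" and identify(_header(full))]


def make_test_tree():
    """Constructed sample tree (not recovered data): header bytes only."""
    root = tempfile.mkdtemp()
    samples = {
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # genuine JPEG header
        "pics/photo.jpg":   b"PK\x03\x04\x14\x00\x00\x00",          # ZIP renamed .jpg
        "docs/report.docx": b"PK\x03\x04\x14\x00\x00\x00",          # OOXML, correct
        "docs/readme.txt":  b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",   # JPEG hidden as .txt
        "video/clip.mp4":   b"\x00\x00\x00\x18ftypmp42",            # correct
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data + bytes(32))
    return root


if __name__ == "__main__":
    root = make_test_tree()
    print("moved:", quarantine(root))          # [('pics/photo.jpg', ['docx', 'xlsx', 'zip'])]
    print("disguised:", disguised(root))       # [('docs/readme.txt', ['jpeg', 'jpg'])]
```

Note that a header match is only a first filter: a .docx whose content is a plain ZIP passes, and a truncated file with an intact header passes too, which is why the manual pairs this option with the separate file validation and fix steps.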

Recovery options

These are options for how files should be restored, and control file names and sometimes file locations.

CD-ROMs (ISO9660 and Joliet) store a version number as part of the file name. Typically this number is not required when saving to a Windows system, and this option (by default) removes the extension number.

Limit file name length to be Joliet compatible. CDs and DVDs have certain limitations on file name lengths. This option will automatically ensure that all file names are compatible with writing to a CD. It obviously has to reduce the file name, and initially it will do it by removing spaces from the file name. If this is not adequate, it will start removing characters from the middle of the name, leaving the first characters and final characters unaffected. When it is necessary to reduce the length of a subdirectory, it will always start with the last subdirectory in the chain.

Move files that fail the signature into the \sig_fail directory. Most common file types have a signature that is recognizable. Files that fail this test can be separated into a different subdirectory for later investigation.

Place files into directories for easy burning. This is an option that is useful when restoring from hard disks, and the output is required on DVDs (or CDs). The files are split into subdirectories under headings of DISK1, DISK2 etc. Each directory will be filled to approximately the capacity of a DVD (or CD). Files which are bigger than the capacity of the output media will be stored in a separate subdirectory for manual processing; for instance they could be zipped. When creating these DISK directories, all subdirectories are retained. This can lead to a problem of file names getting too long, in which case they will be truncated, so the output path should be as near the root as possible, and as short as possible. Good examples would be F:\R1 or F:\R2. When the DVD option is selected, directories will be filled to about 4.7GB; for CDs, approx 650M. Dual layer DVDs can also be split.

Save original files when a fix has been made. Certain files are scanned for integrity when restored from unallocated space. This is an option to retain an original file as well as the fixed file. By deleting the original file, at times a significant amount of disk space may be saved, but for a forensic investigation this may not be an important criterion.

Retain logs period. Logs grow with use. This option will allow users to automatically delete logs after a period of time; by default this is 3 months.
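Two of the options just described, the signature check that diverts mismatched files into sig_fail and the Joliet-style name shortening, are illustrated below in an added Python example. It is not CnW's code: the magic-number table, the 64-character limit, the sig_fail directory name and the decision to keep the file extension whole when cutting characters from the middle are assumptions made for this example; the sample files are constructed in a temporary directory.

```python
import os
import shutil
import tempfile

# Magic-number table for a few common types (an assumption for this example;
# a real recovery tool carries a much larger one).
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04",),
    ".docx": (b"PK\x03\x04",),
    ".pdf": (b"%PDF",),
}


def signature_ok(name, head):
    """True when the first bytes of a file agree with its extension.
    Extensions not in the table are not checked and therefore pass."""
    magics = SIGNATURES.get(os.path.splitext(name)[1].lower())
    if magics is None:
        return True
    return any(head.startswith(m) for m in magics)


def sort_by_signature(out_dir, sig_fail="sig_fail"):
    """Move every file under out_dir whose content does not match its extension
    into out_dir/sig_fail, keeping the relative path. Returns the moved paths
    (relative, with '/' separators) in sorted order."""
    fail_root = os.path.join(out_dir, sig_fail)
    moved = []
    for root, dirs, files in os.walk(out_dir):
        # never descend into the sig_fail tree we are filling
        dirs[:] = [d for d in dirs if os.path.join(root, d) != fail_root]
        for fname in files:
            path = os.path.join(root, fname)
            with open(path, "rb") as fh:
                head = fh.read(16)
            if signature_ok(fname, head):
                continue
            rel = os.path.relpath(path, out_dir)
            dest = os.path.join(fail_root, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.move(path, dest)
            moved.append(rel.replace(os.sep, "/"))
    return sorted(moved)


def joliet_name(name, max_len=64):
    """Shorten one path component the way the option describes: first drop
    spaces, then cut characters out of the middle so the start and the end
    survive. The extension is kept whole (a choice made for this example)."""
    stem, ext = os.path.splitext(name)
    budget = max_len - len(ext)
    if len(stem) > budget:
        stem = stem.replace(" ", "")          # first pass: remove spaces
    if len(stem) > budget:                    # second pass: cut from the middle
        excess = len(stem) - budget
        start = (len(stem) - excess) // 2
        stem = stem[:start] + stem[start + excess:]
    return stem + ext


def demo():
    """Constructed output directory: one genuine JPEG, one ZIP renamed to .jpg,
    and a text file whose extension is not in the table."""
    work = tempfile.mkdtemp(prefix="cnw_sigcheck_")
    os.makedirs(os.path.join(work, "DISK1"))
    samples = {
        "DISK1/holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(28),   # real JPEG start
        "DISK1/hidden.jpg": b"PK\x03\x04" + bytes(28),          # ZIP renamed to .jpg
        "readme.txt": b"plain text, extension not in the table",
    }
    for rel, data in samples.items():
        with open(os.path.join(work, *rel.split("/")), "wb") as fh:
            fh.write(data)
    moved = sort_by_signature(work)
    landed = os.path.isfile(os.path.join(work, "sig_fail", "DISK1", "hidden.jpg"))
    shutil.rmtree(work)
    return moved, landed


if __name__ == "__main__":
    print(demo())
    print(joliet_name("a very long file name with many words in it to exceed the limit.txt"))
```

Only the first 16 bytes of each file are read, so the pass over a large output tree is cheap; the renamed ZIP ends up under sig_fail/DISK1 with its original relative path, which is what a forensic reviewer needs to trace it back.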

Registration and options

In order for the software to be used to restore data, rather than just view it with the demo, the product must be registered (i.e. purchased). Registration is controlled by the dialog box shown below that may be selected by pressing the (blue) 'Config' function on the main menu bar. There is also a short cut from the first welcome box when running in Demo mode.

The product can be purchased online; it is then necessary to submit the Machine ID in order to receive a registration code. The registration code is such as " A B0C 4C96C566". This must be 'cut and paste' into the Registration Number box shown above. It is then necessary to restart the program (not the PC) before the new registration is enabled. Once restarted, it will be possible to verify the options enabled. Clicking on the check boxes will not change the selected options. When a dongle is used, the registration number is 'dongle'. To make entering the number by hand easier (cut and paste is easier though), spaces may be included between the numbers. These spaces are ignored and so are optional.

Options

CnW Software is sold with a few options, as listed below.

Demo
The demo is fully functional, but does not save any files onto the hard drive. This also means that it is not possible to create a disk image file, or handle the data carving function of processing fragmented files. The demo does not have any time limitation. The demo will give a very good indication if drives and disks can be recovered. By using the log, images (normal hex dumps) of files can be viewed.

30 Day Licence
The 30 day licence is fully functional and will operate for 1 month. At the end of that period, it reverts back to the demo mode.

Full licence
If both Demo and 30 day licence boxes are clear, then it is a full licence, that will work for an unlimited period of time. The program may be updated as frequently as required for the first year of purchase, after which a support and update fee will be chargeable. The program will never time out, though regular updates will exist.

Raid Options
This enables the optional RAID software and can be purchased with a licence, but is not part of the 30 day licence.

Forensic Options
The forensic options allow further investigation of a disk. The following list will grow, and currently includes:
Hash values for all files recovered
Forensic Reports
Recovery of quick formatted CD-RW disks

Directories

As part of the data recovery process, the directories options allow users to store files in locations suitable for their own computer. By default, all working data is stored under a directory c:\cnwdata, but these can be moved to any other logical location or drive.

Image directory
The image directory is where a file image will be saved. The drive for this directory must have enough space to save a complete disk image. One point to take care of is related to compressed NTFS drives. From experience, a compressed NTFS drive has a limit on the maximum file size that may be saved. The maximum is dependent on the size of the CPU memory, and as a rough guide, a 1GB system will have problems with files of about 60GB or greater. The symptom is normally a 'deferred write error'.

Log directory
Details of every file recovered are logged. The logs can become fairly large, so adequate space should be allowed. However, the logs will compress well, so it is a good directory to apply NTFS compression to. Under recovery options it is possible to limit the length of time logs are stored, which again may help conserve disk space.

Scan offsets directory
For some FAT disks it is possible to adjust for areas of the disk that are not in the correct logical location. This is typically due to the hard drive mapping table being corrupted. The offsets are stored in a file in the scan offsets directory.

Log Export Directory
Log files may be exported into a CSV format. These files are stored in the directory specified in this section.

File Filter Directory
File filter routines are stored as short data files. This is the directory location where those data files are stored.

Search Strings
The search strings directory is where tables of search parameters are stored.

Temporary files directory
The temporary directory is used for some processes that require temporary files. These files may be deleted, and at times the program will automatically purge the directory. Do not be tempted to store any user data in this directory.

Hardware config

The hardware configuration allows users to configure the system to operate as required, in particular when a disk error is detected.

Enable multiple sector reads
This option will place the reading drive into a mode where multiple sectors are read at once. This gives a very large performance benefit over single sector reading. However, when an error is detected, the system will automatically go to single sector reading. It will also automatically go back to multiple sector reading after a considerable number of sectors have been read without an error.

Never skip sectors
In this mode, while creating a disk image, the program will never try and skip a sector after a sequence of errors has been found. Forensically this is the secure mode, but realistically, skipping sectors can save a considerable period of time when creating a disk image, though data may be lost.

Basic Rules of Data Recovery

What to do when media has failed

A very important rule of data recovery is never to make the situation worse, and never change anything that may prevent the next level of recovery being attempted, if the first level fails. Put very simply, this means that one should never write to a media that has failed or become corrupted. With read only memory, such as CDs and DVDs, this is not a problem. For hard disk drives, this message is extremely important.

If the media is failing, such as a hard disk acquiring more bad sectors, the best first stage is to make an image of the disk. This image may then be used without any danger of either making the hard disk fail quicker, or fail so that no more data may be recovered. Forensically, this is also a very good move; all time spent with the original media has to be logged and monitored very carefully. A true image of the disk, with the relevant MD5 hash value, reduces some of the chain of custody issues when dealing with a forensic or legal recovery situation.

Data recovery is required when media fails due to either hardware issues or software corruption.

Hardware issues
To recover data, first one must be able to read the media. A very simple test is to go to the view sector function and try reading a few random sectors. If sectors can be read, then there is good hope of further recovery. If no sector can be read, then one needs to investigate further, but data loss may be the outcome. See Hardware failure, what next for some ideas.

With failure due to hardware issues, the first stage must be to access as much data as possible from the disk, and save it on a new storage device, i.e. another hard disk. The best way to do this is to make a disk image using the Image and raw recovery function. A curious aspect of hard drives is that most modern ones are always recalibrating themselves. This sometimes shows with a drive that can be extremely slow to read, but after maybe 12 hours suddenly goes quickly. This can also be due to errors being mainly at the start of the disk. See Recovery from a drive with many bad sectors for more details.

With a drive that cannot be recognised by a PC, but the disk is still spinning, there may be an issue with the controller board. Replacement of the controller is actually very simple, just unscrew about 5 screws. It must then be replaced with an identical card, with identical version. However, do not expect a high success rate for this. If the heads have failed, then a new controller board will not assist. Also, with reference to the recalibration note above, the controller boards may be calibrated so far apart that no data will be seen. Opening the drive should never be done. Unless opened in a special clean room environment (i.e. not an office or domestic room) the drive will be damaged due to dirt in the air.

Software issues
Unlike hardware issues, software corruption is often easier to handle. As always, it is best to make a copy of the drive, so that there can be an unlimited number of attempts to recover data by using different aspects of CnW Recovery software, and sometimes by trial and error with setting parameters. Much of this manual will guide you through different approaches that can be tried.

Corruption and software failure can be caused by one or many of the following causes:
Accidental deletion
Reformatting
Power cuts / surges
Operating system error
Removal of media before writing completed, or finalising for CDs / DVDs
Reloading operating system
Boot sector failure
And many other reasons

Hardware failure - what next?

If, while trying to read a disk with the View function of CnW Recovery software, no sector can be read, or the sector is just displayed as 5A 5A 5A, it is possible that the media is totally dead. Before giving up, there are several things that can be tried, sometimes media dependent. The first stage with all types of media is to ensure that the basic reading / interface hardware is working. Thus if trying to read a DVD, test the drive with a known good DVD. If reading a memory chip, try a known working memory chip in the same card reader.

Range of error
It is important to know if the whole media has failed, or just part of it. This can be tested by using the View sector function, and trying different values within the range of the disk. Most disks should start reading at location 0 (though some CDs start at 500, and mini DVDs at about 12,000). The top sector on a disk is dependent on the size of the media. For hard drives and memory chips, the capacity is normally known, and as a rough guide, the top location in millions of sectors is twice the capacity in GBs. For example, a 30 GB disk has about 60 million sectors. A 512MB (0.5GB) memory chip has about 1 million sectors. A sector is 512 bytes. For CDs and DVDs, the sector size is 2048 bytes (2K). The number of sectors on a CD / DVD does depend on how much has been written, but a full CD could have about 350,000 sectors and a full DVD could have just over 2 million sectors. As mentioned above, CDs and DVDs do not always start at sector 0. Sector 16 is normally very important, and so should always be tested. If every sector attempted fails (i.e. error message or 5A 5A on the screen) then there is not much hope with the present hardware.

Hardware variations
For a CD / DVD it is important to make sure that the drive is a RW drive, and compatible with the format being used. Often though, reading marginal CDs can be drive dependent. Thus try the media on a different drive; there may be some luck. For a hard drive, the preferred way to read the drive is in a USB caddy. Try a different caddy, or possibly connect the drive directly to an IDE connector in the computer. For a USB memory stick check that the connector has not been broken. Very occasionally it is possible to repair these, but it does require a significant element of good luck.

Partial reading
If some sectors can be read, then the next stage must be to make a disk image. Using the Image function an image can be created. If the start of the media cannot be read, it can be skipped. The image will be padded (with 5A 5A). It is also possible to skip a section. If the copy goes very slowly due to failed sectors, the copy can be cancelled and restarted at a higher location. Any missing area will be padded. Once an image has been created, a recovery can be attempted, and it is possible that much data can be recovered.
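The imaging behaviour described here (skip an unreadable start, pad with 5A, carry on past bad sectors), together with the multiple-sector-read fallback from the Hardware config section and the MD5 hash mentioned under Basic Rules of Data Recovery, is shown below as an added Python example. It is not CnW's code: the device is a constructed in-memory stand-in with a few sectors that fail, and the burst length of 16 sectors and the 64 clean sectors required before returning to burst reads are assumed values.

```python
import hashlib

SECTOR = 512
PAD = b"\x5a" * SECTOR          # the manual's 5A padding for anything that could not be read
BURST = 16                      # assumed: sectors per multiple-sector read
CLEAN_RUN = 64                  # assumed: clean sectors needed before returning to burst reads


class FlakyDevice:
    """Constructed stand-in for a failing drive: a byte buffer plus a set of
    sector numbers that raise IOError when they are read."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.sectors = len(data) // SECTOR

    def read(self, lba, count=1):
        for s in range(lba, lba + count):
            if s in self.bad:
                raise IOError("read error at sector %d" % s)
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


def image_device(dev, start=0):
    """Image dev from sector `start` to its end. Sectors before `start` are
    padded (the skipped area). Reads BURST sectors at a time; after an error it
    drops to single-sector reads, pads each sector that still fails, and goes
    back to burst reads once CLEAN_RUN sectors in a row have read cleanly.
    Returns (image_bytes, list_of_bad_sectors, md5_hex)."""
    out = bytearray(PAD * start)
    bad = []
    lba = start
    clean = CLEAN_RUN                    # begin in multiple-sector mode
    while lba < dev.sectors:
        if clean >= CLEAN_RUN:
            count = min(BURST, dev.sectors - lba)
            try:
                out += dev.read(lba, count)
                lba += count
                continue
            except IOError:
                clean = 0                # burst hit an error: re-read it sector by sector
        try:
            out += dev.read(lba, 1)
            clean += 1
        except IOError:
            out += PAD                   # unreadable: pad and log, never stop
            bad.append(lba)
            clean = 0
        lba += 1
    return bytes(out), bad, hashlib.md5(out).hexdigest()


def verify_image(image):
    """Re-hash an image file; the value belongs in the forensic log."""
    return hashlib.md5(image).hexdigest()


def demo():
    """Constructed 200-sector device (sector n filled with byte n % 256) with
    three unreadable sectors, imaged twice: in full and skipping the first 10."""
    data = b"".join(bytes([n % 256]) * SECTOR for n in range(200))
    full = image_device(FlakyDevice(data, bad_sectors={5, 6, 100}))
    skipped = image_device(FlakyDevice(data, bad_sectors={5, 6, 100}), start=10)
    return full, skipped


if __name__ == "__main__":
    (image, bad, digest), _ = demo()
    print("bad sectors:", bad, "md5:", digest)
```

The image keeps a one-sector-for-one-sector layout even where sectors were skipped or unreadable, so sector numbers in the image match the original device and the bad-sector list doubles as the record of which regions are padding rather than data.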

Welcome Screen

The first entry screen for CnW is where the media is selected, and typically the type of recovery. It also allows going straight to the main recovery tools.

To select a physical drive
On program start up, the list box at the top left is filled with all possible drives. If a drive is selected, very brief details are shown below. Also, at this point, the types of functions possible are enabled. The box below gives a very brief description of the drive with partitions and total drive capacity. It is not possible to select Drive C: or Phys-0 as these are normally the system drive. Recovery should never be attempted on a working system drive as temporary files etc. could be written to the disk at any time and potentially overwrite any lost files. To recover such files, the disk must be set up as a slave drive on a different PC.

User name and job reference
These parameters are used in the log, and as a selection basis for the forensic report.

Main Functions
Recovery functions and other options. The main menu is where all the basic recovery tools can be accessed. There are options to configure recovery functions and modify certain parameters. When a drive has had a major failure, or corruption, it is not always possible to determine the original configuration exactly, but CnW will allow these relevant values to be entered manually. All the basic recovery functions are selected from this main menu.

Data carving
Data carving is the process where a disk of any format may be searched for possible files, based on the file signature. Files are then saved in subdirectories based on file type. This works with all types of media but should be treated as a second option as file names and directory structure are not retained.

Create drive image file
This creates an image file of the media. It is in effect a Unix DD file with a one sector for one sector mapping. Blank and unreadable sectors are padded. Incremental imaging may be performed with this function.

Forensic image and scan (under development, due December 2013)
This is a forensics only option. The function will optionally create a disk image file, and then scan for all files, and optionally take hash values of the files and unallocated space.

Recovery Wizards
Before any routine is run, there is a very simple physical drive test to try and detect if there are significant errors on the drive.

Memory chip photo recovery
For the majority of memory chips, this will be a simple one stage operation. The memory will be analysed, and files recovered. During the recovery process thumbnails of photos will be displayed. There is also an option to help process fragmented files.

Failing hard drive
This process will first create an image file of the disk, and then call the relevant recovery routine.

CD/DVD recovery
This function calls the CD recovery function.

Mini DVD video
It is very common for mini DVDs to become unreadable, sometimes due to being taken out of the camera. This function will analyse the disk and produce a complete video file.

Corrupted drive
This wizard calls the main recovery routine with the best settings to read a corrupted drive.

AVCHD memory chip
The recovery scans a memory chip and reconstructs all fragments from AVCHD files.

Repartitioned drive
This is a wizard to be used when a drive has been repartitioned. Attempts will be made to establish any previous partition.

Formatted drive
This is a wizard to work on a drive that has been reformatted. The drive is analysed to determine if the drive has had the logical file system changed.

MP4/3GP Recovery
This function does a comprehensive scan of the disk or memory chip and will attempt to reconstruct MP4 video files.

DOCX and Zip recovery - under development
The disk or memory chip will be scanned and all Zip files reconstructed. Fragmented files will be joined and corrupted files will be reconstructed to create a valid ZIP file, but it may not be complete.

AVI Recovery - under development
AVI files are typical video files from cameras. Being typically FAT32, these suffer from fragmented files and the wizard will help reconstruct such files. AVI is also sometimes used with security camera software.

PC Sleep / hibernate mode
When CnW Recovery is recovering files, the sleep / hibernate mode of a PC is inhibited. This means that long recovery processes can be started and they will not be truncated by maybe a 2 hour 'sleep' policy on a PC.

Unrecognised media
The CnW Wizard will try and determine what type of disk is being read. If a disk has very few good sectors, or is very badly corrupted, typically at the start of the disk, it can be difficult to determine. It is also unlikely that the wizard will manage recovery, so manual operation will be required. To determine the type of media does take experience, but the following is a brief guide to the possible types. They fall into two categories, for CDs and DVDs, or for magnetic media such as hard drives and floppies.

CD / DVD operating systems
ISO9660
Joliet
UDF
Macintosh
For more details on recognition see How to recognise types of CD/DVD.

Magnetic Media
FAT12
FAT16
FAT32
NTFS
HFS+ (Macintosh)
For more details on recognition, see Magnetic media recognition.

Once the operating system has been determined, it will be possible to start the Recovery function in the correct mode. For CDs, this will mean selecting the correct operating system in the options box. For magnetic media, the operating system will be entered via the partition selection routine.
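As an added illustration of the recognition step (not CnW's code; the manual's own recognition pages are referenced above), the Python below classifies a CD/DVD by walking the volume descriptors from sector 16, and a magnetic volume by the signatures in its first sectors: the NTFS and exFAT OEM strings, the HFS+ volume header at byte 1024, and for FAT the cluster count derived from the BIOS Parameter Block, which is what decides between FAT12, FAT16 and FAT32. The sample sectors and CD images are constructed inline; the descriptor and BPB layouts follow the published ISO 9660, UDF and FAT specifications.

```python
import struct

CD_SECTOR, HD_SECTOR = 2048, 512
JOLIET_ESCAPES = (b"%/@", b"%/C", b"%/E")     # UCS-2 escape sequences in a Joliet SVD


def identify_cd(image, max_descriptors=32):
    """Walk the volume descriptor area of a CD/DVD image (2048-byte sectors)
    from sector 16 and return the set of file systems found there."""
    found = set()
    for n in range(16, 16 + max_descriptors):
        sec = image[n * CD_SECTOR:(n + 1) * CD_SECTOR]
        if len(sec) < CD_SECTOR:
            break
        tag = sec[1:6]
        if tag == b"CD001":                          # ISO 9660 descriptor
            if sec[0] == 1:
                found.add("ISO9660")                 # primary volume descriptor
            elif sec[0] == 2 and sec[88:91] in JOLIET_ESCAPES:
                found.add("Joliet")                  # supplementary descriptor
            # type 255 is the terminator; a UDF sequence may still follow it
        elif tag in (b"BEA01", b"NSR02", b"NSR03"):   # UDF recognition sequence
            found.add("UDF")
        elif tag != b"TEA01":
            break                                    # end of descriptor area
    return found


def fat_cluster_count(bs):
    """Data-cluster count from the BIOS Parameter Block, or None when the
    fields are not sane. The count, not the text label, decides the FAT type."""
    bps, spc, reserved, nfats, root_entries, total16, _media, fat16 = \
        struct.unpack_from("<HBHBHHBH", bs, 11)
    total32, fat32 = struct.unpack_from("<II", bs, 32)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or nfats == 0:
        return None
    fat_size, total = fat16 or fat32, total16 or total32
    if fat_size == 0 or total == 0:
        return None
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    data_sectors = total - (reserved + nfats * fat_size + root_dir_sectors)
    return data_sectors // spc if data_sectors > 0 else None


def identify_magnetic(head):
    """Classify the start of a partition or memory chip from its first sectors."""
    if len(head) < HD_SECTOR:
        return "unknown"
    oem = head[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    if len(head) >= 1026 and head[1024:1026] in (b"H+", b"HX"):
        return "HFS+"                                # HFS+/HFSX volume header signature
    if head[510:512] == b"\x55\xaa":
        clusters = fat_cluster_count(head)
        if clusters is not None:
            return "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return "unknown"


def make_fat_boot_sector(bps, spc, reserved, nfats, root_entries, total16, fat16,
                         total32=0, fat32=0):
    """Constructed boot sector carrying only the BPB fields the check needs."""
    bs = bytearray(HD_SECTOR)
    bs[0:3], bs[3:11] = b"\xeb\x58\x90", b"MSDOS5.0"
    struct.pack_into("<HBHBHHBH", bs, 11, bps, spc, reserved, nfats, root_entries, total16, 0xF8, fat16)
    struct.pack_into("<II", bs, 32, total32, fat32)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)


def make_cd_image(descriptors):
    """Constructed CD image: 16 blank sectors, then one sector per (type, tag, extras)."""
    secs = [bytes(CD_SECTOR)] * 16
    for vd_type, tag, extras in descriptors:
        sec = bytearray(CD_SECTOR)
        sec[0], sec[1:6] = vd_type, tag
        for off, val in extras.items():
            sec[off:off + len(val)] = val
        secs.append(bytes(sec))
    return b"".join(secs)


def sample_cd_images():
    pvd, term = (1, b"CD001", {}), (255, b"CD001", {})
    joliet = (2, b"CD001", {88: b"%/E"})
    udf = [(0, b"BEA01", {}), (0, b"NSR02", {}), (0, b"TEA01", {})]
    return {
        "iso": make_cd_image([pvd, term]),
        "joliet": make_cd_image([pvd, joliet, term]),
        "udf": make_cd_image(udf),
        "bridge": make_cd_image([pvd, term] + udf),    # ISO 9660 + UDF on one disc
    }


if __name__ == "__main__":
    for name, img in sample_cd_images().items():
        print(name, sorted(identify_cd(img)))
    print(identify_magnetic(make_fat_boot_sector(512, 8, 32, 2, 0, 0, 0, 2097152, 2048)))
```

A disc can carry more than one answer (the bridge case: ISO 9660 plus UDF), which is why identify_cd returns a set rather than a single name; on a damaged disc the descriptor sectors themselves may be unreadable, and then the classification falls back to the experience the manual mentions.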


Mini DVD recovery

Mini DVDs store 1.4GB, or about 30 mins of normal quality video. Unfortunately they can fail, often due to camera or operator error, or just bad luck. This function will analyse the disk and determine if there is viable video on it. If so, it will read and produce a directory with a video disk image. The process has only a single prompt, to ensure that the correct output directory has been selected.

The first stage is to read areas of the disk to determine if it is a video disk. Many failed disks do not start until about sector 4000, i.e. approx 0x1000. The next stage is to determine the range of data, testing for both top and bottom locations. If the final location is less than maybe 0x5000 then it is likely that the video disk is not really valid. It indicates that the full disk cannot be accessed by software alone. CnW Recovery do provide a recovery service for such disks, which is performed using specialised hardware.

The Create image file first option will generate an image file in the output directory. This is a useful backup of the DVD disk.

Once the output directory has been selected, the program reads the disk and extracts all MPEG files. These are stored in a directory within the output path. The final directory structure is as below:
x:\chosen_dir\!video\mpeg\video_ts
The !video directory will have MPEG and IFO directories to store the raw MPEG and IFO files. The VIDEO_TS directory will have a recreated disk image, and recreated IFO files; the original IFO files are ignored as often the data is not actually complete.

Once a recovery is complete, there is an option to create a new video DVD. This DVD will be playable in a standard video player.

Create new video DVD

Once the wizard has recovered video data, the data is stored in a file structure suitable for burning to a new DVD. This function will write the DVD as a simple one click procedure. The program will search for suitable drives, and give a list of such drives. Once the relevant drive letter has been selected, it will wait until a blank DVD has been detected. At this point the Burn now function can be selected, and a new DVD created that will be compatible with standard video recorders.

Photo Recovery

Memory chip and photo recovery is a routine aimed at camera memory chips. It will be selected for any device up to 64GB which is either a FAT device, or has no recognisable file system (many camera memory chips have had the start of the chip overwritten). The routine is designed to be as automatic as possible, and the chip will be analysed before the chosen type of recovery is attempted. During the recovery process, example recovered photos will be displayed on the right hand side of the screen.

The option to process fragmented files is applied after a recovery scan. It will detect which files are not valid, possibly due to fragmentation, and attempt to create new files from fragments found on the disk. The success rate does depend on the fragments being present in the first place, and also on how fragmented the files are.

AVCHD recovery

Video cameras often use FAT to record data. When deleted, all details of any data fragments are lost. Also, on some cameras, all information about the location the data is stored in is also lost. CnW have therefore created a special, dedicated function to scan the memory chip and recover all AVCHD video clips. Unlike many other recovery programs, it will produce a number of long clips rather than 100s of short clips that have to be joined together by hand. The process allows for fragmented and deleted files. The routine was designed for memory chips but with V3.91 the 128GB limit has been overcome. Recovery from hard drives is not recommended, but only due to speed issues. The routine does examine every sector and for a 1TB drive this will take a few hours. However, good results will be achieved.

The program is a two stage process:
The chip is scanned for all MTS clusters
The clusters are then sequenced into long data runs
CPI files are recovered
MPL files are recovered

Where CnW Recovery scores over other recovery programs is that it examines the whole memory chip first. It logs the start and end of each cluster of video. From this table it can build complete files, rather than just short fragments. On one real life example 8GB memory chip, there were about 500 fragments, which competing software produced as 500 MPL files. CnW reconstructed the correct number of about 60 files. Where possible (i.e. the information exists) the original dates of the video files are extracted.

Setup parameters
There are two important parameters that must be set correctly before starting. The first is the sector start and cluster size. For FAT chips these are often (but not always) determined by the program. The start sector is an offset of the cluster on the disk, and is modulo the cluster size. If the values are wrong then there will be many more files produced. For most memory chips, the values appear to be start sector 0, and cluster size of 0x. For non FAT disks the cluster size and start sector may be different, e.g. NTFS may have a typical cluster size of 0x8 and often a start sector of 0x0, or sometimes on XP drives 0x7.

The time interval is the interval between frames of video. Auto may be selected, or fixed values of 0x8D0, 0x69C, 0x5ab or 0xb96 may be selected. If the value is wrong, the symptom is many short files being found rather than 10s or 100s of reasonable sized files. If none of the options work, please send some sample (short) .mts files to CnW and a new value will be added.

How to view AVCHD files
AVCHD is a complex format that is a mix of MPL and CPI files. All the video is stored in MPL files, and these can be viewed through programs such as MediaPlayer, but only on Windows 7 (i.e. not XP). CnW recovers files, but does not create valid file names, i.e. the MPL and CPI do not necessarily tie up. One suggested method of recovery is to copy the recovered, complete files back onto a memory chip, and get the video camera to re-index the files. This should produce a memory chip in the format as it was before the files were deleted or corrupted. To view files on an XP PC you will need to download a compatible viewer; do a Google search for possible viewers.

NB Never write to the original problem disk/memory chip unless you have a copy of the disk. If it is required to write to a memory chip to re-index in a camera, either use a new chip, or make sure you have a complete, secure image of the original chip (using the Image Disk function).

3GP, MP4 and MPEG recovery wizard

The wizard is largely aimed at recovering video files from corrupted or deleted memory chips that were formatted with FAT32. The process involves scanning the complete device so will be slow if a large drive is analysed this way. The wizard works for most files with typical extensions of .mp4, .3gp, .mov (although .mov covers several different formats).

3GP and MP4 files are often not stored sequentially on a disk and so special tools have to be developed to recover the files. This wizard is designed to detect, analyse and recover as many files as possible. This can include reconstructing missing elements of the video file, in particular the moov atom which is essential to viewing the video.

The wizard is primarily designed for memory chips, but will also work on hard disk drives. Files on hard disk drives will typically be sequential, while deleted files on a FAT32 chip are typically not sequential. The wizard aims to detect the file type and create a playable video. For both media types, attempts will be made to reconstruct videos that are not complete.

The main way to operate is via a Raw Scan, which scans the complete disk as described below. An option under development is for Scan and Save files which will concentrate on just repairing damaged files, before doing a scan of the unallocated area of the disk.

The wizard works in a few stages:
Stage one: The complete disk is scanned for elements of video files. Typically it will be looking for MP4 tags for the main atoms, such as 'ftyp' 'mdat' 'moov' and 'free'. Each location is then saved in an internal table.
Stage two: A moov element is looked for and if a sequential complete one is found, details are parsed. This indicates the type of camera, type of file, and sometimes the structure expected on the disk.
Stage three: At this point, possible files are constructed starting with a 'ftyp' atom, and then looking (typically) sequentially for the 'mdat' and 'moov' atoms.
Stage four: The file is parsed to see if valid. If it is not valid then full recovery takes place. At first attempts are made to tie the mdat and moov atoms together. If this fails, attempts will be made to reconstruct a moov atom from scratch. This last stage does require a valid moov atom to be present on the disk.

Thumbnail
When the wizard makes a good recovery a thumbnail image will be displayed, even on the demo. For the demo it gives a high level of confidence that the video will be fully recovered. (Not available on Windows XP systems)

Warning messages
In the scanning process certain inconsistencies are sometimes detected, and a ***WARNING*** message displayed.

***WARNING *** A free atom found larger than cluster size
It is possible the cluster size is incorrect - Press F1 for more help
Try cluster size of 0x40

This error indicates that the cluster size is not consistent. A FREE atom is normally smaller than a cluster, and used to pad to the end of a cluster. If the video has been moved from its original memory chip, then there may be a different cluster size. This would also be true if a memory chip was copied to an NTFS hard drive. In this case, the warning message can be ignored. If on the original memory chip, the 'Try cluster size of 0x??' is a guide value to be tried.

***WARNING *** ftyp atoms have been found not on cluster boundary
It is possible the cluster size, or start sector is incorrect. Press F1 for more details
Try start sector of 0x4
And/Or try smaller cluster size

This error indicates a possible problem with the start sector value. The ftyp atom is normally only found at the start of a cluster. Any other location indicates a possible problem. As in the previous warning, copying files to a hard drive can cause false positives.

Some of the file/camera types currently supported.
Many other cameras will match these variations.
Camera
Canon EOS700
GoPro Hero - Black and Silver, all variations including high and low resolution files
Samsung HMX-H300
Kodak Zx1 Pocket Video Camera
Sony PWM-F3
Video format (codec)
AVC1
MP4V
JPEG - under development

Logical file layouts supported
The following list is one that will grow on a regular basis until all common combinations are fully supported. The level of recovery will vary on each type but will eventually include repairing the following types of failure:

Finding each cluster from a fragmented file (often deleted on FAT32 disks)
Creating a moov atom when it is missing
Creating a ftyp atom when missing - this in effect will allow raw mdat data to be displayed
The aim for each disk type is to make the video playable even when areas are missing.

MPEG recovery
This function also looks for and combines MPEG fragments. It is intended to be used on hard drives and will attempt to find runs of MPEGs and then join them into sequences. The matching is not always perfect, so sequences should be checked for false matches.

Cluster size issues
Sometimes a warning message will be displayed indicating that the cluster size, or start sector may be incorrect. The routines expect a FTYP atom to be at the start of a cluster, i.e. byte offset 4. It also expects that if there is a FREE atom it normally only goes to the end of the current cluster. If these conditions are not met, a warning message is displayed. The default cluster size and start sector are generated from the file system information, but this is not always correct. This can be very true if images have been moved to a different type of drive. The solution is not always obvious, and may be a combination of cluster size and start block. However, for a modern memory chip, the cluster start is normally 0x0 and the cluster size for a FAT32 is very often 0x40. It may be necessary to try a few variations.

Repair not implemented
At times a message such as "Repair not implemented M4_FTYP_FREE_MOOV_FREE_MDAT" will be displayed. This means that this possible repair or reconstruction mode has not been implemented yet. Contact CnW if it is required. The intention is to cover all permutations, but development time is not unlimited.

File type not recognised
At times the program may not recognise the structure of the data and will request that a diagnostic log file be sent to CnW. The file is mp4_scan_<date>.$$$, e.g. mp4_scan_ $$$. This stores the locations of each ftyp, mdat etc. found on the disk scan and will help CnW analyse the memory structure. There is no user data in the file, just sizes and locations. NB, because the file is stored in the CnW Temp directory, it is cleared down each time the program starts.

Scan range
When processing camera memory chips, generally speaking it is normal to scan the complete chip. Hence the options for start of scan and % to scan will be 0 and 100. If dealing with a large hard drive, the scan may be very slow. For a 3TB drive we are looking at many hours just for the base scan. For this reason, it is possible to select just an area of the disk to scan, maybe the first 5% as in the example in the screen image above.

Type of memory device
There are two types of file system that can be recovered from: the original camera memory, and a logical copy, typically a hard drive. Each will expect data stored in a different way. For camera memory, it is common for the basic sections to be stored out of sequence, and at times the moov atom may not have been generated. For a logical drive, the file is normally in sequence, but may be fragmented as the result of copying files to a previously used disk drive. Both of these approaches require slightly different recovery processes. By setting the option to either camera memory chip or hard drive the best results may be obtained.

Video type
The default setting is Auto. For memory chips this is probably the best setting. For hard drives there is a significant chance that the drive will contain more than one type of video. The option of video type will allow focusing on the relevant type of video file. The problem (for the user) is to establish which type of file is required. The only safe way is to look at a known good file and hence determine the correct type. For more details look at M4 disk layouts or the list below. For hard drives, this option allows the selection of specific file types. Thus if a Canon camera is to be recovered, the correct file type can be selected.

Development Status
The Wizard function is one of many elements. Only certain stages have been completed and the table below shows the status for each type of video. There are three basic processes, and they are tried in turn. If a video can be verified, nothing more is done; if it fails verification, then the next stage is processed.
Stage 1 - Recover. Assume that the data is in the normal sequence for the format.
Stage 2 - Repair. Assume that the basic sequence is correct, but the moov or mdat has become fragmented, i.e. find all the pieces and put them back.
Stage 3 - Reconstruct. This is when typically the MOOV atom is missing (or too badly corrupted). Data that looks like video data is parsed, and the MOOV atom is reconstructed.
Fr this t wrk, there must be at least ne valid vide n the memry device File type Recver Repair Recnstruct *M4_FTYP_MOOV_MDAT Yes Yes *M4_MDAT_MOOV Yes Yes M4_DATA_FTYP_FREE_MOOV_MDAT Yes Yes M4_DATA_FREE_FTYP_FREE_MDAT_MOOV_FREE Yes Yes Yes M4_FTYP_MDAT_MOOV_FREE Yes Yes M4_MDAT_FTYP_MOOV_FREE Yes Yes *M4_FTYP_MDAT_FREE_MOOV_FREE Yes Yes *M4_FTYP_MOOV_FREE_MDAT Yes Yes *M4_FTYP_FREE_MOOV_FREE_MDAT Yes *M4_FTYP_MDAT_MOV Yes * represents a frmat typically fund n hard drive, rather than n raw memry chip The abve list des change n a regular basis. Fr sme f the repair and recnstructin it is dependent n the type f vide cdec used File type and pssible camera p45

Camera memory chip
  M4_MDAT_FTYP_MOOV_FREE          Canon 700
  M4_FTYP_MOOV_FREE_MDAT          GoPro Hero 3 Black
  M4_FTYP_MDAT_MOOV               GoPro Hero 4 Silver

Hard drive formats
  M4_FTYP_MOOV_FREE_MDAT          Canon 700
  M4_FTYP_FREE_MOOV_FREE_MDAT     Kodak Zx1 Pocket Video Camera
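As an added illustration (not CnW's code), the following Python walks the top-level atoms of an MP4/MOV file and names the layout in the same style as the table above, so a known good file from a camera can be classified before the video type is selected. The sample buffers are constructed here; real camera files carry the same atom headers with far more payload. The M4_ prefix and the DATA_ entries in the table are CnW's own labels and are not reproduced by this code.

```python
import struct


def walk_atoms(buf, offset=0):
    """Yield (offset, type, total_size) for each top-level atom in buf.

    Handles the three size encodings of the ISO base media file format:
    a normal 32-bit size, size == 1 (64-bit 'largesize' follows the type)
    and size == 0 (atom extends to end of file). Stops at the first header
    that does not look like an atom, which is how a truncated or
    fragmented file shows up in practice.
    """
    end = len(buf)
    while offset + 8 <= end:
        size, atype = struct.unpack_from(">I4s", buf, offset)
        hdr = 8
        if size == 1:
            if offset + 16 > end:
                return
            size = struct.unpack_from(">Q", buf, offset + 8)[0]
            hdr = 16
        elif size == 0:
            size = end - offset
        # Plausibility: the type must be printable ASCII and the atom must fit.
        if size < hdr or offset + size > end or not all(0x20 <= c < 0x7F for c in atype):
            return
        yield offset, atype, size
        offset += size


def layout_name(buf):
    """Return the atom order in the manual's naming style, e.g. 'FTYP_MOOV_MDAT'."""
    return "_".join(atype.decode("ascii").upper() for _, atype, _ in walk_atoms(buf))


def has_moov(buf):
    """True if a moov atom (the index a player needs) is present in the walk."""
    return any(atype == b"moov" for _, atype, _ in walk_atoms(buf))


def atom(atype, payload=b""):
    """Build a minimal atom with a 32-bit size; payload content is irrelevant here."""
    return struct.pack(">I4s", 8 + len(payload), atype) + payload


def atom64(atype, payload=b""):
    """Build an atom using the size == 1 / 64-bit 'largesize' form."""
    return struct.pack(">I4sQ", 1, atype, 16 + len(payload)) + payload


# Constructed sample files (not real camera output): the same atoms in the
# orders the table lists for a hard drive and for a camera chip.
SAMPLE_HDD = atom(b"ftyp", b"isom") + atom(b"moov", b"\x00" * 32) + atom(b"mdat", b"\xaa" * 100)
SAMPLE_CHIP = (atom(b"mdat", b"\xaa" * 100) + atom(b"ftyp", b"isom")
               + atom(b"moov", b"\x00" * 32) + atom(b"free", b"\x00" * 8))
# A file whose moov was never written (camera lost power): only stage 3 can help.
SAMPLE_NO_MOOV = atom(b"ftyp", b"isom") + atom(b"mdat", b"\xaa" * 100)

if __name__ == "__main__":
    for name, data in (("hdd", SAMPLE_HDD), ("chip", SAMPLE_CHIP), ("no moov", SAMPLE_NO_MOOV)):
        print(f"{name:8s} {layout_name(data):24s} moov present: {has_moov(data)}")
```

A truncated file simply produces a shorter layout name, because the walk stops at the atom that no longer fits; that is the signal that stage 2 (repair) rather than stage 1 is needed.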

ZIP and DOCX recovery wizard

The wizard is designed mainly for use with memory chips and other FAT memory devices. The process includes scanning the complete disk, so it could be slow if a large hard drive is analysed this way. The important parameters to set are the start sector and the cluster size. When possible these are automatically determined. On scanning, the program will scan the complete disk; thus for a large hard disk it may be slow, which is why this function is most appropriate for FAT disks, which tend to be memory chips or smaller devices. A DOCX file is itself a ZIP file, so the same scan applies.

On scanning, three elements will be searched for:

Header count - this is the PK 0x03 0x04 local file header found at the start of each block of compressed data; it contains the file name.

The directory header is the PK 0x01 0x02 header. This is the central directory entry for each file and gives the size and offset within the main ZIP file.

Central pointer. This is at the end of the ZIP file and is the PK 0x05 0x06 header (end of central directory). It points to the start of the directory.

After scanning, the program will attempt to recreate ZIP files. This is a process where a starting PK 0x03 0x04 is read and each file within it is read. By knowing the length of the file it is possible to determine the location of the next header. Having scanned every cluster, it is possible to find a cluster with a header in the correct location. A false positive is not very likely, but to trap these the CRC value is tested, and if it fails, another cluster is tested.
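The scan and chain-following described above, written out as an added Python example (this is not the wizard's code). It builds a small DOCX-style ZIP in memory, drops it into a constructed image of junk sectors, finds the sector-aligned PK 0x03 0x04 header, and then follows the chain of local headers by their compressed sizes, rejecting any candidate whose CRC32 does not match. One caveat the chain approach has to handle: entries written in streaming mode (general-purpose flag bit 3) carry a zero size in the local header, so for those the size must be taken from the central directory entry instead; the example stops the chain at such an entry.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"     # local file header
CENTRAL_SIG = b"PK\x01\x02"   # central directory entry
EOCD_SIG = b"PK\x05\x06"      # end of central directory record
SECTOR = 512


def parse_local_header(buf, off):
    """Parse a local file header at off. Returns a dict, or None if implausible."""
    if buf[off:off + 4] != LOCAL_SIG or off + 30 > len(buf):
        return None
    (ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, elen) = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)
    name_start = off + 30
    data_start = name_start + nlen + elen
    if data_start > len(buf) or method not in (0, 8):   # stored or deflate only
        return None
    return {"off": off, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize,
            "name": buf[name_start:name_start + nlen].decode("utf-8", "replace"),
            "data_start": data_start}


def crc_ok(buf, h):
    """Recompute the CRC32 of the entry's data; this traps false positives."""
    data = buf[h["data_start"]:h["data_start"] + h["csize"]]
    if len(data) != h["csize"]:
        return False
    if h["method"] == 8:
        try:
            data = zlib.decompress(data, -15)   # raw deflate, no zlib header
        except zlib.error:
            return False
    return zlib.crc32(data) & 0xFFFFFFFF == h["crc"] and len(data) == h["usize"]


def scan_signatures(buf):
    """Sector-aligned scan for the three ZIP signatures, as the wizard does."""
    found = {LOCAL_SIG: [], CENTRAL_SIG: [], EOCD_SIG: []}
    for off in range(0, len(buf) - 4, SECTOR):
        sig = buf[off:off + 4]
        if sig in found:
            found[sig].append(off)
    return found


def carve_zip(buf, start):
    """Follow the chain of local headers from start; each header's compressed
    size gives the location of the next one. The chain ends at the first
    header that fails to parse, fails its CRC, or uses a data descriptor."""
    entries = []
    off = start
    while True:
        h = parse_local_header(buf, off)
        if h is None or h["flags"] & 0x08 or not crc_ok(buf, h):
            break
        entries.append(h)
        off = h["data_start"] + h["csize"]
    return entries


def make_disk_image():
    """Constructed sample: a small DOCX-like ZIP dropped into a 'disk' of junk."""
    z = io.BytesIO()
    with zipfile.ZipFile(z, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document>hello</w:document>" * 20)
        zf.writestr("[Content_Types].xml", "<Types/>")
    blob = z.getvalue()
    disk = bytearray(b"\xE5" * (SECTOR * 16))           # junk sectors
    disk[SECTOR * 4:SECTOR * 4 + len(blob)] = blob       # ZIP starts at sector 4
    return bytes(disk)


DISK = make_disk_image()

if __name__ == "__main__":
    sigs = scan_signatures(DISK)
    print("local headers at sectors:", [o // SECTOR for o in sigs[LOCAL_SIG]])
    for start in sigs[LOCAL_SIG]:
        for e in carve_zip(DISK, start):
            print(f"  {e['name']} csize={e['csize']} usize={e['usize']} crc=0x{e['crc']:08x}")
```

Only the first local header is sector-aligned in the sample; the second is found purely by following the chain, which is why the scan need only look at cluster boundaries.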

Video scan of hard drive

UNDER DEVELOPMENT!

This wizard is designed to recover specifically video files from a hard disk drive. CnW has several wizards for video recovery, but these are designed with camera memory chips in mind. The videos on these chips are often out of sequence, but at the same time camera memory chips are of limited capacity, e.g. 64GB. Hard disk drives are commonly 2-3TB, and growing every year. Also, files on the hard drive tend to start as sequential files, but can still be fragmented or damaged. The wizard is used to scan the hard drive for specific types of video file, then save, reconstruct and possibly repair them.

Verify disk structure

The verify disk structure function is a series of tests to see if the most important parts of the disk are correct and valid. If the tests are successful, then the Wizard will probably recover the required files. If the tests fail, then the program will recommend a more hands on approach to recovery using the manual tools. The tests carried out are based on what an experienced data recovery person would do to determine the status of a disk before attempting any further recovery. The tests are dependent on the disk operating system, and will automatically sequence through all detected operating systems, since some disks have a mixture of FAT and NTFS. Each test is described briefly, and a status given.

There is a different series of tests for each type of media. For CDs, various areas of the disk are examined, and for a blank CD-RW it will suggest that an unerase process could be tried. The tests are done for all partitions, and so the partition being tested is shown in the first column. Details of each test are described below.

Boot sector tests
For any disk to be read logically it must have a valid boot sector. This is therefore the first test of any data recovery routine. The sector must be readable, and contain valid data. For instance, the check bytes test (see the picture above) ensures that the final two bytes of the boot sector do contain the bytes 0x55 and 0xAA. It will then decode the 1 to 4 partition table entries stored at location 0x1BE in the boot sector (the MBR). If the boot sector has failed, then the program will indicate that the Partitions function should be called to reconstruct a partition table.

CD and DVD tests
Many CDs and DVDs fail due to the start of the disk not being readable. The tests performed are to determine how much of the start of the CD/DVD can be read physically. For video mini-DVDs, it is common for the start to be blank, and then video to be found at about sector 0x4000.

FAT tests
A FAT disk is read using information such as cluster size and the FAT tables. This information is read from the control sector (the boot sector with its BIOS Parameter Block) at the start of the FAT partition. Simple tests are carried out here to make sure that the parameters are within sensible ranges. For instance, the cluster size must always be a power of two number of sectors, such as 1, 2, 4, 8. If a cluster size of 3 or 17 is found, this is invalid. The disk analysis routine in the FAT handler will assist in resolving this problem, but the straightforward wizard will not work.

It is also important that the FAT sectors can be read. The test will attempt to read both copies of the FAT. Each copy should be identical, so it also compares them. Any errors detected indicate problems with the disk. These may be overcome by reading the disk ignoring the FAT, or by reading the disk using FAT2. When reading the disk, the FAT handler, when it finds a failed sector in FAT 1, will automatically look at FAT 2 to see if the matching sector can be read.

NTFS tests
The most important part of an NTFS disk is the $MFT file. This stores all file entry details. The verify routine does a simple physical read of this file, and a verification of the first MFT entry.

At the end of the tests there will be a suggestion as to the next stage. Typically it will be Continue to Wizard. Other options can be Manual Recovery, or Go to main menu.

Manual Recovery will exit the wizard and select the Recover function. At this stage one will have an indication of possible problems with the disk, as well as areas that are considered to be valid.

Go to main menu will exit the wizard and go to the main program menu; no further assistant prompts will be given.
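The boot sector and FAT tests above, as an added Python example (not CnW's code): check the 0x55AA signature, decode the four MBR entries at 0x1BE, range-check the BPB fields that the manual mentions, and compare the two FAT copies sector by sector. The image is constructed in memory; the offsets used are those of the MBR and the FAT32 BPB.

```python
import struct

SECTOR = 512


def check_mbr(sector0):
    """Validate the MBR: 0x55AA at offset 510, then decode the 4 entries at 0x1BE.

    Returns (ok, partitions). Empty entries (type 0) are skipped; a boot
    indicator other than 0x00/0x80 or a zero-length entry marks corruption.
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        return False, []
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, 0x1BE + 16 * i)
        if ptype == 0:
            continue
        if boot not in (0x00, 0x80) or count == 0:
            return False, []
        parts.append({"index": i, "type": ptype, "lba": lba, "sectors": count})
    return True, parts


def check_fat_bpb(boot):
    """Range-check the FAT BPB fields. Returns a list of faults (empty = OK)."""
    faults = []
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    if bps not in (512, 1024, 2048, 4096):
        faults.append(f"bytes per sector {bps} invalid")
    # Sectors per cluster must be a power of two (1, 2, 4 ... 128); 3 or 17 is not.
    if spc == 0 or spc & (spc - 1):
        faults.append(f"sectors per cluster {spc} is not a power of two")
    if reserved == 0:
        faults.append("reserved sector count is zero")
    if nfats not in (1, 2):
        faults.append(f"FAT count {nfats} unusual")
    if boot[510:512] != b"\x55\xAA":
        faults.append("boot signature missing")
    return faults


def fats_match(disk, part_lba, boot):
    """Compare FAT1 and FAT2 of a FAT32 volume sector by sector.

    Returns the indexes (within the FAT) of sectors that differ; an empty
    list means both copies are identical, as on a clean volume.
    """
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", boot, 11)
    fat_size = struct.unpack_from("<I", boot, 36)[0]          # FATSz32
    base = (part_lba + reserved) * bps
    fat1 = disk[base:base + fat_size * bps]
    fat2 = disk[base + fat_size * bps:base + 2 * fat_size * bps]
    return [i for i in range(fat_size)
            if fat1[i * bps:(i + 1) * bps] != fat2[i * bps:(i + 1) * bps]]


def build_sample_disk(spc=8, corrupt_fat2=False):
    """Constructed image: MBR plus one FAT32 partition at LBA 2048 with 2-sector FATs."""
    disk = bytearray(SECTOR * (2048 + 40))
    # MBR entry 0: active, type 0x0C (FAT32 LBA), start 2048, length 40 sectors
    struct.pack_into("<B3xB3xII", disk, 0x1BE, 0x80, 0x0C, 2048, 40)
    disk[510:512] = b"\x55\xAA"
    boot = 2048 * SECTOR
    struct.pack_into("<HBHB", disk, boot + 11, SECTOR, spc, 32, 2)   # 32 reserved, 2 FATs
    struct.pack_into("<I", disk, boot + 36, 2)                        # FATSz32 = 2 sectors
    disk[boot + 510:boot + 512] = b"\x55\xAA"
    fat1 = boot + 32 * SECTOR
    disk[fat1:fat1 + 8] = b"\xF8\xFF\xFF\x0F\xFF\xFF\xFF\x0F"   # media byte, EOC marker
    disk[fat1 + 2 * SECTOR:fat1 + 2 * SECTOR + 8] = disk[fat1:fat1 + 8]
    if corrupt_fat2:
        disk[fat1 + 2 * SECTOR + 4] ^= 0x5A
    return bytes(disk)


if __name__ == "__main__":
    disk = build_sample_disk()
    print(check_mbr(disk[:SECTOR]))
    boot = disk[2048 * SECTOR:2049 * SECTOR]
    print("BPB faults:", check_fat_bpb(boot), "FAT mismatches:", fats_match(disk, 2048, boot))
    print("bad cluster size:", check_fat_bpb(build_sample_disk(spc=3)[2048 * SECTOR:2049 * SECTOR]))
```

When the two FAT copies differ, the differing sector index tells you which part of FAT1 to read from FAT2 instead, which is exactly the fallback the manual describes.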

Physical Media Test

When doing a data recovery on a hard drive it is extremely valuable to perform some basic tests on the drive to determine the best way to progress with the recovery. The Physical Media tests do this by reading different areas of the disk to try and detect whether there are likely to be a significant number of failed sectors. The tests read from the start of the disk, the end of the disk, and then random areas of the disk.

On a good disk, the result will be shown as below, which indicates that no errors were detected and reading was fast. On this type of disk the program will automatically continue to the Wizard.

On a problem disk, there will be indications of failed sectors, or sectors that were slow to read. There should never be indications of slow reading on the first and final sectors, but occasionally disks will indicate slowness on random sectors. This is acceptable. Each test will time out after a minute, and if it does time out, this indicates that there is a physical issue with the disk. Depending on the results, a choice can be made to image the disk first, or to try a straight recovery of the data.

Continue to Wizard
This is the standard option if the physical test looks OK. If there are no more than one or two errors, and reading is reasonably fast, then proceeding to the wizard is the best approach. If too many errors are detected, this option will be disabled. On many formats, the next stage will be a quick evaluation of the disk structure.

Image Disk
If the disk is very slow to read, or has many errors, the best procedure to follow while recovering a disk is to create a disk image. By clicking on this button, the program will go directly to the disk image function.

Cancel
This will return to the Wizard entry screen.

Fake memory chips
There have been several cases where data was apparently lost on a memory chip, but the actual problem is that the memory chip is a fake. It is marked as, say, 32GB, and when formatted looks like 32GB. However, internally it only contains 4GB of memory. When written to, all looks OK until more than 4GB is written. On ones seen, the data then wraps around over maybe just 16MB or 64MB of data area. No errors are seen on writing, but when reading back, in the example above, up to 28GB of data will be lost. The physical media test will try to detect such chips. If found, it is just bad news. Recovery can be attempted, but expect to lose all data written beyond the end of the real physical memory. A new chip can be checked before it is trusted by writing a unique pattern to every block and reading it back; tools such as h2testw and F3 do exactly this.

Failing disk drive

It is common for a disk drive to be failing, i.e. it has a considerable number of bad sectors. A very high level of recovery can often be achieved, but it is very important that the disk is not stressed any more than necessary. Experience also shows that typically the area of the disk to fail first is the directory area, which is also the most useful area of the disk. In normal disk reading, it is common to read elements of the directory multiple times, partly to reconstruct the directory structure. The safest way to proceed with such a drive is to create a disk image first, with the intention of reading every sector only once.

Formatted disk recovery

It is common for a disk to be formatted, but as long as it is not a full format (erasing all sectors), most data can still be recovered. This wizard function works through the stages required for recovery. The stages of analysis and recovery are as follows:

1. Determine if the current file system is as expected, i.e. if the drive is currently FAT, was the original disk FAT?
2. If it is unknown, or a different file system is expected, an analysis of the drive is carried out.
3. The analysis will scan the drive for old partitions, but in particular will look for MFTs, old FAT directories and old Mac catalog entries.
4. The end result will be the partition screen shown below, where it is clear that a disk which is currently FAT has in the past been an NTFS drive.
5. The next stage is to recover data in the format determined from the above. As the disk is no longer in the selected logical format, it will be necessary to do more analysis on the drive to determine the correct parameters.

There is an option to Skip program files. This will skip files such as .dll, .exe, .cab, .ini, .sys. Generally these types of files do not contain user data and are not required.

Program features
The program is designed to assist with formatted disks, and ones where the operating system has been reloaded. In these cases the directory structure is often lost and recovery results in many 'lost_dir' directories. Also, many files found are not actually required, so a filter is set to remove many files that are not normally required on this type of recovery. The list includes .dll, .exe, .msi, .cur, .fon, .xml and others. It also skips files found in typical system and program directories, such as windows, program files, program files (x86). The intention of the above filtering is to try and find just the useful files.

As an extra feature for forensic users, it is possible to select (at the stage where the file system options are shown) an extra filter function that removes system files based on their MD5 hash value. Hash sets can be downloaded from the NSRL and used to skip all known system files.

Partitioned disk recovery

This function is used when a disk has been repartitioned, possibly with a different operating system. It can be possible to scan the disk to detect a file structure from the previous partitioning. An example may be a FAT32 disk that has been reformatted as an NTFS disk.

The basic tool for recovery is the Partition scan function. This is a function that scans each sector of the drive and determines if it is a possible start of a partition. This logic is different for each type of partition.

NTFS partitions
There are two main ways to detect the start of an NTFS partition: find the partition boot sector, or find the start of the $MFT file. One problem with both of these approaches is that many false positives can be found, so verification is required. For a BPB (the NTFS partition boot sector), the cluster address at offset 0x30 must point to a $MFT sector. If the BPB does not point to a $MFT file, then this potential partition boot sector is ignored.

The second approach is to search for all MFT entries. These are then parsed to detect the start of an $MFT. An $MFT entry has a pointer to itself, and from there the location of the partition start can be determined. Knowing this value, the 5th entry in the $MFT file (the root directory) can be read and the location of the '.' root directory index file found. This location is tested to see if it does start with INDX. If it is correct, then the possible partition start sector can be set. If INDX is not found, the $MFT is treated as a false positive, and hence ignored.

AVI Recovery

The AVI Wizard will recover files that have been deleted from memory devices. It will also handle video files that have become fragmented. The program starts by scanning the complete memory chip and then reconstructs video files in the following sequence of events:

1. Find file headers and assume a sequential file.
2. If the sequential file fails, search for the index, and then search for each video cluster.
3. If the sequential file fails, and no index can be found, an index will be generated from the video data that exists.
4. If just indexes are found, the file will be reconstructed from the index.

There are two types of index for AVI files (the original 'idx1' index, and the OpenDML 'indx' index used by larger files). CnW supports both types, but with a file size limit of 4GB; larger files will be supported later.

Forensic Data Recovery

What is the difference between Forensic Data Recovery (FDR) and normal Data Recovery? There are many answers to this question, so the following summary is just one view.

Both tasks are required to recover files when they have been lost, corrupted, deleted, or just cannot be read by the operating system. The desired result is a selection of files that can then be read. Both can use the same techniques of tolerant reading, searching for lost directory entries, or just a raw file search using signatures, often referred to as data carving.

The difference comes with the associated documentation and monitoring of how a file was recovered. This can often mean logging the sectors that made up the file, and also retaining the metadata from any directory entry. For a secure recovery, it is advisable to create an MD5 (or SHA-256) hash value of the file data in order to trap any subsequent, accidental or deliberate, changes to the file. CnW Recovery will always log an MD5 and a SHA-256 hash value for all files recovered. MD5 is no longer collision resistant, so where a hash is to be relied on as evidence of integrity, the SHA-256 value is the one to use.

Forensic investigation of a file is not part of FDR. Thus one is not interested in how a file has been edited, but all dates relating to how and when a file was written to the disk drive are very important. CnW Software has a comprehensive range of logs which track all sector numbers, fragments, dates etc. There is also a report generating function to produce an XML report.

When doing an FDR, it is essential that the data on the drive is not changed. Thus a write blocker should always be used, and all work should be done on identical copies of the disk made at the original imaging.

Recovery Functions

Getting started - General data recovery

Learning to use any software always takes time. Some applications are very straightforward because their function is known. For instance, writing a simple letter in a word processor should be simple straight out of the box. For data recovery, the situation is more complex. This is because each piece of media can fail in different ways. No single approach will always work. The following guide is intended to assist users in finding their way around the program, and bit by bit see what options are available and should be used. To use this as a tutorial, follow each stage by clicking on the links. At each stage there are several options, and these are discussed to assist. There is also a chapter with extra, different tutorials. The section Recognising sectors will be of use for any user not very familiar with the elements that make up a disk.

Stages of data recovery
1. Connect a suitable drive to a computer with the CnW Recovery software loaded. The Installation and Media detection links may be helpful.
2. Ensure that the drive is being viewed; use View sector to look at a few sectors.
3. Run the Wizard and select the drive to recover data from.

If the wizard does not work, use manual mode:
1. Select the Recover files icon.
2. For a hard drive, it is worth checking that the partitions are valid.
3. One of the following Recovery options will be displayed: NTFS recovery; FAT Recovery (hard drives and memory chips); CD Recovery.

For disks that cannot be read logically
Certain disks may have been corrupted, or damaged to such an extent, that logical reading is not possible. For these disks, the next solution is the Data carving option.

For disks with many physical errors
It is common for disks to fail partially. In this mode, many sectors will read, or read after several retries. Some sectors will be unreadable. Trying to recover from these disks can be very slow, in particular if there are failed sectors within the directory area. CnW has several tools to assist in creating a workable disk image.

To recover deleted files
Accidental deletion of files is a very common problem. Recovery is normally possible, as long as other files have not been written to the disk. For CD-R, recovery should always be possible, but for CD-RW it is dependent on what has been written to the disk after deletion. The first stage for recovery can normally be the Wizard; select the Recover Deleted File option.

To recover formatted disks
If a disk has had a complete format (and not a quick format) then your data is lost. There are stories that, using special equipment with the budget of the CIA, it is possible to detect residual values of a previously written byte. The argument is that if a bit is changed from a 0 to a 1, then it may only go to 95% of the expected value. With the density of modern disks, and the recording methods used, I would suggest that it is not actually viable to attempt to recover more than maybe one or two sectors. A typical JPEG photograph is about 1MB, or 8,000,000 bits, which is probably about 12,000,000 flux transitions on a disk. That is a lot of work. For more details, look at

If the disk has had a quick format, then normally only the directories and sector usage tables are initialised. The old data often still exists and can be recovered. The best approach to recovering data varies slightly for each operating system, but for NTFS, searching for all MFTs is a good start. On all formats, there is the option to recover unallocated space, but this does have the problem that typically filenames will be lost.

To recover files from unallocated space
Unallocated space is the area on a disk that the operating system says is free, i.e. there are no files in it. On a brand new disk, this space will normally be blank, or just the values used by the disk initialisation program. On a used disk, this space will often contain files that have been deleted, or possibly moved by a defrag program. The recovery of files from this space does depend on the operating system used, hence the normal recovery mode should be selected, and then the option to recover files from unallocated space should be enabled. All files from the unallocated space will be stored in a main directory of !recover. As there is no information on file structure, the recovery is basically a Data carve. Another way to recover files from the unallocated space is to scan the disk for directory stubs, or MFTs (depending on the operating system). This will recover files in a more logical way, but the option to scan the unallocated space will still apply after all other files have been recovered.

Raid Disks
Raid disks can be recovered once an image has been created; see Disk image for more details. For more comprehensive raid recovery, see the raid option, a chargeable option.

Typical data recovery procedures

Although each type of data recovery may seem unique, fortunately there are patterns. This page is an index to sections that describe each pattern in detail. They fall into groups for each type of media and each type of logical format.

CD / DVD
  Camcorder disks

FAT 12/16 and 32
  How to recover a FAT disk when the boot sector and one FAT are missing
  Missing directories and files on a FAT disk
  How to recover a FAT disk when the boot sector is missing
  Deleted FAT32 file recovery

NTFS
  Files lost when NTFS reloaded

General
  How to recover corrupted partitions
  How to recover when a partition has been deleted

View sector on hard drive, flash memory or CD

The view sector function is a very useful way to get a feel for the state of a disk. A significant feature of the screen display is that for certain types of sector, the contents will be enhanced with a tool tip, i.e. a pop up message describing the information. The number of sector types that will be described will grow as the program develops.

The sector number is entered in the box at the bottom of the screen. Any number may be entered, and the sector will be displayed as quickly as possible. To enter a number in hex, prefix the number with 0x, e.g. 0x101 will display sector 257.

There are two options:

Cluster mode
In this mode, blocks will be read as clusters, depending on the operating system being used. Thus on a FAT disk, cluster 2 is the start of the data section. The blocks are then shown as the cluster length, rather than the sector length.

Expand
Expand mode is for compressed NTFS disks. The data will be expanded, and displayed in expanded mode. The sectors are expanded unconditionally, and so a non-compressed sector will expand to undefined results. However, a sector that has been compressed will expand correctly, assuming the viewed sector is the start of the compression block.

Save...
The save function allows a sector to be saved as a file. The file is a straight copy of the sector, so this is an easy way to dump hard drive sectors. If a complete dump of a drive or disk is required, then the Image and raw recovery mode should be used.

Very slow reading
When a disk is failing, it is very common for a read to take a very long time (several seconds) before either coming up with a valid sector or a failed sector. A sector displayed as all 0x5A bytes is the way used to indicate a failed sector. Occasionally, by jumping to a completely different location and back, reading may be achieved more quickly. Another approach may be to turn the drive off for a few minutes to cool down.

Copy function
The standard Windows copy function, Control C, can be used to make a copy of the sector contents. The area of the sector to be copied to the clipboard must first be highlighted; it can then be saved in another document with the Paste or Control V function. This can be useful if there is a problem that needs reporting.

Update
Occasionally errors can be seen that are due to incorrect values in a sector. Recovery could be possible, but only if the sector is changed. A CnW rule is that no sector on a disk must ever be changed, but this does not apply to a disk image. If the hex values are edited, then the sector can be saved to the disk image. Forensically, any change must be noted. There is always a question asking if the sector is to be updated, and this will enable the update to be aborted.

Disk imaging

This option is used to read the media at a very basic level, from which either a complete image of the media may be made, or an image can be built up incrementally. The image mode can be used either to take a copy of the disk for security reasons, or because the disk has a large number of sector errors. If there are a large number of sector errors, a disk image may be constructed in sections, with the ability to skip bad areas of the disk. The file extraction tools are the same as for recovering from any physical disk, with any operating system.

The image file created is in effect a DD format (as used in Unix/Linux). There is always a one to one mapping of each sector. For failed sectors, the image file is padded with 0x5A ('ZZZZ').

The displayed menu has a section where the media may be determined, which may help in calculating the correct size. The size of the scan in sectors may be entered by hand, and this is typically used when one section of the media has become unreadable, for instance the start or the end of the media. By default, the program will try and read the whole disk. The options allow extracting files in different ways, including allowance for compressed, or partially compressed, NTFS disks.

Raid Disks
When the Raid enable is selected, the image file will be produced with the stripes placed back in logical order, allowing both sections of the raid to be logically placed. For full details see Raid Disks.

Status
When doing a drive scan, status details are displayed. This will include the sectors read and the sectors failed. If the data is being split, it will also give the number of files discovered. The progress bar at the bottom of the screen will also indicate how far through the disk has been scanned. It will be discovered that sometimes the system appears to be extremely slow, and this is normally related to a high number of bad sectors. Unfortunately, there are not many ways around this problem, but the following suggestions may assist. It should be noted that it is always possible to cancel the copy, and then start again at the same location.

The first suggestion is to cancel the copy (but not the current sector), and turn the drive off. Once cooled down it may be possible to start again at the same location.

The second suggestion is to skip a section of the disk. Note where the copy has reached, and cancel the copy. Start the copy again, but make the start sector a higher value. Write to the same output file, and the program will pad the apparent gap with sectors filled with 0x5A. At any time later, it is always possible to follow a similar procedure, and start again in the area that was giving problems.

On an NTFS disk that is reading very slowly, it may be worthwhile, after reading the first few MB, to start the image at the start of the MFT. This value is displayed in the Recover option menu for NTFS. Please read the next section on recovery methods.

A curious observation of slow disk reading is that for some disks, it will sometimes suddenly speed up, and may even continue at high speed to the end of the disk. Patience can sometimes be rewarded with a lot of data, but at other times no significant progress is made.

RAID disk recovery

A RAID is a Redundant Array of Inexpensive Disks, or, as it is more usually expanded now, a Redundant Array of Independent Disks. There are two main reasons behind a RAID: speed, and resilience against drive failure. There are also many variations of RAID giving different levels of resilience and speed.

CnW Recovery currently handles RAID 0, which is a striped set of 2 disks. In this mode data is written in blocks, such as 128 sectors, to each disk in turn. The benefit can be an increase in speed. The downside is that there is no redundancy built in, so statistically a RAID 0 is twice as likely to fail as a single drive, and the failure of a single drive often means that the complete RAID has failed.

RAID 1 is a completely mirrored drive, i.e. two identical drives; there is typically no speed benefit, but a single drive failure means no loss of data.

Higher RAID levels have a mixture of redundancy and speed benefits, and the design goal is to get complete protection from a single disk failure while requiring fewer than double the number of drives, as RAID 1 does. Data is therefore split over several drives in a way that any single failure will still allow all data to be reconstructed. This feature is only supported by the RAID option within CnW Recovery software.

CnW Software handles RAID 0 striped disks via the Image disk function. An image file is created with the RAID option enabled. Both disks need to be read, and it is important that it is determined which is Disk 0 and which is Disk 1. It is also important that the stripe size is determined and set. Both disks are then imaged to the same output drive, and data is placed in the correct logical location. A small problem with this approach may be the necessity to have a temporary drive with the capacity to store an image of both disk drives. Once the image has been created, it is treated as a simple disk image; the RAID element has in effect been removed.

As with standard imaging, the image need not be done in a single go, thus areas of a bad disk may be skipped and data will still be placed in the correct logical location. Thus a RAID with errors in one area on one drive can largely be recovered.

Interleave size
To recreate a logical image, the interleave (stripe size) is critical. Typical values are 0x80 or 0x100 (128 or 256) sectors. Determining the value does require looking at sectors to work out which physical location they should be in, and seeing that this matches a possible interleave value. The choice of disk is much easier: disk 0 will always store the start of the logical volume, so expect to see a boot sector at the start of disk 0 and not at the start of disk 1. For an NTFS disk, the MFT often starts at logical sector 0x60003F, so for a two-disk RAID 0 this will be found at sector 0x30003F on disk 0 (with either of the typical stripe sizes). It is then a matter of looking at the values of each MFT.
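The stripe arithmetic above, as an added Python example (not CnW's image function): map a logical sector to (disk, sector) and back for a two-disk RAID 0, rebuild the logical image from both member images, and try candidate interleave values against a sector whose logical position is known, as one does with the first $MFT entry. The member images are constructed with every sector stamped with its own logical LBA so that any mis-mapping is visible.

```python
import struct

SECTOR = 512


def logical_to_physical(lba, stripe, ndisks=2):
    """Map a logical sector of a RAID 0 set to (disk index, sector on that disk).

    Stripes of `stripe` sectors are dealt round-robin: logical stripe k
    lives on disk k % ndisks at stripe row k // ndisks.
    """
    k, within = divmod(lba, stripe)
    row, disk = divmod(k, ndisks)
    return disk, row * stripe + within


def physical_to_logical(disk, lba_on_disk, stripe, ndisks=2):
    """Inverse mapping: where does a sector read from one member belong logically?"""
    row, within = divmod(lba_on_disk, stripe)
    return (row * ndisks + disk) * stripe + within


def destripe(members, stripe):
    """Rebuild the logical image from the member images (bytes), disk 0 first.

    Each stripe is copied in round-robin order. A member region that was
    skipped during imaging is expected to be 0x5A padded already, so it
    simply carries through into the logical image at the right place.
    """
    chunk = stripe * SECTOR
    rows = min(len(m) for m in members) // chunk
    out = bytearray()
    for row in range(rows):
        for m in members:
            out += m[row * chunk:(row + 1) * chunk]
    return bytes(out)


def guess_stripe(members, known_lba, marker, candidates=(0x80, 0x100, 0x40, 0x20)):
    """Try candidate interleaves: the one under which `marker` (e.g. the FILE
    signature of the first $MFT record, known to sit at logical known_lba)
    is found at the computed physical location is the stripe size."""
    for s in candidates:
        disk, p = logical_to_physical(known_lba, s, len(members))
        if members[disk][p * SECTOR:p * SECTOR + len(marker)] == marker:
            return s
    return None


def build_sample(stripe, rows):
    """Constructed RAID 0 pair: each logical sector carries its own LBA in its
    first four bytes. Returns (logical image, disk0 image, disk1 image)."""
    nsect = rows * 2 * stripe
    logical = b"".join(struct.pack("<I", i).ljust(SECTOR, b"\x00") for i in range(nsect))
    members = [bytearray(), bytearray()]
    chunk = stripe * SECTOR
    for k in range(rows * 2):
        members[k % 2] += logical[k * chunk:(k + 1) * chunk]
    return logical, bytes(members[0]), bytes(members[1])


if __name__ == "__main__":
    # The manual's example: $MFT at logical 0x60003F lands on disk 0 at 0x30003F
    print(logical_to_physical(0x60003F, 0x80), logical_to_physical(0x60003F, 0x100))
    logical, d0, d1 = build_sample(stripe=0x100, rows=4)
    print("guessed stripe:", hex(guess_stripe([d0, d1], 703, struct.pack("<I", 703))))
    print("destripe matches:", destripe([d0, d1], 0x100) == logical)
```

Both 0x80 and 0x100 give the same 0x30003F for the $MFT, because 0x600000 is a multiple of twice either stripe; the stripe size is only visible at sectors that are not so conveniently placed, which is why the candidate test uses a marker at an arbitrary known position.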

How to use incremental imaging to recover damaged drives

Very often a drive will partially work, or work very slowly. Thus areas of the drive will read, and others may have failed, or read extremely slowly. The solution is to use incremental imaging as described below.

A problem with a drive that has failed sectors is that attempts to read the physical drive are extremely slow. It could take days or weeks to read, or attempt to read, all the sectors on such a drive. It is a commonly seen problem for 2.5" drives to read very slowly, often due to head wear. However, often the drive does read valid sectors after many retries.

The solution to the above speed problem is described below. It is fairly complex and does require some knowledge of disks, but can be a great help in recovering data in hours rather than weeks.

A key point to note when using an image file for a disk is that sectors can be missing, but every sector must be in the correct location. This means that failed sectors can be padded. When an image file is created, the user can select the start location and the end location (in sectors) that are to be imaged from the drive. These sectors are then added to the image file in the correct location. If the sectors to be added are after the end of an existing image file, the file will be padded and then the sectors added. As an example, there could be an image file of the first 1,000,000 sectors (about 500MB). If it is then required to add an NTFS directory (the $MFT file), a typical location would be 0x60003F, or 6,291,519. Thus a read starting at 6,291,519 and ending at 7,000,000 would read in the MFT file (assuming it is not fragmented), and the sectors between 1,000,000 and 6,291,519 would be padded.

How to determine where to read on a disk
There are several stages that should be followed to determine where a difficult to read disk should be imaged. It does also depend on the type of operating system and type of disk. The instructions below give guidelines for different operating systems. In the steps below the user will typically be swapping between the physical disk and the image file.

NTFS
NTFS is probably one of the easier types of disk to recover in this fragmented mode, as the main directory is stored in the $MFT file, which is often a long, unfragmented file. CnW Recovery can also recover files without the necessity of using the index files.

1. The first stage is to determine the location of the MFT. As long as the boot sector can be read, then an indication of the start of the NTFS partition will be seen. For a single partition drive this is often sector 63 (0x3F); on disks partitioned by Windows Vista and later it is usually 2048, as partitions are aligned to 1MB. The partition boot sector will then indicate the location of the MFT. So stage one is to read the boot sector (sector 0) and the first few sectors at the start of the partition.
2. The second stage is to run the Recover function (using the image file) and then see the location of the start of the MFT. One then needs to image from the start of the MFT for its possible length. Each entry is 1024 bytes long, so normally 2 sectors. Therefore, if the MFT ent­ries field looks valid, one will need to read twice that number of sectors.
3. The third stage is to determine where the files for recovery are. This is done using the Recover function, and Recover from File entries. Make sure that you select the 'Select Files' function. At this point the program will scan the disk for all files and, most importantly, create a log entry. The log can then be used to determine where a specific file, or a group of required files, is stored. It may be that the required files are stored in the 30GB area. This region of the disk can then be imaged.
4. The final stage is to repeat stage 3, but this time, once the directory has been displayed, select the files to be recovered, and recover them.

The advantage of using the above sequence is that a failing sector is only read once, and all sectors in the image file will be read at high speed, irrespective of whether the sector was good or bad. An image may then be built up to contain just the areas of the required files.

A real life example of this technique was a 60GB disk that imaged up to about 30GB, and then went very slow. By using stage 3 above, it was possible to determine that only a few areas beyond 30GB were required; these could be targeted, and large areas safely omitted.

FAT
On a FAT disk, directories are stored in all areas of the disk. This has the advantage that a failure of one area of the disk will not necessarily kill the complete directory and file information, as could happen with NTFS or HFS+. It does make looking for directory areas much harder.

MAC
As with NTFS, the Mac HFS+ file system does store directory entries in a file, and the recover options menu will give the location of this catalog file. The important part is to recover enough of the data at the start of the disk to display the catalog file.

Disks with single head failure

Modern disk drives have multiple platters and hence multiple heads. Sometimes a single head can fail, which means some areas of the disk will read correctly, but other areas will either fail totally, or read extremely slowly, typically with lots of errors. A drive head replacement may help in these circumstances, but this does require specialist hard drive repair facilities.

If a partial recovery is acceptable, or the cost of head replacement is too expensive, CnW Recovery will allow imaging of the disk drive in a way that the failing head can be ignored. The option is set up in the Configuration menu so that bad sectors, when detected, are skipped, but skipped with a jump. It is worth doing some playing around with the drive to try and determine the size of data to be skipped caused by a bad head. On one drive, a 500GB drive, there appeared to be 4 heads, and the length of each track was about 192,500 sectors. To create a disk image the program was set to skip errors on a single failure, and then skip 12,050 sectors. The skip value is not too important. A small value will be slower, but a large value could lead to more good data being skipped as well. This value can be changed at any time during the imaging process by selecting the Configure Icon.

The resulting image will not be 100% complete, but data can be recovered by software means only.

Image file selection

CnW Recovery will work with either a physical hard drive, or with a DD image file. This is a file where there is a one to one mapping of each sector to the image file. To select the image file, use the drop down drive select box at the top of the screen and select 1: Image file and Backup files. The screen below will be displayed.

The browse function allows an image file to be selected. This can either be a DD type image, or a supported backup file, such as a Microsoft MTF file.

The drive type actually selects the block size. For a hard disk, the block size is 512 bytes (or 0x200). A CD and DVD have 2048 byte blocks. Optical disks come in several variations, which may be selected.

The Image file is in sections option (not yet implemented) will allow for systems that generate files, typically in DVD size sections.

Shadow Drive

The shadow drive is a useful feature when a disk has only been partially imaged. This may be the case for a disk with many failures. If this option is enabled, a physical drive can be set as a shadow drive. When the disk image is read, and the sector is determined as unread, or failed, the program will try and read the shadow drive. If successful, the disk image will be updated. If unsuccessful, due to a total sector failure, the disk image will be marked to indicate that the sector can not be read. This process ensures that the drive is not worn out by many sector retries.

Forensic Options

For forensic packages, two other file types will be recognised and processed.

Virtual Disk Format

This is an image format built up in sections, referred to as Grains. The basic image is a sparse image, so only allocated sectors are saved.

Encase E01

The E01 format is a commonly used name for the EWF format (Expert Witness Compression Format). It has been adopted by Encase and is a standard forensic format. It consists of one or multiple files, with or without compression. As part of the format, each section has its own MD5 hash value, and so it is very secure and any corruption in storage will be detected.
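The skip-with-a-jump imaging described under Disks with single head failure, and the shadow drive behaviour described above, modelled in code. This is an added example, not part of the CnW Recovery manual or software; the drive model (4 heads, 1000 sectors per track, head 2 dead) and the skip value are constructed test data.

```python
UNREAD, GOOD, FAILED, DEAD = "unread", "good", "failed", "dead"


class SkipImager:
    """Sector map plus image for a drive with a bad head.  On a read error the imager
    does not retry: it marks the sector failed and jumps `skip` sectors ahead,
    leaving the gap marked unread so it can be filled from a shadow drive later."""

    def __init__(self, total_sectors, skip):
        self.image = [None] * total_sectors
        self.state = [UNREAD] * total_sectors
        self.skip = skip

    def image_drive(self, read_sector):
        """Single pass over the drive.  read_sector(lba) returns 512 bytes or raises IOError."""
        lba, n = 0, len(self.image)
        while lba < n:
            try:
                self.image[lba] = read_sector(lba)
                self.state[lba] = GOOD
                lba += 1
            except IOError:
                self.state[lba] = FAILED     # one failure is enough: no retries
                lba += self.skip             # jump, hoping to land under a good head
        return self.summary()

    def read_with_shadow(self, lba, shadow_read):
        """Serve a sector from the image.  An unread or once-failed sector is tried on the
        shadow (physical) drive exactly once: success updates the image, failure marks
        the sector dead so it is never retried and the drive is not worn out."""
        if self.state[lba] == GOOD:
            return self.image[lba]
        if self.state[lba] == DEAD:
            return None
        try:
            data = shadow_read(lba)
        except IOError:
            self.state[lba] = DEAD
            return None
        self.image[lba] = data
        self.state[lba] = GOOD
        return data

    def summary(self):
        """Sector counts per state: the figures to watch while tuning the skip value."""
        return {s: self.state.count(s) for s in (GOOD, UNREAD, FAILED, DEAD)}


def bad_head_drive(total_sectors, track_len, heads, bad_head):
    """Constructed drive model: sectors are laid out track by track across the heads,
    and every track under `bad_head` fails to read."""
    def read_sector(lba):
        if lba >= total_sectors:
            raise IndexError(lba)
        if (lba // track_len) % heads == bad_head:
            raise IOError("read error at sector %d" % lba)
        return lba.to_bytes(4, "little") * 128      # 512 recognisable bytes
    return read_sector
```

With a skip of 600 sectors on this model, each bad track costs one failed read and two jumps, and the second jump also leaves 200 good sectors of the next head unread; those are exactly the sectors the shadow drive can fill in on demand.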

Partitions, analysis and recovery

Probably the most important sector on a hard disk is the boot sector, also called the Master Boot Record (MBR). If this sector fails, or is corrupted, most PCs will not read the disk at all. Thus on a disk, or memory chip, where the boot sector is invalid, when doing a recover the error message "First partition not recognised, Run the analyse partitions function" will be displayed, and the dialog box below will be displayed with ??? rather than a format type.

When running the Recover function, if a disk has more than one partition, an option will be displayed so that only the required partitions are restored. Each partition, up to 8, will be displayed with detected format, start and end sector on the disk. The values displayed are taken from the boot sector (see below). If the boot sector is corrupted, new values can be entered. Alternatively, the Analyse Partitions function can be run. This will scan the whole disk, looking for possible partition starts.

A very significant feature of the CnW Recovery software is that it is not necessary to write a new partition sector back to the disk in order to recover data. Once parameters are edited, a temporary copy of the boot sector in memory is used. This means that the master disk is not changed (essential for forensic investigation), and if the disk has a completely failed sector 0, this does not cause a problem.

The display shows data about the disk as follows:

Operating system. This is as read in the partition table, and can be NTFS, FAT32 etc.
Relative Sector. This is the start of the logical partition. Often it is sector 63.
Total sectors. This is the number of sectors in the partition. For many NTFS partitions there is an extra sector at the end, a copy of the parameter sector.
Boot. This indicates that the marked partition is a bootable partition.
Cyl. This is the cylinder number. As the actual parameter table has a limit of 1023 for this value, the CnW program displays the logical value.
Head. This is the value of the head for the start of the associated partition. The value will be
Sector. This is the first sector in the track for the partition; it is normally 1, and has a maximum of 63.

The above values may be changed, but for recovery purposes only the Relative Sector and Total sectors are used. If the relative sector is wrong, there will be problems restoring data. The Total sector count is not as important, and if too large will probably not affect the program.

When the analyse function is run, it will try and reconstruct the values described above. Once the analyse has been run, it is possible to do a test restore using the newly recovered values. It is not necessary at this stage to write the new sector to the hard disk. This also means that the demo program will work with a new boot sector layout.

If you multiply the maximum cylinder, head and sector numbers together, and then by the sector size of 512 bytes, you get to 8GB. Some users may be familiar with this being, some years ago, the limit on the maximum disk size that PCs could accept.

Boot Sector or Master Boot Record

The boot sector is sector 0 on a hard drive, and a typical screen dump of one is shown below.

There are several areas to look at on the dump. Most of the sector, from the start to byte 0x1bd, is code that is run to start the PC up. This is only important for a bootable disk, and can be ignored for straightforward data recovery. If it is required to re-instate the booting of the disk, this code must be valid.

The final two bytes of the sector are always 0x55 and 0xAA. These are check bytes that help ensure that the sector has been read correctly. For instance, it is occasionally possible for a byte to be skipped, or read twice. In these cases, the 0x55 and 0xAA would not be in the correct location. The hard drive CRC check should also fail, but that is much harder to see, though the PC should detect an error.

The important part of the disk starts at byte 0x1BE, and it is these bytes that are decoded by the CnW program and displayed logically in the table at the top of this page. The brief summary below will describe each byte. There are up to 4 entries, each 16 bytes long, one for each partition. If a partition is marked as extended, then the pointer points to another sector with the same data structure starting at 0x1BE on the new sector. This is a means by which an unlimited number of partitions can be created. See Partition Table Structure for full details.

Partition analysis mode

There are two modes to try and analyse the partitions on a disk. One is to recover the current partitions. The second is to try and recover a previous setup of partitions on a disk that has been repartitioned.

Reconstruct current partitions

This is the quick mode. The program will start scanning the start of the drive until it finds a media partition sector. At this point it will try and follow the partitions through the disk until the end is reached. If the partitions do not chain, then the program will continue scanning every sector; this is obviously slow. If no partitions are found, the program does try and detect the type of operating system on the disk. For instance NTFS and FAT disks will be detected.

Search for previous partitions

This is a mode where the whole disk is scanned for possible partition starts. Obviously this can be slow, but it finds all possible partitions. Each possible partition start will be analysed, but only ones that point to a valid FAT start or NTFS entry will be displayed. This way most false entries will be ignored.

Stop searching when first partition found

Many disks are known to have only a single partition. If this is the case, then checking this box may save a considerable period of time, preventing the program searching for other possible partitions.

Test for partition

There are flags that must be set to indicate which partitions are to be tested for. Thus if only searching for an NTFS partition, by setting just the NTFS flag, no FAT partitions will be detected. There must always be one partition type set, but any combination can be used.

As the program scans through the disk, the partition fields will be updated. If it is felt that valid information has been added, then the scanning can be cancelled and the values found to date will be used. Often, partition information is only at the start of a disk, so there is little requirement to scan a complete 500GB disk.

Partition Table structure

A partition table is a structure of 16 bytes. There can be up to 4 tables in a boot sector, and the first record always starts at location 0x1BE. An example is shown below.

[hex dump of the example partition table at 0x1B0-0x1CF not reproduced]

Each table is the same structure, or may be blank.

Location   Description
0x0        0x80, this partition is the boot partition; 0x00 not bootable
0x1        Address of first cylinder
0x2        Address of first head
0x3        Address of first sector
0x4        Partition type. This can have many values, but the list below represents the most common values
           0x00             Unused - means this partition table is not used
           0x01             FAT 12
           0x04             FAT 16 - up to 32MB
           0x05 0x0f        Extended partition. This will point to a new sector, acting like a MBR
           0x06 0x0e 0xde   FAT 16
           0x07             NTFS
           0x0b 0x0c        FAT32
           0x1b 0x1c        Hidden FAT32
           0x63             Unix SCO
           0xa8 0xab        Apple Macintosh
           For more values
0x5        Address of last cylinder - often not valid for large disks
0x6        Address of last head - often not valid for large disks
0x7        Address of last sector - often not valid for large disks
0x8-0xb    LBA of first sector in partition. Will point to a Parameter block. 0x3f is a very typical value
0xc-0xf    LBA of final sector in partition. For a single partition disk this will normally be the end of the disk
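A decoder for the boot sector and partition table described on the previous pages, as an added example that is not part of the CnW Recovery software. It checks the 0x55 0xAA bytes, decodes the four 16-byte entries at 0x1BE using the type codes from the table above, and, going a step beyond the table, also recognises the 0xEE protective entry and the "EFI PART" header of a GUID partition table. The MBR and GPT blocks it parses are constructed test data; the field layout and the 8GB CHS limit are from the manual.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE           # first of the four 16-byte entries
CHECK_BYTES = b"\x55\xAA"      # always the final two bytes of the sector

# Type codes from the manual's table, plus 0xEE, which marks a GUID partition table.
PARTITION_TYPES = {
    0x00: "Unused", 0x01: "FAT12", 0x04: "FAT16 (up to 32MB)",
    0x05: "Extended", 0x0F: "Extended",
    0x06: "FAT16", 0x0E: "FAT16", 0xDE: "FAT16",
    0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32",
    0x1B: "Hidden FAT32", 0x1C: "Hidden FAT32",
    0x63: "Unix SCO", 0xA8: "Apple Macintosh", 0xAB: "Apple Macintosh",
    0xEE: "GPT protective",
}


def decode_chs(three):
    """Decode a 3-byte head/sector/cylinder field (offsets 1-3 and 5-7 of an entry).
    The sector is the low 6 bits of the middle byte; its top 2 bits extend the
    cylinder to 10 bits, which is why 1023 is the largest cylinder the table holds."""
    head = three[0]
    sector = three[1] & 0x3F
    cylinder = ((three[1] & 0xC0) << 2) | three[2]
    return cylinder, head, sector


def chs_limit_bytes():
    """Largest disk the CHS fields can address: 1024 cyl x 256 heads x 63 sectors x 512."""
    return 1024 * 256 * 63 * 512        # 8455716864, the old PC limit of about 8GB


def parse_mbr(sector0):
    """Decode the up-to-four 16-byte entries at 0x1BE.  The sector is rejected when the
    0x55 0xAA check bytes are out of place, as a skipped or doubled byte would cause."""
    if len(sector0) != SECTOR:
        raise ValueError("need exactly one 512-byte sector")
    if sector0[510:512] != CHECK_BYTES:
        raise ValueError("0x55 0xAA check bytes missing: sector misread or corrupt")
    entries = []
    for n in range(4):
        raw = sector0[TABLE_OFFSET + 16 * n:TABLE_OFFSET + 16 * (n + 1)]
        ptype = raw[4]
        if ptype == 0x00:
            continue                    # blank table
        relative, total = struct.unpack_from("<II", raw, 8)
        entries.append({
            "bootable": raw[0] == 0x80,
            "type": PARTITION_TYPES.get(ptype, "Unknown 0x%02X" % ptype),
            "first_chs": decode_chs(raw[1:4]),
            "relative_sector": relative,   # "Relative Sector" in the display
            "total_sectors": total,        # "Total sectors": bytes 0xC-0xF hold a count
            "extended": ptype in (0x05, 0x0F),   # points at another table at 0x1BE
        })
    return entries


def is_gpt_header(sector1):
    """A GUID partition table announces itself with "EFI PART" at the start of LBA 1."""
    return sector1[:8] == b"EFI PART"


def parse_gpt_entries(table, count):
    """Walk 128-byte GPT entries: two 16-byte GUIDs, first/last LBA, attributes, UTF-16 name."""
    found = []
    for n in range(count):
        e = table[128 * n:128 * (n + 1)]
        if e[:16] == b"\x00" * 16:
            continue                    # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        found.append({"first_lba": first, "last_lba": last, "name": name})
    return found


def make_entry(boot, ptype, relative, total, chs=(0, 1, 1)):
    """Build one 16-byte entry (constructed test data, not copied from a real disk)."""
    cyl, head, sec = chs
    chs_bytes = bytes([head, (sec & 0x3F) | ((cyl >> 2) & 0xC0), cyl & 0xFF])
    return (bytes([boot]) + chs_bytes + bytes([ptype]) + chs_bytes
            + struct.pack("<II", relative, total))


def sample_mbr():
    """Constructed MBR: bootable NTFS at sector 63, then an extended partition whose
    CHS address is pinned at the 1023/254/63 maximum, as on large disks."""
    table = (make_entry(0x80, 0x07, 63, 2097152)
             + make_entry(0x00, 0x0F, 2097215, 4194304, chs=(1023, 254, 63))
             + b"\x00" * 32)
    return b"\x00" * TABLE_OFFSET + table + CHECK_BYTES


def sample_gpt():
    """Constructed GPT header block and an entry table holding one HFS+ partition."""
    header = b"EFI PART" + b"\x00" * (SECTOR - 8)
    entry = (b"\x11" * 16 + b"\x22" * 16 + struct.pack("<QQQ", 40, 1000000, 0)
             + "Apple_HFS_Untitled_1".encode("utf-16-le").ljust(72, b"\x00"))
    return header, entry + b"\x00" * 128
```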

How to recover corrupted partitions

At first glance recovering a disk with a missing or corrupted partition table can be a bit daunting. The steps below will assist.

It is very useful to know how the disk was partitioned, though obviously this information is not always available. Typical setups are often as follows:

Single partition of complete drive in FAT32 or NTFS
Dual partition of a drive, normally FAT or NTFS
A drive that has a hidden recovery partition. The recovery partition is often FAT16 or FAT32
A drive with extended partitions, and more than 4 basic partitions
A drive that has been re-partitioned with similar, or very different parameters
A drive that 'crashed' when running a repartitioning program

The complexity increases as one goes down the list.

Partitions can be located in a few different ways:

By Master Boot Record
By media BIOS
By finding the start of the MFT for NTFS, or subdirectories for FAT disks
By hand

On a good disk, the Master Boot Record (MBR) contains a table, starting at location 0x1BE. This will contain information on up to 4 partitions. When more than 4 partitions are required, one or more of the pointers will be for an extended partition. In theory the number of partitions can be unlimited; CnW Recovery handles the first 8 automatically.

Missing MBR (Master Boot Record)

When the boot sector (sector 0) is missing, or totally corrupted, the first approach to try is the Analyse Partitions function. Reconstruct current partitions will search for the first media BIOS record, and then try and scan through the disk from there. Search for previous partitions will scan the whole disk, and will detect any possible media BIOS sectors. If just the MBR has failed, then Reconstruct current partitions will work. If the disk has failed while being processed, such as by a repartition program, it may be best to use Search for previous partitions.

After analyse is run, or if done manually, the partition table must have the following information: the partition type, eg NTFS, FAT16, and the Relative sector, which is the start sector of the media BIOS. The length of the partition is not critical, and if in doubt make the number too large rather than too small.

Once the values for the boot sector have been determined, it is possible to write them back to the boot sector. However, this is not actually required for the recovery process. The program will remember the values and allow the user to do a recovery, or a trial recovery, without making any physical changes to the disk. For forensic applications, this is extremely valuable. For disks where sector zero has failed, it is not necessary to have a working sector zero.


GUID Partition tables

The standard boot sector is limited in the fact that it only has direct support for 4 partitions. Extra partitions are added by chaining new partition tables. It works, but is rather messy. A new standard is the Extensible Firmware Interface (EFI), an Intel replacement for the Master Boot Record (MBR) that is still used on PCs. Current Apple OS X systems use this new partition layout. It is an option on Vista, and essential to create partitions that exceed 2TB. The existing boot sector only has space for 32 bit sector numbers; the new system handles 64 bit sector numbers, and it should be a few years before that becomes a limitation.

The structure is that the MBR looks like a normal boot sector, with a single partition entry. The critical point is that the file system is defined as 0xEE, rather than say NTFS, or FAT16. The first sector is marked by the string "EFI PART". The following sectors contain the specific partitions with a 128 byte record for each partition. Each partition entry is identified by 2 16 byte GUIDs (Globally unique identifiers). It then contains both start and end sector number, and a text description of the partition such as "Apple_HFS_Untitled_1".

CnW Recovery software reads this type of header and determines the disk type. The program currently supports Apple HFS+ partitions and Windows Data partitions, as may be found on Vista drives. See the section on recognising sector types for more details.

Magnetic Media Recognition

To aid with recovery of a disk, it is often worth knowing what type of operating system has been used. For a CD / DVD they are normally either ISO9660 or UDF. Most memory chips are FAT (all variations, FAT12, FAT16 and FAT32), while a hard drive is normally either FAT32 or NTFS or Linux. If an optical disk is being read, they can be NTFS, FAT, HPOFS or one of many proprietary formats which are beyond the scope of CnW Recovery Software, though a Raw recovery may assist.

Very often, CnW Software will automatically detect the relevant format, but there can be times when, for instance, a disk has been reformatted with a new operating system. In this case, it is often useful to scan through the disk to find sectors that indicate exactly what the format was. With a good disk, the location to start is with the boot sector, and this is decoded by the Partition function. However, as this function cannot immediately display partitions that have been overwritten, or totally corrupted, a more manual process is required.

Deleted file recovery

A very common problem with all computer storage is accidental deletion of files. On most operating systems, when a file is deleted the directory entry is marked as deleted, and the space is made available for re-use. If nothing else is written to the disk, then there is a very good chance of recovering the files. One analogy would be that if a telephone directory was torn up, it would still be possible to telephone the existing numbers. There are two major considerations on deleted file recovery, and these are overwritten files and fragmented files.

Overwritten files

When a file is deleted, the space is made available for new files. Any new file could therefore use the space that a previous file, now deleted, used. Depending on the file, this could render the file totally unusable, or just a section with unknown data in it. CnW Recovery tries to detect when a file has been potentially overwritten, and such recovered files will be stored in an 'Overwritten' directory.

Fragmented files

The optimum way for any operating system to write a file is as a continuous stream. As the disk gets full, or very large files are written, it is often necessary to write a file in several sections or fragments, and hence we get fragmented files. Recovery is therefore more complex.

A FAT drive stores the start of a file in the directory, but then each cluster location is stored in the File Allocation Table. This table is cleared down when a file is deleted, and so no record of how the file was stored is kept. On recovery, it is often only possible to assume that the file was sequential, and on many occasions this leads to a good recovery. On a very large file, or very full disk, the success rate drops.

NTFS disks have a major advantage over the FAT disks described above in that often the first 10 or so fragments are stored in the directory, or Master File Table (MFT) block. Thus a partially fragmented file can be recovered without errors. The structure of an MFT is very complex, and in some cases an MFT may comprise more than 10 separate MFTs, so very fragmented files can still represent major problems.

Ext4 disks: it is not possible to recover deleted files except by data carving. All metadata is cleared when the file is deleted.

CD Recovery

A CD may be restored in several ways, depending on whether it is working correctly, or has failed in one way or another. The program will try and determine the type of disk being read, but this can be overridden by selecting 9660, Joliet, UDF, UDF with Mount Rainier, or Audio disks.

There are two basic modes of restoration, Full Restore and From directory stubs.

Full Restore

In Full Restore mode the program reads the disk in the same way as an application would, but is very tolerant of errors. Files will be restored, and saved in their original subdirectories. For a multi-session disk, each session is saved in a separate base directory, Track1, Track2 etc. This has a feature where, if a disk has been appended to, say, 10 times, a file in Track1 may appear in every other track.

From directory stubs

This is more of a recovery mode. The disk is scanned for sectors that are directories. Depending on the disk, the scanning can take a period of time, but the progress bar will indicate the amount of the disk scanned. The information is then decoded, and files recovered. Wherever possible, the parents of subdirectories are determined. Where no parent can be found, the files are placed in a dirstub0, dirstub1 directory.

Scan all sessions

This is an option for UDF disks that have been written with packets, rather than separate sessions, or tracks. (It is also part of the forensic options, so not available on all versions of the software.) It will show each session as a separate track. This way, each session could be restored separately, but more importantly, for a forensic investigation, one can see when files are added, or deleted. A normal restoration of the disk will only restore the final session. One warning is that this examination process is rather slow, as the disk directory is constructed many times. This can also be a useful option when the final part of the disk is missing or corrupted. All sessions, up to the final one, can then be recovered.

Disk Parameters

This section shows the number of tracks detected on the disk, along with the maximum sector number. As each sector is 2K in length, this will give the maximum number of bytes that can be restored. It should be noted though, that on multi session disks a lot of data space is used as overhead between sessions, so the capacity of a disk with many tracks, if recorded in different sessions, will be much lower than the Max sector x 2K.

Unerase disk

When the program detects a blank CD-RW disk, the unerase option is enabled. If a disk has been Quick Erased, there is a procedure where data may be recovered; see Unerase CD-RW for more details. This is a Forensics only option, and so may not be enabled on all versions of the software licence.

How to recognise type of CD/DVD

With a very corrupted CD or DVD it may be necessary to set the type of format manually. It is therefore essential to know how each format is recognised. Fortunately, CnW Recovery software will normally determine the disk correctly, but problems can occur when a significant part of the disk (typically the start) has been made unreadable.

There are two common formats for CDs and DVDs. These are ISO9660 / Joliet and UDF. DVDs tend to be UDF, but this is not always the case. There is also a middle case where a disk is both ISO9660 and UDF. On these disks, the data is stored once, but there are two parallel directory structures pointing to the same files.

ISO9660 / Joliet

The first location to look on a CD is sector 16 (10H). If the sector contains the string "CD001" then this is an ISO9660 disk. A Joliet disk is very similar, and typically sector 17 (11H) will have the string "CD001", but the volume name in byte offset 1aH will be double spaced unicode.

Sector 16 for ISO CD

[hex dump not reproduced; the ASCII column shows the volume name BACK_UP_DVD_]

Sector 17 - Joliet CD

[hex dump not reproduced; the ASCII column shows the volume name as double spaced unicode, B a c k _ u p _ D V D, and the escape sequence %/E]

UDF

A UDF disk has several very distinctive features that can be looked for. Often the first two bytes are the most relevant values on a control sector. The sectors with tags 1-9 below all follow the Primary Vol descriptor. The sequence is not important, but the final sector in the chain is always tag 8.

Tag   Descriptor                                          First two bytes
1     Primary Vol descriptor (ECMA167 3/10.1)             0x01 0x00
2     Anchor Vol Pointer, normally at location 256        0x02 0x00
3     Volume descriptor pointer                           0x03 0x00
4     Implementation use volume descriptor                0x04 0x00
5     Partition descriptor                                0x05 0x00
6     Logical volume descriptor                           0x06 0x00
7     Unallocated space descriptor                        0x07 0x00
8     Terminating descriptor                              0x08 0x00
9     Logical vol integrity descriptor                    0x09 0x00
256   Fileset descriptor                                  0x00 0x01
257   File identifier descriptor                          0x01 0x01
258   Allocation length descriptor                        0x02 0x01
259   Indirect entry                                      0x03 0x01
260   Terminal entry                                      0x04 0x01
261   File entry                                          0x05 0x01
262   Extended attribute header descriptor                0x06 0x01
263   Unallocated space descriptor                        0x07 0x01
264   Space bitmap descriptor                             0x08 0x01
265   Partition integrity entry                           0x09 0x01
266   Extended file entry                                 0x0a 0x01

The first three sectors of a UDF disk, often after the Joliet sectors for a Bridge disk, carry the recognition identifiers BEA01, NSR02 (or NSR03) and TEA01.

[hex dump of the BEA01 / NSR / TEA01 sectors not reproduced]

Anchor sector 0x100

[hex dump not reproduced]

Bridge Disk

A bridge disk has both UDF and ISO9660 structures.

UDF Anchor Volume

To read a UDF disk logically, several critical sectors must be read, that then set pointers to the next critical sector. The first such sector is the Anchor Volume Descriptor. The documentation states that there should be at least 2 such anchor blocks in three possible locations:

At sector 256 (100h)
At the final sector of the disk
256 blocks before the final sector of the disk

It is quite possible to have a recoverable CD or DVD with no valid Anchor block, and so manual intervention is required. As the Anchor block only contains information on where the Main Volume Descriptor is stored, all that needs to be entered is the location and length of the main volume descriptor. Alternatively, the Search function can be used; this may be slow (hence the cancel function).

Main Volume Descriptor

The main volume descriptor is a sector that starts with the hex bytes [value missing] and the bytes at offset [value missing] are the sector number in little endian format. Typical pointers to look for are the name in offset 0x1a, and OSTA strings. If the search function does not find the relevant sector, it may be worthwhile looking through sectors by hand. Typically it will be in a location in the low 200H, or maybe 40H.

If it is not possible to find a main volume descriptor, then it is likely that other critical sectors will also be missing.
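A recogniser for the CD/DVD markers described in the two sections above (CD001 at sector 16, the Joliet double spaced volume name, the UDF recognition sectors and tag table, and the three anchor locations), as an added example that is not part of the CnW Recovery software. The constructed bridge disc it inspects has an unreadable sector 256, so the anchor has to be found from one of the other two locations; UDF tag numbers are the manual's, descriptor names follow ECMA-167.

```python
import struct

BLOCK = 2048
VRS_IDS = (b"BEA01", b"NSR02", b"NSR03", b"TEA01")      # UDF volume recognition sequence

# UDF descriptor tag identifiers (first two bytes, little endian) as tabled in the manual.
UDF_TAGS = {
    1: "Primary Volume Descriptor", 2: "Anchor Volume Descriptor Pointer",
    3: "Volume Descriptor Pointer", 4: "Implementation Use Volume Descriptor",
    5: "Partition Descriptor", 6: "Logical Volume Descriptor",
    7: "Unallocated Space Descriptor", 8: "Terminating Descriptor",
    9: "Logical Volume Integrity Descriptor", 256: "File Set Descriptor",
    257: "File Identifier Descriptor", 258: "Allocation Extent Descriptor",
    259: "Indirect Entry", 260: "Terminal Entry", 261: "File Entry",
    262: "Extended Attribute Header Descriptor", 263: "Unallocated Space Entry",
    264: "Space Bitmap Descriptor", 265: "Partition Integrity Entry",
    266: "Extended File Entry",
}


def classify_block(data):
    """Label one 2048-byte block from the markers the manual describes."""
    if data[1:6] == b"CD001":                       # ISO9660 family volume descriptor
        vd_type = data[0]
        if vd_type == 1:
            return "ISO9660 primary volume descriptor"
        if vd_type == 2 and b"%/" in data[88:120]:  # Joliet escape sequence %/@, %/C or %/E
            return "Joliet supplementary volume descriptor"
        return "ISO9660 volume descriptor type %d" % vd_type
    if data[0] == 0 and data[1:6] in VRS_IDS:       # BEA01 / NSR0x / TEA01 sectors
        return "UDF volume recognition: " + data[1:6].decode()
    tag = struct.unpack_from("<H", data, 0)[0]
    if tag in UDF_TAGS:
        return "UDF tag %d: %s" % (tag, UDF_TAGS[tag])
    return "unrecognised"


def volume_name(data):
    """Volume identifier at offset 40; Joliet stores it as double spaced (UTF-16BE) unicode."""
    raw = data[40:72]
    text = raw.decode("utf-16-be") if data[0] == 2 else raw.decode("ascii")
    return text.rstrip(" \x00")


def anchor_candidates(last_lba):
    """The three places an Anchor Volume Descriptor Pointer may be found."""
    return [256, last_lba, last_lba - 256]


def main_vds_extent(anchor):
    """An anchor carries only the length and location of the Main Volume Descriptor Sequence."""
    length, location = struct.unpack_from("<II", anchor, 16)
    return location, length


def recognise_disc(read_block, last_lba):
    """Scan the recognition area from sector 16 and probe the anchor locations.
    read_block(lba) returns 2048 bytes, or None for a sector that cannot be read."""
    found = {"iso9660": False, "joliet": False, "udf_vrs": False, "anchors": {}}
    for lba in range(16, 48):
        data = read_block(lba)
        label = classify_block(data) if data else "unreadable"
        if label.startswith("ISO9660 primary"):
            found["iso9660"] = True
        elif label.startswith("Joliet"):
            found["joliet"] = True
        elif label.startswith("UDF volume recognition"):
            found["udf_vrs"] = True
    for lba in anchor_candidates(last_lba):
        data = read_block(lba)
        if data and classify_block(data).startswith("UDF tag 2:"):
            found["anchors"][lba] = main_vds_extent(data)
    if found["udf_vrs"] and found["iso9660"]:
        found["format"] = "Bridge (ISO9660 + UDF)"
    elif found["udf_vrs"] or found["anchors"]:
        found["format"] = "UDF"
    elif found["joliet"]:
        found["format"] = "ISO9660 / Joliet"
    elif found["iso9660"]:
        found["format"] = "ISO9660"
    else:
        found["format"] = "unknown: set the format manually"
    return found


def _vd(vd_type, name, joliet=False):
    """Constructed ISO9660/Joliet volume descriptor block."""
    b = bytearray(BLOCK)
    b[0], b[1:6] = vd_type, b"CD001"
    ident = name.encode("utf-16-be") if joliet else name.encode("ascii")
    b[40:40 + len(ident)] = ident
    if joliet:
        b[88:91] = b"%/E"
    return bytes(b)


def _udf(tag_id, payload=b""):
    """Constructed UDF descriptor block: tag identifier, then payload at offset 16."""
    b = bytearray(BLOCK)
    struct.pack_into("<H", b, 0, tag_id)
    b[16:16 + len(payload)] = payload
    return bytes(b)


def sample_bridge_disc():
    """Constructed bridge disc: Joliet sectors, then BEA01/NSR02/TEA01, with the anchor
    at sector 256 unreadable but the copies at, and 256 blocks before, the end intact."""
    last = 300000
    mvds = struct.pack("<II", 16 * BLOCK, 32)          # 16 blocks starting at sector 32
    blocks = {
        16: _vd(1, "BACK_UP_DVD_"), 17: _vd(2, "Back_up_DVD", joliet=True),
        18: b"\x00" + b"BEA01" + b"\x00" * (BLOCK - 6),
        19: b"\x00" + b"NSR02" + b"\x00" * (BLOCK - 6),
        20: b"\x00" + b"TEA01" + b"\x00" * (BLOCK - 6),
        last - 256: _udf(2, mvds), last: _udf(2, mvds),
    }
    return blocks.get, last
```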

Unerase CD-RW

With CD-RW disks it is possible to erase them. Once erased, logically they look like a new blank disk. Physically though, one can normally see that the disk has been written to by the different colour on the data side of the disk. This is a forensics only option.

It must be noted that when dealing with blank disks, the program can take a long time (maybe 30 seconds) to try and read a blank sector. This can cause the program to appear to hang, so please do not give up immediately.

Most programs will treat an erased disk as just that, and there is no way to recover the data. CnW software does have a way that normally works to, in effect, unerase the disk, and make the disk readable again. There are two modes of disk erasing, a quick erase and a full erase. A quick erase just sets all pointers on the disk, in hidden areas, to make it look like a new disk. This mode can be recovered. A full erase will overwrite each sector, and this means that data can never be recovered.

This routine changes elements of the disk so that it may be read using CnW Recovery software. A small side effect is that the first 16 sectors of the disk remain blank, and it cannot be read using the standard operating system.

Recovery of erased CD-RW disks

A problem with an erased CD-RW is that it looks just like a blank disk, and it is impossible to determine what has happened to it without doing the unerase process. It must be noted that the unerase used in CnW does actually write to the disk, and so potentially it could damage a disk that has failed, but not due to being erased. It should therefore be treated with caution, but at the same time it may be the only option. This function, believed to be unique in commercial user software, can be slightly problematic, but it does normally produce the desired results, although occasionally multiple attempts may be required.

The Wizard in CnW will highlight disks that are possibly erased. In these cases, the Manual Recovery mode should be entered, and on the CD recovery options menu there is a button for Unerase disk, which is only enabled when a blank disk is detected. When the function is selected, a new screen is displayed with many options on it. As mentioned above, the configuration of the disk before erasing can normally only be guessed at, and so the unerase may need to be done in different ways until the correct combination is found.

It is necessary to try and replicate how the disk was written first of all. Some combinations will display the error message "Error setting SelectMode" when the Unerase button is pressed. A good starting point is to use the variables shown above. The one very important parameter is the Data Block Type. If the incorrect value is chosen, then the data on the disk will be 8 bytes out of sync. However, there is a test at the end of the unerase that will ensure the correct value has been entered. If the value was wrong, then it will be necessary to Blank CD and select a different Data block type before doing a new Unerase function.

The result after Unerasing should be a message "Unerase complete and sector read OK". This shows that the program can now read a test sector after the unerase operation. The normal CnW CD recover functions can now be used, but the user should be aware that it is occasionally very slow starting.

Sometimes there is a 'false' error message saying that the unerase has failed. Before doing anything, the disk should be tried with the view function, and an attempt to read sectors above 16 (0x10) should be made. If this works, then a recover function can be tried.

The parameters that can be changed are displayed below. As details of the original disk may be unknown, there is an element of trial and error.

Fixed packet size

This mode is used on disks that have been set up to be a read/write disk. For disks that are written as a standard CD, the fixed packet size will not be set.

Packet size

The normal value is 0x20 (32 sectors). If fixed packet size is not set, this value is not used.

Multi-session

This is a flag used when data will be added to the disk; it should be set to 3.

Data block type

This is the type of disk that has been written. All three modes will be found on disks.

Write type

Session format

The most common type of disk will be a CD-DA.

Error messages

Last RZone not visible. If this is found, re-blank the disk and try again.

This program is part of the Forensic Option. If it is required to recover a CD-RW (or DVD-RW) then CnW do offer a service at a fixed fee of 30 (or 40 for DVD). Please contact info@cnwrecovery.com for more details. The same software option for DVD-RW has not been developed yet, so the only solution is the service described above.

Multi-session UDF

With UDF disks, files may be added, or deleted, even on CD-R and DVD-R disks. The process is achieved by a Virtual Partition, controlled by a Virtual Allocation Table. With a CD or DVD a sector can never be changed, but new sectors can be added. A disk contains a mixture of data area and directory files. The virtual partition makes use of the normal directory files, but they are accessed through a lookup table. This table is updated when a new group of files is added or changed. Logically the reading program thinks it is reading logical sector 'x', but the lookup table means that this sector can in effect be updated by pointing logical sector 'x' to a new physical location.

When reading a UDF disk, the first stage the reading program has to do is to find the current lookup table, or VAT. This is pointed to by the last sector written on the disk, and so disk searching starts from the end.

An interesting feature of this mode of operation is that by searching through the disk for these VAT pointers, the state of the disk after each session can be determined. Forensically it is possible to see which files have been added, deleted or changed.
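A model of the virtual partition mechanism just described, as an added example that is not part of the CnW Recovery software: an append-only disc, a VAT written at the end of each session that re-points the root directory, the current VAT found by searching from the end, and the per-session history that the forensic view is built from. It is a simplification (only the root directory is virtual, sector payloads are Python objects rather than UDF structures) and the sessions written are constructed test data.

```python
class WriteOnceDisc:
    """Constructed model of a CD-R/DVD-R: sectors can be appended, never changed."""

    def __init__(self):
        self.sectors = []                      # list of (kind, payload)

    def write(self, payload):
        self.sectors.append(payload)
        return len(self.sectors) - 1           # physical sector number


def find_vats(disc):
    """Every VAT sector in write order.  The current one is the last written, which is
    why a reader searches the disk from the end backwards."""
    return [lba for lba, (kind, _) in enumerate(disc.sectors) if kind == "VAT"]


def current_vat(disc):
    for lba in range(len(disc.sectors) - 1, -1, -1):
        kind, table = disc.sectors[lba]
        if kind == "VAT":
            return table
    return None


def read_logical(disc, vat, logical):
    """Logical sector 'x' is served from wherever the VAT currently points it."""
    return disc.sectors[vat[logical]]


def add_session(disc, changes):
    """Append one session: new data sectors, a new root directory, and a new VAT that
    re-points logical sector 0 (the root directory) at the new physical copy.
    changes maps filename -> bytes, or -> None to delete the file."""
    vat = current_vat(disc)
    directory = dict(read_logical(disc, vat, 0)[1]) if vat else {}
    for name, content in changes.items():
        if content is None:
            directory.pop(name, None)
        else:
            directory[name] = disc.write(("DATA", content))
    new_vat = list(vat) if vat else [None]
    new_vat[0] = disc.write(("DIR", directory))
    disc.write(("VAT", new_vat))


def session_history(disc):
    """Forensic view: the directory as it stood after each session, and what changed."""
    history, previous = [], {}
    for lba in find_vats(disc):
        vat = disc.sectors[lba][1]
        directory = read_logical(disc, vat, 0)[1]
        history.append({
            "vat_sector": lba,
            "files": sorted(directory),
            "added": sorted(set(directory) - set(previous)),
            "deleted": sorted(set(previous) - set(directory)),
            "changed": sorted(n for n in directory
                              if n in previous and directory[n] != previous[n]),
        })
        previous = directory
    return history


def sample_disc():
    """Two constructed sessions: the second deletes a.txt, rewrites b.txt and adds c.txt."""
    disc = WriteOnceDisc()
    add_session(disc, {"a.txt": b"first", "b.txt": b"draft"})
    add_session(disc, {"a.txt": None, "b.txt": b"final", "c.txt": b"new"})
    return disc
```

A reader that only honours the current VAT sees b.txt and c.txt; the first session's directory and data sectors are still physically present, which is what the Scan all sessions option exposes.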

Camcorder Recovery

Mini DVDs are typically used in Camcorders, Video cameras etc. The typical failure mode is related to sessions not closing, or just general failure at the start of the disk. Different types of camera do use slightly different logical recording methods, but fortunately the basic standard is to record mpeg files, with some control files, IFO files. It is very common for a failed DVD not to have any of these IFO files, but recovery is still possible.

There are three possible ways to work on a Mini DVD that has failed:

Wizard
Logical Recovery
Raw Recovery

A mini DVD is normally recorded as an ISO9660 structure, or UDF, with groups of files with the following extensions: IFO, BUP and VOB. The IFO and BUP files are identical. The VOB file stores the mpeg data and is therefore the important one to recover. A VOB file is basically an MPEG file with additional information taken from the IFO and BUP files. The maximum size for a VOB is 1GB, and so on a long movie there will be multiple VOBs and matching IFO files. In addition there should also be a VIDEO_TS.IFO and VIDEO_TS.BUP, with an optional VIDEO_TS.VOB if there is a start menu. If it is possible to recover all of these files, then a new video disk can be created. If only the MPEG can be recovered, it is necessary to rebuild the IFO / BUP files. This is performed by a feature (currently under development) to rebuild video files.

Wizard recovery

Many camcorder disks will be detected by the wizard as Corrupted Video Disks. If the screen indicates that several files are present, then a full recovery may work. Typically, it will be necessary to recover files from unallocated space.

Logical recovery

The Recover function will allow recovery of files in a logical way, as long as the disk has the basic control blocks still intact. If this fails, then Raw recovery will be the best option.

Raw recovery

The raw recovery mode is probably the most common mode for recovery of video disks. It will scan the complete disk, and extract either a single large MPEG file, or many smaller mpegs based on individual chapters. If the individual chapters are required, then the Separate video file chapters option should be selected. Different camcorders work in different ways, so it may be best to try a recovery with 'Separate video file chapters' enabled and disabled.

Raw recovery can be done with a complete scan, but often the start of the disk cannot be read. It is therefore advantageous to determine where the data starts. There are two ways: one is to use view sector, try different starting points, eg 20000, then [value missing], and find the start by trial and error. The easier way is to use the built in function, Search for start sector. Once the start location is determined, and the options set (Split on possible file starts and Separate video file chapters), then a scan can be performed. If after a period of time the scan moves very slowly, and comes up with a significant number of errors, the scan can be cancelled and the reconstruction started.

MPEG reconstruction

If the raw recovery mode described above has been used, then the files will be a series of MPEG files. These can be double clicked and viewed in Windows Media Player. However, they cannot be written to a new DVD and played on a domestic video recorder. There are several options. There are many applications that can be used to create video disks from MPEG files, and often such features are built into DVD burning programs such as Cyberlink Power Producer 2 Gold. The CnW Rebuild video files function (when complete) will allow MPEGs to be merged, and a video disk image recreated.

Rebuild video disk files

Some data recovery programs will extract MPEG files from damaged DVDs, but CnW goes one stage further and will recreate a complete video disk image, with no extra tools required. This is a tool that takes MPEG files, resequences them, and generates the relevant IFO and BUP files. Most data recovery programs will allow recovery of the basic MPEG and then require external software to convert these files into a format that will play on a standard DVD player. Sometimes Windows Media Player will display the recovered files, but at times it will only display the first few seconds. The tool will allow for one or more MPEG files to be joined together, and the relevant control files added. These files may then be copied to a DVD and run on a standard video player.

The first stage of reconstructing the video structure is to use the function Create Video Disk from MPEGs, which is found under the Tools menu. The program will create a new subdirectory VIDEO_TS and merge all the MPEG files into a series of VTS_01_1.VOB files, up to 1GB in size. There are then two control files, VIDEO_TS.IFO and VTS_01_1.IFO.

The merge operation is very simple. Select the directory with the required MPEG files. The files must be in the correct order, so it may be necessary to rename some files to ensure they are in numeric sequence. By default, CnW Recovery will create files with a 4 byte numeric extension, which will be sorted as required. The first stage is to select the files to be merged. The Select all button is the most common way to do this. When Merge Files is selected, all files are merged into a sequence of chapters. If there are more than 99 files, files are merged in groups to keep the total number down to 99. The files are then stored in a new directory, VIDEO_TS.

Creating a DVD disk

Having created the DVD image it can be tested by double clicking on VIDEO_TS.IFO, and typically Windows Media Player will display the file. To create a physical disk, the files must be copied to a DVD using one of many DVD writing or burning packages. Some software packages (such as Roxio) detect that the files are a video disk and will not let the files be written as a data DVD. For these packages, it is necessary to use a DVD duplication routine. Examine the DVD writing software manual for more details.

FAT Disk recovery

This option is displayed for all FAT disks, ie FAT12, FAT16 and FAT32. By double clicking on any of the parameter boxes the sector will be displayed. There are three main restore modes possible for FAT disks, and then several options relating to these modes.

Full Recover
This is probably the most common mode for restoration. The program will attempt to restore the files as in the normal operating system. However, it is very tolerant of corruption and will often restore many good files from the disk.

Recover from directory stubs
This is a mode where the whole partition is searched for possible subdirectory stubs. A stub is a sector that follows the pattern of a subdirectory, or even a root directory. The program will then extract each file. Where possible, the program will try to determine the path of the file. If it is not possible, a new subdirectory dirstub0 will be created.

Recover from FAT
In this mode, the program will read the FAT, and restore files from the chain. Thus chains of files will be restored, but no attempt is made to extract filenames. This should be viewed as a fairly last resort measure, but it can occasionally rescue files that would not otherwise be found.

Recovery options

Overwrite existing files
In this mode, output files will be automatically overwritten if they already exist. When this option is disabled, files will be renamed by adding an extension, eg .000, .001, to the name.

Recover deleted files
This is a mode where files that have been detected as deleted will be restored. Although this option can often work very well, there are two potential problems. The first is that when a file is deleted, the space it occupies is made available for re-use. It is therefore possible that the original file is overwritten by a new one. The second problem is that when a file is deleted, the FAT is also cleared, so no details of a fragmented file are retained. If the file is not fragmented, then a good recovery can be made. See the notes for FAT32 deleted file recovery.

Ignore FAT
On some disks, or other media, the FAT is either corrupted or deleted. One symptom of this problem is when files are restored but truncated to 16K or 32K. When the Ignore FAT option is enabled a new dummy FAT will be created. This assumes that all files are sequential, and on a lightly used disk with short files a very high success rate can be expected. With very long files on a full disk, files may well be corrupted.

Scan disk to check for sector locations
This is a very specialized option. On a disk that has been physically recovered, it is possible for sectors to be in the wrong location, ie areas of the disk have apparently moved. When this option is selected, the whole disk is scanned, and directory entries are detected. Each directory entry has a pointer to itself, and so it is possible to determine if the sector is in the correct location. A table is then built of possible sector offsets, and zones on the hard disk where these errors are found. It is not always possible to detect the exact boundary of the sector shifting, but on this type of error this option does improve the restore rate considerably.

Recover unused space
This is an extremely useful option that will scan unused sections of the disk and try to extract files. If it comes across a valid start of a file, it will produce files based on the signature found. A good example could be lost pictures, or JPEGs.

Recover Slack space - Forensic option
Slack space is the space at the end of a file, when the file length is not an integral number of clusters. As an example, for a disk with a cluster size of 4K, when a file of 1K, 9K or 201K is written there will be 3K of slack space at the end of that file. The data in the slack space can be very varied, but could be the contents of memory when the file was written, or what was on the disk before, or a mixture. For forensic investigation, it can give very useful clues to what the user may have thought had been deleted from a system. For recovery purposes, it could add a bit more to a corrupted file.

Analyse disk parameters
FAT disks have a fairly typical range of values. For instance there can only be one or two FAT maps. A cluster size must always be a power of 2. If the program detects values that do not make sense it will suggest running the Analyse disk parameters function. This function scans the disk and looks for subdirectories. By finding at least two subdirectories it can work out many of the parameters required to recover the disk. These parameters will be loaded onto the screen, and can be edited if required. Occasionally some trial and error may be required, or direct examination of the proposed sectors.

Errors
A typical error is for recovered files to be truncated. Often they may be just 4K or 16K in length. The normal reason for this is that the File Allocation Table (FAT) has become corrupted. Sometimes this will be detected when starting to read the disk, with a message indicating that dubious sectors have been discovered. To recover from this type of error just tick the Ignore FAT box and run the recovery again. Most files on a FAT disk are sequential, and so a corrupted FAT can be guessed, but if the file is very long, or fragmented, the file may be recovered at the correct length but there may be corruption.

FAT Disk parameters

The disk parameters are the values that FAT disks define themselves with. Thus any conforming FAT disk, of any capacity, may be read by setting these parameters up. CnW software allows for 4 partitions, and each partition will have its own set of parameters. The parameters can be displayed in either decimal or hex, depending on personal preference.

A very useful feature of CnW software is that the default parameters can be overridden for special recovery purposes. For instance, if you received a corrupted disk where the main directory was in the wrong location, the start directory parameter could be set to see the directory. As these values are not written to the drive, incorrect values will not damage the drive, but files may be recovered incorrectly. The best way to initially set up the parameters, if the automatically selected values are wrong, is to use the Analyse disk parameters function.

Parameter descriptions

Cluster size. A cluster on a FAT disk is the smallest number of sectors that can be allocated to a file. On a FAT16 disk there are only a limited number of possible clusters, and so for any disk above 30MB a cluster has to be greater than 1 sector. The chosen cluster size for a disk is a compromise between speed and wasted space. A cluster size of 8 means less housekeeping, but a small file will always occupy the 8 sectors. To determine the cluster size it is necessary to look through the disk and find the start of small files. The gap between these files will often be the cluster size. A cluster size is always a power of 2, so only 1, 2, 4, 8, 16, 32 and 64 are valid values.

Cluster 2 location. The usable data area on a disk always starts at cluster 2. For a FAT12 and FAT16 disk this is the sector after the end of the root directory. All cluster locations are therefore based on this value. If for instance a disk recovered files, but the first sector of each file was incorrect, this could be caused by the Cluster 2 value being one out.

FAT Start and length. The large majority of FAT disks have 2 FATs (File Allocation Tables). They are always at the start of the disk, after any boot and loading programs. The two FATs are always sequential and so the length of the first FAT will enable the location of the second FAT to be calculated.

Directory start. For FAT12 and FAT16 disks, the directory start can be determined by finding the end of the second FAT. The length of the directory is then the space between the FAT end and Cluster 2. For FAT32, the root directory is located anywhere on the disk, and like subdirectories, its allocation is determined by the FAT. It can therefore be fragmented, and of any length. For recovery, all that is required is the sector of the first location.

Sector count. This is not a critical value, but is used to try to prevent accessing areas outside of the partition. If in doubt, enter a larger value rather than a smaller value.

It should be noted that the sector values are absolute on the disk, and not relative to the partition.


How to recover a FAT disk when the boot sector and one FAT are missing

A common problem with disks, or memory chips, is when the start of the disk is overwritten. The following notes show how to recover such a disk.

Stage 1
The first stage is to identify the type of disk for the program to process. If there is no boot sector, when the Recover function is selected, the partition analysis screen will be displayed with a message requesting that analysis should be run. Once the analysis function is run, the operating system should be displayed on the screen, in the top left hand corner of the dialog box. For many disks, it is possible to cancel the analysis and still get the correct operating system. For a FAT disk, it will display either FAT32 or FAT16.

Stage 2
After the partition details have been set up, the FAT options menu will be displayed, typically with all figures set at zero. These values need to be filled in, and an element of trial and error may be required.

Cluster size and Cluster 2 location
The first function to use is the "Analyse disk parameters" function. This will try to determine the cluster size, and the location of Cluster 2. It does require there to be at least 2 subdirectories on the disk, so there may be problems on the odd memory chip with no subdirectories. Fortunately, most cameras do store files in subdirectories, so this function will work.

The cluster size is the minimum number of sectors that are allocated to a file. With a large disk, there can be many hundreds of thousands of sectors, which would be a large job for an older style computer to track. (FAT was developed with MS-DOS in about 1980.) To make the job simpler, sectors are allocated in groups, or clusters. Typical values may be 4, 8, or 16. On a FAT16 disk the number of clusters is limited, so for a 1GB disk you would need 32 sectors per cluster.

A very important value on a FAT disk is the location of cluster 2. This is normally calculated by allowing for the following pieces of information:

Boot sector
Reserved sectors
Operating system parameters sector
FAT map 1
FAT map 2
Directory - on FAT12 and FAT16. FAT32 root directories can be located anywhere
Cluster 2

On a disk with missing boot sectors etc, this value may need to be entered by hand, but the analyse function will often calculate it for you.

FAT start and FAT length
It is possible to restore files without a FAT, but this will give problems with very large files, or when the files are fragmented. CnW Recovery will operate with just a single FAT (there are normally 2). The FAT is always stored near the start of the disk and will normally start with the hex bytes F8 FF followed by numbers that typically increment by one. The numbers are 2 bytes long for FAT16, and 4 bytes long for FAT32. They are also little endian. Sometimes the only way to work out the value for the FAT is to look through the start of the disk for nicely ordered numbers. If the FAT start value is entered for what is actually the second FAT, the program will still work. If both FATs are known, but FAT 1 is corrupted, the check box for Use FAT 2 can be checked.

Directory start
The directory start is an important parameter. Whenever possible, the directory start should be set to the start of the root directory. Where this is not possible, if the program looks at any subdirectory start, it will then attempt to restore the complete tree from that node. Directories are based on 32 byte entries, the first 11 bytes giving the filename (in 8.3 format). The remaining bytes store location, file size, date etc. A directory may also contain other entries which are the long file name description. Details of this are beyond the scope of this documentation, so please look in the links for pointers to further reading. A subdirectory entry is the same as a root directory, except that the first 2 entries are always ". " and ".. ".

BIOS Parameter FDC descriptor for FAT

The BPB is the first block of a FAT partition and describes all the critical details of how the disk is laid out. There are variables that are system dependent, often based on the size of the disk.

[Hex dump of the sample FAT16 boot sector, starting EB 3C 90 (the jump instruction) followed by the OEM name MSDOS, with the ASCII column showing NO NAME and FAT16; the field values are listed below.]

Details for FAT12 / FAT16

Bytes 0x0B-0x0C: 0x200 or 512 bytes per sector
Byte 0x0D: 01, 1 sector per cluster. Possible values are 1, 2, 4, 8, 16, 32, 64
Bytes 0x0E-0x0F: reserved sectors. The FAT starts at the end of the reserved sectors.
Byte 0x10: 02, number of FATs - 2 is normal
Bytes 0x11-0x12: 0x200 or 512 root entries in the directory
Bytes 0x13-0x14: 60 F4, 0xF460 number of sectors
Byte 0x15: F8, media type. F8 fixed disk, FB removable disk
Bytes 0x16-0x17: F3 00, 0xF3 sectors per FAT
Bytes 0x18-0x19: 3F 00, 0x3F sectors per track - with modern disks this has no real meaning
Bytes 0x1A-0x1B: 00 FF, 0xFF number of heads - as above, of no real meaning any more
Bytes 0x1C-0x1F: 0x20 hidden sectors. This is the number of sectors from the physical start of the disk, ie it should be the address of this sector
Bytes 0x20-0x23: the total number of sectors. If the value fits in bytes 0x13-0x14 this field is blank. If the number of sectors is greater than 16 bits, this field is used.
Bytes 0x26-0x2A: 29 B7 E1 51, 0x51E1B729 volume serial number
Bytes 0x2B-0x35: NO NAME, volume name
Bytes 0x2C-0x3D: FAT16, file system, such as FAT12, FAT32
Bytes 0x3E-0x45: reserved for future use

Additions for FAT32

Bytes 0x24-0x27: sectors per file allocation table
Bytes 0x2C-0x2F: cluster number for the root directory

These are the values that are used in the Recover FAT function.
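The relationships between the BPB fields and the CnW parameters described under FAT Disk parameters (FAT start, second FAT, directory start and Cluster 2, all as absolute sectors) can be checked with a small decoder. The block below is an added example, not CnW's code. Its FAT16 boot sector is constructed from the values in the table above, with the reserved sector count, which the table leaves blank, assumed to be 1; the FAT32 boot sector is invented to show the 0x24 and 0x2C additions. The file system type is determined from the cluster count in the way Microsoft's FAT specification defines it, and the sanity checks mirror the ones the page mentions (one or two FATs, cluster size a power of two).

```python
"""Decode a FAT boot sector (BPB) and derive the layout parameters.

Added example, not CnW's code. Both boot sectors are constructed; see the
comments for which values come from the table above and which are assumed.
"""
import struct

def build_sample_fat16_boot_sector() -> bytes:
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x3C\x90"                     # jump to boot code
    sec[3:11] = b"MSDOS5.0"                        # OEM name
    struct.pack_into("<H", sec, 0x0B, 512)         # bytes per sector
    sec[0x0D] = 1                                  # sectors per cluster
    struct.pack_into("<H", sec, 0x0E, 1)           # reserved sectors (assumed: 1)
    sec[0x10] = 2                                  # number of FATs
    struct.pack_into("<H", sec, 0x11, 512)         # root directory entries
    struct.pack_into("<H", sec, 0x13, 0xF460)      # total sectors, 16-bit form
    sec[0x15] = 0xF8                               # media type: fixed disk
    struct.pack_into("<H", sec, 0x16, 0xF3)        # sectors per FAT
    struct.pack_into("<H", sec, 0x18, 0x3F)        # sectors per track
    struct.pack_into("<H", sec, 0x1A, 0xFF)        # heads
    struct.pack_into("<I", sec, 0x1C, 0x20)        # hidden sectors
    sec[0x26] = 0x29                               # extended boot signature
    struct.pack_into("<I", sec, 0x27, 0x51E1B729)  # volume serial number
    sec[0x2B:0x36] = b"NO NAME    "                # volume label
    sec[0x36:0x3E] = b"FAT16   "                   # file system type string
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def build_sample_fat32_boot_sector() -> bytes:
    """Invented FAT32 boot sector: 1 GiB, 8 sectors per cluster, 32 reserved sectors."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x58\x90"
    sec[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", sec, 0x0B, 512)
    sec[0x0D] = 8                                  # sectors per cluster
    struct.pack_into("<H", sec, 0x0E, 32)          # reserved sectors
    sec[0x10] = 2
    # root entries, 16-bit sector count and 16-bit sectors-per-FAT stay zero on FAT32
    sec[0x15] = 0xF8
    struct.pack_into("<I", sec, 0x20, 2097152)     # total sectors (32-bit field)
    struct.pack_into("<I", sec, 0x24, 2048)        # sectors per FAT (FAT32 addition)
    struct.pack_into("<I", sec, 0x2C, 2)           # root directory cluster (FAT32 addition)
    sec[0x52:0x5A] = b"FAT32   "
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)

def decode_bpb(sec: bytes, partition_start: int = 0) -> dict:
    """Return the BPB fields plus the derived parameters as absolute sector numbers."""
    u16 = lambda off: struct.unpack_from("<H", sec, off)[0]
    u32 = lambda off: struct.unpack_from("<I", sec, off)[0]
    bps, spc, reserved, nfats = u16(0x0B), sec[0x0D], u16(0x0E), sec[0x10]
    root_entries, total16, spf16 = u16(0x11), u16(0x13), u16(0x16)
    total = total16 if total16 else u32(0x20)      # 32-bit field used when 16 bits overflow
    spf = spf16 if spf16 else u32(0x24)            # FAT32 keeps sectors-per-FAT at 0x24
    if bps == 0 or nfats not in (1, 2) or spc == 0 or spc & (spc - 1):
        raise ValueError("BPB values do not make sense; run Analyse disk parameters")
    fat_start = partition_start + reserved
    fat2_start = fat_start + spf if nfats == 2 else None
    root_sectors = (root_entries * 32 + bps - 1) // bps    # 0 on FAT32
    cluster2 = fat_start + nfats * spf + root_sectors
    clusters = (total - reserved - nfats * spf - root_sectors) // spc
    fs_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    if fs_type == "FAT32":
        dir_start = cluster2 + (u32(0x2C) - 2) * spc       # root cluster from 0x2C
        ext_sig, serial_off, label_off = sec[0x42], 0x43, 0x47
    else:
        dir_start = fat_start + nfats * spf                # root follows the second FAT
        ext_sig, serial_off, label_off = sec[0x26], 0x27, 0x2B
    return {
        "fs_type": fs_type, "bytes_per_sector": bps, "cluster_size": spc,
        "fat_start": fat_start, "fat2_start": fat2_start, "fat_length": spf,
        "dir_start": dir_start, "dir_length": root_sectors, "cluster2": cluster2,
        "sector_count": total, "cluster_count": clusters, "hidden_sectors": u32(0x1C),
        "serial": u32(serial_off) if ext_sig == 0x29 else None,
        "label": bytes(sec[label_off:label_off + 11]).decode("ascii", "replace").strip(),
    }

if __name__ == "__main__":
    for build in (build_sample_fat16_boot_sector, build_sample_fat32_boot_sector):
        print(decode_bpb(build()))
```

For the FAT16 sample the decoder gives FAT start 1, second FAT at 244, directory at 487 and Cluster 2 at 519, which is exactly the chain of additions the Parameter descriptions above walk through by hand; a Cluster 2 value one out, as that section warns, would shift every recovered file by one sector.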

Missing directories and files on a FAT disk

Recovery of files on a FAT disk does depend on good directory files existing. If a directory file is broken, or has become corrupted, the files in that directory, or subdirectories of that directory, will be lost. With CnW Recovery it is possible to scan the disk for all directory trees, and then extract the files from them. The option to use is 'Recover from directory stubs'. In this mode, the program will scan from the start of the disk to the end of the partition looking for any sector that is the start of a subdirectory. It will then extract all files from it. Where possible, it will also try to determine the parent of the directory, but this is not always possible, and in these cases a new subdirectory will be created within the 'dirstub' directory. Each new directory will have a name such as dir258 or dir4398.

How to recover a FAT disk when the boot sector is missing

The partition boot sector is used to define all parameters on a FAT disk. It will include cluster size, FAT lengths, and directory location, along with the directory length. The media BIOS sector is normally the first sector on the partition. When this sector is missing, the details it normally contains must be filled in. A very good start is to use the Analyse Disk Parameters function. This function will scan the disk and calculate certain values based on the following.

Cluster Size
By finding two subdirectories, it is possible to work out the cluster size in sect
ors.

FAT Start
A FAT normally starts with the hex codes F8 FF. A FAT is also always near the start of a disk, so only the first 1000 sectors are searched for a FAT.

FAT Length
If both FATs can be found (in the first 2000 sectors of the disk) then the FAT length can be calculated.

DIR Start
For a FAT12 or FAT16 disk, the directory starts just after the second FAT. For FAT32, the root directory can be placed anywhere.

Cluster 2 Location
Cluster 2 is the location where data storage starts. For a FAT12 and FAT16 disk, this is the location after the directory. For a FAT32 disk, it is normally the location after the second FAT map and may also be the start of the root directory. Fortunately, it is possible to calculate this location by finding the location of any two subdirectories.

With much of data recovery, the automatic analysis may produce the correct results, but at times they may need to be tinkered with.
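The analysis steps listed here, and the same procedure described under Stage 2 of the previous section, rely on two facts the page states: a FAT begins with F8 FF near the start of the disk, and every subdirectory's "." entry holds its own cluster number, so two subdirectories at known sectors fix both the cluster size and the Cluster 2 location. The block below is an added example, not CnW's code, that carries the calculation through on a constructed image: sector 0 is wiped to simulate the missing boot sector, two 8-sector FATs start at sector 1, a 32-sector root directory follows, the cluster size is 4, and subdirectories sit in clusters 5 and 12. FAT12/16 layout is assumed for the directory start.

```python
"""Infer FAT parameters from a disk with no boot sector: FAT start and length
from the F8 FF signature, cluster size and Cluster 2 from two subdirectories.

Added example, not CnW's code. The image is constructed (see lead-in).
"""
import struct

SECTOR = 512
FAT16_SIGNATURE = b"\xF8\xFF\xFF\xFF"   # media byte F8 FF, then the reserved entry
DOT = b".".ljust(11)                    # short name of the '.' entry
DOTDOT = b"..".ljust(11)

def dir_entry(name: bytes, attr: int, cluster: int) -> bytes:
    """Build one 32-byte FAT directory entry (short name only)."""
    e = bytearray(32)
    e[0:11] = name.ljust(11)
    e[11] = attr                                          # 0x10 = directory
    struct.pack_into("<H", e, 0x14, cluster >> 16)        # high word (used on FAT32)
    struct.pack_into("<H", e, 0x1A, cluster & 0xFFFF)     # low word of start cluster
    return bytes(e)

def build_sample_image() -> bytearray:
    img = bytearray(SECTOR * 128)          # sector 0 stays zeroed: boot sector lost
    fat = FAT16_SIGNATURE + b"".join(struct.pack("<H", n) for n in range(3, 20))
    img[1 * SECTOR:1 * SECTOR + len(fat)] = fat    # FAT 1 at sector 1
    img[9 * SECTOR:9 * SECTOR + len(fat)] = fat    # FAT 2 at sector 9, so FAT length 8
    cluster2, cluster_size = 49, 4         # root directory occupies sectors 17-48
    for cluster, parent in ((5, 0), (12, 5)):
        sector = cluster2 + (cluster - 2) * cluster_size
        entries = dir_entry(b".", 0x10, cluster) + dir_entry(b"..", 0x10, parent)
        img[sector * SECTOR:sector * SECTOR + 64] = entries
    return img

def sector_at(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]

def find_fats(img: bytes):
    """FAT start: first sector beginning F8 FF within the first 1000 sectors.
    FAT length: distance to the second copy, searched within the first 2000."""
    limit = min(2000, len(img) // SECTOR)
    hits = [n for n in range(limit) if sector_at(img, n)[:2] == b"\xF8\xFF"]
    if not hits or hits[0] >= 1000:
        raise ValueError("no FAT signature in the first 1000 sectors")
    fat_len = hits[1] - hits[0] if len(hits) > 1 else None
    return hits[0], fat_len

def find_subdirectories(img: bytes):
    """Sectors that start with '.' and '..' entries, with the cluster '.' names."""
    found = []
    for n in range(len(img) // SECTOR):
        s = sector_at(img, n)
        if s[0:11] == DOT and s[11] == 0x10 and s[32:43] == DOTDOT:
            hi, = struct.unpack_from("<H", s, 0x14)
            lo, = struct.unpack_from("<H", s, 0x1A)
            found.append((n, (hi << 16) | lo))
    return found

def analyse_disk_parameters(img: bytes) -> dict:
    fat_start, fat_len = find_fats(img)
    subdirs = find_subdirectories(img)
    if len(subdirs) < 2:
        raise ValueError("need at least two subdirectories to work out the cluster size")
    (s1, c1), (s2, c2) = subdirs[0], subdirs[1]
    if (s2 - s1) % (c2 - c1):
        raise ValueError("subdirectory spacing is not a whole number of clusters")
    cluster_size = (s2 - s1) // (c2 - c1)
    if cluster_size & (cluster_size - 1):
        raise ValueError("derived cluster size is not a power of two")
    cluster2 = s1 - (c1 - 2) * cluster_size          # every cluster is relative to cluster 2
    dir_start = fat_start + 2 * fat_len if fat_len else None   # FAT12/16 layout assumed
    return {"fat_start": fat_start, "fat_length": fat_len, "cluster_size": cluster_size,
            "cluster2": cluster2, "dir_start": dir_start,
            "dir_length": cluster2 - dir_start if dir_start else None}

if __name__ == "__main__":
    print(analyse_disk_parameters(build_sample_image()))
```

The two consistency checks (whole number of clusters, power of two) are the automated form of the "values that do not make sense" warning: if a sector shift or a false subdirectory hit feeds in bad positions, the function refuses rather than loading a wrong Cluster 2 value onto the screen.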

FAT32 deleted file recovery

With a FAT32 disk that contains deleted files, recovery is not always totally reliable. Nevertheless, the CnW Recovery program does do much more analysis than many other software programs, but below are described the fundamental issues.

When a FAT disk file is deleted, two main things happen:

The file entry is marked as deleted, by setting the first character in the file name to 0xE5
The File Allocation Table is cleared

On FAT32, the high order cluster pointer values are also cleared. A FAT directory always uses a cluster number pointer to indicate where the file starts. For FAT12 and FAT16 this is a 12 or 16 bit number, stored in two bytes at offset 0x1A and 0x1B in the directory entry. For FAT32, the pointer is 32 bits, with the extra two bytes (16 bits) stored at offset 0x14 and 0x15. It is these final two bytes which are (for some reason) also cleared when the file is deleted. Therefore with a FAT32 deleted file, only the lower 16 bits are available to determine where the file starts.

CnW Recovery software does not give up at this point; it will examine the file extension and for many common file types it will therefore know how a file should start. For instance, a Zip file always starts with the characters PK. By knowing this, possible file starts can be examined, based on the lower 16 bits of the cluster number, and there is a good chance that the required file can be found. However, without human intervention this cannot be 100% reliable, but it is quick and automatic.

The second problem with any FAT recovery is that the file allocation table is also deleted. The initial approach is to assume that the file is sequential, and often this is correct, and so valid files are recovered. CnW are working on enhancements to this procedure which will increase the likelihood of only getting good files by only recovering files in clusters marked as unused. Some extra fragmented files will therefore be recovered intact.

Which recovery mode to use?

The FAT recovery screen has two useful recovery modes which may produce different results:

Full Recover
Recover from directory stubs

For a disk that has just had some files deleted, the Full Recover will work well. Deleted files will be recovered and written to the output directory, prefixed by !deleted. For a disk that has been used a lot since files have been deleted, the Recover from directory stubs is more likely to detect and recover all files. This is slightly more exhaustive than the Full Recover, as it does not rely on an intact directory structure. Typically it will find files and subdirectories that cannot be placed in a tree, and so there will be many dirstub dummy directories created. The log function will indicate which files had been deleted by the 'D' in the flag column. When the disk is being scanned, the display will indicate the number of Deleted FAT32 files that will be recovered. These are ones that the program has searched the hard disk for to locate the start of the file, of the correct type, in a known empty location.
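The method described above, in which only the low 16 bits of the start cluster survive and each candidate cluster is tested against the file type's signature and against the FAT free map, is shown in the block below. It is an added example, not CnW's code. The data area, FAT and directory entry are constructed: the deleted zip really lived at cluster 0x10005 (high word 1) and starts with PK, while cluster 0x0005, which shares the same low word, holds a live JPEG that the FAT marks as in use, so the naive reading of the entry would recover the wrong data. The signature table is a small assumption standing in for the tool's own list, and the recovery step assumes a sequential file, as the text says the initial approach does.

```python
"""Find the start of a deleted FAT32 file from its surviving low 16 cluster bits.

Added example, not CnW's code. Directory entry, FAT and data area are
constructed in memory; see the comments for what each holds.
"""
import struct

SECTOR = 512
CLUSTER_SIZE = 1                  # sectors per cluster, kept small for the example
TOTAL_CLUSTERS = 0x10010          # data clusters 2 .. TOTAL_CLUSTERS + 1 exist
SIGNATURES = {b"ZIP": b"PK\x03\x04", b"JPG": b"\xFF\xD8\xFF", b"PDF": b"%PDF"}  # assumed table

def parse_dir_entry(e: bytes) -> dict:
    hi, = struct.unpack_from("<H", e, 0x14)      # high word of start cluster (cleared on delete)
    lo, = struct.unpack_from("<H", e, 0x1A)      # low word of start cluster (survives)
    size, = struct.unpack_from("<I", e, 0x1C)
    return {"deleted": e[0] == 0xE5, "name": bytes(e[0:8]), "ext": bytes(e[8:11]).rstrip(),
            "cluster_high": hi, "cluster_low": lo, "cluster": (hi << 16) | lo, "size": size}

def fat_entry(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<I", fat, cluster * 4)[0] & 0x0FFFFFFF   # FAT32 uses 28 bits

def read_cluster(data: bytes, cluster: int) -> bytes:
    off = (cluster - 2) * CLUSTER_SIZE * SECTOR
    return data[off:off + CLUSTER_SIZE * SECTOR]

def candidate_starts(low16: int, total_clusters: int) -> list:
    """Every cluster whose low 16 bits match; the high word could be anything."""
    return [c for c in range(low16, total_clusters + 2, 0x10000) if c >= 2]

def locate_deleted_start(entry: dict, fat: bytes, data: bytes, total_clusters: int):
    if not entry["deleted"]:
        return entry["cluster"]                  # live file: the full pointer is intact
    sig = SIGNATURES.get(entry["ext"])
    for c in candidate_starts(entry["cluster_low"], total_clusters):
        if fat_entry(fat, c) != 0:
            continue                             # cluster belongs to a live file
        if sig is None or read_cluster(data, c).startswith(sig):
            return c                             # free cluster with the expected signature
    return None

def recover_sequential(entry: dict, data: bytes, start: int) -> bytes:
    """The FAT chain was cleared, so assume the file was not fragmented."""
    per_cluster = CLUSTER_SIZE * SECTOR
    n = (entry["size"] + per_cluster - 1) // per_cluster
    return b"".join(read_cluster(data, start + i) for i in range(n))[:entry["size"]]

def build_sample():
    data = bytearray(TOTAL_CLUSTERS * CLUSTER_SIZE * SECTOR)
    fat = bytearray((TOTAL_CLUSTERS + 2) * 4)
    # Decoy: cluster 5 is a live JPEG whose FAT entry chains on to cluster 6.
    data[(5 - 2) * SECTOR:(5 - 2) * SECTOR + 3] = b"\xFF\xD8\xFF"
    struct.pack_into("<I", fat, 5 * 4, 6)
    # The deleted zip: 3000 bytes from cluster 0x10005; its FAT entries are now 0.
    payload = (b"PK\x03\x04" + bytes(range(256)) * 12)[:3000]
    off = (0x10005 - 2) * SECTOR
    data[off:off + len(payload)] = payload
    entry = bytearray(32)
    entry[0:11] = b"REPORT  ZIP"
    entry[0] = 0xE5                                # deleted marker overwrites the first character
    struct.pack_into("<H", entry, 0x14, 0)         # high word wiped by the operating system
    struct.pack_into("<H", entry, 0x1A, 0x0005)    # low word survives
    struct.pack_into("<I", entry, 0x1C, 3000)
    return bytes(entry), bytes(fat), bytes(data), payload

if __name__ == "__main__":
    entry_bytes, fat, data, _ = build_sample()
    entry = parse_dir_entry(entry_bytes)
    start = locate_deleted_start(entry, fat, data, TOTAL_CLUSTERS)
    print(hex(entry["cluster"]), "->", hex(start) if start is not None else None)
```

The FAT check is the "known empty location" condition in the text: without it the JPEG at cluster 5 would be skipped only because of its signature, and a file type with no known signature would be recovered from the wrong place.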


FAT File allocation table validation and correction

With a FAT disk, the location of every cluster in a file is determined by the file allocation table. There are in fact two such tables, and on a good disk both tables will be identical. The most common type of failure is for either sectors to fail, or parts of the table to be overwritten. In these cases, the second table can be used.

An unusual failure is when sectors are partially corrupted, often by data bits failing, sometimes seen in memory sticks. This can lead to an apparently good table, but one that is not possible to use. The errors can cause the file to chain to incorrect sectors, or loop to a single cluster. CnW Recovery software makes several tests on the FAT and will attempt to fix many possible errors. Types of errors that are detected are as below:

Duplicate cluster values
Variations between FAT1 and FAT2
Clusters that point to themselves
Cluster strings that do not terminate

The most common (default) fix for these errors is to set the pointer to the next cluster. For a sequential file this is the correct answer, but for a fragmented file it is just possible that a fragment jump could be missed, though this would be a case of double bad luck. For each change, an entry is made in the Forensic Report giving details of the modification.
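The four checks listed above, with the default "next cluster" fix and a forensic report line for every change, look like this when written out. The block is an added example, not CnW's code: the two FAT16 tables are constructed lists of 16-bit entries with one fault of each kind planted in them (a self-pointing cluster, a pointer beyond the disk, a cross-link where two chains name the same next cluster, a loop, and a bad FAT1 entry that FAT2 still has correctly). Where FAT1 and FAT2 differ, FAT2 is used only when FAT1's value is implausible, which is the "second table can be used" rule above.

```python
"""Validate a FAT16 against its second copy and apply the default repairs,
logging each change as a forensic report line.

Added example, not CnW's code. The tables are constructed; see build_sample_fats.
"""
from typing import List, Tuple

EOC = 0xFFF8           # FAT16 entries >= this value end a chain
TOTAL_CLUSTERS = 40    # data clusters 2 .. 41

def is_end(v: int) -> bool:
    return v >= EOC

def next_cluster(c: int, n: int) -> int:
    """The default fix: point at the following cluster, or end the chain at the disk end."""
    return c + 1 if c + 1 < n else 0xFFFF

def plausible(v: int, c: int, n: int) -> bool:
    return v == 0 or is_end(v) or (2 <= v < n and v != c)

def repair_fat(fat1: List[int], fat2: List[int], total_clusters: int) -> Tuple[List[int], List[str]]:
    n = total_clusters + 2
    fat, report = list(fat1), []
    # 1. Entry by entry: FAT1/FAT2 variations, self pointers, out-of-range pointers.
    for c in range(2, n):
        v1, v2 = fat1[c], fat2[c]
        v = v1
        if v1 != v2:
            if plausible(v2, c, n) and not plausible(v1, c, n):
                v = v2
                report.append(f"cluster {c}: FAT1 {v1:#06x} invalid, used FAT2 value {v2:#06x}")
            else:
                report.append(f"cluster {c}: FAT1 {v1:#06x} differs from FAT2 {v2:#06x}, kept FAT1")
        if v == c:
            v = next_cluster(c, n)
            report.append(f"cluster {c}: points to itself, set to {v:#06x}")
        elif not plausible(v, c, n):
            old, v = v, next_cluster(c, n)
            report.append(f"cluster {c}: pointer {old:#06x} out of range, set to {v:#06x}")
        fat[c] = v
    # 2. Duplicate cluster values: two entries naming the same next cluster.
    incoming = {}
    for c in range(2, n):
        if 2 <= fat[c] < n:
            incoming.setdefault(fat[c], []).append(c)
    for target, sources in incoming.items():
        if len(sources) > 1:
            keep = target - 1 if target - 1 in sources else sources[0]   # sequential link wins
            for s in sources:
                if s != keep:
                    fat[s] = next_cluster(s, n)
                    report.append(f"cluster {s}: duplicate pointer to {target:#06x}, set to {fat[s]:#06x}")
    # 3. Cluster strings that do not terminate: walk every chain and break loops.
    visited = set()
    for start in range(2, n):
        if start in visited or fat[start] == 0:
            continue
        chain, c = [], start
        while True:
            chain.append(c)
            visited.add(c)
            v = fat[c]
            if v in chain:
                fat[c] = next_cluster(c, n)
                report.append(f"cluster {c}: chain loops back to {v:#06x}, set to {fat[c]:#06x}")
                break
            if v == 0 or is_end(v) or v in visited:
                break
            c = v
    return fat, report

def build_sample_fats() -> Tuple[List[int], List[int]]:
    """Constructed FAT1/FAT2 pair with one fault of each kind."""
    n = TOTAL_CLUSTERS + 2
    f1 = [0] * n
    f1[0], f1[1] = 0xFFF8, 0xFFFF            # media byte and reserved entry
    f1[2:6] = [3, 4, 5, 0xFFFF]              # clean sequential file 2-5
    f1[6:10] = [7, 7, 9, 0xFFFF]             # cluster 7 points to itself
    f1[10:15] = [11, 12, 30, 14, 0xFFFF]     # 12 jumps to 30, cross-linked with 29
    f1[16:18] = [0xABCD, 0xFFFF]             # bad read in FAT1, FAT2 still good
    f1[20:23] = [21, 22, 20]                 # loop 20 -> 21 -> 22 -> 20
    f1[29:32] = [30, 31, 0xFFFF]             # sequential file 29-31
    f1[33] = 0x1234                          # pointer beyond the end of the disk
    f2 = list(f1)
    f2[3] = 0                                # FAT2 damaged here, FAT1 fine
    f2[16] = 17                              # FAT2 correct where FAT1 was bad
    return f1, f2

if __name__ == "__main__":
    fixed, log = repair_fat(*build_sample_fats(), TOTAL_CLUSTERS)
    print("\n".join(log))
```

Every change is appended to the report before the table is used, so the recovered files can later be traced back to the assumption that produced them, which matters when a repaired chain turns out to have crossed a real fragment boundary.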

Recover FAT32 disk when it has been reformatted as NTFS

There are cases of a FAT32 disk being reformatted as NTFS. This means that much of the file structure is lost, and also the FAT can be overwritten or corrupted. Fortunately, as long as too much data is not written with the NTFS structure, many files can be recovered. There are several stages in this operation, as described below.

Start the program, and skip the wizard.
It is now necessary to indicate that the disk is to be treated as a FAT32 disk, rather than an NTFS disk. This is done using the Partition function, and selecting the operating system as FAT32, rather than NTFS.
Now select the Recover function, and the FAT options screen should be displayed. There may be several error messages displayed as the FAT parameters will not be known.
Select the function Analyse disk parameters. The analyse function may take some time as it is trying to find old FAT32 directory entries. Once found, it will populate the FAT parameters as for the original FAT disk.
To recover the FAT files, the best option is probably Recover from directory stubs, along with Ignore FAT.

The program is now set up to recover the original FAT32 files. Because the FAT is almost certainly corrupted, it has to be ignored, and so files that were originally fragmented will be corrupted. The success rate does depend on many variables, in particular how much data has been written with NTFS, which would overwrite old FAT32 files. The directory structure may also be rather limited, and there will be Lost_dir directories as the parent node may have been overwritten.

exFAT

Microsoft has released a new version of FAT32 called exFAT, extended FAT. It is designed mainly for portable drives used with computers with limited computing power, such as cameras and hand held devices. The main advantage is that it no longer has a 4GB file size limit, and it has better operation with disk drives larger than 32GB.

The format has many similarities to FAT, but the major difference is in file allocation. There is a bitmap used for cluster allocation. There is a FAT to handle fragmented files, but if a file is not fragmented the FAT is not used. The benefit is that when writing to a disk, a FAT does not have to be updated with every cluster written, and the performance increase can be dramatic. It is now very rare to find a fragmented exFAT file, which means that recovery should be easier, even when much of the disk has been damaged.

32GB is a limit that Microsoft has tried to implement on FAT32 disks for performance purposes, even though drives happily work with 1TB of data. ie, the limit is just the maximum size that Microsoft will format the drive to, though there are many free utilities to overcome this restriction.

The CnW Recover routine will recover deleted files and also scan the unallocated area for any lost files.

Linux and Unix recovery

Linux and Unix disks are not very common on their own, but are often part of a NAS (Network Attached Storage) system. This could be a single drive, or part of a RAID 0 or RAID 1 for small systems, and RAID 5 for larger, more secure systems.

CnW Recovery will detect the following types of Unix file system:

Ext2/3
Ext4
ReiserFS
XFS

When detected, the following screen will be displayed. The most important sector on a Unix disk is the Superblock.

There are three basic modes to recover a Linux disk by:

Full recovery uses the existing directory structure to discover all the files. If the directory structure is damaged, a full recovery will not be made.
Scan for directory stubs will search for each known inode and recover files this way. It is very possible that orphaned files will be found, and these will then be stored in directories with a dummy file name.
Raw Inodes is (currently) for XFS and Reiser only. This scans the complete disk, block by block, for possible inodes. It then reconstructs wherever possible the file system, even when inodes have been deleted and otherwise removed. The process can be slow, but it does result in files being found that would otherwise be impossible with most types of recovery software. Recent results with a test ReiserFS disk recovered about 80% of the original files that had been deleted. NB more files appear to have been recovered, but there are many duplicates.

When the forensic option has been purchased, useful detail is added to the forensic log. This includes expected numbers of inodes, locations of groups etc.

XFS deleted file recovery

It is often stated that it is not possible to recover deleted files from XFS. This is largely true, as unlike NTFS there is no 'I have been deleted' flag. Instead the critical inodes are partially blanked to make them look free, and the tables that state where the inodes are, and whether they are used, are also cleared. The CnW approach is in five stages:

Scan the complete disk for all inodes
Regenerate the blanked inodes to give file size and file type
Scan all inodes to generate the directory structure
Recover all files, and check the file signature
Verify, when possible, the file length

This process will recover files from very damaged XFS disks, and still retain file names, dates and, very largely, the complete directory structure.

Reiser Disks

Most Reiser disks are part of the HP Media Vault system. They can appear as a RAID, or just a single disk. It is gathered that the system was often sold with a single drive, and then another drive could be added, normally as a JBOD configuration. The proposed RAID-0 option was never implemented. For RAID setup see the RAID drives section. The disk may be read in three ways: Full recovery, Scan and Raw. With Full recovery, the first stage is an analysis of all the leaf inodes to try to establish a directory structure. The Scan and Raw modes go to a lower level and do not try to read the disk based on the directory structure, though they will try to reconstruct the directories. A useful feature of the program is that it will still work even when the main Superblock header is missing. This header is normally at sector 0x80 of the partition, and is recognised by the string ReIsEr2ER at location 0x34 of the block.

Ext4 deleted file recovery

When an Ext4 file is deleted (and the rubbish bin cleared) the inode is blanked out. This means there is no information on file size, date or, most importantly, file location. Put very simply, recovery of deleted files with file name is impossible. HOWEVER, with the raw mode it is sometimes possible to recover files with the correct size, extension and date, but still no name. The raw mode will scan the complete disk for old inodes and make use of them. The result of this scan can be varied; it detects all inodes that are not part of the normal file system, and so a file may be found more than once. As names cannot be attached, the files are checked for signature and then saved in relevant directories. The file size and date are correct.

Recover All or Recover Selected

Not all configurations can operate with Recover Selected. If Recover All is used and only certain files are required, the recommendation is to use the file filter to select files based maybe on name, file type or date. It is intended to support Recover Selected for all Full Recover modes of operation, but scanned modes will rely on the file filter.

113 Macintsh Drive Data Recvery Macintshes use a file system call HFS and HFS+. CnW Recvery, althugh it is a PC prgram has several tls and mdes f peratin t help recver files frm disks that have becme crrupted, r suffered partial failure. When a Mac disk is selected fr recvery, the fllwing ptin screen is displayed - data is btained frm the vlume header The screen allws fr three partitins t be recvered, and the basic entries fr each partitin are displayed and may be edited. The entries are as belw Vl Start This is the first sectr f a lgical vlume. Fr an HFS+ vlume, lgical sectr 2 always starts H+. Sectr 2 is the vlume descriptin blck. There are ccasins when the H+ sectr is missing, r crrupted. In these cases the alternate backup cpy is examined and used if apprpriate Blck size This is the lgical blck size that is used t allcate data, ie the amunt used t write a 1 byte file. It is always a multiple f 512 bytes. Fr HFS disks, there can nly be 64K such blcks n a disk. Dir Cunt This is the number f directry entries stred n the partitin File cunt This is the number f files started n the partitin Cat nde size The catalg n a Mac disk is basically a file with fixed length recrds, r ndes. The size f the nde is critical in recvering the disk. Typical sizes fr 80GB disks are 4096 r 8192 bytes (0x1000 r 0x2000). It is nrmally similar in size t the Blck size, and will always be a multiple f 512 bytes Cat Start The cat start is the starting lcatin f the catalg file Recvery mdes There are three basic recvery mdes that can be use. Full Lgical Recver will read the disk in a similar way t the perating system, but p113

114 is very tlerant f any errrs. Recver frm directry scan. This will read the catalg file and try and recver each entry in a leaf nde. This mde will trap any file n a disk that has a brken directry tree. It is a very useful mde t use when there are failed sectrs in the directry area f the disk. It is cmmn n a damaged disk fr files t be saved int 'dummy' directries with names such as dir_9865. Recver frm directry ndes will scan the cmplete disk fr pssible catalg entries. This mde wuld be used when there is cnsiderable damage in the catalg area f the disk. The scan can be slw as it will examine the cmplete disk. Hwever, it des nt rely n a valid catalg tree extents infrmatin Scan fr Partitins The scan fr partitins functin will scan the cmplete disk and try and determine if there are any pssible starts t partitins. Any such starts are displayed in the bx under the Scan fr Partitins buttn. If the entry is duble clicked, it will be placed int the clumn fr the first partitin, and the ther parameters will be updated. Scan fr catalgs The scan fr catalgs will scan the cmplete disk and islate the prbable starts fr a catalg. If the value is clicked, the entries in the first partitin (the first clumn) will be initialised s that data frm the selected catalg can be read. Verify... Prcessing Resurce frks On Apple disks, HFS+, files ften cntain bth data and resurce frks. There is als an imprtant part f Metadata stred in the directry that indicates the applicatin that shuld pen the file. PCs tend t wrk just n file extensins, but Macs have a 'hidden parameter t assist, and s the file name is nt actually imprtant. On OS X, there is a methd f sharing this infrmatin n a standard PC disk. The methd is called AppleDuble frmat. Put simply, fr every file there is an assciated file with the same name, but prefixed._. Fr example fr fred.dc there will als be a file._fred.dc This extra file will be at least 82 bytes lng, and lnger if there is an assciated resurce frk. 
By using these files, the Mac on OS X can treat a FAT disk in the same way it handles a native HFS+ disk, and no information is lost. OS9 uses a different method, not yet implemented in CnW software. The type of output required on a disk is chosen by the flag OS X on the options screen.

A Macintosh will not read an NTFS disk, so if data is to be transferred to a Mac, a FAT32 disk must be used. Many external USB drives come as NTFS, and Windows will not reformat a drive as FAT32. It is therefore necessary to use an external program to format a drive as FAT32. One such program that has been tried is fat32format.exe, which can be downloaded free of charge from the web. Writing to an external FAT32 drive is very slow unless the write cache is enabled. On grounds of performance, make sure the output drive properties are set for performance and not quick removal.

Shortcuts and Hypertext links
Many times when copying files recovered by CnW to a Macintosh, the Macintosh cancels with an error message of 'The operation cannot be completed because you do not have sufficient privileges for some of the items'. This has been found to be due to programs missing, or hypertext links missing. It has been found on both a network copy, or when the Mac is reading a FAT or NTFS disk locally. It is often found when the Macintosh being used to copy is not the original system machine. To overcome this, CnW examines the resource fork and removes any 'slnk' or 'hlnk' in the resource fork. Files now copy without stopping. It does mean that some links will no longer work, but it will ensure that all data is copied.
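The AppleDouble sidecar described above has a fixed layout: a 26-byte header (magic, version, 16 filler bytes, entry count), then a 12-byte descriptor per entry, then the entry data. With a 32-byte Finder info entry and an empty resource fork entry that is 26 + 24 + 32 = 82 bytes, which is where the "at least 82 bytes" minimum comes from. The example below builds and parses such a file so that the type/creator and resource fork can be inspected before a recovered ._ file is trusted; it is added here and is not CnW's code, and the entry ids and offsets follow the AppleDouble version 2 layout.

```python
"""Build and parse AppleDouble '._name' sidecar files (Finder info + resource fork).
Added example with constructed data; not CnW's code."""
import struct

APPLEDOUBLE_MAGIC = 0x00051607
APPLEDOUBLE_VERSION = 0x00020000
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9
HEADER_LEN = 26        # magic(4) + version(4) + filler(16) + entry count(2)
ENTRY_DESC_LEN = 12    # entry id(4) + offset(4) + length(4)


def build_appledouble(file_type, creator, resource_fork=b""):
    """Sidecar with a 32-byte Finder info entry (type, creator, flags, ...) and a resource
    fork entry.  With an empty resource fork the result is exactly 82 bytes."""
    finder_info = struct.pack(">4s4sH", file_type, creator, 0) + bytes(22)   # FInfo + FXInfo
    entries = [(ENTRY_FINDER_INFO, finder_info), (ENTRY_RESOURCE_FORK, resource_fork)]
    out = bytearray(struct.pack(">II16xH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, len(entries)))
    data_off = HEADER_LEN + ENTRY_DESC_LEN * len(entries)
    payload = bytearray()
    for entry_id, blob in entries:
        out += struct.pack(">III", entry_id, data_off + len(payload), len(blob))
        payload += blob
    return bytes(out + payload)


def parse_appledouble(blob):
    """Return type, creator, resource fork bytes and the entry ids present, or raise ValueError."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for an AppleDouble header")
    magic, version, count = struct.unpack_from(">II16xH", blob, 0)
    if magic != APPLEDOUBLE_MAGIC or version != APPLEDOUBLE_VERSION:
        raise ValueError("not an AppleDouble version 2 file")
    entries = {}
    for i in range(count):
        entry_id, off, length = struct.unpack_from(">III", blob, HEADER_LEN + i * ENTRY_DESC_LEN)
        if off + length > len(blob):                      # truncated sidecar: refuse to guess
            raise ValueError("entry %d runs past the end of the file" % entry_id)
        entries[entry_id] = blob[off:off + length]
    finder = entries.get(ENTRY_FINDER_INFO, b"")
    file_type, creator = (finder[:4], finder[4:8]) if len(finder) >= 8 else (b"", b"")
    return {
        "type": file_type,
        "creator": creator,
        "resource_fork": entries.get(ENTRY_RESOURCE_FORK, b""),
        "entries": sorted(entries),
    }


def sidecar_name(name):
    """The AppleDouble companion of 'fred.doc' is '._fred.doc' in the same directory."""
    return "._" + name


if __name__ == "__main__":
    ad = build_appledouble(b"W8BN", b"MSWD")          # constructed Word document metadata
    print(len(ad), parse_appledouble(ad))
```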

MTF .BKF files

A very common backup format is the native backup program within Microsoft NT, Windows 2000 and XP. It is typically used to write to tape, but the Microsoft Tape Format can also be used to create a single backup file, with the default extension of .bkf. CnW Recovery software will recover these files, often as a two part procedure. The first stage is to recover the original .bkf file, and then open that file as if it was a disk image, i.e. use the Disk Image drive selection to select the backup file. The recovery procedure will scan the backup file and display all files and directories. It should be noted that it is very common for all subdirectory names to be backed up, even when there are no files in the subdirectory. The routine will work on backup files that are not complete, which is a typical issue when the backup has been interrupted.

NTFS Recovery

For NTFS there are several approaches that can be taken to restore files. There is no single correct one to use, but they often have different uses depending on how the disk has been damaged, or what type of data is being restored. Notes at the bottom of this page give suggestions of modes to use for different types of failures. There is no practical limit on the size of an NTFS partition, and with an EFI disk header it can be larger than 2TB. By double clicking on any of the parameter boxes the sector will be displayed.

Full Recovery
In this mode the program tries to restore the file in the same way as the standard operating system. It is very tolerant of errors, but if, for instance, the root directory structure is missing, the restoration may fail. In this case, use one of the options below.

Recover from file entries
This is often the most useful mode for restoring files from corrupted disks. It does assume a reasonably valid Master File Table (MFT) and it will read each entry in the table and try and restore the associated file. When selected, a second option will be displayed where the range of MFTs can be entered. This can be useful if a section of disk is causing the restoration process to hang or crash. In these cases, it would be possible to start and end the scan in sections. An additional option is to Scan all MFT entries, when the whole disk is read testing for possible MFTs. If the Cancel button is pressed in this scan, the scan is stopped, but optionally it is possible to continue with the restore stage. Thus if it is known that all MFTs are in the first 1,500,000 blocks, the scan can be cancelled any time after that, and restore will continue.

Recovery from MFTs is in two sections. First, known good MFTs are recovered, and saved in the directory specified by the output path. The second scan is for MFTs that have otherwise been lost. These are stored in a subdirectory !recover_mft.

Select MFT Range
When restoring from MFTs, it is possible to select the range. If this option is not selected, then all potential MFTs are analysed, and files read.

Restore deleted files
NTFS marks a file as active or deleted by using a flag in the MFT. When restoring the disk and selecting the deleted file option, the MFTs or directory is processed twice. In the first pass, only good files are restored. In the second pass, deleted files will be restored, but as known used sectors can be seen, the file can be marked as overwritten and stored in a separate directory. Overwritten files may be good, but should be treated with caution as at least some of the file has been detected as overwritten. Deleted files are stored in a directory !deleted.

Recover unused space
Recover unused space will do a raw scan of all sectors that have not been used. The data is saved in a directory called !recover_carving, and as in normal carving, will be in folders for each file type. On an NTFS disk, the carving will test for compressed NTFS sectors and process as required.

Recover Slack Space - Forensic option
Slack space on an NTFS volume is found in two areas. First, the space at the end of each file cluster, due to the fact that disk space is allocated in clusters, of say 2K length, but files are allocated space in bytes. A file of 13K would therefore require 14K of disk space, leaving the final 1K as unknown data. This is slack space, and can be useful within a forensic investigation. For data recovery applications, it is normally ignored. Cluster slack space is stored in a file called Slack_clust.slk. Each fragment is enclosed by tags with the structure <<clust:ssss-cccc>>...<</clust>> where ssss is the first sector in the cluster, and cccc is the logical cluster number.

The second area of slack is at the end of each MFT. A short file, normally less than 3K, can be stored in an MFT. These MFTs can contain more than just directory information. If the recover slack option is selected, all slack space from directories is stored in a file called Slack_Dir.slk, and placed in the output directory. Each entry is prefixed by the string <<mft:mmmm-xxxxxx>>...<</mft>> where mmmm is the MFT number and xxxxxx is the sector number of the MFT. The data entry is terminated by <<\mft>>.

Display MFTs
On an NTFS disk the sectors for an MFT form part of a file. Typically, all the sectors are contiguous, but on a highly used, or full, system the file can be very fragmented. When Display MFTs is used, a list of starts and run lengths is displayed, as below.

The start locations (absolute on the disk) and run lengths (in sectors) may be displayed in either decimal or hex. When the input file is an image file, then it is possible, by using Add runs to memory image, to scan the selected hard drive and add the relevant sectors to the disk image.

Analyse disk...
This is a function to assist in locating MFTs, and their size. For full details, see Search for MFTs.

Disk parameters
There are 6 parameters, for up to the total of 8 partitions. It is these values that determine how a disk is read logically. With a working drive, these will be filled in automatically, and will not need changing. However, for a failed drive, they may need to be configured or adjusted. Files can often be recovered from a disk that failed during partition resizing by setting these values to one of the logical partition sizes for the disk.

Scan start
This is the start of the logical partition. A typical sector image is shown below, with NTFS in bytes 4 to 7. This value is critical, and for a single partition disk is often 63 (0x3f).

End Scan
This is the sector location of the end of the partition. The value is not critical, and so if not known can be set to that of the size of the disk, or slightly larger.

MFT cluster start
The cluster start is the cluster number within the partition for the first MFT entry. Shown below is a typical first MFT. The location is worked out from the Start Scan entry, and is typically 0xc0000. This is the value in bytes 0x30-0x33 of the Start Scan sector, saved as little endian, hence 00 00 0C 00.

An MFT entry always starts with the string FILE0 or FILE* - the difference is due to two versions of NTFS. The root MFT has the string $MFT within the sector as this is the (hidden) file name for the MFT file, i.e. the main NTFS directory details. An MFT entry is always 1024 bytes long, so 2 sectors in length. So all MFTs will either start on an odd or an even sector number.

MFT Start sector
The start sector is the physical sector the first MFT is stored on. This is calculated by the cluster start * cluster size + Start Scan. For a typical single partition drive, it is 0x60003f. The Analyse Disk function will help determine the value for this entry, and the cluster number.

MFT entries
This is the expected number of MFTs. Most files and directories require a single MFT, though some files with long file names, or very fragmented files, require multiple entries. The value in this field is not too important. If in doubt it should be set to a value too large. A value of will allow for over 200,000 files and could be a good starting value. If the value is 0, then set it to a suitable value as described earlier.

Cluster size
This is an extremely critical value. It must be a multiple of 2, e.g. 2, 4, 8, and for most disks above a few GBs in size the value is 8.

Alternate Data Streams (ADS)
The very large majority of PC users will never be aware of alternate data streams. They are a hidden part of a file that will not be seen with any standard DOS or Windows tool. However, they are part of a file, and normally stripped off on recovery. With the correct tools these streams can be used to hide data on a drive, and so CnW Recovery will extract these data forks.

CnW will produce a file for each data stream. For alternate streams, the file name will be appended with the string -#-xxxxx where xxxxx is the stream name.

How to recover after different modes of failure
When the operating system has been reloaded, and all data files lost

BIOS Parameter FDC descriptor for NTFS

The BPB FDC descriptor defines all the parameters required to logically read an NTFS partition. It is stored at a location pointed to by the Partition Table record, and typically it is sector 0x3F (63). The FDC starts at byte 0xb, and although similar to a FAT FDC, has differences. The example below is described in detail.

[Hex dump of the example NTFS boot sector (bytes 0x00 to 0x5F): not recoverable from the extracted text]
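The BPB fields above are exactly the inputs to the Disk parameters on the NTFS screen: the cluster size comes from the sectors-per-cluster byte at 0x0D, the MFT cluster start from the 8 bytes at 0x30, and the MFT Start sector is then cluster start * cluster size + Start Scan, as stated in the MFT Start sector paragraph. The example below decodes a boot sector and computes those values; it is added here and is not CnW's code. The boot sector it reads is constructed with the typical values the text quotes (partition at sector 63, 8 sectors per cluster, MFT at cluster 0xC0000), and the field offsets are the standard NTFS BPB layout.

```python
"""Decode the NTFS BPB/FDC fields behind the recovery screen (Scan start, MFT cluster
start, Cluster size, MFT Start sector).  Added example; the boot sector is constructed."""
import struct


def make_ntfs_boot_sector(sectors_per_cluster=8, hidden=63, total_sectors=0x3A38602F,
                          mft_cluster=0xC0000, mftmirr_cluster=0x2, clusters_per_record=-10):
    """Constructed NTFS boot sector: jump, 'NTFS    ' OEM id, BPB from 0x0B, 0x55AA trailer."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, sectors_per_cluster)  # bytes/sector, sectors/cluster
    bs[0x15] = 0xF8                                              # media descriptor: fixed disk
    struct.pack_into("<HH", bs, 0x18, 63, 255)                   # sectors/track, heads (geometry only)
    struct.pack_into("<I", bs, 0x1C, hidden)                     # hidden sectors = partition start
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<QQ", bs, 0x30, mft_cluster, mftmirr_cluster)  # $MFT and $MFTMirr clusters
    struct.pack_into("<b", bs, 0x40, clusters_per_record)        # -10 means a record is 2**10 bytes
    struct.pack_into("<b", bs, 0x44, 1)                          # clusters per index record
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def size_from_code(code, bytes_per_cluster):
    """Clusters-per-record field: positive = number of clusters, negative = 2**(-code) bytes."""
    return (1 << -code) if code < 0 else code * bytes_per_cluster


def parse_ntfs_boot_sector(bs, scan_start):
    """Return the recovery parameters for a partition whose boot sector is at scan_start."""
    if bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, spc = struct.unpack_from("<HB", bs, 0x0B)
    hidden = struct.unpack_from("<I", bs, 0x1C)[0]
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", bs, 0x28)
    rec_code = struct.unpack_from("<b", bs, 0x40)[0]
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors per cluster must be a power of two, got %d" % spc)
    return {
        "scan_start": scan_start,
        "end_scan": scan_start + total_sectors,
        "cluster_size": spc,
        "mft_cluster_start": mft_cluster,
        "mft_start_sector": mft_cluster * spc + scan_start,      # cluster start * cluster size + Start Scan
        "mftmirr_start_sector": mftmirr_cluster * spc + scan_start,
        "mft_record_size": size_from_code(rec_code, spc * bytes_per_sector),
        "hidden_sectors_match": hidden == scan_start,            # a mismatch hints at a moved partition
    }


if __name__ == "__main__":
    print(parse_ntfs_boot_sector(make_ntfs_boot_sector(), scan_start=63))
```

The hidden-sectors check is worth keeping: when a partition has been moved or the table rewritten, the value at 0x1C no longer matches the sector the boot sector was actually found at, which is one early sign of the confused-partition situation described later in this manual.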

NTFS MFT range

When restoring from file entries, the program will scan the range of Master File Table (MFT) entries that it has determined. Sometimes this may cause a problem: if a particular entry is very corrupted it may cause the program to loop, or crash. This type of problem should be reported to CnW Recovery, but in the meantime it may be possible to restore parts of the disk by setting the MFT range to be less than the full range. Thus, the user may decide to restore just the first 1000 entries, or the entries in the range 4,500 to 6,000, rather than the complete disk.

Search for MFTs

Some disks are extremely slow to access. In this case searching for MFTs could take years rather than hours. The search for MFTs does a faster search, looking at every possible 512 locations for a possible MFT entry. This does assume that a run of MFTs will be detected, but it is possible that a run could be missed. It is therefore not a function that should be used if a complete forensic report could be required in court. By finding MFTs, this is also the basis of a simple analysis of the disk structure, as it will also determine the start of the partition, and the cluster size. The values are displayed in decimal or hex, depending on the value set in the main NTFS recover screen. The above information is filled in automatically by the program, but there is flexibility to change it. In particular, the starting location of the search is determined by Sector Start. This feature can be used to start searching in an area of the disk known to be, for instance, the second partition.

Run Search
The search increment is the number of sectors to jump between searches, so the display above would relate to every 256 (0x100) possible MFTs, for a normal 512 byte disk. (Some optical disks are 1024 bytes.) A large search increment may skip over a section of the disk containing MFTs; a very small increment will take a long time to search. When the disk is searched, two sectors are actually read, so that it does not matter if the start is odd or even. Once a block of MFTs is found, the program then searches backwards to the first MFT in the range. The status list box shows the start of any MFT run that has the first entry of $MFT.

Start sector and End Sector
These values define the range of searching. Typically use the default values, unless one knows where to look and wants to save time.

Scan for all valid MFTs
The $MFT is a file, made up of MFT records. Each record starts with the string FILE0 or FILE*, and is 1024 bytes long. The first entry will always have a filename of $MFT. The function scan for all valid MFTs will scan the complete disk for any run of MFTs that starts with $MFT. For many applications, only the first one is required, and for a single partition disk there should only be one. For a disk that has been repartitioned, a full scan may well point to where old MFT runs have been found.

Apply Values
If the scan has brought up possible MFT runs, these may be applied to the main recovery program. If more than one run has been detected, it is necessary to select the one required. It will then configure these values into Partition 0 of the disk. Thus if there are multiple partitions, it will be necessary to run this routine several times, once for each partition.

Cancel
The cancel button has two modes of operation. If the program is scanning, it will cancel the scan. If the scan has finished (or been cancelled) then this function will exit, and not update the main parameters.
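The stepped search described in Run Search and Scan for all valid MFTs, together with the in-use flag that the Restore deleted files option relies on, can be shown in a few dozen lines. The example below is added here and is not CnW's code: it probes a raw image every `increment` sectors, tests two candidate starts so an odd or even run start does not matter, checks the FILE signature and the update sequence fixups (the "sumchecks" mentioned later), walks back to the first record of a run, and reports whether that run starts with $MFT. The image it scans is constructed, and the sample records carry the file name as plain UTF-16LE text rather than a full attribute layout, which is enough for the $MFT test the text describes. One detail I am confident of and use here: the fifth byte of the signature is the low byte of the update sequence array offset, 0x30 ('0') on current NTFS and 0x2A ('*') on older volumes, which is why records read FILE0 or FILE*.

```python
"""Stepped search for MFT records in a raw image, with update-sequence verification,
run back-tracking and $MFT detection.  Added example over a constructed image."""
import struct

SECTOR = 512
RECORD = 1024          # an MFT entry is always 1024 bytes = 2 sectors
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def make_mft_record(number, in_use=True, name=None, usa_ofs=0x30, usn=0x1234):
    """Constructed record: FILE header, flags, update-sequence fixups.
    usa_ofs 0x30 yields the 'FILE0' form, 0x2A the older 'FILE*' form."""
    rec = bytearray(RECORD)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_ofs, 3)                   # USA offset, USA count (USN + 2 sectors)
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, usa_ofs + 6, FLAG_IN_USE if in_use else 0)
    struct.pack_into("<II", rec, 0x18, 0x100, RECORD)             # bytes used, bytes allocated
    if usa_ofs >= 0x30:                                           # record number field exists only on FILE0
        struct.pack_into("<I", rec, 0x2C, number)
    if name:                                                      # simplified: name stored as bare UTF-16LE
        rec[0x100:0x100 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<H", rec, usa_ofs, usn)
    for i in range(2):                                            # park each sector's last 2 bytes, write USN
        end = (i + 1) * SECTOR - 2
        rec[usa_ofs + 2 + 2 * i:usa_ofs + 4 + 2 * i] = rec[end:end + 2]
        struct.pack_into("<H", rec, end, usn)
    return bytes(rec)


def is_mft_record(buf):
    """Signature plus update-sequence check: every sector must end with the USN."""
    if len(buf) < RECORD or buf[:4] != b"FILE":
        return False
    usa_ofs, usa_count = struct.unpack_from("<HH", buf, 4)
    if usa_ofs not in (0x2A, 0x30) or usa_count != 3:
        return False
    usn = buf[usa_ofs:usa_ofs + 2]
    return all(buf[(i + 1) * SECTOR - 2:(i + 1) * SECTOR] == usn for i in range(2))


def record_info(buf):
    """Flags at 0x16 tell active from deleted; number at 0x2C is only meaningful for FILE0 records."""
    flags = struct.unpack_from("<H", buf, 0x16)[0]
    return {
        "number": struct.unpack_from("<I", buf, 0x2C)[0],
        "in_use": bool(flags & FLAG_IN_USE),
        "directory": bool(flags & FLAG_DIRECTORY),
        "is_mft_file": "$MFT".encode("utf-16-le") in buf,
    }


def search_mft_runs(image, start_sector=0, end_sector=None, increment=256):
    """Probe every `increment` sectors (and the sector after, for odd starts); on a hit walk
    back to the first record of the run.  Returns [(run_start_sector, starts_with_mft)]."""
    total = len(image) // SECTOR
    end_sector = total if end_sector is None else min(end_sector, total)
    runs, sector = [], start_sector
    while sector + 2 <= end_sector:
        hit = next((s for s in (sector, sector + 1)
                    if s + 2 <= end_sector and is_mft_record(image[s * SECTOR:(s + 2) * SECTOR])), None)
        if hit is None:
            sector += increment
            continue
        first = hit
        while first - 2 >= 0 and is_mft_record(image[(first - 2) * SECTOR:first * SECTOR]):
            first -= 2
        if not runs or runs[-1][0] != first:
            runs.append((first, record_info(image[first * SECTOR:(first + 2) * SECTOR])["is_mft_file"]))
        nxt = hit + 2                                              # resume after the end of this run
        while nxt + 2 <= end_sector and is_mft_record(image[nxt * SECTOR:(nxt + 2) * SECTOR]):
            nxt += 2
        sector = nxt
    return runs


def build_sample_image(total_sectors=4096):
    """Constructed 2 MB image: a 4-record $MFT run starting at an odd sector, plus one
    orphan FILE* record elsewhere (the 'MFT sector that has been moved somewhere' case)."""
    img = bytearray(total_sectors * SECTOR)
    run = [make_mft_record(0, name="$MFT"), make_mft_record(1, name="$MFTMirr"),
           make_mft_record(64, name="report.doc"), make_mft_record(65, in_use=False, name="old.jpg")]
    for i, rec in enumerate(run):
        img[(1091 + 2 * i) * SECTOR:(1091 + 2 * i) * SECTOR + RECORD] = rec
    img[2560 * SECTOR:2560 * SECTOR + RECORD] = make_mft_record(900, name="moved.txt", usa_ofs=0x2A)
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    print("increment 4:  ", search_mft_runs(img, increment=4))
    print("increment 256:", search_mft_runs(img, increment=256))   # the short run is skipped
```

Running the two increments side by side shows the trade-off the text warns about: a 256-sector step finds the orphan record that happens to sit on a probe boundary but skips the 8-sector $MFT run entirely, which is exactly why a coarse search is unsuitable when completeness matters.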

Files lost when NTFS reloaded

It is a fairly common problem that many PCs these days are shipped with a recovery mode for the operating system that will reload a completely clean copy of the operating system, and not retain the files. Fortunately, this reloading does not normally include a reformat, so the files do still exist, but cannot be accessed. To recover the files, one way is to track down all the old MFT entries. The new installation of the operating system will create a new MFT file, i.e. the index to all files, and the new MFT will be fairly short, i.e. just long enough for the files currently on the disk, maybe 10,000 files. To recover the older files, it is necessary to find the original MFTs. As all indexing of the locations of the MFTs is probably lost, the only way to work is to scan the whole drive.

For this reason, on the NTFS options screen, one needs to select both the radio button and the check box: From File entries, Scan all MFT entries. When the Recover All or Select Files button is pressed, the whole drive will be scanned. If a scan of the whole drive is not required, the End Scan value can be reduced from its default maximum value. In the same way, the start value could be increased. This setting of start and end is also useful if it is necessary to skip some of the media due to complete, or excessive, sector failures. When scanning, the display will indicate progress, as well as the number of MFTs and Boot sectors found. If Cancel is pressed on the scan, the scan for MFTs will be cancelled, and the process will continue with file recovery, based on the number of MFTs detected up to the point the cancel button was pressed.

File recovery mode works in two passes. The first pass will recover all known good files, i.e. ones from the current NTFS disk. The second pass will then recover all files that have been located from the scanned MFTs, as well as deleted files. The reason for this dual pass is so that files can be detected that could have been overwritten, or partially overwritten.

Files that are recovered as part of the second pass are stored in a directory !recover. Files that are thought to be partially overwritten are stored in a directory overwrite, or overwrite\!recover. Overwritten files are often corrupt, but can always be tried, as they contain the information / file data required.

Files recovered, but not valid, or subdirectories wrong
The most likely explanation for this is that the drive partitions are incorrect. Locations of files, as stored in an MFT, are relative to the partition that the MFT is in. The starting point to fix this will be to run the partitions program and search for previous partitions.

Cannot read first MFT, copy failed

The first MFT is a critical sector. There are actually two such sectors, and both are searched for before this error message is displayed. The way to recover from this problem is as below. In the Recover function, the following options must be selected and enabled: From File entries, Scan all MFT entries. The program will then scan the whole disk for MFTs. It then does two stages of recovery, which may look a bit odd if the first MFT is missing. The first stage is to try and recover all files that exist in the full MFT file - which in this case may not exist as a file. The second stage is then to recover all files relating to an MFT. A problem that can exist with this mode is that occasionally directory paths cannot be resolved fully, so files may appear in invalid, or incorrect, directories. CnW are working on this problem.

NTFS with confused partitions

When a partition modifying program fails, an NTFS disk may be left in what may be best described as a confused state, i.e. it may be possible to find where the MFT file is, but it does not tie up with the files. The reason for this is that a repartition program may move the location of the MFTs, and sometimes move the locations of programs. If this process fails in the middle, there may in effect be two groups of MFT entries, pointing to two groups of files. To recover the files, it may be necessary to recreate the partition information for the initial partition settings, and then another set of parameters for the second partition settings and MFT locations. The disk is then recovered in two stages. This section gives guidance on how to recover such a disk.

The first stage always is to establish where the actual MFTs are located. For this there are two tools within CnW Recovery to assist. The first tool is the Partition analysis routine. If partitions have valid headers, this function will assist in searching for partition starts, and hence pointers to MFT files, i.e. the disk directory information. If the partitions do not have valid headers, then it will be necessary to set the partition to be NTFS in the partition analysis section, and go to the NTFS Recover menu and use the Analyse disk function. This will search through the disk to find the start of MFTs.

At this point we may have the start sector of the MFT, i.e. a sector that starts with FILE and part of the way through has the string $ M F T. This is the value that has to be entered in MFT Start sector. However, on recovery one may get lots of files, and valid filenames, but not valid files. This problem is due to the start of the partition being wrong. To establish the start of the partition can be time consuming, but very satisfying when you get the correct result. The start of the partition is determined in 2 stages. First run the recovery program and get file names and sizes. Secondly, run a raw recovery of an area of the disk to obtain many files that have known sizes and extensions. Typically a jpeg file is very good for this. Then one can match a jpeg file with a known size between the directory determined location and the raw recovery location. A bit of simple maths will then indicate how the value for the start of the partition should be altered. This sounds complex, but is not actually too bad, it just takes careful thinking. As the master disk is never changed, and data is recovered onto a different drive, multiple attempts will not corrupt your data any further. CnW is working on ways to automate this process.

Alternate Data Stream

NTFS has a feature, similar to Macintosh resource forks, i.e. an area of the file that is associated but separate. However, it is largely invisible to all users. One significant interest will be for forensic investigators, as the alternate data stream (ADS) can be used to hide data in a way that it will not be visible to standard tools. The way that the ADS works internally on NTFS disks is fairly simple, and all contained within the MFT structure.

[Hex dump of the example MFT record (offsets 0x000 to 0x1C0, showing the FILE0 header and the $DATA attributes at 0x108, 0x148 and 0x1a0): not recoverable from the extracted text]

The MFT above shows a file with 2 ADS in addition to the main, resident data. The standard data run is at location 0x108 and actually contains a string of resident data. If viewed in Windows, the file will look like a 24 (0x18) byte file with the data "This is visible text, but not too long". NB the principle is identical for both resident and non resident data. The next two data runs at locations 0x148 and 0x1a0 have streams named 'hidden' and 'hidden2'. The lengths of the data are 0x11 and 0x1a bytes, but in these cases the data is not resident, as indicated by the 0x1 in bytes 0x151 and 0x1a8. CnW will produce 3 files from this MFT, named as below:

hello.txt             40 bytes long
hello.txt-#-hidden    17 bytes
hello.txt-#-hidden2   26 bytes
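The MFT layout described above can be walked mechanically: each attribute has a common 16-byte header (type, length, non-resident flag, name length, name offset), a resident attribute then carries value length and value offset, and a non-resident one carries the real size and a data run list. Every $DATA attribute with a non-empty name is an alternate stream. The example below is added here and is not CnW's code: it constructs a record equivalent to the one above (one unnamed resident $DATA of 40 bytes, two non-resident named streams of 0x11 and 0x1a bytes), then lists the streams with the -#- naming convention and decodes the data runs so an investigator knows which clusters hold the hidden content. The constructed record has no update sequence fixups applied, so the parser does not undo them; on a real disk that step comes first.

```python
"""List all $DATA streams (including alternate data streams) in an MFT record.
Added example over a constructed record; attribute offsets follow the NTFS on-disk layout."""
import struct

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
RECORD = 1024


def encode_data_runs(runs):
    """Data run list: header nibbles give the byte widths of the length and the signed LCN delta."""
    out, prev = bytearray(), 0
    for lcn, count in runs:
        out += b"\x41" + struct.pack("<B", count) + struct.pack("<i", lcn - prev)
        prev = lcn
    return bytes(out + b"\x00")


def decode_data_runs(buf):
    """Inverse of encode_data_runs: returns [(absolute LCN, cluster count)]."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        ln, lo = buf[pos] & 0xF, buf[pos] >> 4
        count = int.from_bytes(buf[pos + 1:pos + 1 + ln], "little")
        lcn += int.from_bytes(buf[pos + 1 + ln:pos + 1 + ln + lo], "little", signed=True)
        runs.append((lcn, count))
        pos += 1 + ln + lo
    return runs


def resident_attr(atype, value, name=""):
    """Resident attribute: 0x18-byte header, UTF-16LE name, then the value (8-byte aligned)."""
    n = name.encode("utf-16-le")
    value_off = (0x18 + len(n) + 7) & ~7
    length = (value_off + len(value) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 0x18, 0, 0, len(value), value_off, 0, 0)
    return hdr + n + bytes(value_off - 0x18 - len(n)) + value + bytes(length - value_off - len(value))


def nonresident_attr(atype, real_size, runs, name=""):
    """Non-resident attribute: 0x40-byte header (real size at 0x30), name, then data runs."""
    n = name.encode("utf-16-le")
    runs_off = (0x40 + len(n) + 7) & ~7
    runlist = encode_data_runs(runs)
    length = (runs_off + len(runlist) + 7) & ~7
    clusters = sum(c for _, c in runs)
    hdr = struct.pack("<IIBBHHHQQHHIQQQ", atype, length, 1, len(name), 0x40, 0, 0,
                      0, clusters - 1, runs_off, 0, 0, clusters * 4096, real_size, real_size)
    return hdr + n + bytes(runs_off - 0x40 - len(n)) + runlist + bytes(length - runs_off - len(runlist))


def make_record(file_name, streams):
    """Constructed MFT record: $FILE_NAME plus one $DATA attribute per (name, payload, size, runs);
    payload None means non-resident."""
    name16 = file_name.encode("utf-16-le")
    fn_value = bytes(0x40) + bytes([len(file_name), 1]) + name16     # name length, Win32 namespace, name
    attrs = resident_attr(ATTR_FILE_NAME, fn_value)
    for sname, payload, size, runs in streams:
        attrs += resident_attr(ATTR_DATA, payload, sname) if payload is not None \
            else nonresident_attr(ATTR_DATA, size, runs, sname)
    rec = bytearray(RECORD)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, 1)          # seq, links, first attribute, in use
    struct.pack_into("<II", rec, 0x18, 0x38 + len(attrs) + 8, RECORD)
    rec[0x38:0x38 + len(attrs)] = attrs
    struct.pack_into("<I", rec, 0x38 + len(attrs), ATTR_END)
    return bytes(rec)


def list_streams(rec):
    """Return [(output_name, resident, size, runs)] for every $DATA attribute in the record."""
    pos = struct.unpack_from("<H", rec, 0x14)[0]
    base, streams = "", []
    while pos + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or length == 0:
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", rec, pos + 8)
        aname = rec[pos + noff:pos + noff + 2 * nlen].decode("utf-16-le")
        if atype == ATTR_FILE_NAME:
            voff = struct.unpack_from("<H", rec, pos + 0x14)[0]
            fnlen = rec[pos + voff + 0x40]
            base = rec[pos + voff + 0x42:pos + voff + 0x42 + 2 * fnlen].decode("utf-16-le")
        elif atype == ATTR_DATA and nonres:
            real = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            roff = struct.unpack_from("<H", rec, pos + 0x20)[0]
            streams.append((aname, False, real, decode_data_runs(rec[pos + roff:pos + length])))
        elif atype == ATTR_DATA:
            vlen = struct.unpack_from("<I", rec, pos + 0x10)[0]
            streams.append((aname, True, vlen, []))
        pos += length
    return [(base if not n else base + "-#-" + n, res, size, runs) for n, res, size, runs in streams]


def sample_record():
    visible = b"This is visible text, but not too long\r\n"            # 40 bytes, kept resident
    return make_record("hello.txt", [("", visible, len(visible), []),
                                     ("hidden", None, 0x11, [(0x4000, 1)]),
                                     ("hidden2", None, 0x1A, [(0x5000, 1)])])


if __name__ == "__main__":
    for name, resident, size, runs in list_streams(sample_record()):
        print("%-22s %s %3d bytes %s" % (name, "resident" if resident else "non-res ", size, runs))
```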

Recovering when a new / different operating system has been loaded

Sometimes a disk is lost because a new operating system is loaded. This is normally accidental, but malicious cases are also known. The major problem with data recovery is that the disk is probably working OK, and looks OK, but has not got any relevant user data. The procedure to overcome this situation involves reconfiguring the partition table to look for the older type of operating system, and probably reconfiguring the media partition data parameters. This is not as complex as it sounds, and with CnW Software each attempt can be tried and tested, so some element of trial and error can be used. If a case such as this is considered possible, it is more important than ever that the disk is worked on as a data disk, and not to try to run any programs on the disk.

An example could be if somebody has installed Linux over an NTFS partition. If the partition data is displayed, then a valid Linux disk will be seen, and no sign of the existing NTFS disk. As long as Linux has not overwritten actual files, there is a good chance of data recovery. There are two basic stages to be performed:
Set the partition to the correct operating system
Set the operating system details

Set partition for operating system
From the main data screen, select Partitions. For the purpose of this example we will assume that the original disk just had a single partition with NTFS. This is a very typical configuration, but certain manufacturers, such as Dell, actually partition the main drive into 3 partitions to allow for certain data recovery procedures. (This means that the main data partition does not start at the start of the disk.) For the first partition, select the operating system to be NTFS, and the relative sector should be 63 or 0x3f. The value 63 is true in over 95% of cases for the first partition. The total number of sectors should be taken from the highest total number of sectors displayed in the list. The value is not too critical, but setting it too high will slow down possible recovery, and too low may miss some files. The Cyl, head, and sect values are only displayed, and not actually used. They need not be set to any particular value. It should be noted that these new values will be remembered by the program, even though they are not written to the disk.

Operating system details
When Recover is selected, the NTFS Recovery screen is displayed. Often in cases with the operating system overwritten, there will be no meaningful information on this screen, and it will be necessary to locate the MFTs and media partition sector. One bit of useful information is that many NTFS disks use the same basic parameters, and the following parameters can be tried - the values are in hex:

Start Scan         0
End Scan           Size of drive, a fairly large number
MFT Start Cluster  0xc0000
MFT Start Sector   0x60003f
MFT entries        0x20000
Cluster size       0x8

There is a function button, Search for MFTs. This will scan the disk for the first run of MFTs. It will try and verify that the MFT is part of a main directory, and not, as often happens, just an MFT sector that has been moved somewhere. This value can then be entered into the main screen.

Deleted Partition

It is a common error to accidentally delete a partition, and in doing so all files are lost. CnW software will help you recover your files. There are a few stages, and if no data or operating system has been added, a complete recovery will be possible. The first stage is to determine the original partition, and full details are in the Partitions Analysis and recovery section. If this successfully recreates the master boot record, then a normal recovery function can be done on the disk, for both NTFS and FAT. If it is not possible to detect the partition information, then it is necessary to force the partition type to the one required. This is normally NTFS, but it should be noted that several large PC manufacturers do include small FAT partitions at the start, and sometimes the end, of a disk. The user may think the disk is NTFS, but there can also be FAT partitions. The relative sector and total sectors need to be filled in with 'reasonable' values, along with the operating system. When Recover is then selected, each recovery function has an analyse mode that can be used to determine the partition values.

How to find and recover lost files

Often with a hard drive a file or folder may go missing. This could be operator error, or a sector has failed within a directory tree. The following tools and procedures may assist in recovering such a file. If a disk is fairly new, the Wizard gives an indication of the number of sectors of a disk that have been used as a percentage of the whole disk. Thus if the wizard says a 100GB disk is 80% full and only 20GB of files can be found, it is possible that there is 60GB lost or hiding. However, an old or well used disk will slowly write on all sectors of the disk, so this figure should be used with caution. Recovery is dependent on the media and operating system used, so the instructions below are system dependent.

FAT lost file recovery
On the FAT recovery menu there are a few very useful options. For deleted files there is an option button to recover deleted files. This will copy the files that have been deleted. Often the full filename will be restored, but on short file names the file name may start with a '!', as the first character of the file name is used to indicate that it has been deleted. When files or directories are missing, the 'Recover from Directory Stubs' option can be very useful. In this mode the whole disk is scanned for subdirectories. It will therefore pick up directories that have otherwise been disconnected from the main directory structure. This can be caused by a sector failure or a glitch when updating directories. As this procedure is a brute force method, there may be cases when totally irrelevant directory stubs are detected, or the same one is found more than once.

NTFS lost file recovery
NTFS is well structured to recover any file that has otherwise been lost. Each file has an entry in the MFT (Master File Table) and so by searching the disk for all MFT entries, most files can then be found. Each entry in the MFT starts with the letters FILE0 or FILE*, and there are also sumchecks to add to the search criteria. On normal reading of a disk, the MFT is navigated using Index files, and if one of these is corrupted or damaged, parts of the directory tree will not be found. By using the recovery option 'From directory stubs' the disk will be searched for MFT nodes. There are two ways this can be done, either by logically reading the $MFT file, which is quick, or, for fuller recovery, the whole disk is scanned. When the 'From Directory Stubs' option is used it is common for a file to be found without a parent directory path. In this case a dummy subdirectory is created, and all associated files are stored in a unique directory. As with FAT, the NTFS recover option menu has the Recover Deleted Files button. When recovering files, these will be placed in a main subdirectory called 'DELETED'.

Recovery from a drive with many bad sectors

CnW Recovery software will recover from disks that do have a high number of bad or failed sectors. The best way to proceed is to create an image file, probably in stages. The following stages should be followed.

The disk image should be started, and if possible the complete disk imaged. At various points the imaging may stop, but if it stops for more than 5 or 10 minutes, it is probably preferable to start skipping sectors. This can be done using the Configure / Hardware configure options, and probably set the drive up so that if 10 read errors occur, then skip 100 sectors. This will allow skipping in sections. If the system keeps pausing for long periods, try increasing the skip value, to maybe 1000, or 10,000 sectors. If this keeps hanging, cancel and try the next procedure.

The directory image should be constructed. To construct the directory image it is necessary for the disk image to have enough information to determine the basic disk structure. For all disks this normally means a valid sector 0 (Boot sector), or one created by the Partition section of CnW. It is also necessary to have the start of the partition imaged, and the start of the directory or catalog. The following values are only typical values for single partition systems, but are often correct:

NTFS disk - partition start, sector 63 (0x3f). MFT start, 6,291,519 (0x60003f)
MAC HFS+ - volume start 262,208 (0x40040)

If the above sectors are part of the image file then when Recover is selected, there is a button on the screen for View MFT or View Cat. When selected, it will display the location of all directory starts and lengths. At this point, the failed hard drive should be selected, and the function 'Add runs to disk image' will now access the hard drive and update the disk image file. After this stage there will be a disk image with the basic sectors required to navigate the files on the disk.

Final stage
If a recovery is required, it will now be possible to do a 'dummy' recovery using the image file.
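The staged procedure above (sequential imaging with an error-count-then-skip policy, followed by adding specific runs such as the MFT from the failing drive) is shown below as a small simulation. It is an added example and not CnW's imaging code; the drive is a constructed object whose bad sectors raise read errors, and the threshold and skip values are the ones the text suggests (10 errors, skip 100 sectors). The point it makes is how much readable data a coarse skip leaves behind, and how an "add runs" pass fills the gaps that matter.

```python
"""Staged imaging of a drive with bad sectors: sequential pass with skip-on-errors,
then targeted 'add runs' to fetch specific sectors.  Added example with a simulated drive."""
SECTOR = 512


class SimulatedDrive:
    """Constructed drive: reading any sector in `bad` raises IOError, everything else succeeds."""

    def __init__(self, total, bad):
        self.total, self.bad, self.reads = total, set(bad), 0

    def read(self, sector):
        self.reads += 1
        if sector in self.bad:
            raise IOError("read error at sector %d" % sector)
        return sector.to_bytes(8, "little") * (SECTOR // 8)       # recognisable dummy content


class DiskImage:
    """Sparse image: sectors captured so far plus a log of the skips that were taken."""

    def __init__(self, total):
        self.total, self.sectors, self.skipped = total, {}, []

    def image_sequential(self, drive, errors_before_skip=10, skip_sectors=100, start=0, end=None):
        """Read sector by sector; after `errors_before_skip` consecutive failures jump ahead
        by `skip_sectors` (the Hardware configure setting the text describes)."""
        end = drive.total if end is None else min(end, drive.total)
        sector, consecutive = start, 0
        while sector < end:
            try:
                self.sectors[sector] = drive.read(sector)
                consecutive, sector = 0, sector + 1
            except IOError:
                consecutive += 1
                if consecutive >= errors_before_skip:
                    first_bad = sector - (consecutive - 1)
                    self.skipped.append((first_bad, min(sector + skip_sectors, end)))
                    sector, consecutive = sector + skip_sectors, 0
                else:
                    sector += 1
        return len(self.sectors)

    def add_runs(self, drive, runs):
        """'Add runs to disk image': fetch specific (start, length) runs, e.g. the MFT extents
        found with View MFT, skipping sectors already captured.  Returns sectors added."""
        added = 0
        for start, length in runs:
            for s in range(start, min(start + length, self.total)):
                if s in self.sectors:
                    continue
                try:
                    self.sectors[s] = drive.read(s)
                    added += 1
                except IOError:
                    pass                                           # still bad: leave the hole
        return added

    def missing_runs(self):
        """Contiguous (start, end) ranges not yet in the image, for the next pass."""
        runs, start = [], None
        for s in range(self.total):
            if s not in self.sectors:
                start = s if start is None else start
            elif start is not None:
                runs.append((start, s))
                start = None
        if start is not None:
            runs.append((start, self.total))
        return runs


if __name__ == "__main__":
    drive = SimulatedDrive(2000, bad={30} | set(range(500, 650)))   # one glitch plus a 150-sector bad patch
    img = DiskImage(2000)
    img.image_sequential(drive, errors_before_skip=10, skip_sectors=100)
    print("skipped:", img.skipped, "missing:", img.missing_runs())
    print("added by MFT run fetch:", img.add_runs(drive, [(700, 8)]), "missing:", img.missing_runs())
```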

Data carving options

Data carving is processing data based on file content rather than using a file system. The disk, or the area selected, will be scanned and when a possible file start is found a new file will be generated and placed in a subdirectory based on file extension. When possible, the file will be analysed further to generate a meaningful file name, or file date. There are 4 sections to the data carving process:
Area to carve
Type of carving
Optional string search (Forensic only)
Processing NTFS compressed disks

Area to carve
The carving process can either carve the complete disk (by default) or just a selected specific area. One reason to limit the search could be if the final area of a disk is known to be blank. It can also be used to just carve a particular partition. The sector numbers are entered (in hex or decimal). The search for first or final working sector is typically used for CDs or DVDs to establish the area of the disk that can be read on unfinalised disks.

Carving options

Separate Video Chapters

138 This mde is used t prcess vide disks - in particular mini dvds. When it finds an MPEG file, it will then determine if a new chapter has been started, and then start a new MPEG file. Withut this ptin, a DVD culd end up prducing just a single MPEG and this makes navigatin (next chapter, etc) difficult. Prcess fragments This is a very pwer ptin when dealing with JPEGs and AVI files frm a disk that has been fragmented. At the end f the riginal disk scan a list f pssible fragmented files is displayed. At this pint they can be selected fr prcessing, and hpefully recnstructin the fragments fund. Split n blank disk This will treat blank sectrs, ie thse filled entirely with zers as the end f a file. Sme files d have data that is blanks, s this ptin shuld be used with cautin. Recvery start file number If it is necessary t restart the data carving prcess, by default the file naming will start recver0000.xxx. By setting the recvery start number t a higher value, the file naminmg can be set t start fr instance at 10000, rather than 0. This means that multiple carving runs can save all the files in the same directry area, withut a pssible naming cnflict. The number is always decimal. Skip verify An imprtant feature f CnW data carving is that it verifies files, and with cm mn file types it will try and create a mre meaningful file name, r add the date etc. Very ccasinally this can g wrng and maybe cause the sftware t crash. T avid this, the verificatin can be disabled. This autmatically als lcks ut any pssible file defragmentatin. When ever pssible, files shuld be verified. File filter The file filter ptin can be used t select (r skip) certain catagries f files Cluster mdes When the cluster mde is enabled, the prgram will nly lk fr pssible file starts at the start a lgical cluster. When there are 8 sectrs t a cluster this means that it will nly lk every 8 sectrs, and this will help reduce the number f false file starts. 
The program will automatically set the location and size of the clusters, but these values can be overridden.

For NTFS disks that have been compressed, the test for NTFS compressed clusters will test each cluster to see if it is compressed. If it has been compressed, the program will read 16 clusters (one NTFS compression unit) and try to decompress the data. On a non-fragmented disk the results will be good, but on a heavily fragmented disk the results may be very variable. For more details on clusters see Disk Clusters.

Search String
The search string option will search for the entered strings when scanning the disk. There is an option to do just a search, and not save any files at the same time. This is a forensic log option. Multiple sets of search strings can be saved on the system in separate tables. To create a new table, enter a name in the box above 'Add new table..'. At that point a new table will be created and strings can be added. There is no limit on the number of strings, but the speed of searching is influenced by the length of the shortest string being searched for. The longer the string, the quicker the search.

139 Raw files
The following formats are ones that are detected when running in Raw recovery, or image mode. The files are largely detected by the signature at the start, and then on some files there is also further processing. The list below grows on a regular basis, and if any extra formats are required, please send a sample file to us at info@cnwrecovery.com and if possible it will be added to the system.

File extension   Type of file                                      Notes
abc              Flow chart data base
ai               Adobe Illustrator
aiff             Audio file                                        Length is determined from header
ani              Animated pointer file
atn              ATN files
avi              Audio visual files, movies
bmp              BMP bitmap files                                  The length of the file recovered is determined by the header
cab              CAB compressed files as distributed by Microsoft
DOC              Microsoft Word document                           There are many other documents that use DOC as an extension
exe              Microsoft executable file                         Many files, such as DLL and OCX, have the same signature
jpg              JPEG image file                                   The file is parsed and length determined if the file is valid
mov              Movie file                                        For some versions of MOV files the length is determined from the header
TIFF             Image files                                       The file length is corrected from data in header
ZIP              PK-ZIP files                                      Will be verified
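The following is an added example, not CnW's code, of the cluster-mode carving and header-based length checks described on the preceding pages and in the table above. It only tests for signatures at cluster boundaries, determines the length of a JPEG by walking its marker segments, of a BMP from its file header and of a ZIP from its end-of-central-directory record (an unverifiable start is discarded as a false positive), and for a JPEG pulls the EXIF DateTime tag into the recovered file name, in the spirit of the Jpeg images and metadata page. The three-signature set, the recoverNNNN naming and the sample image are all constructed for the example; the product's own signature list and naming rules are only as documented above.

```python
import struct
import zlib

SECTOR = 512

def _next_marker(b, q):
    """Skip entropy-coded data: FF00 is a stuffed byte, FFD0..FFD7 are restart markers."""
    while q + 1 < len(b):
        if b[q] == 0xFF and b[q + 1] != 0x00 and not 0xD0 <= b[q + 1] <= 0xD7:
            return q
        q += 1
    return None

def jpeg_length(b, start):
    """Walk the marker segments from SOI to EOI; return the file length, or None if invalid."""
    if b[start:start + 3] != b"\xff\xd8\xff":
        return None
    p = start + 2
    while p + 4 <= len(b) and b[p] == 0xFF:
        marker = b[p + 1]
        if marker == 0xFF:                                        # fill byte
            p += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:      # standalone markers
            p += 2
            continue
        if marker == 0xD9:                                        # EOI: the file ends here
            return p + 2 - start
        seglen = struct.unpack_from(">H", b, p + 2)[0]
        if seglen < 2:
            return None
        if marker == 0xDA:                                        # SOS: scan data follows
            p = _next_marker(b, p + 2 + seglen)
            if p is None:
                return None
            continue
        p += 2 + seglen
    return None

def exif_datetime(b, start):
    """Return the IFD0 DateTime string (tag 0x0132) from an APP1 Exif segment, or None."""
    p = start + 2
    while p + 4 <= len(b) and b[p] == 0xFF and b[p + 1] != 0xDA:
        marker, seglen = b[p + 1], struct.unpack_from(">H", b, p + 2)[0]
        if marker == 0xE1 and b[p + 4:p + 10] == b"Exif\x00\x00":
            t = p + 10                                            # TIFF header
            e = "<" if b[t:t + 2] == b"II" else ">"
            ifd = t + struct.unpack_from(e + "I", b, t + 4)[0]
            for i in range(struct.unpack_from(e + "H", b, ifd)[0]):
                tag, typ, cnt, val = struct.unpack_from(e + "HHII", b, ifd + 2 + 12 * i)
                if tag == 0x0132 and typ == 2:
                    return b[t + val:t + val + cnt].split(b"\x00")[0].decode("ascii", "replace")
            return None
        p += 2 + seglen
    return None

def bmp_length(b, start):
    size = struct.unpack_from("<I", b, start + 2)[0]              # bfSize in the BMP file header
    return size if 14 < size <= len(b) - start else None

def zip_length(b, start):
    eocd = b.find(b"PK\x05\x06", start)
    if eocd < 0:
        return None
    cd_size, cd_off, comment = struct.unpack_from("<IIH", b, eocd + 12)
    if cd_off + cd_size != eocd - start:                          # central directory must end at EOCD
        return None
    return eocd - start + 22 + comment

SIGNATURES = {"jpg": (b"\xff\xd8\xff", jpeg_length), "bmp": (b"BM", bmp_length),
              "zip": (b"PK\x03\x04", zip_length)}

def carve(image, sectors_per_cluster=8, cluster_start_sector=0):
    """Return (ext, offset, length, name) for verified files found at cluster starts."""
    csize = sectors_per_cluster * SECTOR
    found, pos = [], cluster_start_sector * SECTOR
    while pos + 4 <= len(image):
        for ext, (sig, length_of) in SIGNATURES.items():
            if image.startswith(sig, pos) and (length := length_of(image, pos)):
                name = "recover%04d" % len(found)
                if ext == "jpg" and (dt := exif_datetime(image, pos)):
                    name += "_" + dt.replace(":", "").replace(" ", "_")
                found.append((ext, pos, length, name + "." + ext))
                pos += ((length + csize - 1) // csize - 1) * csize  # skip clusters this file fills
                break
        pos += csize
    return found

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_jpeg():
    """Constructed JPEG: SOI, APP1 Exif with a DateTime, DQT, SOS, scan data containing a
    stuffed FF00 and a restart marker, then EOI."""
    tiff = b"II*\x00" + struct.pack("<IH", 8, 1) + struct.pack("<HHII", 0x0132, 2, 20, 26)
    tiff += struct.pack("<I", 0) + b"2013:05:04 12:34:56\x00"
    return (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + tiff) + _seg(0xDB, bytes(65))
            + _seg(0xDA, bytes(10)) + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")

def build_sample_zip():
    """Constructed one-entry stored ZIP: local header, central directory, EOCD."""
    data, name, crc = b"hello carving", b"a.txt", zlib.crc32(b"hello carving")
    local = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, 13, 13, 5, 0) + name + data
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, 13, 13, 5,
                                          0, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd

def build_sample_image(csize=4096):
    """Constructed 8-cluster image: a stray signature mid-cluster (ignored in cluster mode),
    a JPEG, a BMP spanning two clusters and a ZIP."""
    img = bytearray(8 * csize)
    img[100:103] = b"\xff\xd8\xff"
    jpg, zp = build_sample_jpeg(), build_sample_zip()
    img[csize:csize + len(jpg)] = jpg
    img[3 * csize:3 * csize + 5000] = b"BM" + struct.pack("<I", 5000) + bytes(4994)
    img[5 * csize:5 * csize + len(zp)] = zp
    return bytes(img)
```

Running carve(build_sample_image()) yields three files: the JPEG at cluster 1 named from its EXIF date, the BMP at cluster 3 with the length taken from its header, and the ZIP at cluster 5; the stray FFD8FF at byte 100 is never examined because it is not on a cluster boundary. A carver without the length checks would also emit the stray start and would have to guess where the BMP ends.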

140 Search String
A very useful tool is the ability to search the complete disk for a possible string(s). This option is only enabled with the forensic package. The search can be set up to work with multiple strings, and mixed types of string, ie a string may be searched for as straight characters, Unicode, or both. The disk can be searched at the same time as data carving takes place or, if required, as just a simple search with no saving of data.

Every sector / cluster is searched for the string, which can be any combination of characters, not just printing characters. When a match is found, the sector number is added to the log. If Stop on each match is enabled, a dialog box will be displayed with the sector number. The log can be viewed at any time, and sorted on the status column to see if any matches have been found. A search cluster can be viewed by clicking on the entry in the log.

A possibly unique feature of the CnW Recovery search is the ability to search both standard and compressed NTFS clusters. To enable this mode it is necessary to set the following flags on the Image Option display:
Read in cluster mode
Test for NTFS compressed clusters
It is also necessary to set the start cluster sector number, and the cluster size (typically 8). As each cluster is read it will be tested to see if it is compressed. If compressed, it will be expanded and searched.

Unicode and straight searching
The option for Unicode search can be used on its own, or with the standard search. Both little endian and big endian strings are searched for.

Limitations with raw disk searching
At first glance, searching sectors or clusters seems a foolproof way to find a string, but there are limitations that must be understood before using the results as forensic evidence. The two areas are fragmentation and logical file structure.

If a string being searched for is at the end of a cluster, it is possible that the file is

141 fragmented, and so the end of the string may be on a different cluster, not adjacent to the first. In this case, the string will not be found. Fortunately this is a fairly rare event. If the search string is 24 characters and the cluster is 4K, then the chance of missing a string is about 0.5% (1 in 200). For a shorter string the chance of missing it decreases, but then the chance of finding a string that is not relevant increases.

The second case where a disk search may fail is due to the data in a file not being as expected. It will be clear that if a string is contained within a Zip file, it may not be found as the file will not be opened. The latest Microsoft Office files are in fact all compressed, and so strings will not be detected by a raw image search. Slightly less obvious is that some programs will in effect save every version of a file (making Undo possible), and so the original string will be saved, but any edited version will be done with pointers. A raw search may find the original, but not a small edit of it. The edit could be a correction in spelling, or a few words that are part of the search string. These may not be detected.

Optimising multiple search strings
It is extremely useful to be able to search for multiple strings in a single pass. Searching does have a computing overhead, so it is useful to know that the length of the shortest string will affect the overall search speed. This means if you want to search for 'zz' it will be slower than a longer string.

Summary
The raw search function will normally find a string if it exists, but one has to be aware of the limitations. To help reduce these limitations it is best to run multiple searches.
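An added example, not CnW's code, of the cluster-by-cluster multi-string search described on the previous two pages, including the cluster-boundary limitation. Each term is expanded into its straight (Latin-1), UTF-16 little endian and UTF-16 big endian forms, every cluster is scanned for all of them, and each hit is logged by sector number. The optional overlap mode re-reads the next (longest pattern minus one) bytes with each cluster, which recovers a term that straddles two physically adjacent clusters; a term whose second half sits in a non-adjacent cluster remains unfindable, which is exactly the fragmentation case the text warns about. The miss probability function reproduces the 24-character / 4K figure quoted above. The sample image is constructed inline.

```python
CLUSTER = 4096
SECTOR = 512

def needles(terms, ascii=True, unicode=True):
    """Expand each term into the byte patterns to look for: straight, UTF-16LE, UTF-16BE."""
    pats = []
    for t in terms:
        if ascii:
            pats.append((t, "ascii", t.encode("latin-1")))
        if unicode:
            pats.append((t, "utf-16le", t.encode("utf-16-le")))
            pats.append((t, "utf-16be", t.encode("utf-16-be")))
    return pats

def search_image(image, terms, cluster=CLUSTER, overlap=False, **kw):
    """Scan cluster by cluster; return log entries (sector, term, encoding) for every hit.
    overlap=True appends the first (longest pattern - 1) bytes of the next cluster to each
    cluster, so a term split across physically adjacent clusters is still found."""
    pats = needles(terms, **kw)
    extra = max(len(p) for _, _, p in pats) - 1 if (overlap and pats) else 0
    log = []
    for cstart in range(0, len(image), cluster):
        chunk = image[cstart:cstart + cluster + extra]
        for term, enc, pat in pats:
            off = chunk.find(pat)
            while off != -1 and off < cluster:       # a hit starting in the overlap belongs to the next cluster
                log.append(((cstart + off) // SECTOR, term, enc))
                off = chunk.find(pat, off + 1)
    return log

def miss_probability(term_bytes, cluster=CLUSTER):
    """Chance that a term placed at a uniformly random offset straddles a cluster boundary."""
    return (term_bytes - 1) / cluster

def build_sample_image(cluster=CLUSTER):
    """Constructed 4-cluster image: a straight copy, a UTF-16LE copy, and one straight copy
    split across the boundary between clusters 2 and 3."""
    img = bytearray(4 * cluster)
    img[100:112] = b"confidential"
    img[cluster + 600:cluster + 624] = "confidential".encode("utf-16-le")
    img[3 * cluster - 5:3 * cluster + 7] = b"confidential"
    return bytes(img)
```

On the sample image a plain cluster search logs the straight copy in sector 0 and the UTF-16LE copy in sector 9 but never sees the copy starting 5 bytes before the end of cluster 2; with overlap enabled that copy is logged at sector 23. For a 24-byte term and 4K clusters the boundary miss rate is 23/4096, about 0.56%, matching the "1 in 200" figure above.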

142 Recovering files from image format
Once an image file has been created with CnW Recovery software, it is normally possible to recover files from it. The reasons for creating an image can include the following:
An exact copy of the disk, as the original disk is to be returned
An exact copy of the disk, so that the original disk is not changed or corrupted in any way
A copy of the good sections of a damaged or failing disk

For good copies, recovery will proceed in the normal way once the image file has been selected as the input drive. This will include redefining partitions etc. To recover files from a damaged disk can require extra stages, or operations.

Logical recovery
Logical recovery will try to recover the files by reading in the conventional way, either with a full recovery, or in a mode such as From Directory Stubs. If the image is very corrupted, then this recovery mode may fail or hang before all the files are recovered. If using NTFS, then it is worthwhile using the mode Recover from MFTs, and selecting the MFT range. It may then be possible to extract the files in several attempts, missing out sections where recovery fails.

Raw recovery
Raw recovery is performed by using the Image mode, and selecting Split on files. This should be considered a last resort mode, as typically file names are not recovered, but only file types. However, if the main reason for recovery is to extract photographs, this can be a very successful mode. Many photographs do not actually have a meaningful file name, and so there is nothing to lose. At times the recovered file name will include the date the photo was taken, but this information is not always contained within the JPEG file. As in logical recovery, it can be useful to select the range of the disk to be scanned.

Raw recovery does have a major limitation in that it will join together fragmented files. Photos are normally fairly small, and so do not get fragmented. For a multi GB file the chances are extremely high that there will be some fragmentation, and this will result in a corrupted file.
The types of file that are recovered are described in the Raw files page. The number of file types does increase on a regular basis.

Shadow disk
When an image file is selected, there is also an option to enable a shadow disk. The reason for this is when an image file has been created, but has missing sections. An image file should have as complete a directory area as possible, but then only the areas where files are stored need to be added. By using the shadow disk, areas of the disk that have not been imaged will be read from the shadow disk. The shadow disk will only be accessed once for each required sector, so a failed sector will not be read many times. This will mean that although recovery will not be complete, it will not be exceptionally slow.

143 Fragmented file processing
When the Process Fragments option is enabled, once the disk has been scanned, the option box below will be displayed. This will run automatic data carving routines. The box indicates the number and type of files that could be processed, ie it will try to determine the location of each fragment of the file, and reconstruct the file. This process has a variable success rate, and can be slow, but will often reconstruct files that have otherwise been totally lost.

To assist in this operation there are two very critical values that need to be set, which indicate the original size and location of clusters on the disk. See the section on disk clusters for more details. The example above is from a small memory stick, and so a cluster size of 4 has been detected. For most current hard drives, the most common cluster size is 32 or 64 sectors, ie 16K or 32K. The option box above does have a link to the log, which can be viewed to help assess the correct cluster sizes. On a small disk the calculation of cluster size and offset is often correct. On a large disk, and in particular one that has been heavily used, it is common to require manual setting of the cluster sizes. It is often very useful to examine the file starts of the files to be processed, such as JPEGs. If all such files always start with the same sector offset, and at multiples of the increment size, then this is the best value to use.

JPEG Options

144 JPEG fragmentation can be complex, and so there are two additional options to assist with such files: the retry count and the contrast value. There is no correct setting for these values, and sometimes trial and error will be required.

The JPEG routine works by searching for a possible cluster that contains compressed data. This is then appended to the current partial photo and the result tested to see if this is still a valid partial photo. Each one of these attempts is a retry. The more retries, the better the chance of recovery, but the process becomes slower. As not all photos can be recovered, because the fragments may no longer exist, it is important to have a cut off point for possible clusters. The default value is about 2,000 tries.

Once a cluster has been appended to a partial photo, tests are run to see if the photo is still valid by looking for a jump in the image. Visually this is easy to see when the bottom of the photo does not match the top. CnW works on the same principle, but as a help, the contrast of the photo can be added. For images with a very low contrast (pastel colours etc) the routine will look for a very close match between sections. For photos with lots of contrast and detail, a higher level may be required. If the contrast level is set too high, then a mis-match of photos may occur. If the level is set too low, no matches will be made. This is an area of continuous development, so later program updates may manage better results.

AVI
AVI is a common video standard, often used on cameras (rather than camcorders). Some cameras record the data in such a way that the video data is physically stored first, and then the header information is stored in sectors after the main data. Normal carving will fail, but the CnW fragmentation routine will detect this and correct the data.

MP4/3GP
MP4 covers a whole range of similar files for video, including many used on mobile phones, and .mov files. The defragmentation operates in several different ways depending on what data is available. The files start with a 'ftyp' segment followed by a 'mdat' and a 'moov' segment.
However, the order of the segments is not fixed, and so may be ftyp-mdat-moov or ftyp-moov-mdat. The mdat segment contains the video data, and the moov segment all the control data and metadata. A file will work with a partial mdat, but must have a complete moov. The moov segment contains many pointers that are used to try to select the correct fragment from possible mdat clusters. In a similar way, a moov fragment can be discovered and added to the file, with padding as required to ensure it is in the correct location. Development is underway to create missing moov segments when they are totally missing. For more details on 3GP processing, click here.

AVCHD and MTS
AVCHD is a popular high definition video format used with many new video devices. The data files are .mts. Such files can be viewed using Windows 7 Media Player. Typical data carving generates many MTS fragments, and this process will join many together. However, for a camera memory chip, the preferred method is to use the dedicated wizard function.

Word
Word processing is for Word documents that pre-date the DOCX format. The success rate is limited when a device contains many Word documents, as it is very easy to obtain a false positive match.

Zip and DOCX

145 Current Office 2007 and later files are in effect ZIP files. These can now be processed, and a very high success rate has been achieved.

146 Jpeg images and metadata
The JPEG standard is more than just compressed images. There are several sections in the standard that allow for application specific headers. These headers are used by many programs, such as Photoshop, and by the camera directly, to store information, or metadata, about the files. In raw recovery mode, CnW will examine this metadata and add fields to the reconstructed filename.

147 Fragmented Files
CnW has several tools to assist with fragmented files when data carving. Some are part of the standard data carving, and others are special wizard functions, mainly for video recovery.

A common problem with raw recovery is that files may have been fragmented. On a camera memory chip this is often due to photos or videos being deleted on a one by one basis, rather than a complete clearing or reformatting of the chip. When files are deleted separately, the space they used to occupy is used for new photos. Each photo is a different size, so sometimes a new photo will occupy multiple gaps, and is a fragmented file. For normal reading, the file allocation table (FAT) takes care of this fragmentation and so it is not a problem. Raw recovery of a file is necessary when the FAT, or directory information, is missing or corrupted. On camera memory chips, it can also be because all files have been shifted a few sectors, normally due to a software glitch somewhere.

To enable this option, you need to check the boxes Split on possible file starts and Process fragments. The routine is currently fairly slow, and only works when file fragments are actually sequential on the drive / memory chip. It works best on camera memory chips. Once Process Fragments has been checked, a normal recovery of files is done, followed by automatic fragment processing. The process can be cancelled at any time.

There will be times when fragments of files will exist, but certain fragments have been overwritten. These images are impossible to recover. The aim of CnW Recovery is to recover files that could have been read if there was a valid FAT. This will include files that have been deleted, but not overwritten.

148 The typical success rate of recovering fragmented JPEGs will be approx 25-75% of the images that first appear incomplete, though it is media dependent. It should be noted that very few recovery programs attempt to recover fragmented files when operating in raw or image mode.

For fragmented video files the best solution is to use one of the wizard functions, ie 3GP/MP4 or AVCHD. These are optimised for complex recovery of deleted disks.

149 Fragmented AVI files
The two most common files on a camera memory chip are JPEGs and AVI files. Typically, memory chips do not get fragmented, but if the chip is full, or individual files have been deleted, then fragmentation can occur. As long as the FAT file system remains intact, there is no problem. If the chip is deleted, or formatted, then all details of file fragments are lost. Using signature analysis, many files will be recovered, but the fragmented ones will be lost.

An AVI file has a very strict structure, and it does rely on the final 16 bytes of the file (the last index entry) being intact, and in the correct location. In other words, a 99% complete AVI file will not read - although a repair would be possible. Once the CnW software has done a recovery of all files on a memory chip, the files are tested to see if they are valid. At this point, it will try to reconstruct non valid AVI files. The AVI recovery process has two possible approaches, probably unique to CnW Recovery software.

Approach 1 for AVI recovery
The first approach to recovery of fragmented AVI files is to search the disk for the index section of the file (idx1), stored at the end of the file. Once this has been located, a list of each file chunk is known, along with its size and location. It is then possible to test possible clusters of data to ensure they fit with the index. By working this way, it is extremely unlikely to get a false positive match for an AVI cluster.

Approach 2 for AVI recovery
Not every disk will contain a full AVI file, as some fragments may have been overwritten. In this case, if it is not possible to recover the complete index, a new one will be created based on the amount of the sequential AVI data that can be read. The file will not be complete, but it can be viewed.

For more details, see the section on Fragmented JPEGs, and ensure that Process Fragments is enabled.
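An added example, not CnW's code, of the two approaches above. Approach 1 locates the idx1 chunk, parses its 16-byte entries (fourcc, flags, offset, size) and checks that each entry points at a chunk whose fourcc and size match, trying offsets relative to the 'movi' list first and absolute offsets second, since both conventions exist in the wild. Approach 2 walks the sequential chunks inside 'movi' and writes a fresh idx1 for whatever data survives. The minimal AVI is constructed inline; real files carry a full 'hdrl' header list, which the example only stubs with an empty 'avih' chunk.

```python
import struct

def chunk(ckid, payload):
    """RIFF chunk: fourcc, little-endian size, payload, pad byte to an even length."""
    return ckid + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")

def lst(kind, payload):
    return b"LIST" + struct.pack("<I", 4 + len(payload)) + kind + payload

def movi_base(b):
    """Offset of the 'movi' fourcc; idx1 offsets are normally relative to it."""
    p = b.find(b"LIST")
    while p >= 0:
        if b[p + 8:p + 12] == b"movi":
            return p + 8
        p = b.find(b"LIST", p + 4)
    return None

def read_index(b):
    """Parse idx1 entries (ckid, flags, offset, size); entries cut off by truncation are dropped."""
    p = b.rfind(b"idx1")
    if p < 0 or p + 8 > len(b):
        return []
    n = struct.unpack_from("<I", b, p + 4)[0] // 16
    start = p + 8
    return [struct.unpack_from("<4sIII", b, start + 16 * i)
            for i in range(n) if start + 16 * (i + 1) <= len(b)]

def verify_index(b):
    """Approach 1: does each index entry point at a chunk with the same fourcc and size?
    Returns (base_used, [ok per entry]); the base with the most confirmed entries wins."""
    idx = read_index(b)
    best = (0, [])
    for base in [x for x in (movi_base(b), 0) if x is not None]:
        ok = []
        for ckid, flags, off, size in idx:
            q = base + off
            ok.append(q + 8 <= len(b) and b[q:q + 4] == ckid
                      and struct.unpack_from("<I", b, q + 4)[0] == size)
        if sum(ok) > sum(best[1]):
            best = (base, ok)
    return best

def rebuild_index(b):
    """Approach 2: walk the sequential chunks inside 'movi' and write a fresh idx1 chunk."""
    base = movi_base(b)
    if base is None:
        return b""
    end = min(base + struct.unpack_from("<I", b, base - 4)[0], len(b))
    entries, q = [], base + 4
    while q + 8 <= end:
        ckid, size = struct.unpack_from("<4sI", b, q)
        if q + 8 + size > end:
            break                                   # chunk runs past the data we have
        entries.append(struct.pack("<4sIII", ckid, 0x10, q - base, size))   # 0x10 = AVIIF_KEYFRAME
        q += 8 + size + (size & 1)
    return b"idx1" + struct.pack("<I", 16 * len(entries)) + b"".join(entries)

def build_sample_avi():
    """Constructed minimal AVI: stub header list, three movi chunks and a correct idx1."""
    frames = [chunk(b"00dc", b"\xaa" * 5), chunk(b"01wb", b"\xbb" * 8), chunk(b"00dc", b"\xcc" * 6)]
    hdrl = lst(b"hdrl", chunk(b"avih", bytes(56)))
    movi = lst(b"movi", b"".join(frames))
    entries, off = [], 4                            # first chunk sits 4 bytes after 'movi'
    for f in frames:
        entries.append(struct.pack("<4sIII", f[:4], 0x10, off, struct.unpack_from("<I", f, 4)[0]))
        off += len(f)
    idx1 = b"idx1" + struct.pack("<I", 16 * len(entries)) + b"".join(entries)
    payload = b"AVI " + hdrl + movi + idx1
    return b"RIFF" + struct.pack("<I", len(payload)) + payload
```

Against the sample, verify_index confirms all three entries using the movi-relative base; cutting the last 16 bytes loses exactly one index entry, which is the "final 16 bytes" dependency described above; and rebuild_index applied to a copy with the whole idx1 missing regenerates an index byte-for-byte identical to the original because the chunks were sequential.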

150 Data Recovery Tutorials
This section is designed to assist users with common data recovery procedures. It gives a step by step guide and highlights certain approaches that can be used with different types of data recovery. For many data recovery requirements, the wizard will guide the user through all stages until files are recovered. For more complex recovery requirements, it is necessary to use the 'Manual' mode. This page points to many common scenarios for data recovery.

It is always worthwhile starting with the Wizard, as it will do a simple media test, and a simple logical structure test. These tests will give a very good indication of whether the media is physically sound and logically sound, or if there are detected problems.

Stage 1
With any recovery it is essential to know if the media being read is physically OK. If the Wizard test comes up with physical errors, or there is any concern about the drive, then it is best to make an image of the drive. The major upside of this is that bad sectors are only read once, and so the recovery procedure is much faster, and if the drive is failing, then as much data as possible is preserved for logical recovery. The downside is that a data area the size of the drive is required to make an image. Thus a 320GB drive will require another drive of at least the same size. The image is made as a file, and so can be on any logical storage device, such as a local drive, USB drive, or an external RAID. For details on imaging, see the chapter on Image and Raw Recovery.

Stage 2
The next stage is to determine, if not known, exactly what type of media is being handled. For disks it is normally an NTFS, FAT, or HFS+ (Mac) disk. This is typically controlled by the boot sector, and partition table.

Partition and boot sector problems: Partitions and analysis
FAT, NTFS and Mac: Recovery of lost files on an otherwise working disk
NTFS recovery: General NTFS recovery
HP Mediavault: HP Mediavault
Camcorder: Recover from video camera with a hard drive
Photo recovery: Photo recovery from a memory chip
Disk imaging: Image failing drive

151 General NTFS Recovery
There are several common problems with NTFS disks. Most are related to failed sectors in the boot area, or at the start of the MFT. All can be recovered from, often with a high degree of success. If there are more than a few bad sectors, it is always worth imaging the disk first.

Stage 1 - NTFS Recovery options
To start recovery, in the main menu select Recover and the NTFS menu will be displayed, as below. It is important to review the values that have been filled in. The display above is for 4 partitions, but many disks are just a single partition, in which case only the first of the 8 boxes will be non zero. The most important values to enter are the Cluster size and the MFT start cluster, which can be used to create the MFT start sector. One way to fill these in is to run the Analyse Disk function, which will scan the disk to find the first long run of MFT entries. The number of MFT entries is not critical, so it can be set to a reasonably sized number (in decimal, or in hex with a 0x prefix). If the above values are wrong, no damage will be done to the disk drive, but data may not be extracted, or may not be recovered correctly.

Stage 2

152 The next step, once the parameters have been set, is to determine the recovery mode. There is no correct answer, but the two main options are Full Recovery or Recover from file entries. Full recovery is normally used when the file system is intact. In this mode, the recovery program emulates the operating system, and will follow the directory tree. A common error that is displayed when using this mode is a message that the INDX is not found. The solution for this is to use Recover from file entries.

If Recover from file entries is used, there are then two useful options.
Scan all MFT entries. This is a mode where the whole disk will be scanned for MFT entries. This can be slow, and if it is cancelled part way through, the entries that have been found can be used.
Select MFT Range. This option has two uses. Firstly, if it is known that the file has an MFT entry within a certain range, it is not necessary to read the whole disk. Secondly, a limited range for recovery can be selected. This could be after the program has a problem, hangs etc trying to recover from a particular MFT entry. If for instance there is a problem when recovering a file with an MFT entry of about 1,000, then a new attempt could be made starting at, say, a slightly higher entry number. The option can also be used when it has been necessary to cancel part way through a recovery. Recovery can then be started where it was terminated.

Stage 3 - options
For each recovery mode, there are several options that may be applied. The most popular will be Recover deleted files. NTFS marks an MFT entry with a flag to indicate that the file has been deleted. It does not guarantee that the data is still available, as the data area may have been overwritten, but it does retain the location and details of the file. CnW software will place all such recovered files into a directory called Deleted, but the directory structure will remain intact.

153 Recover video from camcorder with a hard drive
Many camcorders today use an internal hard drive, rather than removable DVDs. These hard drives are typically FAT32 and so recovery is fairly straightforward. Probably the most common reason for data loss is accidental use of 'Delete All'.

The main area that needs care when dealing with a video camera directly is accessing the drive. For many cameras, when they are plugged into the USB port, they should appear as a logical drive. If it is not possible to access the drive as either a logical drive, eg Drive F:, or a physical drive, eg Phys-2, then CnW Recovery software will not be able to assist. The best advice at this stage is to create an image copy (use the Image raw function) so that any accidental use of the camera will not lose any more files.

There are two procedures that can be followed to extract your video files.

Deleted file recovery
Most video recorders use FAT32 as the disk file structure. The first approach to take on recovery is to read the disk, and enable recovery of deleted files. This is the preferable approach as filenames will remain intact. If sections have been deleted, and then new ones filmed, the resulting files may not be complete, or may be fragmented, in which case some errors may be expected. However, the vast majority of video will be recovered.

Raw Image recovery
The Raw Image approach should be tried if deleted file recovery does not recover all the relevant files. Once the files have been recovered as MPEGs, it may be necessary to convert and merge them to make a viewable video disk. Details are in the chapter on Camcorder recovery.

154 Recovery of lost files on an otherwise working disk
A common problem with many disks can result from 'operator' error. A typical scenario is when a disk is repartitioned, or reformatted. The end result is a working disk, but with some or all files missing. CnW Recovery can help. One approach is a logical read followed by an Image Raw to find files in unallocated space, and then a deduplicate. There are two straightforward stages to this process.

Stage 1
Read the disk with the standard recover function but select 'recover unallocated area'. In this mode, the program will first read all the files and internally record the locations that they are stored in. The second stage is that it will perform an Image Raw, and extract files, but ignoring any area of the disk that has previously been read. The result is that the !recover directory just contains files from the unallocated area of the disk, which will represent all possible missing files. NB, there will obviously be problems if the original files were fragmented.

Stage 2
It is very common to find old copies of files within the unallocated area. This is where the deduplicate function is used. By selecting the log and the DeDup function, all duplicate files will be removed. The program works so that in preference it will remove any file that was read from the unallocated space, and retain files read from the main file system. The final result is that only one instance of any file will remain. It should be noted that some program files are actually stored in multiple locations, so do not run this function on a working disk image, but only when trying to process data files.

To assist in recovering what may be just photos, the file filter is a useful option. It can be selected so that only JPGs are recovered. This procedure is totally compatible with the method outlined above.

155 Photo recovery
A very important type of data recovery is to recover photos, typically from a camera memory chip. Failures can happen for several reasons, but the most common for camera memory chips is corruption when the chip is transferred to a PC for reading. It is very common for critical FAT information to be overwritten, or corrupted.

Photo file names
It is fortunate that photos do not require a file name to be useful, and the majority of users just rely on the sequential name the camera allocates to each picture. It is always best to try to read the memory chip logically, and so repairing the FAT and control information may be required; alternatively, just an Image raw read will recover photos. In both cases, it is possible that a photo may have been created in multiple fragments, and this needs to be solved. The other reason for recovery is accidental deletion. Solutions to all these problems are described below.

Photo Wizard
The easiest recovery solution is to use the Wizard function. The wizard will analyse the memory chip and determine the best way to recover the photos. During the recovery procedure, thumbnails of photos will be displayed to give confidence that recovery is possible and progressing. For the demo, the thumbnails will be displayed, but no photos are actually saved.

Raw recovery and data carving
Use the data carving routine and this will find all JPEGs, and save them in a jpeg directory. To assist with disks that have thousands of JPEGs, the directory is limited to 5,000 images before a new directory is created. To help with identifying images, whenever possible, CnW will add the photo date and camera to the file name, along with a unique incrementing number.

156 Imaging failing drive
Many disk drives fail in a small area, or become very slow to read. For these drives it is best to create a disk drive image as soon as possible. The technique below is designed to put as little stress on the drive as possible. However, there is always a danger that the drive could fail totally at any time. If the data is very critical it may be the time to consider a hardware drive repairer, rather than risk this software solution.

Stage 1
The first stage is to try to establish how valid the drive is. A very simple approach is to select the drive and use the View function to look at areas of the disk. Can it read sectors near the start? Can it read sectors near the end? A sector that takes a long time to display indicates it is near failure point. A sector that displays 5A 5A 5A (ZZZZZZ in the text column, as 0x5A is ASCII 'Z') has failed, and cannot be read.

Stage 2
Determine the type of disk. Main disk types are FAT (normally external drives), NTFS (main Windows disks) and HFS+ (Macintosh). They all have slightly different optimum ways to be imaged.

Stage 3
Set up CnW to save the disk image. For this you will require a logical drive with enough space for a file of the length of the disk to be imaged. Thus to save the image of a 1TB drive, you will probably require a 1.5TB NTFS drive - or a network drive with adequate space.

Stage 4
The most useful sector to image is the boot sector, sector 0. If this sector can be read, start a full image.

Stage 5
Watch the imaging and see if it goes slowly, or lots of errors are detected. If so, it is the time to consider cancelling and working on incremental imaging. Slow is when it can take several minutes to increment the sector number on the screen; this normally updates every few seconds.

NTFS disks
The most important first section to image is the $MFT.
For a single partition disk, this will start at 0x60003F for XP; for Vista and Windows 7/8 the value differs, because those versions start the first partition at a different sector (2048 rather than 63) and the MFT sector is the partition start plus the MFT cluster times the cluster size.

Mac disks
The typical starting point is 0x. This is also the area where there is often much failure on Mac disks.

FAT disks
There is no typical directory space on a FAT disk, though stage 6 may help with the root.

Stage 6
How to find where the full directory is stored. At this point in the process it is necessary to switch between reading the physical drive and the image file. By reading the image file

157 no stress will be put on the drive. Select the image file as the input and then select Recover. An options box will be displayed that will give the start of the directory / catalog. For NTFS and Mac there is also an option to display the directory locations. This will be the next area to attempt to image.

Stage 7
Finding the location of files. This will indicate what area of the disk should be imaged. For this process to give accurate results, the disk image should be the size of the actual disk (otherwise attempts to read past the end of the disk will give meaningless start sector values in the log). To pad the file, the final area of the disk should be imaged; even just the last 10 sectors will work. The padding may take time on a large disk.
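An added example, not CnW's code, of where the $MFT figure used in the NTFS note above comes from, and of turning it into an incremental imaging plan. The NTFS boot sector's BIOS parameter block holds bytes per sector, sectors per cluster, the hidden (partition start) sector count, the $MFT and $MFTMirr cluster numbers and the MFT record size; the absolute $MFT sector is the partition start plus the MFT cluster times sectors per cluster. The constructed XP-style boot sector (partition at sector 63, 8 sectors per cluster, $MFT at cluster 0xC0000) yields the 0x60003F quoted above; the same code with a partition starting at sector 2048, as later Windows versions lay disks out, gives the corresponding value for those versions. A helper also recognises CnW's 5A-filled placeholder for an unreadable sector. The region sizes in first_image_regions are the example's own choices.

```python
import struct

def parse_ntfs_boot(sector):
    """Pull the BPB fields that locate $MFT out of an NTFS boot sector."""
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    hidden = struct.unpack_from("<I", sector, 0x1C)[0]
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]        # clusters per MFT record (signed)
    record_bytes = 2 ** -cpr if cpr < 0 else cpr * spc * bps  # negative = log2 of the byte size
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "hidden_sectors": hidden,
            "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn,
            "record_bytes": record_bytes}

def mft_start_sector(sector, partition_start=None):
    """Absolute sector of $MFT = partition start + MFT cluster * sectors per cluster."""
    bpb = parse_ntfs_boot(sector)
    if partition_start is None:
        partition_start = bpb["hidden_sectors"]       # normally equals the partition's start LBA
    return partition_start + bpb["mft_lcn"] * bpb["sectors_per_cluster"]

def first_image_regions(sector, partition_start=None, records=65536):
    """(start, count) sector ranges to image first: disk boot sector, partition boot sector,
    the first `records` MFT records, then the four $MFTMirr records."""
    bpb = parse_ntfs_boot(sector)
    start = partition_start if partition_start is not None else bpb["hidden_sectors"]
    per_record = bpb["record_bytes"] // bpb["bytes_per_sector"]
    mft = mft_start_sector(sector, start)
    mirr = start + bpb["mftmirr_lcn"] * bpb["sectors_per_cluster"]
    return [(0, 1), (start, 1), (mft, records * per_record), (mirr, 4 * per_record)]

FAILED_FILL = 0x5A   # CnW shows an unreadable sector as 5A 5A 5A ..., which is ASCII 'Z'

def is_failed_sector(data):
    """True for a sector that reads back as the all-5A placeholder."""
    return len(data) > 0 and all(x == FAILED_FILL for x in data)

def build_sample_boot_sector(hidden=63, spc=8, mft_lcn=0xC0000):
    """Constructed XP-style boot sector: 512-byte sectors, 4 KiB clusters, $MFT at cluster 0xC0000."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, spc)
    s[0x15] = 0xF8                                        # media descriptor
    struct.pack_into("<I", s, 0x1C, hidden)
    struct.pack_into("<QQQ", s, 0x28, 0x1000000, mft_lcn, 0x800000)
    struct.pack_into("<b", s, 0x40, -10)                  # 2**10 = 1024-byte MFT records
    s[510:512] = b"\x55\xAA"
    return bytes(s)
```

If sector 0 of the failing drive cannot be read, the same fields can be taken from the partition's own boot sector (the partition start from the partition table) or from the boot sector backup at the end of the volume, and the regions list then tells the imaging pass which sectors to fetch before anything else.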

158 Video file recovery
A major class of data recovery is of video files. There are several reasons for this, some listed below:
Video is created on mobile devices
Often FAT32 file system
Often uses removable media
Operator error can happen
Devices can be dropped
Media is moved between devices and computers
Disks may not have been finalised

Any of the above can result in video being lost or corrupted. CnW Recovery software has tools to recover video from all media types and file types. The links below give methods of how to recover from different types of media:
Recovery from Mini-DVD
Recovery from memory devices
Details of how MP4 files are stored on FAT32 devices: MP4 disk layouts

Video recovery from mini-DVDs
Mini-DVDs are still very popular for video cameras. They will record 30 mins to 1 hour, depending on resolution, on a single 80mm DVD. The DVD can either be a DVD-R or DVD-RW. Problems often arise when the disk is removed before it is finalised. The other major problem is when the DVD-RW gets formatted by mistake - often operator error.

The CnW tools for this are in three parts:
Data carving to find chapters
Merge chapters into a single DVD compatible file structure
Burn a new DVD
These stages can be done by hand, or rather better, there is a mini-DVD wizard function to perform the first two stages, and then optionally also burn a new DVD.

Mini DVD systems normally use MPEG-2 to record their video. The benefit of MPEG is that even fragments of video can be viewed without requiring any special metadata files. Thus even a badly corrupted or damaged disk can often be recovered to a level that video can be viewed. However, to view files on a video player, the MPEGs have to be processed and indexed. They are then saved in a specific directory structure as below:

VIDEO_TS
VIDEO_TS.BUP   // backup of video_ts.ifo
VIDEO_TS.IFO   // index info for the complete disk
VTS_01_0.BUP   // backup of vts_01_0.ifo

159 VTS_01_0.IFO   // index info for all video cells and chapters
VTS_01_1.VOB   // the video info - in effect merged .mpeg files
VTS_01_2.VOB   // continuation, a VOB is normally less than 1GB in length

File names are always upper case. The CnW tool will merge MPEGs and create the files described above.

160 Video recovery from memory devices
Most current video cameras use memory devices for storage. These can have a capacity from a few GBs up to 32GBs, though this figure will probably double every year or two. Memory chips are often reliable, but have two major problems:
FAT32 chips, when deleted, lose all fragmentation details
Chips can be corrupted when moved between devices, eg camera to main computer

With memory chip video, there are several types of video file format and several variations. In particular, there are multiple ways that data is stored, which often results in fragmented files. The main types of video format are as below:
MPEG - see notes on mini-DVD
AVI
3GP, MP4, QuickTime format
AVCHD - high definition

The 3GP format is very popular with phones, AVI with compact digital cameras, and AVCHD with new high definition cameras and video recorders. They all need recovering in different ways, and CnW has many tools to assist, in particular with the fragmented files. CnW can also recover from some MP4 files that have not been finalised.

MP4 disk layouts

With a FAT32 disk device, the logical format of a file is lost if the file is deleted. To recover or reconstruct the file it is useful to know how it was originally organised on the disk. A video camera has limited memory and so often the logical structure of the video file and the physical layout on the disk are different. To make matters worse, there are several ways that cameras solve the problem. CnW recovery software has tools to help when files have been deleted - simple data carving is often not enough.

An MP4 file basically has three sections
- Header (ftyp)
- Video data (mdat)
- Index information (moov)

The header is always first, and each of the other sections starts with a length, then data. There is also a padding atom, called 'free'. This allows the above sections to be placed on cluster boundaries.

The reason for what looks like the rather odd layouts is the way video is created. The major part of the file is the video stream, which can be maybe a few GBs long. A typical approach therefore is to record this directly to the media. To make the file playable, a header has to be added, and also all the index and metadata (moov) fragment. Logically these can be written to the disk when the data stream is complete, and by manipulating the file allocation table, the logical sequence can be changed to be different to the physical sequence. When recovering via data carving, this process has to be reversed, along with checks to ensure that the correct header and moov fragments are added to the selected mdat segment.

The table below describes several variations that have been seen from phones and video cameras. The cameras listed only represent possible examples and will never be an exhaustive list. Recovery from these formats should be possible by selecting the 'process fragments' option in data carving. CnW has allocated short cut names for these formats that are displayed as part of the wizard function.

Samsung HMX-H300
CnW Name :
Logical structure on disk
- FTYP-FREE-MDAT  only a single cluster, last 8 bytes are the MDAT length and header
- MDAT data - just raw video data, padded at end with a FREE
- MOOV  starts on a cluster boundary, and is just metadata and index
Physical layout
- MDAT data - padded with a FREE
- FTYP-FREE-MDAT
- MOOV
ie the data has been recorded first, then the FTYP header and MDAT length added. Final cluster(s) is the moov data.

Kodak Zx1 Pocket Video Camera
CnW Name :
Physical layout on disk
- FTYP - FREE
- MDAT
- MOOV - FREE
Logical structure for reading
- FTYP - FREE
- MOOV - FREE
- MDAT
ie data is initially recorded first, followed with no known length, then by length and MDAT, then MOOV. Logically, the MOOV is stored between FTYP and MDAT. The recovery wizard reorders the clusters accordingly.

GoPro, GoPro Hero 3+ Black, video camera
CnW Name : FTYP_MOOV_FREE_MDAT
Physical layout on disk
- FTYP, MOOV in first cluster
- MDAT
- MOOV, FREE after the MDAT atoms
Logical structure
- FTYP
- MOOV
- FREE
- MDAT
GoPro Hero-3 Black edition makes recovery hard due to recording low and high resolution at the same time, along with a thumbnail jpeg and information text file - a recovery nightmare! Files can be fragmented in over 100 fragments.

GoPro Hero 4 Silver
Physical layout on disk
- FTYP, MDAT - in the first cluster
- MOOV
Logical structure
- FTYP
- MDAT
- MOOV
As in GoPro Hero-3, the data on the camera memory chip has two video streams multiplexed on cluster boundaries. The file on the memory chip may be in sequence, but is not sequential.

Fuji Film FinePix XP50, Canon EOS 700
CnW Name : MDAT_FTYP_MOOV_FREE
Physical layout on disk
- MDAT
- FTYP, MOOV in same cluster
- rest of MOOV followed by FREE
Logical structure
- FTYP
- MOOV
- FREE
- MDAT

Coolpix P330
CnW Name : FTYP_MDAT_MOOV
Physical and logical sequence the same, but can be fragmented.

.mov
CnW Name : M4_MDAT_MOOV
Logical structure
- MDAT
- MOOV
This is rather unconventional as it has no FTYP atom.

.mov file
CnW Name : M4_FTYP_MDAT_MOOV
Logical structure
- FTYP
- MDAT - at the start of the next cluster
- MOOV - moov may contain padding with free areas
Each atom follows the previous atom with no padding or cluster alignment. An unfinalised file may be missing the initial ftyp, and all of the moov atom. To recover the data, the disk must have a sample of a working video from the same camera.

mp4_scan

The file mp4_scan.$$$ is a diagnostic file for internal use with CnW Recovery software. It is stored in the cnwdata\temp directory, and so deleted each time the program starts. The file stores the result of the disk scan, looking for various MP4 type atoms. Once the disk has been scanned, the results are then analysed to determine the type of video that the memory chip contains. It is then possible to determine the original order of the data, and hence reconstruct the video files. The structure of the mp4_scan.$$$ is subject to change (and so not published) but does contain information such as sector number, atom type, atom length, and offset of atom within the cluster. By sending CnW the file, it may be possible to determine new disk layouts. This is most relevant for memory chips, rather than hard drives that contain videos. The following descriptions are for the types of video that CnW currently recognises. The names are unique to CnW as CnW is not aware of any industry standard.
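The scan-and-reorder step behind the MP4 disk layouts and the mp4_scan file, as an added example that is not CnW's code: it records sector, atom type, length and offset within the cluster for each top-level atom, names the physical layout the way the layouts section does, and reads the atoms back into logical order. The chip image, the 4096-byte cluster size and the three entries in the layout table are constructed assumptions.

```python
"""Added example (not CnW's code): scan a raw chip image for top-level MP4
atoms, name the physical layout as the 'MP4 disk layouts' section does, and
put the atoms back into logical (playable) order."""
import struct
from typing import List, NamedTuple, Optional, Tuple

ATOM_KINDS = {b"ftyp", b"mdat", b"moov", b"free"}

class Atom(NamedTuple):
    sector: int    # sector number of the atom header
    kind: str      # ftyp / mdat / moov / free
    size: int      # atom length including its header
    offset: int    # offset of the header within its cluster
    start: int     # absolute byte position in the image

def read_header(image: bytes, pos: int) -> Optional[Tuple[bytes, int]]:
    """(kind, size) for an atom header at pos, or None. Size 1 means a 64-bit
    size follows; size 0 (to end of file, as in an unfinalised mdat) is rejected."""
    if pos + 8 > len(image):
        return None
    size, kind = struct.unpack(">I4s", image[pos:pos + 8])
    if kind not in ATOM_KINDS:
        return None
    if size == 1 and pos + 16 <= len(image):
        size = struct.unpack(">Q", image[pos + 8:pos + 16])[0]
    if size < 8 or pos + size > len(image):
        return None
    return kind, size

def scan_atoms(image: bytes, cluster: int = 4096, sector: int = 512) -> List[Atom]:
    """Record every atom header: the same fields the manual says mp4_scan.$$$
    holds. Headers are tested at cluster boundaries and directly after a found
    atom, so FTYP and MOOV packed into one cluster are both seen, while the
    payload inside an atom is never rescanned for false headers."""
    found, pos = [], 0
    while pos < len(image):
        hdr = read_header(image, pos)
        if hdr is None:
            pos = (pos // cluster + 1) * cluster    # nothing here: next cluster
            continue
        kind, size = hdr
        found.append(Atom(pos // sector, kind.decode(), size, pos % cluster, pos))
        pos += size                                 # next atom may follow directly
    return found

def layout_name(atoms: List[Atom]) -> str:
    """Physical order of the atoms, written the way the manual names layouts."""
    return "_".join(a.kind.upper() for a in atoms)

# Physical layout name -> order in which the physical atoms are read back to
# give the logical file. Three of the manual's layouts are filled in (assumed).
LOGICAL_ORDER = {
    "MDAT_FTYP_MOOV_FREE": (1, 2, 3, 0),          # Fuji FinePix XP50, Canon EOS 700
    "FTYP_FREE_MDAT_MOOV_FREE": (0, 1, 3, 4, 2),  # Kodak Zx1: MOOV moves before MDAT
    "FTYP_MDAT_MOOV": (0, 1, 2),                  # Coolpix P330: already in order
}

def rebuild_logical(image: bytes, atoms: List[Atom]) -> Tuple[str, bytes]:
    """Reassemble the atoms into logical order for a recognised layout."""
    name = layout_name(atoms)
    if name not in LOGICAL_ORDER:
        raise ValueError("unknown layout " + name)
    parts = [image[atoms[i].start:atoms[i].start + atoms[i].size]
             for i in LOGICAL_ORDER[name]]
    return name, b"".join(parts)

def atom_sequence(data: bytes) -> Optional[List[str]]:
    """Check a rebuilt file: atoms must follow back to back with no gaps."""
    kinds, pos = [], 0
    while pos < len(data):
        hdr = read_header(data, pos)
        if hdr is None:
            return None
        kinds.append(hdr[0].decode())
        pos += hdr[1]
    return kinds

def atom(kind: bytes, payload: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def build_sample_image(cluster: int = 4096) -> bytes:
    """Constructed Fuji/Canon-style image (not a real dump): MDAT recorded first,
    then FTYP, MOOV and FREE packed together at the start of the next cluster."""
    def pad(b: bytes) -> bytes:                     # unused rest of a cluster
        return b + b"\xff" * (-len(b) % cluster)
    mdat = atom(b"mdat", b"\x00\x00\x01\xb6VIDEO-PAYLOAD" * 300)   # stand-in video
    ftyp = atom(b"ftyp", b"mp42\x00\x00\x00\x00mp42isom")
    moov = atom(b"moov", b"\x00" * 700)                            # stand-in index
    free = atom(b"free", b"\x00" * 40)
    return pad(mdat) + pad(ftyp + moov + free)

if __name__ == "__main__":
    img = build_sample_image()
    found = scan_atoms(img)
    for a in found:
        print(f"sector {a.sector:5d} {a.kind} length {a.size:6d} offset {a.offset}")
    name, logical = rebuild_logical(img, found)
    print(name, "->", atom_sequence(logical))
```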

MP4 brief file structure

The MP4 file is a complex structure, largely defined by the QuickTime structure published by Apple. This page is a brief description of some of the key points in a file that may assist with recovery. The overall file structure has three main elements, FTYP, MDAT and MOOV. This section just concentrates on the MOOV segment.

The MOOV fragment is made up of atoms, and the important ones are described below, with details of what function they perform. The atoms largely fall into two categories, fixed parameters for the file, and specific pointers for each frame of data and audio. To reconstruct a moov fragment, both sections are required, but the exact location of each frame is essential. There is a Track atom for each data stream; typically the first stream is video and the second audio.
- tkhd  Contains information such as file times, duration, speed etc.
- mdia  Media Data atom
- stco  Start chunk offset atom. This is a very important table. It points to the start of each video (audio) chunk. Knowledge of the codec being used is required to recognise a start. It could be a string, or maybe just a length.
- stsc  Sample to chunk atom
- stsz  Sample size atom

GoPro video recovery

The GoPro camera is a very popular device for action video, including diving, parachuting, cycling and even on remote control helicopters. The video is recorded on SD memory chips, and typically these are 32GB FAT32, or 64GB exFAT. The FAT32 and exFAT means that when deleted the exact location of each file fragment is lost. For many systems, files are stored sequentially so this is not a problem, but for GoPro, the camera records two streams of data at the same time, a high resolution video, and a low resolution video. Hence, the files are always fragmented.

There are also differences between the Hero-3 and Hero-4. Looking at a physical memory chip, a Hero-3 has the data in the sequence of MDAT - FTYP (on a new cluster) - MOOV. On the hard drive, the logical sequence is FTYP - MOOV - MDAT. Many so called data recovery programs try and associate the FTYP-MOOV data with the following MDAT, and not the previous one.

GoPro Hero-4 Silver stores data slightly differently: FTYP - MDAT - MOOV. This is the same as the logical structure, but the MDAT data is all fragmented.

A pattern that may be seen on both types of Hero for the MDAT could be as follows
<H><H><H><H><L><H><H><H><L><H><H><H><H><H><L><L><H>...
where <H> is a cluster of high resolution video, and <L> is low resolution video. The clusters are just a fixed size, and have no relation to the start or end of a video frame. It is from this 'mess' that CnW has to recover the video data in separate streams.

The CnW approach is to use the MP4/GoPro Wizard function. This scans the complete device and looks for strings of data that may be starts of video and audio frames. It also looks for possible MDAT, FTYP and MOOV strings (known as atoms). The next stage is to reconstruct the files based on information stored within the MOOV atom. There are several possible interactions for the reconstruction, but when a video has been recovered correctly, a thumbnail image will be displayed. This works in demo mode to give confidence that all will work.

Other software packages

CnW does not like to be negative about competing software packages, but when it comes to video recovery there are many (big name) programs that indicate they have the video file, but when a user comes to view it, the screen just remains blank. CnW normally recovers these files, and if there is ever a problem, will look at the video memory chip until the data can be recovered. CnW has an SFTP server to allow for large file transfers.


HP MediaVault data recovery

HP Media Vault is a popular RAID system, with one or two disk drives. The major problem is that at times the controller fails, and data can not be accessed by a normal PC.

Versions of HP MediaVault

There are two generations of Media Vault. CnW will process generation 1, which is Reiser based. This has model numbers such as MV2010, MV2020. Generation 2 is based on an LVM disk structure, with model numbers such as MV2120, MV5140, MV5150. This is not currently supported by CnW software.

Structure of MV Generation 1

The structure of the MediaVault is a Linux processor with data stored under ReiserFS. The configuration can be a single partition, as a RAID-1, or a series of disks, JBODs, with multiple data areas. A simple tutorial on reading the disks is in the tutorials section of this manual.

For initial evaluation, the wizard function for 'Corrupted drive and deleted files' does basic analysis of HP Mediavault disks. It will indicate if the drive looks as if it is one of a pair. Failing that, if recovery is attempted on a single drive, it is likely that an error message that says the Root directory can not be found may be displayed.

Reiser File System

Reiser FS is a rather different file system to most common file systems. What we are used to in NTFS, FAT and other Unix systems is that a file starts at the beginning of a cluster and fills up clusters. The final cluster though may have between 1 byte and the actual cluster size of data. Thus there is normally wasted space on the disk. With small files, and a large cluster size (eg 16K) every file will always occupy 16K. NTFS manages slightly better in that a short file, maybe 500 bytes, can be stored within an MFT entry, but it still means a file always occupies 1K of data space (the size of the MFT record). The Reiser approach, although Unix related with inodes etc, is to fill every block (cluster) and normally only 8 bytes may be wasted. The design is such that the file system is very fast.

Reiser 3 was the last version of the file system, and Version 4 is currently on hold as Mr Reiser is spending some time in secure accommodation. Two issues with Reiser that make recovery difficult are data carving and deleted files, and these are described below.

Reiser and Data carving

Data carving works by testing the start of a sector (or cluster) for a recognisable file signature. It then typically assumes that data will follow sequentially. For Reiser, often the start of a file may be in the middle of a cluster, and so to detect it means examining the contents of each cluster. Although possible, this has not been implemented within CnW (yet).

Reiser and deleted files

When a file is deleted in NTFS and FAT, the directory entry is marked as deleted. If no data has been written to the disk, then the file can normally be found, and often recovered (subject to fragmentation). With Reiser, the inode associated with the main file/directory is set to null values, and so the type of file or directory is lost. CnW software though has a recovery routine that will determine the original values of an inode based on certain remaining parameters. This is not an exact science, and so not all files will be found. However, it can scan the disk drive and find many files, and where possible generate correct file names, and often the correct path. Because the basic directory structure is missing, one small problem is that files can be recovered multiple times. It can therefore look as if, for instance, 100GB of data can be recovered from a 40GB disk. This may be annoying, but data recovery is possible.

HP Mediavault Tutorial

The HP Media Vault comes in a few flavours. This page is to assist any user with either the demo or licenced copy to recover data from the disks. (For the demo, all processes are the same as the licenced version, but no data will actually be stored).

Stage 1 Configure hardware

The first stage is to configure CnW to read the disks and also determine if it is a RAID-1 or JBOD or separate disks. The easiest way to physically read the disk is in a USB caddy, or for multiple disks, 2 caddies. The question of RAID-1 or JBOD can normally be determined by the capacity of the Media Vault. If the capacity is the same as one of the disks, then RAID-1 is the most likely answer. If the capacity is twice the size of the disk, then JBOD was used. Apparently, RAID-0 was considered, but never implemented. For RAID-1, only one disk needs to be considered, and so only a single USB interface is required. There is also a configuration of two single drives where the second drive is not logically related to the first drive. In this case the RAID option is not required.

Stage 2 Set up RAID if a JBOD

If it is thought that the disk is a JBOD, then the RAID option must be used. This is a chargeable option, so please contact CnW for details if not already purchased. For the demo system, just enter 'RAID' as the registration code. The registration screen is part of Configure in the Recovery functions and other options function. Please read the section in the RAID setup on HP Media Vault for details of setting up the JBOD. Hopefully, it will be done automatically with the analyse tool.

Stage 3 Confirming setup

This stage is optional, but often worth while to make sure that the disks are the correct format, and if relevant that the RAID is correctly configured. Using the Recovery functions and other options feature, the main menu will be displayed (ie this is not the starting wizard). The drive or the RAID must be selected at the top of the screen and the View function selected. This will display sector 0, the first of the disk.

For a RAID-1 disk, it should display a hex dump whose text column reads
    Broadcom NAS Version 1.1 MBR Tag
[hex dump of sector 0 not reproduced; only the text column survived extraction]

For a JBOD, viewed with 2: - RAID, the first sector will display
    BrcmSeMagicStr
and in sector 0x80 of a JBOD the data will start - this is the super block, which carries the text
    ReIsEr2Fs
[hex dump of sector 0x80 not reproduced; only the text column survived extraction]

An example of a stand alone disk 1 - note the size at offset 0x28, 0x3A251DE0, is roughly that of the size in sectors of the total disk, 500GB
[hex dump of sector 0 not reproduced]

An example of a stand alone disk 2 - note the size at offset 0x28, 0x5743D224, is roughly that of the size in sectors of the total disk, 750GB
[hex dump of sector 0 not reproduced]

Stage 4 Doing a recover

The final stage is actually recovering the data. For this stage, use the Recover function (in the main part of the program). On some configurations, the program may bring up the Partition screen with several partitions. In this case, select the line with Reiser FS. If Reiser FS is not shown, select Analyse partitions... and then select Search for existing partitions. Within a few minutes, a Reiser partition should be displayed, and at this point, the scan can be cancelled. Select the Reiser FS partition. Press OK.

The next menu is the Unix Options menu. This allows for different types of recovery to be made, and the location where the files are to be saved (not relevant in demo mode). There are three main recovery modes
- Full recovery. This will try and read the file system in a conventional way, and recover files and directories. It is tolerant of file system errors, but will not find orphaned directories etc. This is the fastest recovery function.
- Scan directory stubs. This mode will scan all known inodes for directory stubs. Hence it will find orphaned files from damaged or corrupted disks.
- Raw inodes. This mode is the slowest, but can be extremely effective. The complete disk will be scanned, sector by sector, to try and find any inodes. These will then be noted, and the Scan directory stubs function called. This mode will find any lost files, and can also detect many deleted files. However, it should be noted that the directory structure may not be fully intact, though file names will be correct.

Once the mode has been selected, press Recover All or Select files. Files will be saved in the output directory specified, and will retain the original directory structure.

Stage 5 Verifying files

The easiest way to verify files is with the log. A very good indication that a file is correct is to check the signature. For many common files these are known, and so should match, or at least match the family. For instance, .exe, .dll and other similar files all have the same signature. If no signatures match, there is likely to be a problem. The demo does not actually save any files, so the log is the best guide as to what may be recovered. The display will show all files and directories as they are scanned. For more confidence, double click on a log line and the selected file will be displayed as a hex dump. (This does require the original disk to still be selected).
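The Stage 3 checks on a MediaVault disk, as an added example that is not CnW's code: it classifies a disk from the sector-0 text the tutorial shows, reads the ReiserFS super block at sector 0x80, and for a stand-alone disk compares the value at offset 0x28 with the file system size. The disk images are constructed; the super block field offsets (block count at 0, block size at 44, magic at 52) are those of the ReiserFS 3.6 on-disk format, not something the manual states.

```python
"""Added example (not CnW's code): classify an HP MediaVault generation-1
disk from the strings the tutorial shows in sector 0, then read the ReiserFS
super block at sector 0x80. Images are constructed; the super block field
offsets are those of the ReiserFS 3.6 on-disk format."""
import struct
from typing import Dict, Optional

SECTOR = 512
SUPERBLOCK_SECTOR = 0x80                 # 64 KiB in: the tutorial's 'sector 0x80'
REISER_MAGICS = (b"ReIsEr2Fs", b"ReIsErFs", b"ReIsEr3Fs")

def read_reiser_superblock(image: bytes) -> Optional[Dict]:
    """Block count (u32 at 0), block size (u16 at 44) and magic (10 bytes at 52)."""
    base = SUPERBLOCK_SECTOR * SECTOR
    sb = image[base:base + 64]
    if len(sb) < 64:
        return None
    magic = sb[52:62].rstrip(b"\x00")
    if magic not in REISER_MAGICS:
        return None
    block_count = struct.unpack_from("<I", sb, 0)[0]
    block_size = struct.unpack_from("<H", sb, 44)[0]
    return {"magic": magic.decode(), "block_count": block_count,
            "block_size": block_size, "sectors": block_count * block_size // SECTOR}

def classify_disk(image: bytes) -> Dict:
    """Stage 3 checks: sector-0 tag, super block, and for a stand-alone disk
    whether the u32 at offset 0x28 roughly matches the file system size."""
    s0 = image[:SECTOR]
    if b"Broadcom NAS Version" in s0:
        role = "raid1-member"
    elif b"BrcmSeMagicStr" in s0:
        role = "jbod-member"
    else:
        role = "standalone"
    size_field = struct.unpack_from("<I", s0, 0x28)[0]
    sb = read_reiser_superblock(image)
    consistent = None
    if role == "standalone" and sb and size_field:
        consistent = abs(sb["sectors"] - size_field) <= size_field // 20   # within 5%
    return {"role": role, "size_field": size_field, "superblock": sb,
            "size_consistent": consistent}

def build_sample(role: str) -> bytes:
    """Constructed image of 0x81 sectors carrying the tags the tutorial describes."""
    img = bytearray((SUPERBLOCK_SECTOR + 1) * SECTOR)
    if role == "raid1":
        img[0x1A0:0x1A0 + 32] = b"Broadcom NAS Version 1.1 MBR Tag"
        return bytes(img)                         # no super block on this sample
    if role == "jbod":
        img[0:14] = b"BrcmSeMagicStr"
    else:                                         # stand-alone 500 GB disk, size as in the tutorial
        struct.pack_into("<I", img, 0x28, 0x3A251DE0)
    base = SUPERBLOCK_SECTOR * SECTOR
    struct.pack_into("<I", img, base, 122_080_000)    # block count of 4 KiB blocks (constructed)
    struct.pack_into("<H", img, base + 44, 4096)
    img[base + 52:base + 62] = b"ReIsEr2Fs\x00"
    return bytes(img)

if __name__ == "__main__":
    for role in ("raid1", "jbod", "standalone"):
        print(role, classify_disk(build_sample(role)))
```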

Forensic tools

To do any forensic investigation, one must be able to access the media, and recover files from the same media. Investigation often goes further, trying to establish when files were written, which files have been deleted or modified, and also what is on the disk but cannot be seen by the standard operating system.

As a forensic investigation tool, CnW Recovery has a significant feature in that it will logically recover files from otherwise damaged or corrupt media. This will give the investigator many files that cannot normally be seen on the disk. In addition, files in unallocated space can also be recovered. Although CnW Recovery software does not attempt to analyse file content, it will detect files that have been renamed to try and disguise the contents; in particular, most image files can be recognised by a signature rather than a (false) filename.

How each type of disk is analysed tends to be different, and so each type is described in sections below. However, common tools are based around the log which gives useful information on
- File name
- File size
- File dates: creation, modified, accessed
- Location of directory sector
- Location of data sector
- Number of fragments
- File extension
- File signature
- MD5 hash value (Forensic option only)

The Forensic Report (Forensic option only) does give details on operations and tests, along with many errors detected. This is generated in XML so that it may be included in a specific report on a particular disk.

A significant feature of using CnW Recovery software for recovery is that it does not use standard functions to recover files. The program is designed to be tolerant of disk errors, and hence also tolerant of deliberate changes to try and hide data. For instance, changing a boot sector will not necessarily allow a user to lock an area of the disk out. In this instance, it is also possible to modify certain parameters for a restore function so that, for instance, a large area of a disk could be examined. The forensic option will include recovery of slack space for FAT and NTFS disks. For NTFS disks, this includes slack within the directory.

CnW Recovery forensic investigation tools

CnW recovery software can assist in two main aspects of forensic investigation. These are recovering files, and tracking how and when they were written, changed or deleted. Each type of media has its own 'style' of information, so investigating a CD-R will be different to an NTFS hard drive, or a FAT memory stick. For rewritable media, there is often the issue of slack and unallocated space to be considered. A write once CD can be simpler, but multiple sessions add to the fun.

For all types of media, there are several areas that need consideration, but these can vary with the type of investigation. Important points though are listed below
- All file names
- File attributes
- Dates that files were created, modified and accessed
- File signatures
- Hash values
- File integrity
- Which file a sector is part of

These features are all stored in the logs for each recovery job done. The above points are generally device independent and represent just the data.

File names

The name given to a file is often a good guide to the file contents. File names are made of several parts: the directory path, file name, and file extension. Most people have some structure of where they store files, and often this is the default for the application that wrote the file. If users want to hide files, then placing them in different directories, or using different filenames, can mean that a quick glance at the media will overlook such files. They can also be marked as Hidden files within the operating system.

File attributes

Probably the most interesting attribute for investigation will be the Hidden attribute. A normal hard drive has very few hidden files, and they are normally protected operating system files. CnW Recovery will always copy all files, irrespective of their attributes. The file attributes are stored in the log so hidden and system files can be detected. Other attributes such as compressed or archive are not normally very interesting, forensically speaking.

Dates and times

Dates and times can be very interesting to examine. Exactly which dates and times are stored can be media dependent, but typically created, modified and accessed are interesting dates.
- The creation date is when the file was first created
- The modified date is when the file was last modified
- The access date was when the file was last accessed

All these dates come from the PC clock, and are viewed in local time. There can be issues where the modified date is earlier than the creation date, which at first glance sounds rather odd. It can arise if a file is moved from one medium to another, eg copied from a floppy to a hard drive. Then the new file on the hard drive will have a creation date of when the file was copied, but a modified date of when the contents were last changed. If somebody is trying to cover up a change, it is possible to change the system clock, modify a file, and possibly then change the system clock back again. To do this consistently is actually very difficult and this type of attempt may well be spotted by inconsistencies in dates, and maybe dates in logs, or when writing external media such as CDs.

File signatures

Many data files have a unique sequence of bytes at the start of the file. This can be used to see if a file is the correct type for the extension applied. For instance, all jpeg files start with the hex bytes 0xFF 0xD8 - after which there can be many variations. Thus if a file has a .jpg extension, and not the first two bytes, then either it has been renamed, or there is an error. Forensically, the opposite way around can be of great interest. A jpeg file could be renamed .dat in an attempt to hide it. CnW Recovery software always checks a signature on each file and it would therefore detect such a file as jpeg, and this information would be stored in the log.

File validation

In certain modes a file validation routine can be run. Although it cannot handle all known variations of files it can indicate if the file is valid or corrupt. This should be treated as a guide, and not as evidence.

Which file a sector is part of

If information is found in a sector it is useful to know which file it is part of. The search function in the log will allow the sector number to be entered, and it will display the file (or files) that the sector is found in. Multiple files will sometimes be found if one of them has been deleted, and the disk area reused.
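The log-based checks described above (signature against extension, hidden attribute, modified date earlier than creation), as an added example that is not CnW's code: it runs over a constructed extract of a recovery log and reports each file that needs a second look. The log field names, the signature table and the sample entries are all constructed for the example; the date anomaly is reported as something to check, since the page notes it also arises from an ordinary copy between media.

```python
"""Added example (not CnW's code): triage recovery-log entries for the
indicators the forensic section lists. The log entries, signature table and
field names are constructed for the example."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Leading bytes -> family. .exe/.dll and .zip/.docx share a family, as the manual notes.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"MZ": "exe",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
EXTENSION_FAMILY = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "exe": "exe",
                    "dll": "exe", "zip": "zip", "docx": "zip", "pdf": "pdf"}

def signature_family(head: bytes) -> Optional[str]:
    """Family of the file judged by its first bytes, or None if not known here."""
    for magic, family in SIGNATURES.items():
        if head.startswith(magic):
            return family
    return None

def triage_entry(entry: Dict) -> List[Tuple[str, str]]:
    """(code, detail) findings for one log entry; an empty list means nothing odd."""
    findings = []
    name = entry["path"].rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    by_sig = signature_family(entry["head"])
    by_ext = EXTENSION_FAMILY.get(ext)
    if by_sig and by_ext and by_sig != by_ext:
        findings.append(("renamed", f"content is {by_sig}, extension says {by_ext}"))
    elif by_sig and not by_ext:
        findings.append(("renamed", f"content is {by_sig} under extension .{ext}"))
    elif by_ext and not by_sig:
        findings.append(("bad_signature", f"expected {by_ext}, first bytes {entry['head'][:4].hex()}"))
    if "H" in entry["attrs"] and "S" not in entry["attrs"]:
        findings.append(("hidden", "hidden attribute on a non-system file"))
    if entry["modified"] < entry["created"]:
        # normal for a file copied between media; otherwise the clock may have been moved
        findings.append(("modified_before_created",
                         f"modified {entry['modified']}, created {entry['created']}"))
    return findings

def triage(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map each flagged path to its finding codes; clean entries are omitted."""
    result = {}
    for e in entries:
        codes = [code for code, _ in triage_entry(e)]
        if codes:
            result[e["path"]] = codes
    return result

def sample_log() -> List[Dict]:
    """Constructed log extract: path, first bytes, attributes and the three dates."""
    def t(s: str) -> datetime:
        return datetime.strptime(s, "%Y-%m-%d %H:%M")
    def row(path, head, attrs, created, modified, accessed):
        return {"path": path, "head": head, "attrs": attrs,
                "created": t(created), "modified": t(modified), "accessed": t(accessed)}
    return [
        row("C:/Users/a/photos/IMG_0012.jpg", b"\xff\xd8\xff\xe1\x12\x34", "A",
            "2013-05-01 10:00", "2013-05-01 10:00", "2013-05-02 09:00"),
        row("C:/Windows/temp/cache01.dat", b"\xff\xd8\xff\xe0\x00\x10", "HA",
            "2013-06-11 23:10", "2013-06-11 23:10", "2013-06-12 08:00"),
        row("C:/Users/a/docs/report.docx", b"PK\x03\x04\x14\x00", "A",
            "2013-07-02 14:00", "2013-03-15 11:30", "2013-07-02 14:00"),
        row("C:/Users/a/docs/notes.pdf", b"\x00\x00\x00\x00\x00\x00", "A",
            "2013-01-01 00:00", "2013-01-01 00:05", "2013-01-01 00:05"),
        row("C:/pagefile.sys", b"\x00\x00\x00\x00\x00\x00", "HS",
            "2012-12-01 00:00", "2013-07-01 00:00", "2013-07-01 00:00"),
    ]

if __name__ == "__main__":
    for path, codes in triage(sample_log()).items():
        print(path, codes)
```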

Discover deleted files

With many forensic investigations, a very important aspect is to discover files that have been deliberately deleted. Fortunately, deletions through the operating system typically just mark the file deleted, and make the space taken by the file available for new files. The investigator then has several tools to discover the files, recover the files, and at times, can even work out when the files were deleted.

Stage 1

The first tool to use is a standard recovery routine, but selecting the 'Recover deleted files' option that appears in the recovery menu. If there have not been many operations on the disk since the files were deleted, this will recover the deleted files, almost certainly correctly. As more file movements on the disk take place, the chance of a file being overwritten increases. It should be noted that for FAT32 files, deletion often removes the original location on the disk, but CnW software has functions to assist with this.

Stage 2

When directories are deleted, the directory is marked as a deleted file, but there is always a danger that this entry will be reused, and so a logical parsing of the directory could miss a complete directory branch. To overcome this, it is best to try multiple approaches to reading the disk. For NTFS, use the option Recover from file entries, which will scan for all possible files and directories. When a parent directory is not found because the directory has been deleted, a dummy directory name will be created. For FAT disks, the option Recover from directory stubs should be used. This will scan the disk for all subdirectory entries. One limitation is that if the subdirectory has been deleted, there is no way to tell how long the directory is, and so at times fragments of the directory may be omitted.

Stage 3

Some files, when deleted, will in effect escape from the file system. For these it will be necessary to use the recover Unallocated Space option. This is used once the disk has been read, and then all the clusters that have not been accessed will be analysed for possible files. Being raw recovery, there are very few checks on the files, apart from fairly comprehensive file signature checking, and sometimes logical verification of the files.

Analysis

Once files have been recovered it is often worth investigating when they were deleted. For FAT disks, no such information is stored, but for NTFS disks there are dates stored which will indicate when a file was last changed, which is stored in the Attribute time. Another useful piece of investigation is to work out on an NTFS disk what file overwrote a directory entry. If the NTFS recover routine cannot recreate a complete directory path, then it will create a lost_dir_xxx entry where xxx is the number of the expected MFT. By looking through the log for the MFT with the value xxx, one can see what has been written, and when, to delete the directory.

ISO9660 and Joliet investigation

When investigating ISO9660 and Joliet disks there are several areas that may be of interest. CnW Recovery software will assist in giving details of the media, and also each session that has been written to the disk, along with dates and files.

UDF forensic investigation

UDF is typically used to record onto CDs and DVDs. However, it can be used on any media, and this includes Iomega Rev Disks. There are several principal versions, V1.02, V1.50, V2.50 and V2.60. Full specs are downloadable from the web. Large elements are also based on the Ecma 167 standard.

UDF can be used on both write once and read/write disks (eg CD-RW). Forensically, write once disks are interesting because it is possible to in effect delete files, or edit files. Being write once, this is done by a sleight of hand, which is virtual directories. Each time a writing session is finished, a table is stored at the end of the current data, which sets a logical map to the directory. This is the method by which new directory entries may be made having new pointers to existing, or new, files. Each new directory could be completely different, or only a minor change to previous directories, but can incorporate new files, or delete existing files.

CnW Recovery software can reconstruct each session, showing which files were written, and when. In order to view each session, the option box Scan all sessions should be selected - this is actually only enabled for UDF disks. The program will then search through the disk sequentially and find each UDF VAT (Virtual Allocation Table) and then will do a disk directory for each session. On a well used disk there may therefore be the equivalent of maybe 80 tracks. Each track could be recovered on its own so file differences could be seen. If all files are recovered then a significant amount of disk space may be required. At the end though, the DeDup function could be used to remove identical instances of any file.

NTFS forensic investigation

NTFS is probably the most common disk format now used on a PC. In recent years it has become the default format, replacing the much simpler FAT32 format. It is a complex format supporting features such as compression and encryption. There is scope for users to hide data, and also scope for CnW Recovery software to recover data that is otherwise invisible.

The two most useful modes to investigate NTFS disks are to do a full recover, and a scan of MFTs. The full recover, in particular when used with the deleted files option, will show all the files on the hard drive, including recently deleted files. The scan MFTs will pick up all current files, and also files that have been left from a previous formatting of a disk. It can be very useful when an operating system has been reloaded, as many of the original files can still be recovered. An additional mode to the scan MFTs function is to scan the complete drive for MFTs. This will pick up more files, but sometimes the 'left over' MFTs will have rather odd subdirectory paths.

Features to assist with investigation
- Slack file recovery - for both files and directories
- Hashing of all files
- Full dates stored in logs for creation, modification, access
- The ability to discover which file a sector is used in
- Reads deleted files
- Checks file signature - useful when a file has been renamed to hide a file
- Recovers files even when the directory structure is incomplete
- Will scan disk for isolated / orphaned MFT entries
- Logs may be sorted in any date order
- Raw image scan of disk for unallocated space recovery
- MFT Parse - view elements of the MFT
- Recovers registry files, eg NTUSER.DAT, logfile, $UsnJrnl

Third party tools

There are many third party tools to help with a disk investigation, some free, some chargeable. Some examples are below; they can be downloaded from the web. CnW does not have any connection with these tools, and the information is just information.
- RegRipper - Will expand the registry into a readable text report
- John the Ripper - Password recovery

MFT Parse

The $MFT file is a list of all files on the current disk (or partition). The structure of each MFT record is well documented, but contains many binary numbers and so can be difficult to interpret. CnW can be used to view an MFT sector, and when the mouse pointer is held over any part of the hex dump, appropriate fields will be explained. This will include file sizes, dates, as well as attributes and pointers. The same information will be stored in the log when a file is recovered, but the manual mode will assist with forensic investigation down to the level of bits and bytes within the MFT record.

It can be seen in the screen dump above that the cursor is over the File modified date field, and so displays date and time.

The main sections of the MFT are all decoded, as follows
- 0x10 Standard Attribute Header
- 0x20 Non resident pointers
- 0x30 File name
- 0x50 Security descriptor
- 0x60 Volume name
- 0x80 Data run pointers and file size
- 0xA0 Index allocation
- 0xB0 Bitmap
- 0xD0 EA information
- 0xE0 EA
- 0xF0 Property Set
- 0x100 Logged utility stream

For the main header, typically the first 0x38 bytes, the following fields are displayed
- MFT header pointer to fix up : 0x30
- Fix up count : 03
- $Logfile sequence number
- Number of times MFT has been reused
- Hard link count
- Real size of MFT record
- Allocated size of MFT record
- MFT value : 0x00 - this is the reference of the MFT in the $MFT file
- Status flag indicating that the MFT is for a file or directory, and if used or deleted
- Fix up value, and it verifies that the value in offset 0x1fe and 0x1ff is correct, or incorrect

For Standard Information, record type 0x10, the following fields are displayed
- Creation date
- File modified date
- MFT changed time
- File read time
- File attribute, such as Read Only, Compressed, Hidden

For File name, record type 0x30
- Creation date
- File modified date
- MFT changed time
- File read time

For data run, record types 0x80 and 0xA0
- Offset to data runs
- Allocated size of file
- Real size of file
- Initialised size of data stream
- Cluster start of data runs
- Length of first data run in clusters - only the first is currently expanded
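The header decode the MFT Parse screen performs, as an added example that is not CnW's code: it reads the header fields listed above (fix-up pointer and count, $LogFile sequence number, reuse count, hard links, record sizes, MFT number, status flags), checks the fix-up values at offsets 0x1FE and 0x3FE of a 1 KB record, and lists the attribute types present using the manual's table. The record is constructed, not taken from a disk; the header byte offsets are the standard NTFS record layout, which the manual does not spell out.

```python
"""Added example (not CnW's code): decode the MFT record header fields the
manual lists, verify the fix-up values at the end of each sector, and list the
attribute types present. The sample record is constructed, not read from a disk."""
import struct
from typing import Dict, List

HEADER = "<4sHHQHHHHIIQHHI"   # 48-byte record header, standard NTFS layout
ATTR_NAMES = {
    0x10: "Standard Information", 0x20: "Attribute List", 0x30: "File name",
    0x50: "Security descriptor", 0x60: "Volume name", 0x80: "Data",
    0xA0: "Index allocation", 0xB0: "Bitmap", 0xD0: "EA information",
    0xE0: "EA", 0xF0: "Property Set", 0x100: "Logged utility stream",
}
IN_USE, IS_DIRECTORY = 0x0001, 0x0002

def parse_mft_record(rec: bytes, sector: int = 512) -> Dict:
    """Decode the header, apply and check the fix-ups, walk the attribute headers."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT record, signature is %r" % rec[:4])
    (_, usa_off, usa_cnt, lsn, seq, links, attr_off, flags,
     real, alloc, base_ref, next_id, _, recno) = struct.unpack_from(HEADER, rec)
    # Fix-up: the update sequence number (usn) overwrites the last two bytes of
    # every sector; the displaced bytes live in the array and must be put back.
    usn = struct.unpack_from("<H", rec, usa_off)[0]
    data = bytearray(rec)
    fixup_ok = True
    for i in range(1, usa_cnt):
        end = i * sector - 2                       # 0x1FE and 0x3FE for a 1 KB record
        if data[end:end + 2] != rec[usa_off:usa_off + 2]:
            fixup_ok = False                       # torn write or wrong sector read
        data[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attrs: List[str] = []
    pos = attr_off
    while fixup_ok and pos + 8 <= len(data):
        atype, alen = struct.unpack_from("<II", data, pos)
        if atype == 0xFFFFFFFF or alen < 8:        # end-of-attributes marker
            break
        attrs.append(ATTR_NAMES.get(atype, hex(atype)))
        pos += alen
    return {
        "record_number": recno, "sequence": seq, "hard_links": links,
        "logfile_sequence_number": lsn, "real_size": real, "allocated_size": alloc,
        "base_record": base_ref & 0xFFFFFFFFFFFF, "next_attribute_id": next_id,
        "in_use": bool(flags & IN_USE), "is_directory": bool(flags & IS_DIRECTORY),
        "usn": usn, "fixup_ok": fixup_ok, "attributes": attrs,
    }

def attr_stub(atype: int, length: int) -> bytes:
    """Attribute header with only type and length filled in (enough for the walk)."""
    return struct.pack("<II", atype, length) + bytes(length - 8)

def build_sample_record(recno: int = 37, usn: int = 0x0A0B) -> bytes:
    """Constructed in-use file record: $STANDARD_INFORMATION, $FILE_NAME, $DATA."""
    attrs = attr_stub(0x10, 0x60) + attr_stub(0x30, 0x78) + attr_stub(0x80, 0x48)
    attrs += b"\xff\xff\xff\xff"
    real = 0x38 + len(attrs)
    rec = bytearray(1024)
    rec[:48] = struct.pack(HEADER, b"FILE", 0x30, 3, 0x1234567, 2, 1, 0x38,
                           IN_USE, real, 1024, 0, 4, 0, recno)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x1FE:0x200], rec[0x3FE:0x400] = b"\x11\x22", b"\x33\x44"   # bytes the fix-up displaces
    rec[0x30:0x36] = struct.pack("<H", usn) + rec[0x1FE:0x200] + rec[0x3FE:0x400]
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = struct.pack("<H", usn)
    return bytes(rec)

if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record()).items():
        print(f"{key:24s} {value}")
```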

DVD Properties

This tool allows the user to look at, and analyse, parts of DVDs that are not normally seen. The functions are performed by the Read DVD Structure command on the disk drive. The screen has several push buttons which are enabled if the actual disk drive enables the function. Not all disk drives enable all functions. The display is a hex dump, and it will be necessary to consult a drive reference manual to interpret the functions. For users with the forensic option, many of the fields are decoded, and stored in the Forensic Report log, and also included in the XML report. Basic descriptions are shown below.

Data Lead in
Gives details of the disk type, number of layers, as well as start and end of data area.

RMD in last border
Gives details of the disk drive that wrote the disk. This includes drive manufacturer, model and serial number. With this information it is possible to identify the actual drive used to write the disk. Forensically, it is therefore possible to tie up a DVD with a physical drive.

Start RMD

Data Carving

Data carving is an important tool when attempting to recover files from unallocated drive space, or from a disk that has become very corrupted. It is based on the CnW disk imaging routine, but goes several stages further and will attempt to automatically reconstruct files that are fragmented. It can be slow, but if a file is critical it is well worth while, and quicker than trying to process by hand. Very few data recovery programs can recover fragmented files when the operating system details have been lost or corrupted; CnW often succeeds. Forensically, it logs the start of every file it finds, and the fragments when reconstructing a JPEG.

Recovery based on signature alone often works extremely well, but if a file is fragmented the recovered file will not be valid. The approach that CnW Recovery takes is to do a standard raw recovery, based on signatures and headers, to track down sequential (unfragmented) files. These files are then verified, and when verification indicates a complete and valid file, the space it occupies on the drive is marked as used. This reduces the number of sectors that have to be searched for other file fragments. Thus the program builds up an internal map of areas of the disk where fragments may be found, and areas where the data is known and in effect allocated.

The actual recovery of files is done on a file type by file type basis. In raw recovery the operating system gives no assistance as to where the fragments are stored, although the procedure above helps to lock out areas. Hence data carving relies on a lot of trial and error. The success rate often depends on the mix of files on a disk or memory chip. If a single JPEG is fragmented and all other files are XML files, joining fragments is easy. If there are a lot of Word DOC files, all fragmented, it is very easy to get false matches.

To reconstruct a file, first the starting stub is required. This is typically found by a signature; for instance a JPEG file always starts 0xFF 0xD8 0xFF, normally followed by 0xE0 (JFIF) or 0xE1 (Exif).
After the initial header blocks, a JPEG file is made up of sectors of compressed data. The recovery routine can therefore check that the possible sectors to add are compressed data, and then verify whether the additional data still keeps the incomplete JPEG file consistent. This process is continued until a complete file is constructed, or it is determined that the process is not working. CnW Recovery software has automatic routines using data carving methods for files such as JPEG and AVI. This list will grow on a regular basis.

JPEG Carving
JPEG carving is particularly useful with camera memory chips. Once a raw recovery is performed on a memory chip, there are often several images that do not open. If they are fragmented, the process fragments function will normally reconstruct between 25% and 75% of these images. The routine works best when the different fragments of the image are sequential, though not consecutive. If sections of the file are missing, because they have been overwritten, no data carving will work: CnW does not attempt to insert data to fix the image.

AVI Carving
AVIs have a structure that is very tolerant of carving. They are also tolerant of sections of corrupted data as long as critical pointers are valid. CnW software will therefore join fragments together to make a valid file. Development is taking place so that when the end of an AVI cannot be found, a suitable trailer record will be added so that the reconstructed AVI will open and play.

DOC carving
Word documents do not respond to simple data carving techniques very well. There are several pointers in the file that can be used, but the recovery rate using automatic routines is not very high.

PSD (Photoshop) carving
PSD files have a lot of records, all with embedded lengths and a simple 4 byte tag. It is therefore possible to step through the file validating each record and predicting where the next tag must be. Knowing that the tag must be at a certain location within a cluster, it is normally possible to locate the correct cluster.

Manual Data Carving

For investigation, automatic data carving is obviously the quickest method, but at times it is necessary to perform manual operations to obtain the best results. A typical occasion where automatic carving has significant problems is when a certain type of file has been fragmented and there are many more similar files of the same type. A good example might be Excel or Word files, which all have key pointers to recognise file sections, but where it is very easy to accidentally match fragments from several files. The manual carving system allows clusters to be viewed and worked with, so that a file can be built up or edited. This option is part of the Forensic option only.

To edit a file, the log must be displayed and the Verify column clicked on. The Data carving option box will then be displayed.

Data Carving with an Excel File

To reconstruct an Excel file requires a good knowledge of the Excel (compound file, OLE2) structure. The PDF documentation is about 350 pages long and can be downloaded from Microsoft. The following notes may assist with carving Excel files.

It is assumed that the first header block is available. It starts with the compound file signature:

D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00   ÐÏ.à.±.á........

Further along the header, FE FF at offset 0x1C is the byte order mark, the sector shift at 0x1E is 9 (512 byte sectors), and the unused allocation table pointers at the end of the header are filled with FF FF FF FF (free). The value FE FF FF FF marks the end of a chain.

The block pointed to at offset 0x30 (the first directory sector), 0x01 in this example, is the Root Entry, which shows in the dump as the UTF-16 string R.o.o.t. .E.n.t.r.y. Sector numbers always count from after the 512 byte header block, so sector 1 is byte offset 0x400.

The pointer at location 0x4C is the first allocation table (FAT) sector; in this case it is sector 0, so the FAT starts at offset 0x200 with entries such as FD FF FF FF (the FAT sector itself) and FE FF FF FF (end of chain). The second pointer, at location 0x50, is the next part of the allocation table, here sector 0x74. That FAT sector covers sectors 0x80 to 0xFF, and so will typically start with the 4 byte values 0x81, 0x82, ... (81 00 00 00 82 00 00 00), each sector of a sequential stream pointing to the next. It should be found at location 0xEA00 in the file (0x200 + 0x74 * 0x200).

In the example above the cluster size is 4 sectors (0x800 bytes), so the Root Entry and the first FAT sector are contained within the first cluster along with the header. However, the second FAT sector should be in cluster 0x1D (0xEA00 / 0x800), and as this was not the case (the file is fragmented) it has to be searched for, by entering a location of EA00 and the values 0x81 0x82.

The starting point to search from is the start of the file; 0 or 1 is fine. This string could be found in many Excel files, so it is useful to know the length of the file. As there are only 2 FAT pointers, the chances are that the second FAT sector will not be entirely full. If all 128 entries are used in the 0x200 byte block, the entry probably belongs to a longer file. In this case the Search Again function can be used to find a better entry.

In this example it was a deleted FAT file, so the file length was known to be 0x11800 bytes, or no more than 0x8C sectors. With the terminating pointer in the found FAT sector being 0x89 (the chain ends at sector 0x89, just below 0x8C), this looks a very good match, and so the sector should be saved in cluster 0x1D of the reconstructed file.
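The arithmetic above can be checked mechanically. The following is an added example (written for this page, not CnW Recovery's code) that reads the compound file header, predicts where each FAT sector should be, and then searches a sector-aligned image for a displaced FAT sector by the leading entries it must have, ranking candidates so that a completely full FAT sector from a longer file sorts below one whose chain ends within the known file length. The image is constructed in memory to reproduce the situation described: DIFAT entries 0 and 0x74, the real second FAT sector displaced to sector 0x90, and a full decoy sitting at 0xEA00.

```python
"""Added example (not CnW Recovery's code): use the compound file (OLE2)
header of an Excel or Word file to predict where its second FAT sector
should be, then search for a displaced one by the leading entries it must
have, as described above.  The image is constructed in memory."""
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def parse_cfb_header(hdr):
    if hdr[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_shift, = struct.unpack_from("<H", hdr, 0x1E)       # 9 -> 512 bytes
    n_fat, first_dir = struct.unpack_from("<II", hdr, 0x2C)
    difat = [e for e in struct.unpack_from("<109I", hdr, 0x4C) if e != FREESECT]
    return {"sector_size": 1 << sector_shift, "fat_sectors": n_fat,
            "first_dir_sector": first_dir, "difat": difat}


def sector_offset(sector_no, sector_size=512):
    """Sector numbers count from just after the 512 byte header: sector 1
    is at 0x400, sector 0x74 at 0xEA00."""
    return (sector_no + 1) * sector_size


def cluster_of(offset, cluster_size=0x800):
    return offset // cluster_size


def expected_fat_prefix(k, sector_size=512, n=2):
    """FAT sector k holds the entries for sectors k*E .. k*E+E-1 (E = entries
    per sector).  A sequential stream makes each entry point to the next
    sector, so FAT sector 1 of a 512 byte sector file opens 81 00 00 00
    82 00 00 00."""
    e = sector_size // 4
    return b"".join(struct.pack("<I", k * e + i + 1) for i in range(n))


def find_fat_sector(image, k, max_sector=None, sector_size=512):
    """Scan sector-aligned positions for blocks that open like FAT sector k.
    A candidate is plausible if every used entry is a special value or a
    sector number the file can actually contain, and the block ends a chain.
    Fully used blocks sort last: they probably belong to a longer file."""
    pat = expected_fat_prefix(k, sector_size)
    e = sector_size // 4
    hits = []
    for off in range(0, len(image) - sector_size + 1, sector_size):
        blk = image[off:off + sector_size]
        if not blk.startswith(pat):
            continue
        ents = struct.unpack("<%dI" % e, blk)
        used = [x for x in ents if x != FREESECT]
        ends = [k * e + i for i, x in enumerate(ents) if x == ENDOFCHAIN]
        in_range = all(x >= FATSECT or max_sector is None or x <= max_sector
                       for x in used)
        hits.append({"offset": off, "cluster": cluster_of(off), "used": len(used),
                     "last_sector": ends[-1] if ends else None,
                     "plausible": in_range and bool(ends)})
    hits.sort(key=lambda h: (not h["plausible"], h["used"]))
    return hits


def build_sample_image():
    """Constructed fragment of a deleted .xls: 512 byte sectors, 2 FAT
    sectors (0 and 0x74), directory at sector 1.  The second FAT sector is
    not at 0xEA00 where it belongs; a full FAT sector from a longer file
    sits there instead, and the real one is at sector 0x90."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 0x2C, 2, 1)
    struct.pack_into("<109I", hdr, 0x4C, 0, 0x74, *([FREESECT] * 107))
    img = bytearray(0x12400)
    img[:512] = hdr
    fat0 = [FATSECT, ENDOFCHAIN] + [i + 1 for i in range(2, 128)]
    fat0[0x74] = FATSECT
    img[0x200:0x400] = struct.pack("<128I", *fat0)
    img[0xEA00:0xEC00] = struct.pack("<128I", *[0x81 + i for i in range(128)])
    real = [0x81 + i for i in range(9)] + [ENDOFCHAIN] + [FREESECT] * 118
    img[0x12200:0x12400] = struct.pack("<128I", *real)
    return bytes(img)
```

Running find_fat_sector with the known file length (0x8C sectors) puts the displaced sector, whose chain ends at 0x89, ahead of the full decoy at 0xEA00, which is the judgement the Search Again step asks the user to make by eye.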

File Validation

The file validation routine will attempt to validate files of certain known types. The result will either be File Passed, or the dialog box below will be displayed. The error is format dependent and will try to indicate where the file failed validation. The location, if known, will also be shown (in both decimal and hex). At the same time the display will be set to file view mode, and the failing cluster will be displayed.
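The following added example (illustrative code for this page, not CnW Recovery's validation or carving routine) shows what such a check looks like for a JPEG, and how the Data Carving section above uses it: the checker walks the marker segments to the start of scan, then requires every 0xFF in the entropy-coded data to be an escape (FF 00), a restart marker (FF D0-D7) or the end marker (FF D9), and reports the offset at which a candidate stops being a consistent JPEG. A greedy trial then extends a header stub one sector at a time, keeping only sectors that preserve consistency. It handles baseline single-scan JPEGs only; the sample image and the foreign sectors between its fragments are constructed.

```python
"""Added example (not CnW Recovery's routine): a structural JPEG check of
the kind data carving and file validation depend on, and a sector-by-sector
trial that uses it to extend a header stub.  Baseline single-scan JPEGs
only; sample image and disk sectors are constructed."""
import struct

SECTOR = 512


def check_jpeg(data):
    """Return (status, offset, reason): 'complete', 'incomplete' (still a
    consistent prefix) or 'invalid' with the offset the check failed at."""
    if len(data) < 4 or data[:3] != b"\xff\xd8\xff":
        return "invalid", 0, "no SOI marker"
    pos = 2
    while True:                                  # marker segments up to SOS
        if pos + 4 > len(data):
            return "incomplete", pos, "segment header truncated"
        if data[pos] != 0xFF:
            return "invalid", pos, "expected marker"
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            return "invalid", pos, "marker 0x%02x not allowed here" % marker
        seglen, = struct.unpack_from(">H", data, pos + 2)
        if seglen < 2:
            return "invalid", pos + 2, "bad segment length"
        pos += 2 + seglen
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            break
        if pos > len(data):
            return "incomplete", len(data), "segment 0x%02x truncated" % marker
    while pos < len(data):                       # any 0xFF must be escaped, RSTn or EOI
        if data[pos] != 0xFF:
            pos += 1
            continue
        if pos + 1 >= len(data):
            return "incomplete", pos, "0xFF at end of data"
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2
        elif nxt == 0xD9:
            return "complete", pos + 2, "EOI"
        else:
            return "invalid", pos, "marker 0x%02x inside scan data" % nxt
    return "incomplete", pos, "EOI not reached"


def carve_from_stub(stub, sectors):
    """Greedy trial: append later sectors in disk order, keeping one only if
    the candidate stays a consistent JPEG; stop at the first complete file.
    Returns (bytes, indexes of sectors used)."""
    data, used = bytes(stub), []
    for i, sec in enumerate(sectors):
        status, _, _ = check_jpeg(data + sec)
        if status == "invalid":
            continue
        data, used = data + sec, used + [i]
        if status == "complete":
            break
    return data, used


def build_sample_jpeg():
    """Constructed JPEG: SOI, JFIF APP0, SOS, 1300 bytes of scan data with an
    escaped 0xFF and one RST0 marker, then EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = bytearray((i * 37 + 11) % 255 for i in range(1300))   # never 0xFF
    scan[100:102] = b"\xff\x00"
    scan[600:602] = b"\xff\xd0"
    return b"\xff\xd8" + app0 + sos + bytes(scan) + b"\xff\xd9"


def build_sample_disk():
    """The JPEG split into three 512 byte sectors A, B, C with two foreign
    sectors between them: another JPEG's header and an erased flash block.
    Returns (original jpeg, stub A, [sectors after A in disk order])."""
    jpeg = build_sample_jpeg()
    padded = jpeg + bytes(-len(jpeg) % SECTOR)
    a, b, c = (padded[i:i + SECTOR] for i in range(0, len(padded), SECTOR))
    other_header = b"\xff\xd8\xff\xe1" + bytes(SECTOR - 4)
    erased_flash = b"\xff" * SECTOR
    return jpeg, a, [other_header, b, erased_flash, c]
```

Both foreign sectors are rejected because they contain 0xFF followed by something other than an escape or marker. A sector of plain text with no 0xFF in it would pass this byte-level test, which is exactly the false match problem the Data Carving page describes; a production carver has to go further (decoding the Huffman stream, checking MCU boundaries) to reject those.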

XML Forensic Report

The forensic report produces a comprehensive summary of any recovery. It gives details of all operations performed on a disk. In a typical case a forensic recovery may consist of disk imaging, and also recovery by possibly more than one method. All these results can be grouped into a single, comprehensive report.

The report is saved as an XML document (with an XSL style sheet) so that it can be edited and customised in Word, or just viewed using a web browser such as Internet Explorer. To copy the report to a different PC, it is essential to also copy for_report.xsl from the style subdirectory.

The job name and operator are entered on the first CnW screen. It is a good discipline to set this up for each new job. However, as jobs can be selected by hand in the operations list box, this is not essential.

The details included in the report are as below.

Disk report
The disk report is a very simple summary of the job. It includes the date and time of the operation, disk format and recovery mode, the media type (e.g. disk, file image) and the media serial number.

Disk imaging
For disk imaging, the start and end sectors are displayed, along with the MD5 hash value. This can be very useful if the image was not complete and is part of an incremental backup.

Disk recovery details
This section gives the basic details of the recovery. It includes which options were used, and basic file system parameters such as cluster size and MFT start location.

Extension to signature match
This section lists all file extensions found on the disk and correlates them with the file signatures found. For a disk in good condition, for a known file type such as .jpg, one would expect all files to have the known signature. If this is not the case it indicates either a different file type, or that the files have been corrupted (or maybe deleted).

This report will highlight files that have incorrect signatures for their extension. It could be a deliberately renamed file in an attempt to hide it. Thus if JPEGs were renamed .doc, there would be a lot of .docs with failed signatures. There are three possible results of this test:

Signature match - the extension matches the signature of the file
Signature different - the extension does not match the signature found, i.e. a file signature has been found, but not the one for this extension
Signature unknown - the extension does not have a known signature

Deleted file overwriting
When a file is deleted the area can be overwritten by a later file. This part of the report tests each file where the signature and extension do not match and finds whether another file has been written over the start of the deleted file. If so, the deleted file name, the overwriting file name and the date of the overwriting file are displayed. To keep the report a sensible length, .tmp files are not tested.

Signature to extension test
This report is similar to the report above, but starts from the file signature rather than the extension. Again, it is useful in finding renamed file extensions. If JPEG files were renamed .doc, this report would show a lot of JPEGs with the wrong extension.

Keyword details
If keywords have been searched for, the Keyword details give a brief summary. They show the keyword, along with the number of files it has been found in and the total number of instances.
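An added example of the two signature tests (written for this page; not CnW Recovery's report generator, and the signature table is a short illustrative one). It classifies each file into the three results listed above, counts them per extension, and runs the reverse lookup from signature to extension so that a renamed JPEG shows up as such. The file names and leading bytes are constructed.

```python
"""Added example (not CnW Recovery's code): the extension-to-signature and
signature-to-extension tests of the forensic report, over constructed files
given as (name, leading bytes)."""
import os

# extension -> acceptable leading bytes (offset 0).  Illustrative subset only.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"], "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"], "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"], "docx": [b"PK\x03\x04"],
    "doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "xls": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    "exe": [b"MZ"], "dll": [b"MZ"],
}


def _ext(name):
    return os.path.splitext(name)[1].lstrip(".").lower()


def identify(head):
    """Signature to extension: which extensions' signatures match these bytes."""
    return sorted({ext for ext, sigs in SIGNATURES.items()
                   if any(head.startswith(s) for s in sigs)})


def classify(name, head):
    """Extension to signature: 'match', 'different' or 'unknown'."""
    ext = _ext(name)
    if ext not in SIGNATURES:
        return "unknown"
    if any(head.startswith(s) for s in SIGNATURES[ext]):
        return "match"
    return "different"


def extension_report(files):
    """Per-extension counts of the three results, plus the list of files whose
    bytes do not fit their extension and what the bytes do look like."""
    counts, suspects = {}, []
    for name, head in files:
        res = classify(name, head)
        counts.setdefault(_ext(name), {"match": 0, "different": 0, "unknown": 0})[res] += 1
        if res == "different":
            suspects.append((name, identify(head) or ["no known signature"]))
    return counts, suspects


# constructed sample: one good JPEG, one JPEG whose start was overwritten with
# zeros, one genuine Word file, one JPEG renamed .doc, and a text file
SAMPLE_FILES = [
    ("DCIM/IMG_0001.jpg", b"\xff\xd8\xff\xe1\x10\x00Exif"),
    ("DCIM/IMG_0002.jpg", b"\x00\x00\x00\x00\x00\x00\x00\x00"),
    ("Documents/report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("Documents/holiday.doc", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"Meeting notes"),
]
```

The suspects list is the renamed-file view: holiday.doc comes back as a JPEG, while IMG_0002.jpg carries no known signature at all, which in the real report is the cue for the deleted file overwriting test.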

NSRL Hash tables

The NSRL (National Software Reference Library) publishes extensive hash tables of known files. To assist with forensic recovery it can be useful to eliminate any known file that has not been changed: there is no point checking a Microsoft system file if it is exactly as it came out of the box. By checking the hash value it can be confirmed that the file has not been altered in any way.

To generate a CnW recovery table it is first necessary to download the 4 zipped ISO image files from the NSRL web site. These are shown as disc_1, disc_2, disc_3 and disc_4; currently they are named RDS_229_A (B, C and D). CnW will then read from the ISO images, unzip them and extract just the required MD5 hashes. This is followed by a sort, after which the temporary files are cleaned up. The final stage copies the sorted MD5 hash table to the correct directory for selection within the file filter. The data stored is sorted binary records, each record 0x10 (16) bytes long.

NB: the process requires about 5GB of free disk space. This tool is part of the Forensic option package.

Disk scan

The disk scan function (forensic option only) will scan a disk sector by sector and indicate where data has been stored. There are several categories of data it will detect, which can be selected by the user.

The serial number is the drive serial number as set by the manufacturer. This should be a unique number. The drive reference is made up of the drive name and serial number, and is used by default for the report name.

The types of sector detected are:

Blank sector - there is no data in this sector
Bad sector - the sector was unreadable
Partition start - a sector such as a partition sector or BPB
Directory - e.g. an MFT entry or a FAT directory
File start - a recognisable signature has been found
Text data - the data is largely text
Compressed data - the data is largely compressed. This could be JPEGs, video files, ZIP files and sometimes programs (.exe, .dll etc.)

When a check box is selected or changed, the display is updated, so the colour of each data type can be seen clearly.

When the cursor is clicked on the chart, the left hand box is filled in with possible file start data. In the example above it shows XML and WP4 amongst others. The number is the hex value of the sector analysed.

As an optional feature when scanning, a disk image can also be created. Unlike the standard disk image function it does not pad the file when the sector range does not start at

zero. It means that this method of imaging is not suitable for incremental imaging. As the function makes a lot of use of parallel processing, it is fast.

Create report
When the disk is scanned, the basic results are stored in the log, mainly in the forensic section. An XML report is also generated automatically. It is stored in the log directory, typically c:\cnwdata\reports. The report can be viewed using Internet Explorer; the associated style sheet (disk_report.xsl) is also required. The report displays the basic information and (soon) will display images of the distribution of each type of sector found.

Virtual disk image

CnW Recovery will read virtual disk images as part of the forensic option. The virtual disk image is selected as an image file and is recognised because the start sector has the signature 'KDMV', i.e. "VMDK" stored little endian. The routine in V3.62 handles disk images up to 2GB in length; this limit will be increased in later releases.

The format works by having a look up table that allocates space to the data. Thus the VMDK image file may be considerably smaller than the disk image it represents. The file format is defined by the VMware Virtual Disk Format 1.1 specification.
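An added example of that look up table in action (written for this page, not CnW Recovery's reader): it parses the SparseExtentHeader from the VMware Virtual Disk Format 1.1 specification, then resolves a logical sector through grain directory and grain table to the grain that holds it, returning zeros for grains that were never written. The extent is constructed in memory: a 512 MiB disk represented by a 131 KB file with only two grains allocated.

```python
"""Added example (not CnW Recovery's code): read a logical sector out of a
VMDK sparse extent by walking grain directory -> grain table -> grain.
Header layout is the SparseExtentHeader of the VMware Virtual Disk Format
1.1 specification; the extent below is constructed in memory."""
import struct

SECTOR = 512
VMDK_MAGIC = 0x564D444B           # the bytes 'K','D','M','V' read little endian
HDR = "<IIIQQQQIQQQBccccH"        # SparseExtentHeader without its 433 pad bytes


def parse_sparse_header(blk):
    f = struct.unpack_from(HDR, blk, 0)
    if f[0] != VMDK_MAGIC:
        raise ValueError("not a VMDK sparse extent")
    return {"version": f[1], "flags": f[2], "capacity": f[3], "grain_size": f[4],
            "descriptor_offset": f[5], "descriptor_size": f[6], "gtes_per_gt": f[7],
            "rgd_offset": f[8], "gd_offset": f[9], "overhead": f[10],
            "unclean_shutdown": f[11], "compress": f[16]}


def read_logical_sector(img, lba):
    """Return (512 bytes, physical sector in the file or None if never written)."""
    h = parse_sparse_header(img[:SECTOR])
    if lba >= h["capacity"]:
        raise ValueError("sector beyond capacity")
    grain = lba // h["grain_size"]
    gd_index, gt_index = divmod(grain, h["gtes_per_gt"])
    gt_sector, = struct.unpack_from("<I", img, h["gd_offset"] * SECTOR + 4 * gd_index)
    if gt_sector == 0:
        return bytes(SECTOR), None               # no grain table: nothing written here
    grain_sector, = struct.unpack_from("<I", img, gt_sector * SECTOR + 4 * gt_index)
    if grain_sector == 0:
        return bytes(SECTOR), None               # unallocated grain reads as zeros
    phys = grain_sector + lba % h["grain_size"]
    return img[phys * SECTOR:(phys + 1) * SECTOR], phys


def build_sample_extent():
    """Constructed extent: capacity 0x100000 sectors (512 MiB), 128 sector
    grains, 512 entries per grain table.  Grain directory at sector 1, one
    grain table at sectors 2-5, grains 0 and 1 allocated at sectors 6 and 134.
    The whole file is 262 sectors."""
    cap, grain_size, gtes = 0x100000, 128, 512
    img = bytearray(SECTOR * 262)
    struct.pack_into(HDR, img, 0, VMDK_MAGIC, 1, 3, cap, grain_size, 0, 0, gtes,
                     0, 1, 6, 0, b"\n", b" ", b"\r", b"\n", 0)
    struct.pack_into("<I", img, 1 * SECTOR, 2)             # GD[0] -> grain table at sector 2
    struct.pack_into("<I", img, 2 * SECTOR + 4 * 0, 6)     # grain 0 -> sector 6
    struct.pack_into("<I", img, 2 * SECTOR + 4 * 1, 134)   # grain 1 -> sector 134
    img[11 * SECTOR:11 * SECTOR + 4] = b"LBA5"             # LBA 5 lives at 6 + 5
    img[136 * SECTOR:136 * SECTOR + 6] = b"LBA130"         # LBA 130 lives at 134 + 2
    return bytes(img)
```

The grain table entries are 32-bit sector numbers, so the format itself addresses far more than the 2GB that V3.62 handles; that limit is one of the reader, not of VMDK.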

Forensic analysis tips

Once a disk has been read, further analysis is often required. The following notes cover a few tools that could be used to help analyse certain files and logs. The ones mentioned are free and are included only because they have been used and found useful. There is no relationship between CnW and the companies mentioned.

LogFileParser
This program produces a range of .csv files from the $LogFile and the USN journal. It works with files that CnW will recover, named and located as below: $LogFile, typically recovered as c:\$LogFile.

RegRipper
This program expands the structure of several system files, such as the registry hives (NTUSER.DAT), into text files.

File Selection

The file filter is a group of functions that allow only certain files to be recovered, or files that are not required to be skipped:

Overview
File extension selection
Date selection
Directory selection
File name selection
File selection based on MD5
File size selection
Import list of file names
Coming soon - file content selection

The file filter is an option of most recovery functions, e.g. FAT, NTFS, Data carving etc.

Overview
The file selection menu allows users to select files as they are being restored, based on several criteria such as date, type of file, file name etc. A file selection may be made up of several different tests, so it could be based on a mixture of date and file extension while at the same time skipping very short files. Users can create many file selection profiles, and then use the relevant one for each type of job.

To create a new profile, just type the name required in the box underneath Create New Profile. Once there is a name, Create New Profile may be used to initialise the file filter and enable new entries to be made.

The operation is in two sections. First a detailed selection has to be made, by selecting the relevant configuration function, such as Date Configure... The actual function then has to be

enabled by checking the relevant check box. In this way, filter routines may be built up and used in different ways. Thus it is possible to have one requirement that selects on directories and dates, while another job wants the same directories but no dates.

File extension selection

A very useful feature when recovering files is to recover just the required ones, based on file extension. With this, categories of files can be either recovered or skipped. Two simple examples could be to recover all photos, or to recover all files that are not programs.

To recover all photos, either the JPEG option or All Images could be selected. In many cases the result will be the same, but All Images will also recover BMP files and other known image formats, such as specialised camera formats.

The Select all buttons are for quick selection of various types of files. The extensions they select are listed below:

Select all images: JPG and JPEG, BMP, GIF, TIF and TIFF
Select all movies: AVI, MPG and MPEG, MOV
Select all programs: EXE, COM, DLL, OCX
Select all sound: MP3, MP4, WAV, WMV

The lower list box is used to enter any other extensions, up to 15 characters in length. To add a new extension, use the Add extension button and then enter the text.

Date selection

These options allow files to be selected by any of the creation, modified or accessed dates. There are 4 modes in which date selection may be used, for each or all of the three date types. Date selection is based on days; any hours or minutes are ignored.

Date earlier than. When this flag is selected, a file is selected if the date is earlier than the left hand date in the dialog box. I.e. if the date displayed is March 23rd, then any file dated March 22nd or earlier will be copied.

Date later than. When this flag is selected, a file is selected if the date is later than the Late date. If the late date is set to March 31st 2003, all files dated April 1st 2003 or later will be selected and copied.

Directory selection options for data recovery

This option optionally selects the directories to restore or skip. Any number of directories may be entered, and wild cards used to help define them. It is very flexible, and it is not necessary to define the complete directory path or file names. The use of \ and * is best described by examples. All strings are case insensitive, but directories are shown in capitals just for ease of display.

To copy or skip all files from a root directory ROOTDIR: \ROOTDIR
To copy or skip all files beneath a directory WORKINGDIR: WORKINGDIR (nb, it does not start with a \)
To copy or skip files beneath directories containing the string CAT: *CAT*
To copy or skip all files beneath directories starting with DOG: DOG*

A directory name can be a series of subdirectories, such as \ROOT\SECOND_DIR\WILD*

File name selection

Files may be selected based on file name. With this option the directory is irrelevant, although it will work in conjunction with the directory selection routines. File names can use the standard wild characters * and ? to match the required name.

File selection based on MD5 value

Files can be selected or skipped based on the value of their MD5 hash. To use this function, a file has to be selected that contains a list of MD5 entries. Useful files are ones that list all standard hash values for the files within an operating system. The structure of the file is an ASCII list of hash values, each terminated by a CRLF; the file name is not actually relevant. CnW software will test, and if need be sort, the file before using it, so it is possible to append multiple files together. To automate this procedure, the NSRL hash tables may be downloaded and saved for CnW use (see NSRL Hash tables).

There are two options that may be taken when a file is detected that matches a hash value within the list: it may either be copied or skipped. By using a hash list of standard operating system files, only changed or user files will be restored. For a forensic investigation this can save a considerable amount of time.

It should be noted that CnW Recovery software works with MD5 hashes rather than SHA-1. Although it could be argued that SHA-1 is more secure, for practical purposes the difference is not significant: no accidental MD5 clash is known to have been detected. Bear in mind, however, that MD5 collisions can be manufactured deliberately, so where an adversary may have planted files the SHA-1 values that the NSRL also publishes should be cross-checked rather than relying on MD5 alone.

MD5 Table structure
The MD5 file can be in two possible formats. The program analyses the data and selects the correct format to use. In each case the table must be sorted, with the lowest values stored at the start of the file.

ASCII format. In this mode the file is entirely ASCII, with each line being 32 characters terminated by CRLF. This is an easy format to generate from some published MD5 tables.

Binary format. In this mode the data is straight binary, with each record being 16 (0x10) bytes long and no record terminator. The advantage of this record type is a slightly faster running time and a smaller file on the hard drive. The NSRL download function produces this style of table, which is less than 300MB in length (Jan 2011).
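An added example covering both this page and the NSRL Hash tables page (written for this page, not CnW's code): it converts an ASCII list of 32 hex characters per line into the sorted binary form of 16 byte records, tells the two formats apart the way the program has to, and looks a file up by binary search to decide copy or skip. Sorting is what makes the binary search possible, and de-duplication is what lets several published lists simply be appended before loading. The "known file" contents are constructed stand-ins.

```python
"""Added example (not CnW's code): build a sorted binary MD5 table (16 byte
records, no terminator, lowest value first) from an ASCII list of 32 hex
characters per line, tell the two formats apart, and look a file up with a
binary search to decide copy or skip.  Known-file contents are constructed."""
import binascii
import bisect
import hashlib

REC = 16
HEX = b"0123456789abcdefABCDEF"


def table_format(data):
    """ASCII: 32 hex characters then CRLF (or LF); binary: raw 16 byte digests."""
    if len(data) >= 32 and all(c in HEX for c in data[:32]) and \
            (len(data) == 32 or data[32] in b"\r\n"):
        return "ascii"
    if data and len(data) % REC == 0:
        return "binary"
    raise ValueError("unrecognised MD5 table")


def load_table(data):
    """Digests as a sorted, de-duplicated list of 16 byte records."""
    if table_format(data) == "ascii":
        recs = [binascii.unhexlify(ln.strip()) for ln in data.splitlines() if ln.strip()]
    else:
        recs = [data[i:i + REC] for i in range(0, len(data), REC)]
    return sorted(set(recs))


def to_binary_table(recs):
    return b"".join(recs)


class HashFilter:
    """mode 'skip': files in the table are skipped (drop unchanged OS files);
    mode 'copy': only files in the table are copied (hunting for known hashes)."""

    def __init__(self, recs, mode="skip"):
        self.recs, self.mode = recs, mode

    def known(self, digest):
        i = bisect.bisect_left(self.recs, digest)    # O(log n) on the sorted table
        return i < len(self.recs) and self.recs[i] == digest

    def action(self, content):
        hit = self.known(hashlib.md5(content).digest())
        if self.mode == "skip":
            return "skip" if hit else "copy"
        return "copy" if hit else "skip"


# constructed stand-ins for unchanged operating system files; the ASCII list
# is written unsorted and with one duplicate line, as appended lists would be
KNOWN_FILES = [b"kernel32 contents", b"ntdll contents", b"driver contents"]
ASCII_LIST = b"".join(hashlib.md5(f).hexdigest().encode() + b"\r\n"
                      for f in KNOWN_FILES + KNOWN_FILES[:1])
```

The binary table is exactly the 16 bytes per entry the NSRL page describes; for the published RDS sets the same code applies, only the list is millions of lines long.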

File size selection for selective file recovery

These options allow files to be selected based on their file size. All size matching is actually done on the selected size in bytes. To make the entry of numbers easy, the units may be selected as Bytes, KB, MB or GB. If the unit is changed, the display is updated to match the new unit. Thus 2KB, when changed to bytes, will display as 2048. Going the other way, 2000 bytes will display as 1KB, and is actually truncated to 1024 bytes.

There are 6 radio buttons that choose the mode of selection:

Select files less than
Any file less than the size in the top box will be selected. If the box is displaying 1500 bytes, then files of 1499 bytes will be selected, but 1500 bytes will not be selected.

Skip files less than
Any file less than the size in the top box will be skipped. If the box is displaying 2500 bytes, then files of 2499 bytes will be skipped, but 2500 bytes will not be skipped.

Select files between
Any file greater than or equal to the value in the top box and less than or equal to the value in the bottom box will be selected. In the display above, a file of 150K would be selected, 800K would not be selected.

Skip files between
Any file greater than or equal to the value in the top box and less than or equal to the value in the bottom box will be skipped. In the display above, a file of 600K would be skipped, 100K would be selected.

Select files greater than
Any file greater than the size in the lower box will be selected; a file exactly equal to that size will not be selected.

Skip files greater than
Any file greater than the size in the lower box will be skipped; a file exactly equal to that size will not be skipped.
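As an added example tying the directory, file name and size pages together (written for this page, not CnW's filter code), the following builds a small selection profile with the exact boundaries stated above: less than and greater than are strict, between is inclusive at both ends, and all comparisons are in bytes after the unit conversion. The directory semantics are my reading of the examples on the Directory selection page (a leading backslash anchors the pattern at the root, otherwise it matches a directory name at any depth); the file list is constructed.

```python
"""Added example (not CnW's filter): a file selection profile with the
directory, file name and size rules described on the preceding pages.
Every rule takes (path, size) and returns True to select the file."""
import fnmatch

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def size_rule(mode, value, units="bytes", upper=None):
    """The six radio button modes, with the page's boundary behaviour."""
    lo = value * UNITS[units]
    hi = None if upper is None else upper * UNITS[units]
    checks = {"select_less": lambda s: s < lo,
              "skip_less": lambda s: s >= lo,
              "select_between": lambda s: lo <= s <= hi,
              "skip_between": lambda s: not lo <= s <= hi,
              "select_greater": lambda s: s > lo,
              "skip_greater": lambda s: s <= lo}
    check = checks[mode]
    return lambda path, size: check(size)


def _dirs(path):
    return path.upper().split("\\")[1:-1]        # '\A\B\f.txt' -> ['A', 'B']


def directory_rule(patterns):
    """'\\ROOTDIR' anchors at the root; '\\ROOT\\SECOND_DIR\\WILD*' anchors a
    path prefix; 'WORKINGDIR', '*CAT*', 'DOG*' match a directory at any depth.
    Case insensitive, like the product's own matching."""
    pats = [p.upper() for p in patterns]

    def rule(path, size):
        dirs = _dirs(path)
        for p in pats:
            if p.startswith("\\"):
                parts = p[1:].split("\\")
                if len(dirs) >= len(parts) and all(
                        fnmatch.fnmatchcase(d, q) for d, q in zip(dirs, parts)):
                    return True
            elif any(fnmatch.fnmatchcase(d, p) for d in dirs):
                return True
        return False
    return rule


def name_rule(patterns):
    """File name only, with * and ? wild cards; the directory is ignored."""
    pats = [p.upper() for p in patterns]
    return lambda path, size: any(
        fnmatch.fnmatchcase(path.upper().split("\\")[-1], p) for p in pats)


def apply_profile(files, rules):
    """A file is copied only when every enabled rule selects it."""
    return [path for path, size in files if all(r(path, size) for r in rules)]


# constructed file list: (path, size in bytes)
FILES = [("\\ROOTDIR\\a.doc", 3000),
         ("\\ROOTDIR\\SUB\\b.jpg", 150 * 1024),
         ("\\OTHER\\WORKINGDIR\\c.jpg", 800 * 1024),
         ("\\OTHER\\CATALOG\\d.txt", 100),
         ("\\DOGS\\e.jpg", 2500)]
```

Combining rules is an AND, which mirrors the check boxes: a profile with a directory rule and a name rule recovers only JPEGs beneath \ROOTDIR.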

Import List

Import list enables the user to import a list of files to be selected.

RAID Drives

Over the years several types of RAID have been developed. RAID stands for Redundant Array of Inexpensive Disks. The basic reason is to allow a large amount of storage on disk drives while being tolerant of disk failure without losing any data. There is always a trade off between performance, cost and the degree of failure tolerated. There are several basic standards, but also many proprietary variations. CnW Recovery concentrates on the most common standards with its optional RAID recovery option. Please contact CnW for details of purchase. To evaluate the RAID option as part of the demo, enter the code 'RAID' in the registration code (rather than 'DEMO').

To use the RAID option there are two stages: the first is to configure the RAID, and the second is to select the RAID and perform a recovery just as with a standard drive, i.e. a RAID acts logically in the same way as a single drive.

RAID recovery is often required when a RAID controller fails, or after an unsuccessful rebuild when a faulty drive is replaced. The CnW Recovery tools will assist in all cases where data can still be recovered. The basic RAID standards in common use are as below.

RAID 0
It is often argued that RAID 0 is not actually a RAID, as it has no redundancy. Data is striped between two or more disks. It is a method by which two 500GB disks can be made to look logically like a 1TB disk. With a suitable drive controller both disks can be used at once, and so it can be faster than a single disk. Failure of a single disk means that 50% of the data is lost; if a stripe is, say, 128KB long, then only some files shorter than 128KB will be recoverable. If there is a partial failure of one disk, CnW Recovery software will produce good results.

RAID 1
RAID 1 is 100% redundancy. The disk is mirrored totally. If one disk fails, the data is still on the other. With a good hardware controller, performance will be the same as a normal disk. With a software controller, speed will suffer.
RAID 4
RAID 4 is the same as RAID 5 below, except that the parity stripe is always on a fixed drive rather than rotating. It is just as secure, but not always as fast. For reading, the RAID 5 routines will work, but parity will be on just one drive.

RAID 5
RAID 5 has at least 3 disks, where the equivalent of one disk is parity. This will accept a single disk failure without losing any data. Data is stored in stripes (maybe 128KB blocks at a time), the parity is calculated, and written on the remaining disk. It is common for the parity to be written on different disks for different stripes, and so for a 4 disk array the data may be organised, for example, as below (stripe numbers are data stripes, P is the parity stripe of that row):

1 2 3 P
4 5 P 6
7 P 8 9
P 10 11 12

For reading, performance is good, but when writing a single sector it is necessary to also read the other unchanged sectors on the same stripe, and then update the parity sector. Thus what was a single write on a normal disk becomes 2 reads and 2 writes. This can

be done in software with a device driver, but for high performance a hardware controller is required.

RAID 6
RAID 6 is similar to RAID 5 except there are two parity stripes per row. This means that recovery is possible even if two drives fail. It can be used on 4 or more drives. The complex aspect is that the pattern used can be very varied. For this reason, on RAID 6 a CnW option of 'Variations' can be specified; this is for when there is not a single pattern but several.

JBOD
Just a Bunch Of Disks. This is the description given to multiple disks operating as a single logical drive. This may or may not include redundancy. One example is the HP Media Vault, which has the string "Broadcom NAS Version 1.1 MBR Tag" at the start of disk 1. This is normally a ReiserFS disk stored on several sections of multiple disks. A specific mode of JBOD has been added in CnW to handle these disks.

RAID Recovery
There are a few approaches to RAID recovery. Depending on the application, and maybe forensic requirements, the disks may be read directly, or converted to a flat image to be processed in the same way as a single disk. The software is very flexible in how disks may be read, either as a physical disk or as an image file, even an image stored over a network. A completely failed disk can be marked as missing.

Variations
Variations is an option for when the RAID configuration pattern is longer than expected. For instance, with a 4 drive RAID 6 one would expect 3 rows of configuration, such as:

1 2 P P
4 P P 3
P P 5 6

The possible problem with this configuration is that drives 1 and 4 could see twice as many disk accesses as drives 2 and 3. Thus the pattern actually found on one system repeated over 24 stripes (12 rows) rather than 6 stripes (3 rows), with the parity positions rotated so that each drive carried an equal share. To enter this with CnW it is necessary to set the variations value to 4, and fill in all 12 rows of data and parity positions (other RAIDs may have different configurations). The variation value gives the number of repetitions of the basic pattern: for most drives it will be 1, but in the example above it was 4.
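The following added example (written for this page, not CnW's RAID code) makes the pattern tables concrete. It parses a table written the way this manual writes them, maps a logical stripe to its (disk, row) position, reads a stripe back, rebuilding it by XOR of the rest of the row when its disk is marked missing, and flattens the array into the single-disk image the recovery then works on. A longer table is just a table with more rows, which is what the Variations setting allows. The 4 disk RAID 5 array below is constructed from a 96 byte test pattern with 4 byte stripes.

```python
"""Added example (not CnW's RAID code): map logical stripes on to (disk, row)
positions from a parity pattern table written the way this manual writes
them, read stripes back with XOR rebuild when a disk is missing, and flatten
the array.  The array is constructed from a 96 byte test pattern."""

PATTERN_4_DISK_RAID5 = """
1 2 3 P
4 5 P 6
7 P 8 9
P 10 11 12
"""


def parse_pattern(text):
    """Rows of 1-based stripe numbers with 'P' for parity."""
    return [[tok if tok == "P" else int(tok) for tok in line.split()]
            for line in text.strip().splitlines()]


def stripe_map(rows):
    """logical stripe (0-based, within one repetition) -> (disk, row)."""
    return {tok - 1: (disk, r) for r, row in enumerate(rows)
            for disk, tok in enumerate(row) if tok != "P"}


def locate(rows, logical):
    """The table repeats every len(rows) rows.  A 12 row table entered with
    variations = 4 is simply a longer 'rows' here."""
    m = stripe_map(rows)
    rep, idx = divmod(logical, len(m))
    disk, r = m[idx]
    return disk, rep * len(rows) + r


def _xor(chunks, size):
    out = bytearray(size)
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def read_stripe(disks, rows, logical, stripe_size):
    """disks: list of bytes, or None for a failed/missing drive (RAID 5
    tolerates one).  Missing data is rebuilt from the other stripes of the row."""
    disk, row = locate(rows, logical)
    off = row * stripe_size
    if disks[disk] is not None:
        return disks[disk][off:off + stripe_size]
    others = [d for i, d in enumerate(disks) if i != disk]
    if any(d is None for d in others):
        raise ValueError("two drives missing: RAID 5 cannot rebuild")
    return _xor((d[off:off + stripe_size] for d in others), stripe_size)


def flatten(disks, rows, stripe_size, n_stripes):
    """The flat image that is then processed like a single disk."""
    return b"".join(read_stripe(disks, rows, i, stripe_size) for i in range(n_stripes))


def build_array(rows, data, stripe_size):
    """Constructed array: lay the data out per the table and compute parity
    as the XOR of the data stripes in each row."""
    n_disks, m = len(rows[0]), stripe_map(rows)
    n_stripes = len(data) // stripe_size
    total_rows = -(-n_stripes // len(m)) * len(rows)
    disks = [bytearray(total_rows * stripe_size) for _ in range(n_disks)]
    for i in range(n_stripes):
        disk, row = locate(rows, i)
        disks[disk][row * stripe_size:(row + 1) * stripe_size] = \
            data[i * stripe_size:(i + 1) * stripe_size]
    for row in range(total_rows):
        pdisk = rows[row % len(rows)].index("P")
        chunks = [disks[d][row * stripe_size:(row + 1) * stripe_size]
                  for d in range(n_disks) if d != pdisk]
        disks[pdisk][row * stripe_size:(row + 1) * stripe_size] = _xor(chunks, stripe_size)
    return [bytes(d) for d in disks]
```

If the wrong table is chosen, flatten still returns bytes of the right length but in the wrong order, which is the "if the selected pattern is wrong, so will be the data" warning in practice; only the file system checks described later reveal the mistake.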

RAID drive selection

There are three menus required to set up a RAID for CnW Recovery. The first is drive selection, the second is the configuration, and the third is for JBODs.

To create a new configuration, enter the required name in the New Configuration box, then select 'Create'. At this point select the number of drives, and then enter details for each drive. A drive can be either:

A physical drive
A file image
Defined as missing - only relevant for RAID 5

The example above is for 4 disk images. It is not essential to select the drives in the correct order, as the analysis will determine this. However, if the order is known, it makes manual analysis rather easier.

The RAID type is selected on this screen, and then the relevant configuration screen can be accessed to set up details of stripes etc.

RAID configuration

The configuration of a RAID is very important. It can be done manually, but typically CnW automatic analysis will assist. The areas that need to be configured for the RAID are:

Analyse
RAID type
Volume start location
Stripe size
Disk sequence and pattern used
Stripe variations (normally 1)

Some NAS drives start with all drives mirrored, i.e. in RAID 1 configuration. The first part of the analysis is to detect this type of drive, and if found it will automatically set the volume start location to the detected value. For instance, on a LaCie 2big drive it will be set to 0x1ea43d.

The analyse function is designed to save a large amount of evaluation and testing. Once the drives have been selected, it goes through a series of tests which determine the following parameters:

RAID type, currently RAID 0 and RAID 5
The stripe size, which could be 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400 or 0x800 sectors

The process works in several stages (currently just for NTFS disks, but other formats will be developed):

Find the MBR to establish where partitions start, and the type of partition
Find the BIOS Parameter Block (BPB) to establish the location of the MFT
Find MFT entries on each disk to determine the stripe size
Analyse MFT entries to determine the stripe order
Save the new parameters with the RAID configuration

The analyse function will try to determine if the RAID is known to the software, in which

case the parameters will be loaded automatically.

Work out values by hand
Configuring a RAID is not easy. A good knowledge of file systems helps, along with being very comfortable reading hex dumps. As a hint, the most useful type of file is a sequential file where the sequence is clear, and very often the best example of this is the $MFT. A $MFT may not be totally sequential, but the MFT record number (MFT REF) is a good number that increments with most MFT entries. By looking at this value one can very quickly determine the stripe size, and then try to determine the sequence between drives.
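An added example of the MFT-based analysis just described (written for this page, not CnW's analyser). Every 1024 byte FILE record carries its own record number at offset 0x2C, so on a striped volume the numbers run consecutively inside a stripe and jump at each stripe boundary; the spacing of the jumps is the stripe size, and the record number at the start of a given row on each disk gives the disk order. A disk whose stripe in that row holds parity (RAID 5) has no FILE record there and is reported as None. The three-disk RAID 0 image is constructed with the disks deliberately selected in the wrong order.

```python
"""Added example (not CnW's analyser): recover stripe size and disk order
from $MFT record numbers, as the analyse step and the 'work out values by
hand' note describe.  Constructed images; 1 KB MFT records."""
import struct

REC = 1024


def mft_records(disk):
    """(offset, record number) for each FILE record at 1 KB alignment; the
    number is the MFT REF in the record header at offset 0x2C."""
    return [(off, struct.unpack_from("<I", disk, off + 0x2C)[0])
            for off in range(0, len(disk) - REC + 1, REC) if disk[off:off + 4] == b"FILE"]


def stripe_size_from_mft(disk):
    """Record numbers increment by one inside a stripe and jump at a stripe
    boundary; the spacing of those jumps is the stripe size in bytes.
    Needs at least two jumps, i.e. the $MFT must span three stripes of the disk."""
    recs = mft_records(disk)
    jumps = [b_off for (a_off, a), (b_off, b) in zip(recs, recs[1:]) if b != a + 1]
    if len(jumps) < 2:
        return None
    return min(j2 - j1 for j1, j2 in zip(jumps, jumps[1:]))


def disk_order(disks, stripe_bytes, row=0):
    """Order the drives by the record number at the start of the given row.
    A drive with no FILE record there (parity on RAID 5, or the $MFT does
    not reach it) is listed last with None."""
    firsts = []
    for d, disk in enumerate(disks):
        off = row * stripe_bytes
        n = struct.unpack_from("<I", disk, off + 0x2C)[0] if disk[off:off + 4] == b"FILE" else None
        firsts.append((n is None, n, d))
    return [(d, n) for _, n, d in sorted(firsts)]


def build_striped_mft(order, stripe_bytes, n_records):
    """Constructed RAID 0: records 0..n-1 written in stripes, the stripes
    handed round the disks in the order given (e.g. [1, 2, 0] means disk 1
    holds stripe 0, disk 2 stripe 1, disk 0 stripe 2, then round again)."""
    n_disks = len(order)
    per_stripe = stripe_bytes // REC
    n_stripes = -(-n_records // per_stripe)
    rows = -(-n_stripes // n_disks)
    disks = [bytearray(rows * stripe_bytes) for _ in range(n_disks)]
    for n in range(n_records):
        s = n // per_stripe
        disk = order[s % n_disks]
        off = (s // n_disks) * stripe_bytes + (n % per_stripe) * REC
        rec = bytearray(REC)
        rec[:4] = b"FILE"
        struct.pack_into("<I", rec, 0x2C, n)
        disks[disk][off:off + REC] = rec
    return [bytes(d) for d in disks]
```

On a real array the same two functions are run on the sectors following the $MFT start found from the BPB; with RAID 5 the parity disk changes from row to row, so disk_order is repeated for a few rows to recover the whole rotation pattern.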

RAID boxes and configurations

There are many RAID systems on the market. They are often a small box with 2-8 drives in it, often used as a NAS (Network Attached Storage) device. Many of these systems actually contain a processor and a Linux operating system, which then controls a RAID 5 controller. To make the system slightly more complex for recovery, the disks may be in multiple partitions, so that Linux can be booted, with a large partition where user data is stored. From the host PC the NAS just looks like a logical drive that will store files. The host has no knowledge of how files are stored, which could be using any file system, though XFS does seem fairly common on new devices.

Determining the layout of a RAID is not trivial, as it requires knowledge of file systems and RAID structure. The following parameters have to be determined:

Stripe size
Stripe configuration
RAID start location

Stripes
The stripe size is often the easiest to work out by hand. It is easiest to locate a long text file; it will then be clear when the text is not contiguous (allowing for file fragmentation). Typical stripe sizes are 0x80 and 0x100 sectors, though this can range from maybe 0x8 to 0x4000.

Configuration
The stripe configuration can be very difficult unless, again, there are some long, unfragmented text files. With a text file it is often easy to confirm that data is correct over a stripe boundary. Trial and error may be required, and for a 4 drive RAID 5 patterns such as the following two may be seen (data stripes numbered, P for parity), differing in whether numbering continues straight across the row or wraps after the parity stripe:

1 2 3 P        1 2 3 P
4 5 P 6        5 6 P 4
7 P 8 9        9 P 7 8
P 10 11 12     P 10 11 12

If the selected pattern is wrong, so will be the data.

RAID start location
Not all RAIDs are the same throughout the whole area of the disk. A common exception is to store the Linux operating system files on all disks, i.e. as a RAID 1 configuration. The RAID 5 will then start at a location later on the disk. To handle this, the RAID 1 area can be ignored and the RAID set to start at a defined location.

Preconfigured RAID setups
To assist with reading proprietary RAIDs, certain setups will be distributed with the software.
This will be if nthing else a basis fr cnfiguratin, and any parameter may be changed. p210

RAID JBOD

Just a Bunch Of Disks are a series of disks configured so that they act as a single disk. Technically they are not a RAID because there is no redundancy, but for convenience they are referred to as RAIDs. CnW allows the user to select physical areas of the disk and then treat them as a logical device. The simplest configuration would be just appending the second (and third) disks to each previous one. Each disk can be set to have a logical stripe, and the length of the stripe. A stripe need not fill a disk, and there can be multiple stripes on a disk, not necessarily in sequence.

The example shown below is based on a Broadcom NAS Version 1.1 set of disks. With a Broadcom disk the setup was as follows. The parameters are set as above. When the drive was selected as RAID, sector 0 will display the string "BrcmSeMagicStr". Sector 0x80 will then show the Reiser SuperBlock with ReIsEr2Fs starting in byte 0x34. It may be necessary to set the partition to Reiser in the partitions option screen.

The Broadcom values are extracted from sector 0x1 (starting at 0x0):

[hex dump of sector 1 of the first disk]

The dump above is for the first disk and the start sector in row 2 is 0x… with a length of 0x22DB7EE0. The first 2 start and length values are for control data, rather than user data.

For disk two, there have been a few variations seen:

[hex dump of sector 1 of the second disk, showing three start/length pairs]

The data above apparently has three sections, but from experimentation the first one was not used. On another disk seen, the second disk had only a single section of data, with its data in the first 16 bytes of sector 2.

Volume Start

p211

The volume start is normally set to zero, but on some RAID systems the RAID configuration starts at a certain sector. Typically, all sectors before this point are RAID-1, ie mirrored between drives.

Analyse..

The analyse feature is currently for HP Media Vault disks. It will try and configure the disks and section starts based on the meta data stored on the drives.

p212

Typical RAID setup parameters

There are many off the shelf RAID systems on the market. CnW will handle a lot of systems, but sometimes working out the parameters can be complex. The list below is from actual RAID systems. These may not be typical values but can be used as a starting point for working out the drive setup. For many configurations, the start of the drive is actually RAID 1 (ie all disks have the same information) and then the data section is in RAID 0, RAID 5 etc.

Internal Apple RAID 0 with 3 drives
Stripe size 64 sectors (32K)
RAID 0, disk order 2,3,1
Volume start location 0x64028
File system HFS+

Lacie 2Big NAS with 2 drives, RAID 0
Stripe size 128 (64K)
RAID 0, disk order 1,2
Volume start location 0x1ea43d
File system XFS

p213

HP Mediavault recovery

The HP Mediavault is a fairly common RAID system. It is more common for the RAID controller to fail than the disks. Thus the user ends up with a pair of good disks, but no means to read them. With the CnW RAID option, it is often possible to recover all of the files from the Reiser FS disk drives. To enable the RAID option on the demo program, please contact CnW at info@cnwrecovery.com

How to recognise the disks?

HP Media Vault disks have a non standard boot sector, ie sector 0. A typical boot sector is shown below:

[hex dump of sector 0, containing the text 'Broadcom NAS Version 1.1 MBR Tag' and 'SYSTEM']

The important part of the boot sector is the string 'Broadcom NAS Version 1.1 MBR Tag'. However, it is quite common for boot sectors to be overwritten by well meaning people trying to create a valid boot sector. Thus sector 1 can also be examined and is quite distinctive. Examples of sector 1 are shown below:

Disk 1

[hex dump of sector 1 of disk 1]

Disk 2

[hex dump of sector 1 of disk 2, showing three start/length pairs]

The sectors above have two pieces of information, the start of a section and the length. The numbers are big endian, 64 bit numbers. Disk 1 typically starts with 2 control sections, followed by data section(s).

Configurations

The Broadcom is meant to come in various configurations, including RAID 1 and JBOD. For RAID 1, both disks should be identical and so can be read without the RAID option. For RAID 1, the total capacity will be the same as a single drive. Both drives will need to be the same capacity.

JBOD is when disks are added, maybe separately, and the total capacity is nearly the same as the two drives added together. Drives can be different capacities. To read this type of drive, the RAID JBOD option is required.

The final configuration is as two separate drives. For this the RAID option is not required and CnW will read each disk as a Reiser drive.

To recover HP MediaVault JBOD

The first stage is to create a new RAID configuration and give it a name (such as Broadcom, or HPVault). Enter the drives being used - or drive images - along with the number of drives. Also set the configuration to be JBOD.

p214

Select the JBOD configuration screen and select Analyse. This should fill in the location boxes and lengths. The configuration is now complete, so select "2: - RAID" as the drive type. Select Recover, and if all is OK, the Reiser FS format should be seen and the Unix options screen will be displayed. Select the location for the data to be recovered to, and press OK.

p215
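The hint given earlier (a sequential file such as the $MFT gives away the stripe size and the disk sequence) can be turned into a small script. The following is an added example, not CnW's code: it constructs a three-disk RAID 0 in which every sector carries a sequence number standing in for the MFT REF, infers the stripe size and disk order from one disk, and rebuilds the volume. The layout values (stripe of 8 sectors, disk order 2,3,1, volume start at sector 4) are invented for the example.

```python
import struct

SECTOR = 512


def record_id(disk, sector):
    """Constructed sample: every sector carries a 32-bit sequence number at offset 0.
    On a real volume the incrementing MFT record number plays this role."""
    return struct.unpack_from("<I", disk, sector * SECTOR)[0]


def infer_stripe(disk, volume_start, limit=4096):
    """Stripe size in sectors: follow the sequence from the first stripe on this disk and
    stop at the first jump, where the disk's next stripe holds a later piece of the file."""
    prev = record_id(disk, volume_start)
    for n in range(1, limit):
        cur = record_id(disk, volume_start + n)
        if cur != prev + 1:
            return n
        prev = cur
    raise ValueError("no stripe boundary within %d sectors" % limit)


def infer_order(disks, volume_start, stripe):
    """Disk order (1-based, as the manual lists it): the disk whose first stripe holds the
    lowest sequence number is first, the next lowest second, and so on."""
    firsts = sorted((record_id(d, volume_start), i + 1) for i, d in enumerate(disks))
    ids = [v for v, _ in firsts]
    if any(b - a != stripe for a, b in zip(ids, ids[1:])):
        raise ValueError("first stripes are not %d sectors apart: wrong stripe size?" % stripe)
    return [i for _, i in firsts]


def assemble_raid0(disks, stripe, order, volume_start):
    """Rebuild the logical volume. Logical stripe k is on disk order[k % n] at sector
    volume_start + (k // n) * stripe. Sectors before volume_start are the RAID 1 region
    (identical on all disks) and are copied from the first disk."""
    n = len(disks)
    out = bytearray(disks[0][:volume_start * SECTOR])
    per_disk = (len(disks[0]) // SECTOR - volume_start) // stripe
    for k in range(per_disk * n):
        src = disks[order[k % n] - 1]
        off = (volume_start + (k // n) * stripe) * SECTOR
        out += src[off:off + stripe * SECTOR]
    return bytes(out)


def build_sample(stripe=8, order=(2, 3, 1), volume_start=4, stripes_per_disk=5):
    """Constructed 3-disk RAID 0; the layout values are invented for this example."""
    n = len(order)
    logical = b"".join(struct.pack("<I", s).ljust(SECTOR, b"\xee")
                       for s in range(stripe * stripes_per_disk * n))
    raid1 = b"\x55".ljust(SECTOR, b"\x00") * volume_start   # same boot area on every disk
    disks = [bytearray(raid1) for _ in range(n)]
    for k in range(stripes_per_disk * n):
        disks[order[k % n] - 1] += logical[k * stripe * SECTOR:(k + 1) * stripe * SECTOR]
    return [bytes(d) for d in disks], raid1 + logical


if __name__ == "__main__":
    disks, expected = build_sample()
    stripe = infer_stripe(disks[0], 4)
    order = infer_order(disks, 4, stripe)
    print("stripe 0x%x sectors, disk order %s" % (stripe, order))
    print("volume rebuilt correctly:", assemble_raid0(disks, stripe, order, 4) == expected)
```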

Fragmented files

Most file systems will at some time or another create files that are not sequential. The best file systems work hard to prevent or reduce the number of fragmented files, but ultimately, with a fairly full disk and a large file, there are no longer contiguous areas to save the file. The other common reason for fragmented files is files that grow. These growing files could be logs, or maybe systems which expand every day.

Symptoms of fragmented files

If a file has been fragmented, then the start will look OK, ie the signature will be valid; however it is unlikely that the end of the file will be in the correct location. If a fragmented photo is viewed, then it will almost certainly be incomplete. Often the bottom of the picture will be blank, or possibly show parts of different pictures. For a video, most will not play unless the complete video and control data is present. CnW has several file validate routines to check the integrity of files and determine if defragmenting is relevant.

How to process fragmented files

When doing a recovery using a logical file system such as NTFS or XFS, all fragmentation is taken care of by the file system handler. For deleted NTFS, it is also normal for the fragmentation information to be retained. The problem comes with deleted FAT disks and those disks that have no file system information left. FAT is not used much on PC hard drives these days, but is very common on memory chips, cameras and videos, and also often on external USB drives. The links below indicate how each type of fragmented file should be processed using CnW Recovery and data carving.

AVCHD - high resolution video
AVI video
3GP, FTYP, MOV, MP4 video
JPEG Photos
Zip, DOCX, XLSX, ODT files
White paper on topic

Non video files

CnW will process fragmented JPEGs. The results are best from a camera memory device as hard drives tend to be rather large and JPEGs can get scattered a lot. CnW has routines for ZIP and Word but they have not been developed to a very high level.

Fragmented 3GP/MP4 files reconstruction

3GP/MP4 Files

p216

3GP/MP4 are all part of the QuickTime file structure. A QuickTime file has three main elements:
ftyp - the file header
moov - file meta data
mdat - the file video and audio data

Logically, the main file can be either of the two sequences below:
ftyp-mdat-moov or ftyp-moov-mdat

The format is very common with current disk or memory chip video recorders (rather than mini DVD recorders). Most recorders use FAT32 as the file system, which means that when deleted, the files may be fragmented.

Why are 3GP/MP4 files fragmented?

The two main reasons why the files are fragmented are either general FAT32 fragmentation, or the way they have been recorded. When an individual file, or group of files, is deleted on FAT32 there is an area of unallocated data space. New files will be written to this space but if larger than the first gap, the file will be split into two or more fragments. The chaining is controlled by the FAT (file allocation table) and so is invisible to the user. When files are deleted, so is the relevant allocation information in the FAT, and so recovery from data carving is not immediately possible.

The second reason for fragmentation is rather more obscure. When a video is recorded the mdat segment takes most space, but is continuously indexed by the moov segment. Until recording is finished, the size of the moov and mdat segments is unknown. The mdat segment is large and so cannot be cached in camera memory and must be written directly to the disk. The moov segment contains many atoms that have pointers to the mdat, and these pointers are often absolute values from the start of the main file. Different camera manufacturers have devised different approaches to the problem. These are outlined below and automatically detected by CnW Recovery software to reconstruct the fragmented files.

mdat-ftyp-moov

In this format the camera records the mdat straight to the disk, and when finalised the header and moov segments are added to the next cluster after the mdat. By manipulating the FAT, logically the file will look like ftyp-moov-mdat. If a standard program tries data carving, then the incorrect ftyp-moov will be applied to the following mdat and the video will not play. CnW data carving and fragment processing takes care of this issue.

ftyp - preallocated moov - mdat - trak

In the above approach an attempt to pre-allocate the moov area is used. The moov area is allocated an area at the start of the file and the large atoms, such as 'stsz', all start on cluster boundaries. These atoms are then padded with a 'free' atom so that they remain cluster sized. For some reason, on one example seen, the audio 'trak' atom is stored after the full mdat segment.

General defragmentation recovery

The examples above show fragmentation in a known pattern. General defragmentation

p217

shows no such patterns and processing is more complex. It falls into two main stages with the assumption that all data is present.

Recovery when there is no moov segment

If the camera is switched off before recording has finished, or maybe dropped or the battery removed, then cases can exist where there is a mdat segment but no moov segment. CnW has a solution for this that will work with certain file types (but currently not all). The technique used is to take a known good file and extract the moov fragment as a template. This will give fixed values for the camera, and then the variables, eg stsz tables, are reconstructed. This technique does require knowledge of each type of codec used. For this reason, not every MP4 can currently be recovered this way, but the list is growing. CnW are happy to add support for anyone who has a failed file and can provide a complete file from the same camera.

p218

Typical 3GP corruptions

3GP files can be corrupted for several reasons. This page will describe some of the common reasons, and how they can be reconstructed.

Reconstruction after file deletion

Unfinalised

Video camera files are not typically found unfinalised, but it could happen if there was a camera failure, or maybe the memory chip or battery was removed before completion. The most likely indication of this would be an 'mdat' segment length of zero. This means that it is very likely that the 'moov' segment has not been written.

The solution to the above is to create a new moov segment. As the possible variations are very large, the approach does require a sample valid file, from which the moov parameters can be analysed and used. CnW software will automatically scan the media for a suitable file and use it. The approach does require the locations of each frame to be found by parsing the mdat segment. Frames are indicated in several ways depending on which codec has been used to record the video. The codec will be determined from the sample moov segment in the sample file.

p219
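The atom walk described on these pages, as an added example that is not CnW's code: it lists the top-level atom order, flags an unfinalised file (zero-length mdat or no moov), checks that the stco chunk offsets land inside the mdat (the test a moov applied to the wrong mdat fails), and rebuilds an mdat-ftyp-moov recording into the logical ftyp-moov-mdat order. The sample files, the 0x800 byte cluster and the single stco track are constructed for the example; real moov atoms carry many more atoms than this.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}   # atoms that hold other atoms


def atom(kind, payload=b"", *children):
    """Constructed atom: 32-bit big-endian size, 4 byte type, then payload and children."""
    body = payload + b"".join(children)
    return struct.pack(">I4s", 8 + len(body), kind) + body


def iter_atoms(data, off=0, end=None):
    """Yield (type, start, size, header length) for the atoms between off and end. A size of 0
    means 'to the end of the file' (the unfinalised mdat above); 1 means a 64-bit size follows."""
    end = len(data) if end is None else end
    while off + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, off)
        hdr = 8
        if size == 1:
            size, hdr = struct.unpack_from(">Q", data, off + 8)[0], 16
        elif size == 0:
            size = end - off
        yield kind, off, size, hdr
        if size < hdr:
            break                                  # corrupt size: stop rather than loop forever
        off += size


def find_atoms(data, wanted, off=0, end=None):
    """Depth-first search through the container atoms for every atom of type `wanted`."""
    hits = []
    for kind, start, size, hdr in iter_atoms(data, off, end):
        if kind == wanted:
            hits.append((start, size, hdr))
        elif kind in CONTAINERS:
            hits += find_atoms(data, wanted, start + hdr, start + size)
    return hits


def layout(data):
    """Top-level order such as 'ftyp-moov-mdat', or 'unfinalised' when the mdat has a zero
    size or no moov was written (the camera-failure case described above)."""
    tops = list(iter_atoms(data))
    kinds = [k.decode("latin-1") for k, _, _, _ in tops]
    zero_mdat = any(k == b"mdat" and struct.unpack_from(">I", data, s)[0] == 0 for k, s, _, _ in tops)
    return "unfinalised" if zero_mdat or "moov" not in kinds else "-".join(kinds)


def chunk_offsets_ok(data):
    """Every stco chunk offset is absolute from the file start and must fall inside the mdat;
    a moov carved onto the wrong mdat fails this check."""
    mdat = [(s, z) for k, s, z, _ in iter_atoms(data) if k == b"mdat"]
    if not mdat:
        return False
    lo, hi = mdat[0][0], mdat[0][0] + mdat[0][1]
    for start, size, hdr in find_atoms(data, b"stco"):
        count = struct.unpack_from(">I", data, start + hdr + 4)[0]     # after version/flags
        offsets = struct.unpack_from(">%dI" % count, data, start + hdr + 8)
        if any(not lo <= o < hi for o in offsets):
            return False
    return True


def reassemble_mdat_first(carved, cluster):
    """The mdat-ftyp-moov layout: the run starts with the mdat and the ftyp + moov were written
    to the next cluster after it. Return the logical ftyp-moov-mdat file."""
    kind, _, size, _ = next(iter_atoms(carved))
    if kind != b"mdat":
        raise ValueError("carved run does not start with an mdat atom")
    tail = -(-size // cluster) * cluster              # first cluster boundary after the mdat
    head = b"".join(carved[s:s + z] for k, s, z, _ in iter_atoms(carved, tail) if k in (b"ftyp", b"moov"))
    if b"moov" not in head:
        raise ValueError("no ftyp/moov found in the cluster after the mdat")
    return head + carved[:size]


def build_samples(cluster=0x800):
    """Constructed camera files: stco offsets are computed for the logical ftyp-moov-mdat order,
    and the 'carved' copy is laid out mdat first with ftyp + moov in the following cluster."""
    ftyp = atom(b"ftyp", b"mp42\0\0\0\0mp42isom")
    chunks = [b"\x11" * 300, b"\x22" * 500]
    def moov_for(offsets):
        stco = atom(b"stco", struct.pack(">II%dI" % len(offsets), 0, len(offsets), *offsets))
        return atom(b"moov", b"", atom(b"trak", b"", atom(b"mdia", b"", atom(b"minf", b"", atom(b"stbl", b"", stco)))))
    data_start = len(ftyp) + len(moov_for([0, 0])) + 8      # first byte after the mdat header
    moov = moov_for([data_start, data_start + len(chunks[0])])
    mdat = atom(b"mdat", b"".join(chunks))
    logical = ftyp + moov + mdat
    carved = mdat.ljust(-(-len(mdat) // cluster) * cluster, b"\0") + ftyp + moov
    wrong = ftyp + moov + atom(b"mdat", b"\x33" * 100)        # moov applied to someone else's mdat
    unfinalised = ftyp + struct.pack(">I4s", 0, b"mdat") + chunks[0]   # no moov, mdat size 0
    return dict(logical=logical, carved=carved, wrong=wrong, unfinalised=unfinalised)
```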

Fragmented Zip and DOCX files

Zip files are used both for general archives, preparing to send multiple files, but also as storage for current word processing packages. The current packages are Office 2007 and later, and Open Office .ODT files. The reason for the zip framework is that a .docx file is based on several XML files that are very verbose, and easily compressed. Thus a file that would be maybe 100K is reduced to nearer 10K. Thus zipping the files saves space, and also reduces the chance that the file will be fragmented. If fragmented, the CnW data carving function will recover many such files, and the process is described briefly below.

Zip files are fairly straightforward to defragment as they have a well defined data structure, helped by sections with pointers and lengths. As mentioned above, many DOCX files are fairly small, and will not be fragmented more than a few times at worst - the exception is when they have embedded photos.

The Zip file structure

The basic file structure is well documented (… is one such link), so the following is just a brief outline.

File signature

The basic signature is 'PK' followed by 0x03 0x04, which is a local file header.

[hex dump of a local file header followed by the start of the compressed data]

0x00 local file header signature 4 bytes (PK 0x03 0x04)
0x04 version needed to extract 2 bytes
0x06 general purpose bit flag 2 bytes
0x08 compression method 2 bytes
0x0a last mod file time 2 bytes
0x0c last mod file date 2 bytes
0x0e crc-32 4 bytes
0x12 compressed size 4 bytes
0x16 uncompressed size 4 bytes
0x1a filename length 2 bytes
0x1c extra field length 2 bytes
filename (variable size)
extra field (variable size)

The example above shows that the compressed size of the file is 0x3b57 and the uncompressed size is 0xa068. The file name is 0x18 bytes long and so the compressed string starts at location 0x1e (length of header) + 0x18 (name length), ie offset 0x36. As we know that this section is 0x3b57 bytes long, the next PK header will be at location 0x3b57 + 0x36, ie 0x3b8d.

On a fragmented file, the technique is to search for a PK header which has an offset within a cluster of 0x3b8d. Thus for a cluster size of 0x4000 bytes, it would be at offset 0x3b8d, but for a cluster size of 0x1000 bytes, the offset would be 0xb8d. With a limited number of Zip files, the chance of a mismatch is limited. The header sumcheck can be verified to make sure it is a valid PK header.

[hex dump around offset 0x3b80: a new PK local header appears at 0x3b8d]

p220

As can be seen, a new PK header is found in the correct location. This process can be continued through the file.

Central Register

Towards the end of the file a central register is stored. This is a directory of all files within the Zip file.

[hex dump of the first central file header, the name ending in 'mimetype' and the next PK signature visible]

0x00 central file header signature 4 bytes (PK 0x01 0x02)
0x04 version made by 2 bytes
0x06 version needed to extract 2 bytes
0x08 general purpose bit flag 2 bytes
0x0a compression method 2 bytes
0x0c last mod file time 2 bytes
0x0e last mod file date 2 bytes
0x10 crc-32 4 bytes
0x14 compressed size 4 bytes
0x18 uncompressed size 4 bytes
0x1c filename length 2 bytes
0x1e extra field length 2 bytes
0x20 file comment length 2 bytes
0x22 disk number start 2 bytes
0x24 internal file attributes 2 bytes
0x26 external file attributes 4 bytes
0x2a relative offset of local header 4 bytes
0x2e filename (variable size)
extra field (variable size)
file comment (variable size)

The central register can be used to verify the file structure and that all elements are present and correct. If there is an error, then it is likely that somewhere there has been a false positive match.

Final header

The final header is basically a pointer to the start of the central register.

end of central dir signature 4 bytes (PK 0x05 0x06)
number of this disk 2 bytes
number of the disk with the start of the central directory 2 bytes
total number of entries in the central dir on this disk 2 bytes
total number of entries in the central dir 2 bytes
size of the central directory 4 bytes
offset of start of central

p221

directory with respect to the starting disk number 4 bytes
.zip file comment length 2 bytes
.zip file comment (variable size)

[hex dump of the end of the file: the last central entry, name ending 'styles.xml', followed by the PK 0x05 0x06 end record]

CnW Zip Recovery

The CnW routine can be called after the data carving has detected corrupted - possibly fragmented - Zip files. It will run the above techniques to scan the hard drive / memory chip for fragments that fit the zip file.

p222
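As an added example (not CnW's routine), the following Python follows local headers through a fragmented image the way the text describes: it computes where the next PK header must be and, when it is not there, tries every PK signature at the same offset within a cluster, letting the crc-32 decide which cluster continues the entry; the central register is then cross-checked against the local headers. The three-file ZIP, its cluster layout and the 0x1000 byte cluster size are constructed for the example.

```python
import io
import random
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, END_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # the 30 byte local header laid out above

def parse_local_header(data, off):
    """(data start, compressed size, method, crc-32) for the header at data[off], else None."""
    if data[off:off + 4] != LOCAL_SIG or len(data) < off + LOCAL_HDR.size:
        return None
    _, _, flags, method, _, _, crc, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, off)
    if flags & 0x08 or method not in (0, 8) or not 0 < nlen < 512:
        return None   # sizes not in the header, odd method or silly name length: false positive
    return off + LOCAL_HDR.size + nlen + xlen, csize, method, crc

def entry_ok(data, dstart, csize, method, crc):
    """Check an entry's payload against the crc-32 stored in its local header."""
    raw = bytes(data[dstart:dstart + csize])
    try:
        plain = raw if method == 0 else zlib.decompress(raw, -15)
    except zlib.error:
        return False
    return len(raw) == csize and zlib.crc32(plain) == crc

def carve_zip(image, start, C):
    """Rebuild the ZIP whose first local header is at cluster-aligned `start`. Clusters are taken as
    contiguous until an entry's crc-32 fails or the next header is missing; then every PK signature
    at the same offset within a cluster is tried as the continuation, with crc-32 deciding."""
    chain = [start // C]              # physical cluster index of each logical cluster
    good, lpos = 1, 0                 # trusted prefix length, logical offset of current header
    def view(ch):
        return b"".join(image[c * C:(c + 1) * C] for c in ch)
    def extend(ch, n):                # assume contiguity until proven otherwise
        ch.extend(range(ch[-1] + 1, ch[-1] + 1 + n - len(ch)))
    while True:
        extend(chain, (lpos + LOCAL_HDR.size + 512) // C + 1)
        data = view(chain)
        if data[lpos:lpos + 4] == CENTRAL_SIG:
            break                     # all entries done, the central register follows
        hdr = parse_local_header(data, lpos)
        if hdr is None:
            raise ValueError("no plausible local header at logical offset 0x%x" % lpos)
        end = hdr[0] + hdr[1]         # where the next PK header must begin
        ln, r = divmod(end, C)
        extend(chain, ln + 1)
        data = view(chain)
        if entry_ok(data, *hdr) and data[end:end + 4] in (LOCAL_SIG, CENTRAL_SIG):
            good, lpos = ln, end
            continue
        for p in range(r, len(image) - 4, C):          # same offset within a cluster
            if image[p:p + 4] not in (LOCAL_SIG, CENTRAL_SIG):
                continue
            for b in range(good, ln + 1):              # logical cluster where the break was
                first = p // C - (ln - b)
                trial = chain[:b] + list(range(first, p // C + 1))
                if first >= 0 and len(set(trial)) == len(trial) and entry_ok(view(trial), *hdr):
                    chain, good, lpos = trial, ln, end
                    break
            else:
                continue
            break
        else:
            raise ValueError("no fragment continues the entry at 0x%x" % lpos)
    for _ in range(len(image) // C):  # central register and end record assumed contiguous
        data = view(chain)
        e = data.find(END_SIG, lpos)
        if e != -1 and len(data) >= e + 22:
            return data[:e + 22 + struct.unpack_from("<H", data, e + 20)[0]]
        extend(chain, len(chain) + 1)
    raise ValueError("end of central directory record not found")

def central_matches(data):
    """Cross-check the central register against the local headers it points to."""
    n, _, pos = struct.unpack_from("<HII", data, data.rfind(END_SIG) + 10)
    for _ in range(n):
        if data[pos:pos + 4] != CENTRAL_SIG or pos + 46 > len(data):
            return False
        crc, _, _, nlen, xlen, clen = struct.unpack_from("<IIIHHH", data, pos + 0x10)
        hdr = parse_local_header(data, struct.unpack_from("<I", data, pos + 0x2A)[0])
        if hdr is None or hdr[3] != crc:
            return False
        pos += 46 + nlen + xlen + clen
    return True

def build_fragmented_image(C=0x1000):
    """Constructed sample: a 3-entry ZIP scattered over a random image in three fragments."""
    rnd = random.Random(7)
    with zipfile.ZipFile(buf := io.BytesIO(), "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(3):
            z.writestr("docs/file%d.bin" % i, bytes(rnd.getrandbits(8) for _ in range(9000)))
    zdata = buf.getvalue()
    nclust = -(-len(zdata) // C)
    layout = [3, 4, 9, 10, 11] + list(range(15, 10 + nclust))    # logical -> physical cluster
    image = bytearray(rnd.getrandbits(8) for _ in range(C * (layout[-1] + 2)))
    for l, p in enumerate(layout):
        image[p * C:(p + 1) * C] = zdata[l * C:(l + 1) * C].ljust(C, b"\0")
    return bytes(image), layout[0] * C, C, zdata
```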

Recognising Sectors

An important part of data recovery is being able to recognise important system sectors. For an experienced investigator this becomes second nature, but for anyone starting with data recovery it can be rather daunting. This section gives sample dumps of critical sectors and indicates where they will be found, and their function. With the exception of the Master Boot Record, each sector type is specific to an operating system, although there can be similarities.

Master Boot Record
GUID Sectors - as on many Macintosh systems
BIOS Parameter Block
FAT directory entry
NTFS Directory entry, MFT
Disk clusters - how to work out their size
VMFS sectors

Master Boot Record

The sector below is a typical master boot record, ie sector 0 of a disk.

[hex dump of sector 0: boot code starting 33 C0, the messages 'Invalid partition table', 'Error loading operating system' and 'Missing operating system', the partition table at 0x1BE, and 55 AA at the end]

The boot sector has three main sections, described as follows. The first section is optional, and includes all bytes up to 0x1BE. This is code that is used for a

p223

disk to boot from and is blank for non bootable disks, such as camera memory chips. The boot data can be different for each machine, but typically it does start with the same sequence, such as 0x33 0xc0. It is also typical, as above, to have some text as possible warning messages.

The final two bytes of the sector must be 0x55 0xAA. This is the same as several other operating system control sectors.

The most important area of the boot sector is the partition map starting at location 0x1BE. There are in fact 4 possible tables, each of 16 bytes in length. See Partition Table Structure for full details. The points to look for to recognise the block are that it always ends with 0x55 0xAA and there are 1-4 partition records starting at 0x1BE.

p224

GUID Partition sectors

GUID Master Boot Records are standard - as in Master Boot Record - but the partition table entry is rather different. The partition type, as described in byte 4, is set to 0xEE and the partition start, bytes 8-11, is normally set to 1. Sector 1 then has the complete partition information.

Sector 0

[hex dump of sector 0: a single partition entry at 0x1BE with type byte 0xEE and start sector 1, ending 55 AA]

Sector 1, Partition table header

[hex dump of sector 1, starting with the string 'EFI PART']

The rest of the sector is all zeros.

The sector always starts with the string EFI PART followed by the version number (1) and record length (0x5c).
Offset 0x18 gives the location of this sector (1)
Offset 0x20 is the offset of the spare EFI header (0x1d1c59ef)
Offset 0x28 is the start of the data area of the disk (0x22), normally just after the partition entries
Offset 0x48 is the start of the partition entries, normally 2

Sectors 2-33, Partition entries

[hex dump of sector 2: the first partition entry, type GUID 16 E3 C9 E3 5C 0B B8 4D ...]

p225

[hex dump of sectors 2-3 continued: the two 0x80 byte partition entries, with the UTF-16 names 'Microsoft reserved partition' and 'Basic data partition']

EFI stands for Extensible Firmware Interface. EFI is designed to improve upon the existing partition table design, which in particular has a 32 bit limit on sector numbers. 32 bit addressing will allow for 2TB of disk. Although this is not a problem at the moment, 1TB disks are becoming common, and 2TB are just being announced. The address fields are now 64 bit rather than 32 bit. This will give a few years grace in capacity.

Sector 2 and following sectors describe each partition type. Rather than a single byte, a GUID is used. Each partition is described by a 0x80 (128) byte record, and so in the example above there are two partitions. The first one, 16 E3 C9 E3 5C 0B B8 4D 81 7D F9 2D F0 02 15 AE, is a reserved Microsoft partition. It starts at sector 0x22 and has a length of 0x40021. The second partition is Microsoft Data, and can be a normal NTFS partition. The GUID is A2 A0 D0 EB E5 B9 33 44 87 C0 68 B6 B7 26 99 C7 and the starting sector is 0x…. The length is 0x15d512fff sectors, or about 2.9TB. It shows that this value is greater than 32 bits, and hence the requirement for the EFI partition data.

A GUID is a Globally Unique ID. These are numbers which should be unique. A series of such numbers have been defined for different types of disk partition, eg Microsoft Data Partition, Apple HFS+. There are also defined numbers for Linux, Solaris, HP-UX. CnW currently recognises a few of these, but the list will grow. The second 16 bytes of a partition entry is a GUID for the specific drive. This can be treated as a unique partition serial number.

p226
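An added example, not the manual's code, that reads constructed sectors 0 to 33 the way the text above walks through them: the 0x55 0xAA check and the 0xEE protective entry, then the EFI PART header (with its crc-32 verified, a check the text does not mention) and the 0x80 byte entries with the two Microsoft type GUIDs. The page's values are used for the first partition (start 0x22, 0x40021 sectors) and for the second partition's length; its start LBA, the unique partition GUIDs and the disk GUID are invented.

```python
import struct
import uuid
import zlib

MBR_SIG, GPT_SIG = b"\x55\xaa", b"EFI PART"
# partition type GUIDs named on the page; stored mixed-endian on disk, hence bytes_le below
TYPE_NAMES = {uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae"): "Microsoft reserved",
              uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"): "Microsoft basic data"}


def parse_mbr(sector):
    """The used 16 byte partition records at 0x1BE; a missing 0x55 0xAA marker is an error."""
    if len(sector) != 512 or sector[510:] != MBR_SIG:
        raise ValueError("sector 0 does not end with 0x55 0xAA")
    parts = []
    for i in range(4):
        rec = sector[0x1BE + 16 * i:0x1CE + 16 * i]
        start, count = struct.unpack_from("<II", rec, 8)
        if rec[4]:                                   # type byte 0 = unused slot
            parts.append(dict(bootable=rec[0] == 0x80, type=rec[4], start_lba=start, sectors=count))
    return parts


def parse_gpt_header(sector):
    """Decode the header at sector 1 and verify its crc-32 (offset 0x10, computed with that field zeroed)."""
    if sector[:8] != GPT_SIG:
        raise ValueError("no EFI PART signature")
    revision, size, crc = struct.unpack_from("<III", sector, 8)
    if zlib.crc32(sector[:0x10] + b"\0\0\0\0" + sector[0x14:size]) != crc:
        raise ValueError("GPT header crc-32 mismatch")
    my_lba, alt_lba, first_usable, last_usable = struct.unpack_from("<QQQQ", sector, 0x18)
    entries_lba, n_entries, entry_size, array_crc = struct.unpack_from("<QIII", sector, 0x48)
    return dict(revision=revision, size=size, my_lba=my_lba, alt_lba=alt_lba,
                first_usable=first_usable, last_usable=last_usable,
                disk_guid=uuid.UUID(bytes_le=sector[0x38:0x48]), entries_lba=entries_lba,
                n_entries=n_entries, entry_size=entry_size, array_crc=array_crc)


def header_valid(sector):
    try:
        parse_gpt_header(sector)
        return True
    except ValueError:
        return False


def parse_gpt_entries(array, hdr):
    """Decode the 0x80 byte records from sector 2 on; all-zero type GUIDs are empty slots."""
    used = array[:hdr["n_entries"] * hdr["entry_size"]]
    if zlib.crc32(used) != hdr["array_crc"]:
        raise ValueError("partition array crc-32 mismatch")
    parts = []
    for i in range(hdr["n_entries"]):
        rec = used[i * hdr["entry_size"]:(i + 1) * hdr["entry_size"]]
        type_guid = uuid.UUID(bytes_le=rec[:16])
        if type_guid.int == 0:
            continue
        first, last = struct.unpack_from("<QQ", rec, 0x20)
        parts.append(dict(type=TYPE_NAMES.get(type_guid, str(type_guid)),
                          unique=uuid.UUID(bytes_le=rec[16:32]), first_lba=first,
                          sectors=last - first + 1,
                          name=rec[0x38:0x80].decode("utf-16-le").rstrip("\0")))
    return parts


def parse_disk(disk, sector_size=512):
    """MBR records, then the GPT header and entries when the protective 0xEE entry is present."""
    mbr = parse_mbr(disk[:sector_size])
    if not any(p["type"] == 0xEE for p in mbr):
        return mbr, None, []
    hdr = parse_gpt_header(disk[sector_size:2 * sector_size])
    return mbr, hdr, parse_gpt_entries(disk[hdr["entries_lba"] * sector_size:], hdr)


def build_sample_disk():
    """Constructed sectors 0-33: the page's MS reserved partition (start 0x22, 0x40021 sectors) and
    a basic data partition of 0x15d512fff sectors; its start LBA and all unique GUIDs are invented."""
    mbr = bytearray(b"\x33\xc0Invalid partition table".ljust(0x1BE, b"\0"))
    mbr += b"\0\0\x02\0\xee\xff\xff\xff" + struct.pack("<II", 1, 0xFFFFFFFF)   # protective entry
    mbr = mbr.ljust(510, b"\0") + MBR_SIG
    entries = bytearray(128 * 128)
    plan = [("e3c9e316-0b5c-4db8-817d-f92df00215ae", 0x22, 0x40021, "Microsoft reserved partition"),
            ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 0x40043, 0x15d512fff, "Basic data partition")]
    for i, (guid, first, count, name) in enumerate(plan):
        rec = uuid.UUID(guid).bytes_le + uuid.UUID(int=0x1234 + i).bytes_le
        rec += struct.pack("<QQQ", first, first + count - 1, 0) + name.encode("utf-16-le").ljust(72, b"\0")
        entries[i * 128:(i + 1) * 128] = rec
    hdr = bytearray(512)
    struct.pack_into("<8sIII", hdr, 0, GPT_SIG, 0x00010000, 0x5C, 0)
    struct.pack_into("<QQQQ", hdr, 0x18, 1, 0x1d1c59ef, 0x22, 0x1d1c59ce)
    hdr[0x38:0x48] = uuid.UUID(int=0xabcdef).bytes_le
    struct.pack_into("<QIII", hdr, 0x48, 2, 128, 128, zlib.crc32(bytes(entries)))
    struct.pack_into("<I", hdr, 0x10, zlib.crc32(bytes(hdr[:0x5C])))
    return bytes(mbr) + bytes(hdr) + bytes(entries)
```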

BIOS Parameter Block BPB

The partition boot sector contains the BIOS Parameter Block, which is used to define the details of a logical partition. The sector is pointed to from the entry in the partition table. A very common location for the first BPB on a disk is sector 0x3F (63). For camera memory chips, sector 0x20 (32) is also common.

[hex dump of an NTFS boot sector: 'NTFS' at byte 3, boot code with the messages 'A disk read error occurred', 'NTLDR is missing', 'NTLDR is compressed' and 'Press Ctrl+Alt+Del to restart', ending 55 AA]

Another example

[hex dump of a FAT16 boot sector: 'MSDOS5.0' at byte 3, the volume label 'NO NAME' and the string 'FAT16']

Two easy points to help recognise the sector are the terminating 0x55 0xAA characters, but also the operating system name starting at byte 3. In the examples above these are NTFS and MSDOS5.0. For FAT disks, you also expect to see FAT12 or FAT16 or FAT32 near the top of the sector. The first bytes of the sector are a JMP instruction, so it normally starts 0xEB. Logically, the FDC data starts at byte 0xB. Full details can be found in FDC Descriptor for FAT or FDC Descriptor for NTFS.

NTFS details

Bytes 0x0B-0x0C  00 02  0x200 or 512 bytes per sector
Byte 0x0D        08     8 sectors per cluster (normal value). Possible values are 1,2,4,8,16,32,64

p227

Bytes 0x0E-0x0F  Reserved sectors - NTFS always starts at 0
Bytes 0x10-0x12  Always zero
Bytes 0x13-0x14  Always zero
Byte 0x15        F8  Media type - always F8 for a hard drive
Bytes 0x16-0x17  Always zero
Bytes 0x18-0x19  3F 00  Not checked by NTFS
Bytes 0x1A-0x1B  FF 00  Not checked by NTFS
Bytes 0x1C-0x1F  3F 00 00 00  Not checked by NTFS
Bytes 0x20-0x23  Must be zero
Bytes 0x24-0x27  Not checked by NTFS
Bytes 0x28-0x2F  Total sectors on hard drive
Bytes 0x30-0x37  Logical cluster number for $MFT
Bytes 0x38-0x3F  Logical cluster number for $MFTMirr
Byte 0x40        F6  Clusters per MFT record
Bytes 0x41-0x43  Not used by NTFS
Byte 0x44        01  Clusters per Index Buffer
Bytes 0x45-0x47  Not used by NTFS
Bytes 0x48-0x4F  Volume serial number
Bytes 0x50-0x53  Not used by NTFS

p228

FAT directory entry

A FAT file system has two basic types of directory, the root directory and subdirectories. On FAT12 and FAT16, the root directory is in a fixed location, just after the FAT, and it is a fixed size. On FAT32, the start of the root directory is defined in the BPB, and the directory can be any length. A directory is made up of 0x20 byte records. The only difference between a root and a subdirectory is that the subdirectory always starts with two records showing the current location and the parent directory location. These entries are ". " and ".. ". The file attribute for both is 0x10, showing it is a subdirectory. Typically, the first entry for a root directory is the volume label, with a file attribute of 0x08.

Root directory

[hex dump of a camera card root directory: the volume label POWERSHOT, then mostly deleted entries whose first byte is 0xE5, eg ?MG_1696.JPG, ?MG_1626.JPG, ?TLANTA.JPG, ?EACH.JPG]

Subdirectory

[hex dump of a subdirectory: the '.' and '..' entries followed by short 8.3 names such as AUTOEXEC.BAT, AX.BAT, BACKSEW.BAT, BUILDALL.BAT, CC5.BAT and CC86.BAT]

p229

[hex dump of the subdirectory continued: CCSC5.BAT, CCZ5.BAT, CFDLL.BAT, CFORMAT.BAT, COMPILE.BAT]

Each 0x20 byte entry used to be a file on early DOS versions, but now the structure has been enhanced (see later) to allow for names longer than 8.3. However, it is fully compatible and the first character in the entry can have two control values. If it is set to 0xE5 then the entry is a deleted file. If it is set to 0x00, then this is the end of the directory file. Any other value is the first character of the file name. The two sectors above all have short 8.3 file names, all upper case. The record structure is as follows:

Bytes 0x00-0x0A  File name as 8 characters then three characters of extension. The '.' is automatically added.
Byte 0x0B        File attribute

p230
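An added example (not the manual's code) that decodes the 0x20 byte records as described above, including the 0xE5 deleted marker, the 0x00 end marker, the volume label, the packed modification date/time words and the first cluster. The root directory sector is constructed to resemble the camera card dump above; the sizes, cluster numbers and dates are invented, and the field offsets beyond 0x0B are the standard FAT layout, which the manual only lists in part.

```python
import struct

ATTR_LABEL, ATTR_DIR, ATTR_LFN = 0x08, 0x10, 0x0F


def dos_datetime(date, time):
    """Packed FAT date (year-1980:7, month:4, day:5) and time (hour:5, min:6, sec/2:5) as text."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                                              time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def decode_entry(raw):
    """One 0x20 byte record: 'end' for the 0x00 terminator, None for a long-name piece
    (attribute 0x0F), otherwise a dict. A leading 0xE5 marks a deleted entry whose first
    name character is lost, shown here as '?'."""
    first, attr = raw[0], raw[0x0B]
    if first == 0x00:
        return "end"
    if attr == ATTR_LFN:
        return None
    deleted = first == 0xE5
    if attr & ATTR_LABEL:
        name = raw[:11].decode("latin-1").rstrip()             # label: 11 characters, no '.'
    else:
        base, ext = raw[:8].decode("latin-1").rstrip(), raw[8:11].decode("latin-1").rstrip()
        name = base + ("." + ext if ext else "")
    if deleted:
        name = "?" + name[1:]
    hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", raw, 0x14)
    return dict(name=name, deleted=deleted, attr=attr,
                kind="label" if attr & ATTR_LABEL else "dir" if attr & ATTR_DIR else "file",
                cluster=(hi << 16) | lo, size=size, modified=dos_datetime(wdate, wtime))


def parse_directory(sector):
    """Walk the 0x20 byte records until the 0x00 end-of-directory marker."""
    entries = []
    for off in range(0, len(sector) - 31, 32):
        e = decode_entry(sector[off:off + 32])
        if e == "end":
            break
        if e:
            entries.append(e)
    return entries


def make_entry(name11, attr, cluster=0, size=0, when=(2007, 8, 23, 15, 17, 10), deleted=False):
    """Constructed 8.3 record; creation and access dates are left zero for brevity."""
    raw = bytearray(name11.encode("latin-1").ljust(11))
    if deleted:
        raw[0] = 0xE5
    y, mo, d, h, mi, s = when
    raw += bytes([attr]) + b"\0" * 8
    raw += struct.pack("<HHHHI", cluster >> 16, (h << 11) | (mi << 5) | (s // 2),
                       ((y - 1980) << 9) | (mo << 5) | d, cluster & 0xFFFF, size)
    return bytes(raw)


def build_sample_root():
    """Constructed root directory sector modelled on the camera card dump above: volume label,
    deleted photos (0xE5), a long-name piece, a live photo and a folder, then the end marker."""
    recs = [make_entry("POWERSHOT  ", ATTR_LABEL),
            make_entry("IMG_1696JPG", 0x20, cluster=0x000C, size=2_345_678, deleted=True),
            make_entry("IMG_1626JPG", 0x20, cluster=0x0213, size=1_987_654, deleted=True),
            b"\x41" + bytes(10) + b"\x0f" + bytes(20),           # LFN fragment for the next entry
            make_entry("BEACH   JPG", 0x20, cluster=0x1234, size=1_048_576),
            make_entry("DCIM       ", ATTR_DIR, cluster=5)]
    return b"".join(recs).ljust(512, b"\0")
```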

NTFS directory entry, MFT

NTFS creates directories from records in the $MFT file. Each MFT record has a maximum length of 0x400 bytes (1024) and is always stored in two consecutive sectors. The first sector always starts with FILE followed by a '0' or '*' depending on the version of the operating system. A very common location for the start of the $MFT file is 0x60003F. When an MFT sector is viewed in CnW Recovery software, the sector is parsed, and a tool tip will display values for each type of field within the complete record.

Sector 0x60003F

[hex dump of the first sector of MFT record 0: 'FILE0' at offset 0 and the name '$MFT' in UTF-16 in the file name attribute]

Next sector, 0x…

[hex dump of the second sector of the record]

To help recognise an MFT sector it should be noted that the last two bytes of each sector will always be the same. These bytes are set with a 'random' value that is then modified later. It ensures that both sectors have been read fully. In the example above, one can note that the final two bytes of each sector hold the same value, and this value is also set in bytes 0x30-0x31 to show the value that should be read.

With CnW software, when the sector is viewed with View Sector, as the cursor is moved over each field in the MFT record, it will be decoded and displayed as a tool tip. The most useful values can be the date fields and size fields that are not always obvious, or easy to decode.

p231
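The NTFS boot sector table on the previous pages and the MFT fixup described here, as one added example that is not CnW's code: it decodes the BPB fields (including the signed byte 0xF6 that gives a 1024 byte MFT record), works out the $MFT sector, then checks and undoes the update sequence in a 1024 byte record. The sectors are constructed from the manual's example values (512 bytes per sector, 8 sectors per cluster, BPB at sector 0x3F, $MFT at sector 0x60003F); the serial number, total sector count and $MFTMirr cluster are invented.

```python
import struct


def parse_ntfs_bpb(sector, partition_start=0x3F):
    """Decode the NTFS boot sector fields listed above; partition_start is the sector the BPB
    sits in (0x3F is the common value the manual quotes)."""
    if sector[510:512] != b"\x55\xaa" or sector[3:7] != b"NTFS":
        raise ValueError("not an NTFS boot sector (no NTFS name at byte 3 or no 0x55 0xAA)")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    cluster = bps * spc

    def size_code(v):
        # bytes 0x40 and 0x44: a positive value counts clusters; a negative signed byte
        # (0xF6 = -10) means 2 ** 10 bytes, so a 1024 byte MFT record on any cluster size
        v = v - 256 if v > 127 else v
        return 2 ** -v if v < 0 else v * cluster

    return dict(bytes_per_sector=bps, sectors_per_cluster=spc, media=sector[0x15],
                total_sectors=total, mft_lcn=mft_lcn, mftmirr_lcn=mirr_lcn,
                mft_record_size=size_code(sector[0x40]), index_size=size_code(sector[0x44]),
                serial=serial, mft_sector=partition_start + mft_lcn * spc)


def apply_fixup(record, sector_size=512):
    """Undo the update sequence of an MFT record. The last two bytes of every sector must equal
    the update sequence number stored at the array offset (0x30 in the dump above); they are
    then replaced by the values saved in that array. A mismatch means the record was torn or
    not fully read."""
    if record[:4] != b"FILE":
        raise ValueError("no FILE signature")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)   # byte 4 is the '0' of FILE0
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        tail = i * sector_size - 2
        if fixed[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch at the end of sector %d" % (i - 1))
        fixed[tail:tail + 2] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)


def fixup_ok(record):
    try:
        apply_fixup(record)
        return True
    except ValueError:
        return False


def record_summary(record):
    """Header words of a fixed-up record: sequence number, hard links, flags (1 = in use,
    2 = directory) and the record number at 0x2C."""
    seq, links, _, flags = struct.unpack_from("<HHHH", record, 0x10)
    rec_no = struct.unpack_from("<I", record, 0x2C)[0]
    return dict(sequence=seq, links=links, in_use=bool(flags & 1), is_dir=bool(flags & 2),
                record=rec_no)


def build_sample():
    """Constructed boot sector and MFT record using the manual's example values (512 bytes per
    sector, 8 per cluster, F6, 01); $MFT cluster 0xC0000 is what puts the $MFT at sector
    0x60003F with the BPB at 0x3F. The other numbers are invented."""
    boot = bytearray(512)
    boot[0:11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 8)
    boot[0x15] = 0xF8
    struct.pack_into("<QQQ", boot, 0x28, 0x3A385FFF, 0xC0000, 0x1D1C2FF)
    boot[0x40], boot[0x44] = 0xF6, 0x01
    struct.pack_into("<Q", boot, 0x48, 0x241C96A6C4D2A1B0)
    boot[510:512] = b"\x55\xaa"
    rec = bytearray(b"\xee" * 1024)                      # body filler
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)            # array at 0x30: USN + one word per sector
    struct.pack_into("<HHHH", rec, 0x10, 1, 1, 0x38, 1)  # seq 1, 1 link, attrs at 0x38, in use
    struct.pack_into("<I", rec, 0x2C, 0)                # record 0 is $MFT itself
    rec[0x30:0x36] = b"\x07\x00" + b"\x11\x22" + b"\x33\x44"   # USN 7, then saved sector tails
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x07\x00"   # on disk both tails show the USN
    return bytes(boot), bytes(rec)
```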


Disk clusters

Disks consist of sectors, normally 512 (0x200) bytes in length. With a modern 500GB disk, this means there are about 1,000,000,000 separate sectors that the operating system has to manage. As these numbers can get rather large, operating systems work in groups of sectors, and call it a cluster. A cluster is then the smallest amount of disk that can be allocated, and is always a contiguous run of sectors.

The size of a cluster is always a compromise. A large cluster means that there are fewer clusters for the operating system to manage, but there is always the problem that a small file will require a complete cluster, and so can represent a large amount of wasted space. A small cluster reduces the amount of wasted space, but will require many more to be tracked by the operating system.

When recovering a disk it is often useful to know the size and location of clusters. If the disk has a valid operating system, then this will be determined from information within the BPB. If the operating system information is lost - or maybe not valid due to a reformat - then it will be necessary to determine the cluster size and location. There are built in tools for FAT and NTFS disks to try and determine values, but the other way is to examine the log after an Image Raw scan. Once an Image Raw scan of a disk is done, the log should be opened, and the data viewed in hex mode.

The important parameters are the start sector value and the Incr(ement) sector, and the reason for viewing in hex is that all cluster sizes are powers of 2, ie 1,2,4,8,16 etc. In the example above it can be seen that the majority of increments are multiples of 0x20 (ie 32). With an Image Raw, there may be false positive starts detected, and so it can be seen that the top few values do not fit the pattern. For the majority of the files, it looks safe to say that the cluster size is 0x20.

p233

Looking at the Start Sector it is very clear that the majority of files start with a sector value ending in 9. The first cluster of a disk can be located on any sector location, and so for a cluster size of 0x20, the start of a cluster could in theory be any value between 0x00 and 0x1F. In the example above, files always start at values such as 0xb9, 0x19, 0x39, so the start value of the cluster would be sector 0x19.

p234
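The analysis of the Image Raw log described above, as an added example that is not CnW's code: it works out the cluster size (the largest power of two that divides most increments) and the cluster alignment (the most common start sector modulo that size) from a constructed log whose values follow the pattern in the text, including a few false positives at the top.

```python
from collections import Counter

# Constructed Image Raw log excerpt: start sector and increment (distance from the previous
# start) per detected file. The values are invented but follow the pattern described above:
# the first rows are false positives, then increments are multiples of 0x20 and starts end in 9.
SAMPLE_LOG = """\
start   incr
0x00003 0x00003
0x0000b 0x00008
0x00019 0x0000e
0x00059 0x00040
0x000b9 0x00060
0x00139 0x00080
0x00179 0x00040
0x001f9 0x00080
0x00239 0x00040
0x002b9 0x00080
0x00319 0x00060
0x00399 0x00080
"""


def parse_log(text):
    """(start, incr) pairs from the hex columns, skipping the header line."""
    return [tuple(int(v, 16) for v in line.split()) for line in text.splitlines()[1:]]


def infer_cluster_size(rows, share=0.6):
    """Largest power of two that divides the increment of at least `share` of the files;
    candidates run from 0x4000 down to 1, so a minority of false positives cannot force
    a smaller answer."""
    incrs = [i for _, i in rows if i]
    for size in (0x4000 >> k for k in range(15)):
        if sum(1 for i in incrs if i % size == 0) >= share * len(incrs):
            return size
    return 1


def infer_cluster_start(rows, size):
    """Sector of the first cluster: the most common start value modulo the cluster size
    (0x19 for the log above, as the text works out by eye)."""
    return Counter(s % size for s, _ in rows).most_common(1)[0][0]


def sector_to_cluster(sector, size, first):
    """Cluster number and offset within it for a sector on the inferred layout;
    a negative cluster number flags a sector before the first cluster."""
    return divmod(sector - first, size)


def analyse(text=SAMPLE_LOG):
    rows = parse_log(text)
    size = infer_cluster_size(rows)
    first = infer_cluster_start(rows, size)
    return dict(cluster_size=size, first_cluster_sector=first, files=len(rows),
                aligned=sum(1 for s, _ in rows if (s - first) % size == 0))


if __name__ == "__main__":
    r = analyse()
    print("cluster size 0x%x sectors, first cluster at sector 0x%x, %d of %d files aligned"
          % (r["cluster_size"], r["first_cluster_sector"], r["aligned"], r["files"]))
```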

Apple Volume Header

This sector is normally 2 sectors after the start of the partition - for HFS Plus disks, it always starts with 'H+'. A typical sector number for this sector is 0x6402a.

[hex dump of the volume header: 'H+' at offset 0, the last mounted version 'HFSJ' at offset 8]

The sector is extremely important for recovery as it has pointers to both the catalog and the extents table. It also has the basic information regarding cluster sizes. The sector is normally duplicated near the end of the partition.

Important fields in the volume header

Bytes 0x00-0x01  Signature, H+
Bytes 0x02-0x03  Version, 0x4
Bytes 0x10-0x13  Create date
Bytes 0x14-0x17  Modify date
Bytes 0x18-0x1B  Backup date
Bytes 0x1C-0x1F  Checked date
Bytes 0x20-0x23  File count
Bytes 0x24-0x27  Folder count
Bytes 0x28-0x2B  Block size, typical 0x1000
Bytes 0x2C-0x2F  Total blocks
Bytes 0x30-0x33  Free blocks
Bytes 0x38-0x3B  Resource clump size
Bytes 0x3C-0x3F  Data clump size
Bytes 0xC0-0x10F  Extents file locations
Bytes 0x110-0x15F  Catalog file locations

p235
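An added example, not the manual's code, that decodes the big-endian volume header fields listed above, including the extents and catalog fork records at 0xC0 and 0x110, and turns their allocation-block extents into disk sectors; it also locates the duplicate header near the end of the partition. The header is constructed with invented dates and block counts; the partition start 0x64028 is the one implied by the typical header sector 0x6402a, and the 1904 epoch of the date fields is the HFS Plus convention, not something the manual states.

```python
import datetime
import struct

HFS_EPOCH = datetime.datetime(1904, 1, 1)   # HFS Plus dates count seconds from 1904-01-01


def hfs_date(seconds):
    return HFS_EPOCH + datetime.timedelta(seconds=seconds)


def parse_fork(buf, off):
    """Fork data record: logical size (8), clump size (4), total blocks (4), then eight extents
    of (start block, block count); unused extents are all zero."""
    logical, clump, total = struct.unpack_from(">QII", buf, off)
    extents = [struct.unpack_from(">II", buf, off + 16 + 8 * i) for i in range(8)]
    return dict(logical_size=logical, clump_size=clump, total_blocks=total,
                extents=[e for e in extents if e[1]])


def parse_volume_header(sector):
    """Decode the big-endian fields listed above from the 512 byte volume header."""
    if sector[:2] != b"H+" or struct.unpack_from(">H", sector, 2)[0] != 4:
        raise ValueError("not an HFS Plus volume header (no H+ signature / version 4)")
    create, modify, backup, checked = struct.unpack_from(">IIII", sector, 0x10)
    files, folders, block_size, total_blocks, free_blocks = struct.unpack_from(">IIIII", sector, 0x20)
    rsrc_clump, data_clump = struct.unpack_from(">II", sector, 0x38)
    return dict(last_mounted=sector[8:12].decode("ascii"), created=hfs_date(create),
                modified=hfs_date(modify), backup=backup, checked=checked,
                files=files, folders=folders, block_size=block_size, total_blocks=total_blocks,
                free_blocks=free_blocks, rsrc_clump=rsrc_clump, data_clump=data_clump,
                extents_file=parse_fork(sector, 0xC0), catalog_file=parse_fork(sector, 0x110))


def fork_sectors(fork, block_size, partition_start):
    """Map a fork's extents from allocation blocks to (first sector, sector count) on the disk."""
    spb = block_size // 512
    return [(partition_start + start * spb, count * spb) for start, count in fork["extents"]]


def alternate_header_sector(header, partition_start):
    """The copy kept 1024 bytes before the end of the volume, for when sector 2 is damaged."""
    return partition_start + header["total_blocks"] * (header["block_size"] // 512) - 2


def build_sample():
    """Constructed header: block size 0x1000, a journaled ('HFSJ') volume, and catalog and
    extents forks of one extent each; all counts and dates are invented."""
    hdr = bytearray(512)
    struct.pack_into(">2sHI4sI", hdr, 0, b"H+", 4, 0x80002100, b"HFSJ", 0)
    t = 39082 * 86400                                  # 2011-01-01 00:00:00 in HFS seconds
    struct.pack_into(">IIII", hdr, 0x10, t, t + 3600, 0, t + 7200)
    struct.pack_into(">IIIII", hdr, 0x20, 125_000, 30_000, 0x1000, 0x1D1C2F, 0x4A8B2)
    struct.pack_into(">II", hdr, 0x38, 0x10000, 0x10000)
    for off, start, count in ((0xC0, 0x1, 0x400), (0x110, 0x401, 0x2000)):
        struct.pack_into(">QII", hdr, off, count * 0x1000, 0x400000, count)
        struct.pack_into(">II", hdr, off + 16, start, count)
    return bytes(hdr)


if __name__ == "__main__":
    h = parse_volume_header(build_sample())
    print("catalog file sectors:", fork_sectors(h["catalog_file"], h["block_size"], 0x64028))
    print("alternate header at sector 0x%x" % alternate_header_sector(h, 0x64028))
```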

VMFS sectors

VMFS is a virtual file system from VMware. CnW development is underway to produce a flat file from the virtual format. Several sectors have fixed patterns; the key offsets and magic numbers are listed below.

Partition entry block
Offset 0x1c6 is the start location of the virtual disk. Offset 0x1ca is the end of the virtual disk - both values in 0x200 byte sectors.

Info block
Magic number is 0x5ef1ab25 (Big endian). Offset 0xa1 is the block size, ie 0x

VMFS Header, LVM
Magic number is 0x0dd001c0 (Big endian)

General Tools

CnW Recovery software has several functions that can be used once files have been recovered from corrupted media. Typically they assist in video disk recovery, and also in processing files for writing to DVDs. Tools are accessed from the Tools entry in the top drop-down menu:

Split directories for DVD burning
Rebuild video disk from MPEG files
Merge disk images
User Passwords

Split directories

Split directories allows a directory tree to be split into sections suitable for burning to DVDs. This function can be used when it is necessary to transfer many files to DVDs, and will try to fill DVDs to approx 90-95% capacity. It is possible to recover files into DVD-sized directories when doing recovery, but this can often mean that directories are scattered over several DVDs. This occurs when certain recovery modes are used, such as NTFS Recover from file entries. In order to produce DVDs with a more logical directory structure, files should be recovered without the DVD option, and then this split tool can be run.

To run the function, it is just necessary to enter the name of the main directory storing the files to be placed into DVD directories. The output files will be moved into new directories on the same drive, in a directory with a 0 added to the original directory name. Thus if the initial directory is "SplitDVD" the output directory will be "SplitDVD0". As the files are moved, the original file will disappear, and so files can be split on a full drive; very little extra space is required.

Merge disk images

Occasionally one has duplicate copies of logically identical media. However, at times each copy has different failures. The merge disk images tool allows two disk images to be merged. The routine will analyse the master file, and if a blank sector is found, it will then test the second file. If the second file has a non-blank sector, this will be merged into the master file.

There are occasions where one wants to merge a partial file with a full file. If, for instance, as in the example shown above, there is an image of just the start of MFTs, this will be merged into the main file starting at sector 0x60003f. It is not possible to merge a file that starts after the end of the master file.
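The merge rule described above, as an added example (not CnW code): a blank sector in the master is taken from the second image when that one is non-blank, a partial second image can be placed at a start sector inside the master, and a second image that would start beyond the master's end is rejected. "Blank" is assumed to mean all-zero here; the images are constructed in-memory byte strings.

```python
"""Merge two disk images sector by sector.

Added example, not CnW code. Blank is assumed to mean an all-zero sector.
The images built below are constructed so the example runs offline.
"""
SECTOR = 512


def is_blank(sector):
    return not any(sector)


def merge_images(master, second, start_sector=0):
    """Return (merged_image, sectors_filled).

    `start_sector` is where the first sector of `second` sits inside `master`
    (for example 0x60003f for a partial image of the MFTs). Raises ValueError
    if `second` would start after the end of `master`; sectors of `second`
    that run past the end of `master` are ignored.
    """
    if len(master) % SECTOR or len(second) % SECTOR:
        raise ValueError("images must be a whole number of sectors")
    master_sectors = len(master) // SECTOR
    if start_sector >= master_sectors:
        raise ValueError("second image starts after the end of the master")
    out = bytearray(master)
    filled = 0
    for i in range(len(second) // SECTOR):
        target = start_sector + i
        if target >= master_sectors:
            break
        span = slice(target * SECTOR, (target + 1) * SECTOR)
        candidate = second[i * SECTOR:(i + 1) * SECTOR]
        # only a blank master sector is ever replaced, and only by real data
        if is_blank(out[span]) and not is_blank(candidate):
            out[span] = candidate
            filled += 1
    return bytes(out), filled


def sector_of(fill):
    """Constructed test sector: 512 copies of one byte (0 makes a blank sector)."""
    return bytes([fill]) * SECTOR


# Constructed images: the master lost sectors 2 and 5, the copy lost sector 4.
MASTER = b"".join(sector_of(b) for b in (1, 2, 0, 4, 5, 0, 7, 8))
SECOND = b"".join(sector_of(b) for b in (1, 2, 3, 4, 0, 6, 7, 8))
# Constructed partial image of two sectors to be placed at sector 5 of the master.
PARTIAL = sector_of(0xAA) + sector_of(0xBB)


def sector_bytes(image):
    """First byte of each sector, handy for inspecting a merge result."""
    return [image[i] for i in range(0, len(image), SECTOR)]


if __name__ == "__main__":
    merged, filled = merge_images(MASTER, SECOND)
    print("full copy merge filled", filled, "sectors ->", sector_bytes(merged))
    merged, filled = merge_images(MASTER, PARTIAL, start_sector=5)
    print("partial merge at sector 5 filled", filled, "sector ->", sector_bytes(merged))
```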

Email Extraction

Email extraction is a tool to help convert certain types of file into text copies of emails. It will operate with Outlook Express 6 .dbx files and also Macintosh Database files. It does assume that the file is largely intact. There are two parameters that have to be set: the location of the input files, and where the output files are to be saved. The program will automatically detect the file format and extract the emails. When possible, the output will have a name based on content and date and time.

User passwords

Many disks are protected by passwords controlling access to the disk and often user files. CnW Recovery software reads files directly and bypasses all such passwords. It is therefore not necessary to have access to a password in order to read files from a directory that the operating system will not allow access to. The same applies to system files, which can all be read and saved on a new hard drive.

User login passwords

Sometimes a computer (typically a laptop) cannot be used because the user has defined a password that has since been lost, or deliberately changed. As described above, CnW Recovery software will read the files, but it may be necessary to find the password in order to handle encrypted files and to restore the PC to a full working state. CnW does not do any decoding of passwords, but it can read two of the critical files that store the information. These are the SAM file and SYSTEM file, typically stored in windows\system32\config. It is not normally possible to read such files without special tools, or CnW. CnW does require the hard drive operating as a slave drive to access such files. There are then several tools that may be found on the web to assist with accessing passwords, and two such programs are 'John the Ripper' and SAMInside, which both make use of the SAM and SYSTEM files. A web search will also highlight many more.

AVCHD reconstruction

AVCHD is a high definition video standard now being used by quality cameras and video recorders. When a raw recovery of data is performed, several types of files are found. The most important one is the MTS file, which stores the video data. Other files are .cpi, MPL etc. For a video editor to process these, they have to have relevant names and be stored in valid directories. This tool will assist in the process.

Extract and join

This function allows sections of a file to be extracted and a new file created from these fragments. It can be a useful tool if doing manual data carving and wanting to reconstruct a file. A fragment can be any length of sectors. To aid with file creation, the location that the fragment is stored in can be defined (as a sector offset). The utility is used by entering the start sector, and then either the length or the end sector. If the offset is set as zero, then the section will be appended to the previous section.

Fake memory test

Some memory chips (eg SD, CE or USB memory sticks) are marked and sold as one capacity, but are in fact much smaller in size. The chips will format correctly, and give every indication that they are the size marked on the case. In fact the firmware within the chip is normally 'fiddled with' to make sure they look genuine. When used, a few photos or videos will be stored correctly, but maybe 90% on a full memory chip will be lost. This tool is designed to test memory chips to ensure that they are valid. There are two tests.

Test 1
The first test is to examine for data at the end of the memory chip and see if it is repeated earlier in the memory. If this pattern is found then it unfortunately indicates that it is too late, and data has been lost.

Test 2
The second test is only required if there is no data written at the end of the physical chip, such as when the memory chip is new. In this test, a sector with a unique pattern is written near the end of the physical memory. The memory chip is then examined to see if this new data occurs elsewhere on the memory chip. If the pattern is found again, then this is a fake memory chip; if it is not found, then the chip is valid.
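Both tests, run against a simulated chip, as an added example (not CnW code). FakeFlash is an assumed model of a mis-labelled chip: it advertises more sectors than it stores and wraps any address beyond its real size back to the start, which is what makes late-written data reappear earlier on the chip. Real counterfeit firmware may behave differently; the two tests themselves do not depend on the model.

```python
"""Fake memory tests against a simulated flash chip.

Added example, not CnW code. FakeFlash is an assumed wrap-around model of a
counterfeit chip; the sector contents written by fill_with_files are constructed.
"""
import os

SECTOR = 512


class FakeFlash:
    """A chip advertising `advertised` sectors but physically holding `physical`.
    With physical == advertised this is a genuine chip."""

    def __init__(self, advertised, physical):
        assert 0 < physical <= advertised
        self.advertised, self.physical = advertised, physical
        self.cells = [bytes(SECTOR)] * physical      # all blank (zero) when new

    def _phys(self, lba):
        if not 0 <= lba < self.advertised:
            raise IndexError(lba)
        return lba % self.physical                   # assumed wrap-around behaviour

    def size(self):
        return self.advertised

    def read(self, lba):
        return self.cells[self._phys(lba)]

    def write(self, lba, data):
        assert len(data) == SECTOR
        self.cells[self._phys(lba)] = bytes(data)


def find_duplicates(chip, lba):
    """Every other LBA on the chip that reads back identical to `lba`."""
    want = chip.read(lba)
    return [i for i in range(chip.size()) if i != lba and chip.read(i) == want]


def check_existing_data(chip, tail=4):
    """Test 1: is data already at the end of the chip repeated earlier on?
    Returns True (fake, data already lost), False (looks genuine) or None when
    the tail is still blank and the test is inconclusive (use test 2 instead)."""
    end = chip.size()
    verdicts = []
    for lba in range(end - tail, end):
        if is_blank(chip.read(lba)):
            continue
        verdicts.append(any(i < lba for i in find_duplicates(chip, lba)))
    return any(verdicts) if verdicts else None


def check_with_marker(chip, back=2):
    """Test 2: write a unique pattern near the end and look for it elsewhere.
    Returns the LBAs where the marker reappeared; an empty list means genuine.
    Only meant for chips with nothing stored at the end, as it overwrites a sector."""
    lba = chip.size() - back
    chip.write(lba, os.urandom(SECTOR))   # random, so it cannot already be present
    return find_duplicates(chip, lba)


def is_blank(sector):
    return not any(sector)


def fill_with_files(chip, count):
    """Constructed stand-in for taking photos: distinct content in each sector."""
    for i in range(count):
        chip.write(i, bytes([i % 256]) * SECTOR)


if __name__ == "__main__":
    fake = FakeFlash(advertised=64, physical=16)
    print("new fake chip, test 1:", check_existing_data(fake))
    print("new fake chip, test 2 marker seen at:", check_with_marker(fake))
    fill_with_files(fake, 64)
    print("filled fake chip, test 1 says data lost:", check_existing_data(fake))
    genuine = FakeFlash(advertised=64, physical=64)
    print("genuine chip, test 2 marker seen at:", check_with_marker(genuine))
```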

Reconstruction tips

Once files have been recovered, they often need to be restored back to a new operational disk. For most, this is a straightforward copy into the relevant directories, but others require a bit more effort. This section gives some useful tips.

Restoration - Outlook Express 6

The files for Outlook Express 6 have the file extension .dbx. Files may be found by file recovery modes, or by Raw recovery. Once found, they cannot just be copied to a directory; they have to be imported with Outlook. To import the files, they need to be placed in a subdirectory which must not be on a DVD or CD-ROM. The file Folders.dbx also needs to be included with the files. Without this file, the error message 'No messages or files can be found in this folder or another application is running that has the required files open' is displayed. The import procedure is a series of Outlook Express menu operations as follows: File / Import / Messages... / Outlook Express 6 / Next / Browse... At this point browse to the location of the subdirectory where the .dbx files to be imported are. After Next, the details of the mailboxes to be imported are shown, and may be selected.

Logs

CnW Logs provide details of all jobs done. They are an essential part of any forensic investigation, as well as very useful as a summary for any disk recovery.

Log overview
File details
Search for sector
File fragments
Job details
Forensic Report
Trace?.txt file

Log overview

The log stores details of all files that have been read, along with media errors. There is also an option to export the log into a CSV file. The default file name will be the job number of the conversion. The details stored in the log do depend on the options purchased with the CnW software package. The standard package will have file names, dates and sizes. The full logging option, for forensic investigations, will contain details on file locations, as well as an MD5 checksum for each file read.

The log has four sections:
File detail
Details about the media and the job
Forensic Log (Forensic option only)
Keyword search Log (Commercial and Forensic only)

An important feature of the log is that it is possible to double click on a file name and view an image of the file. Current versions will just display images; under development is a hex and text display of data. This works in demo mode, so even though files cannot be restored to a hard disk, the image that would be recovered can be displayed. The file view screen will either display a picture, or will display a hex dump of the first 1MB of the file. Any picture image displayed is stretched to the size of the window; this may distort the image, and so it should only be taken as an indication, rather than a valid image. This will give a good indication of whether the file is correct.

File details displayed in the log

The following data is displayed in the log. It is slightly media dependent and some items are only available with the Full Log option designed for forensic investigators and other power users. From the log screen, previous logs may be displayed, but whenever the log screen is started, the most recent log is displayed. Any column may be sorted by clicking the column header - there is currently (April 2007) a (large) limit on the maximum number of entries that can be sorted, but that will be removed in later versions. All sector numbers are absolute numbers on the disk drive, and not relative to the current partition.

Log selection

Logs are stored with an incrementing job number. Also, to help with housekeeping, they are grouped on a monthly basis. Both of these are controlled by the combo boxes at the bottom of the display. The left hand box selects the month, so viewed above, it is February. The second combo box selects the actual log. It is stored in a subdirectory with a name generated from the date. In the example above, it is 2 February 2006; the format is YYYYMMDD. The job number will 'never' roll over. To jump between consecutive logs, the + and - buttons may be used.

Status

This describes the contents of the log record and can have many possible values, listed below.

Del - The file was detected in the directory as a deleted file.
Directory - This is the name and location of a directory found.
Error - An error was detected.
IC - The file is incomplete, ie less was recovered than stated in the directory. For a FAT disk this is often a corrupted FAT.

MFT - The file was recovered correctly; it was based on an MFT in NTFS.
OK - The file has been copied correctly.
Over - The file that has been read contains sectors that have been read in other files, ie the original file has probably been partially or completely overwritten.
Recovd - The file has been recovered by using the read unallocated space, or the disk image scan. These files may or may not be valid and should be tested before assuming they are complete or correct.
Scan - The file entry has been found by scanning the directory; no copy has been made.
Skipped - The file has been skipped, either because it is a deleted file, or because of the file filter options.

It should be noted that the status will often change after a restore has been made following a scan. A Scan will normally have the status of Scan, rather than OK etc.

File size
This is the file size as read from the directory entry, ie if the file fails to read completely, the log shows the expected file size.

Filename
This is the filename as read from the disk directory.

Signature
The signature is determined by analysing the start of the data. For a scan, there is no signature test, and so it remains as unknown, or '?'. Many file types have the same start of file, so for instance a DLL and an EXE both start with the same codes, and so the signature will always show as .exe. Experience is often required to determine if any differences between Signature and Extension (see next item) are significant. Files such as jpeg, or jpg, have a unique start, so if the signature is detected as jpg but the extension is marked as .doc, or .dat, it could be a case of deliberate renaming of files, possibly to hide them. When a signature is not recognised the first two hex values are displayed, eg 0x59 3F. This helps see the start of the file, and if there is a possible pattern, it will be clear.

Flags
The flags are values stored in the disk directory. When a flag, or attribute, is detected, a letter is output in the field. These values are as follows:
A - The archive flag is set
C - The file is compressed by the operating system, such as NTFS
D - The file was deleted
E - The file has been encrypted
H - The file is hidden
R - The file is read only - ie write protected
S - This file is a system file
2, 3 etc - This number is the number of streams that have been found. A single stream is not shown, and so counting starts at 2

Start sector
The start sector is the first sector of the file.

Dir Sect
The directory sector is where the directory information is stored. For NTFS this will be the address of the MFT block. By clicking on this column the sector will be displayed.

Parent Dir Sect
The parent directory sector is the location of the parent directory of the file.

Dir offset

For many file systems, multiple file entries are stored within a larger directory file. The Directory offset is the location within the file for the particular file entry. For NTFS disks, the offset is the number of the MFT within the $MFT file.

Sect Err
If a missing or failed sector is encountered within a copy, then this flag will be set to Yes. On some occasions the file will still open, but it will be corrupted. When sorted, it will be sorted along with the start sector number. This can often give an indication of areas of a disk that have failed, or in the case of a disk image, have not been imaged.

Frags
Many large files are fragmented on a disk, ie not written as a single continuous stream. The fragment count indicates how many fragments there are within the file. By clicking on this column, details of each fragment will be displayed.

Verify
The verify column will indicate Yes or No, indicating if the file has passed several validation checks. These results must be treated with a bit of caution as there can be false positives and negatives, sometimes due to changes in the original file structure due to program updates. If the verify column is clicked on, there is the tool for Manual Data Carving (as a forensic option only).

Fltr
The filter flag is Y or N. If Y the file has been copied, and if N, the file filter testing has meant that the file has not been copied.

Create, Modify, and Access dates
These are the dates that the file was created, modified, or accessed. It should be noted that the definition of modified is when the contents have been changed. Creation is when the file was placed on the disk. It is therefore possible, if a file is moved from one location to another location on a different disk, that the creation date will be newer than the modified date.

MD5
This is an industry standard hash value of the file contents. If any single bit of the file is changed, the hash value will be different. No two files will ever have the same MD5 value. The file name and date are not part of the MD5 value.

Forensic investigation often makes significant use of hash values. It has two main uses:
It can be used as a quick way to test that two files are identical, even if in different locations
It can verify that the file has not been changed
The MD5 value is also used within the file filter to test files against a known database.

Log time
The log time is the time that the log entry was created.

Export
The export function will output all the log in .csv format. The location is defined by the values in the Directories configuration.

Search
The search function will show which file a sector is used in.


Search for sector

A very useful forensic tool is to determine which file a sector belongs to. In the case of overwritten, or deleted, files a sector may have more than one apparent owner. The value of the absolute location of the sector is entered into the box (in either hex or decimal according to the flag) and when Search is pressed the log is examined to determine which file(s) the sector is part of. Obviously, a sector should only be used in a single file, but if deleted files have been restored within the log, these will be tested as well. If a deleted file has been overwritten, it should be possible to see which file overwrote it. The routine will search up to 80 fragments in a file. As a double check, when a file has been isolated, it is possible to view the fragments of the file by clicking on the Frags column within the log.

It must be noted that the log is only valid after a file recovery has been run. However, to save time and space if recovery is not actually required, the solution is to use 'Select Files' rather than Recover All. The disk will be scanned and this stage will be complete when the 'Select All' and 'Copy' buttons become enabled. The sector number may then be entered and matching file(s) displayed. If not found, then the sector is in the unallocated area.

File fragments

Most files are stored on a disk in contiguous sectors. If a file is very large, or the disk is very full, then a file may be stored in many fragments. This is also very true when a file has been created by adding small sections to a file, as often happens with logs. The CnW program will indicate in the log the number of fragments a file has. By double clicking on the fragment number in the log, details of the fragments will be displayed, showing the start location and length of each fragment.

The report shows both the start and end location of each data run as well as the length. To assist in analysing disks, the information is shown in both sectors and clusters. If the sector number in Start location or End location is double clicked, the sector will be displayed.
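The sector search and the fragment report described in the two sections above, as one added example (not CnW code), run over a constructed log. The log record layout (name, status, list of (start sector, length) runs), the file names and all sector values are assumptions made for the demonstration; the 80-fragment limit and the sector/cluster conversion are the ones described in the text.

```python
"""Which file owns a sector, and a per-fragment report in sectors and clusters.

Added example, not CnW code. SAMPLE_LOG and its layout are constructed.
"""
from dataclasses import dataclass, field

MAX_FRAGMENTS = 80   # the search routine looks at no more than 80 fragments per file


@dataclass
class LogEntry:
    name: str
    status: str                                  # e.g. "OK", "Del", "Recovd"
    fragments: list = field(default_factory=list)  # [(start_sector, length_in_sectors), ...]


# Constructed log: a live photo, a live document whose first run sits where a
# deleted text file used to be, and a log file with 100 fragments.
SAMPLE_LOG = [
    LogEntry("photo1.jpg", "OK", [(0x1019, 0x40)]),
    LogEntry("report.docx", "OK", [(0x2019, 0x20), (0x4019, 0x20)]),
    LogEntry("old_notes.txt", "Del", [(0x2019, 0x20), (0x3019, 0x10)]),
    LogEntry("app.log", "OK", [(0x5019 + 0x20 * i, 0x20) for i in range(100)]),
]


def files_using_sector(log, sector):
    """Every entry whose first MAX_FRAGMENTS runs contain `sector` (absolute)."""
    hits = []
    for entry in log:
        for start, length in entry.fragments[:MAX_FRAGMENTS]:
            if start <= sector < start + length:
                hits.append(entry)
                break
    return hits


def classify_sector(log, sector):
    """Human-readable owner(s) of a sector. A deleted and a live owner together
    show which file overwrote the deleted one; no owner means unallocated."""
    hits = files_using_sector(log, sector)
    if not hits:
        return "unallocated"
    live = [h.name for h in hits if h.status != "Del"]
    deleted = [h.name for h in hits if h.status == "Del"]
    if live and deleted:
        return f"{', '.join(deleted)} overwritten by {', '.join(live)}"
    return ", ".join(live or deleted)


def fragment_report(entry, cluster_size, cluster_offset):
    """Start/end/length of each run in sectors and clusters, as the Frags view does.
    `cluster_offset` is the sector at which cluster 0 begins (see Disk clusters)."""
    rows = []
    for start, length in entry.fragments:
        end = start + length - 1
        rows.append({
            "start_sector": start, "end_sector": end, "length_sectors": length,
            "start_cluster": (start - cluster_offset) // cluster_size,
            "end_cluster": (end - cluster_offset) // cluster_size,
            "length_clusters": -(-length // cluster_size),   # round up
        })
    return rows


if __name__ == "__main__":
    for sector in (0x1020, 0x2025, 0x3025, 0x9000):
        print(f"sector 0x{sector:x}: {classify_sector(SAMPLE_LOG, sector)}")
    for row in fragment_report(SAMPLE_LOG[1], cluster_size=0x20, cluster_offset=0x19):
        print({k: hex(v) for k, v in row.items()})
```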

Job details

The job details are obtained by clicking on the Media Status tab. This screen will give details of the media, and of the job, that are fixed for the media, rather than individual file details. The screen is universal for all types of media, so not every field will be filled in for every media type.

Volume ID
This is the name read from the media. It is normally user entered when the media is formatted, or for a CD, when it is burnt.

Format
This is the logical format, or operating system. One will expect values such as NTFS, FAT32, UDF.

Media Type
This is the physical media. Values such as CDROM, Floppy, and Hard drive will be seen. It is very difficult to distinguish between a hard drive and a flash memory chip, so they are described as Removable drive.

Drive
This provides details of the physical drive being used to read the media. For forensic inquiries this can be important. When reading a hard drive, the details stored here are those of the drive.

Library Slot
The library slot value is only used when media (eg CDs) are being read from a random access library.

Capacity
The capacity is the raw capacity of the media, displayed in bytes. This does not define the amount of information on the media, and when compression is used, the data stored can exceed the stated capacity.

Erasable
The erasable flag is only relevant for CDs and DVDs. If set, then the media is RW (Read/Write) rather than write once.

Tracks / partitions
Many types of media can be divided into smaller logical sections. For a hard drive, they can be partitioned so that they behave like completely separate drives. For CDs, the disk can be written as separate tracks. For audio CDs, this is used for separate songs etc. With data CDs, tracks are normally an indication that the CD has been written more than once, as a multi-session CD. However, it should be noted that a single session may contain multiple tracks, though typically tracks and sessions map one to one to each other.

Serial Number
Many pieces of media have a unique serial number, added at creation time, or first initialisation. This is not normally user changeable.

Mode
CDs can be written in several different physical ways. Although these are largely invisible to any user, they can affect compatibility. The options that are recognised are:
CD Audio
Yellow Mode 1
Yellow Mode 2
XA Mode 2, form 1
XA Mode 2, form 2

Finalised
CDs can be appended to, or have their contents fixed. When fixed, the session is finalised, or closed, and no additional sessions may be added.

Error Count
This is the number of errors detected when reading the media. Many disks can be read very successfully with several errors, but problems can occur when the error count goes into the hundreds.

Retry Count
This is the number of times the drive has had to retry to read a sector. A large number of retries and a small error count indicates a drive that is failing, media that has problems, or a drive/media combination that is not very compatible, or misaligned.

Copied Output Path
The output path is where the files have been copied to. At times, depending on recovery mode, the output path may be appended with fixed directories such as !recover or !deleted.

Layers
Layers is for DVDs only. Some DVDs have 2 layers - and hence a capacity of about 9GB a side.

Sessions
For CDs there can be multiple sessions of writing. Typically each session on a data CD will be a new track, but there is no reason why sessions should not contain more than one track.


Forensic Report

The forensic report is part of the Forensic Options, controlled by the program licence. The function of the report is to be the basis of any log or report listing actions and tests on the drive. It will report any disk errors, and other errors where the standard logical recovery has not been possible. The best example would be when it has not been possible to resolve a full directory path, and a dummy directory entry has been created. The report is part of the main log screen, and is selected by the tab at the top of the box.

Log entries, from program

Wizard
The wizard performs tests on the physical media, and the following status messages, or errors, will be detected. The results from the Verify Disk structure are stored in the log.

Recover options
The log will monitor all options that have been selected as part of the appropriate recovery screen.
NTFS - these will include:
Cluster size
$MFT start cluster and start sector
MFT count
Relative sector
FAT - these will include:
Cluster size
Cluster 2 location
FAT start
Directory start

NTFS messages
The forensic report will do basic analysis on system files. This will include $bitmap and $logfile.
Fixup error in MFT - an MFT has self checking built in, and an error was found
Cluster out of range - a cluster higher than the length of the partition was requested
MFT entry not found at expected location - the specified location is not an MFT
MFT entry not found at cluster 4 - when an MFT is not set by the BIOS, some values are tested
MFT entry not found at cluster 0xc0000 - when an MFT is not set by the BIOS, some values are tested
Cluster 0xc0000 has been set as start of MFT - a 'guessed' value has been used
Cluster 4 has been set as start of MFT - a 'guessed' value has been used
MFT for xxx not a directory MFT - a parent directory location is invalid

FAT messages
FAT parent directory not found for cluster: xxx - the parent directory was not found; a dummy directory will be created. This is the directory that is pointed to by the '..' entry in the directory stub.
File truncated, found xxx expected yyy - the full file has been truncated, often due to a FAT entry indicating end of file.
Next cluster same as current cluster, incrementing value - this would cause the program to loop on a single cluster, so the next sector will be selected automatically.

Keyword search

The keyword search is part of the commercial and forensic options. It allows files to be tested for keywords while being recovered. The log displays the results of a keyword search on the files. The fields are as described below:
# - The original entry number
Flags - This is the type of search carried out, and can be any combination of the following:
c - Character search
u - Unicode search
i - Case ignore
Offset - This is the offset of the first occurrence within the file
Count - This is the number of times the string has been found
String - The string being searched for
File - The name of the file the string was found in


More information

Dreamweaver MX 2004. Templates

Dreamweaver MX 2004. Templates Dreamweaver MX 2004 Templates Table f Cntents Dreamweaver Templates... 3 Creating a Dreamweaver template... 3 Types f template regins... 4 Inserting an editable regin... 4 Selecting editable regins...

More information

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008

Exercise 5 Server Configuration, Web and FTP Instructions and preparatory questions Administration of Computer Systems, Fall 2008 Exercise 5 Server Cnfiguratin, Web and FTP Instructins and preparatry questins Administratin f Cmputer Systems, Fall 2008 This dcument is available nline at: http://www.hh.se/te2003 Exercise 5 Server Cnfiguratin,

More information

990 e-postcard FAQ. Is there a charge to file form 990-N (e-postcard)? No, the e-postcard system is completely free.

990 e-postcard FAQ. Is there a charge to file form 990-N (e-postcard)? No, the e-postcard system is completely free. 990 e-pstcard FAQ Fr frequently asked questins abut filing the e-pstcard that are nt listed belw, brwse the FAQ at http://epstcard.frm990.rg/frmtsfaq.asp# (cpy and paste this link t yur brwser). General

More information

NASDAQ BookViewer 2.0 User Guide

NASDAQ BookViewer 2.0 User Guide NASDAQ BkViewer 2.0 User Guide NASDAQ BkViewer 2.0 ffers a real-time view f the rder depth using the NASDAQ Ttalview prduct fr NASDAQ and ther exchange-listed securities including: The tp buy and sell

More information

Service Desk Self Service Overview

Service Desk Self Service Overview Tday s Date: 08/28/2008 Effective Date: 09/01/2008 Systems Invlved: Audience: Tpics in this Jb Aid: Backgrund: Service Desk Service Desk Self Service Overview All Service Desk Self Service Overview Service

More information

HarePoint HelpDesk for SharePoint. For SharePoint Server 2010, SharePoint Foundation 2010. User Guide

HarePoint HelpDesk for SharePoint. For SharePoint Server 2010, SharePoint Foundation 2010. User Guide HarePint HelpDesk fr SharePint Fr SharePint Server 2010, SharePint Fundatin 2010 User Guide Prduct versin: 14.1.0 04/10/2013 2 Intrductin HarePint.Cm (This Page Intentinally Left Blank ) Table f Cntents

More information

The ad hoc reporting feature provides a user the ability to generate reports on many of the data items contained in the categories.

The ad hoc reporting feature provides a user the ability to generate reports on many of the data items contained in the categories. 11 This chapter includes infrmatin regarding custmized reprts that users can create using data entered int the CA prgram, including: Explanatin f Accessing List Screen Creating a New Ad Hc Reprt Running

More information

Phone support is available if you have any questions or problems with the NASP PRO software during your tournament.

Phone support is available if you have any questions or problems with the NASP PRO software during your tournament. NASP Pr Turnament Instructins Updated 11/4/13 - NASP Pr Turnament Step by Step It is HIGHLY recmmended that yu read and fllw these instructins. Als, print these instructins and have them available at yur

More information

Tech Notes Promise RAID

Tech Notes Promise RAID Tech Ntes Prmise RAID 03/05/ Purpse: T increase familiarity with the Prmise RAID systems in bth Windws Based and DOS based sftware, including the crrect methd fr rebuilding arrays, crrecting drive errrs,

More information

Supervisor Quick Guide

Supervisor Quick Guide Payrll Office: ext. 7611 payrll@dixie.edu Supervisr Quick Guide This dcument prvides an verview f the daily functins and respnsibilities t be cmpleted by Supervisrs in the EMPOWERTIME Autmated Timekeeping

More information

Tipsheet: Sending Out Mass Emails in ApplyYourself

Tipsheet: Sending Out Mass Emails in ApplyYourself GEORGETOWN GRADUATE SCHOOL Tipsheet: Sending Out Mass Emails in ApplyYurself In ApplyYurself (AY), it is very simple and easy t send a mass email t all f yur prspects, applicants, r students with applicatins

More information

Access EEC s Web Applications... 2 View Messages from EEC... 3 Sign In as a Returning User... 3

Access EEC s Web Applications... 2 View Messages from EEC... 3 Sign In as a Returning User... 3 EEC Single Sign In (SSI) Applicatin The EEC Single Sign In (SSI) Single Sign In (SSI) is the secure, nline applicatin that cntrls access t all f the Department f Early Educatin and Care (EEC) web applicatins.

More information

Diagnosis and Troubleshooting

Diagnosis and Troubleshooting Diagnsis and Trubleshting DataDirect Cnnect Series ODBC Drivers Intrductin This paper discusses the diagnstic tls that are available t cnfigure and trublesht yur ODBC envirnment and prvides a trubleshting

More information

iphone Mobile Application Guide Version 2.2.2

iphone Mobile Application Guide Version 2.2.2 iphne Mbile Applicatin Guide Versin 2.2.2 March 26, 2014 Fr the latest update, please visit ur website: www.frte.net/mbile Frte Payment Systems, Inc. 500 West Bethany, Suite 200 Allen, Texas 75013 (800)

More information

Implementing ifolder Server in the DMZ with ifolder Data inside the Firewall

Implementing ifolder Server in the DMZ with ifolder Data inside the Firewall Implementing iflder Server in the DMZ with iflder Data inside the Firewall Nvell Cl Slutins AppNte www.nvell.cm/clslutins JULY 2004 OBJECTIVES The bjectives f this dcumentatin are as fllws: T cnfigure

More information

Using Identity Finder. ITS Training Document

Using Identity Finder. ITS Training Document Using Identity Finder ITS Training Dcument Hw t search and remve Persnally Identifiable Infrmatin (PII) frm yur cmputer using Identity Finder sftware. Using Identity Finder ITS Training Dcument Our intentin

More information

MaaS360 Cloud Extender

MaaS360 Cloud Extender MaaS360 Clud Extender Installatin Guide Cpyright 2012 Fiberlink Cmmunicatins Crpratin. All rights reserved. Infrmatin in this dcument is subject t change withut ntice. The sftware described in this dcument

More information

BRILL s Editorial Manager (EM) Manual for Authors Table of Contents

BRILL s Editorial Manager (EM) Manual for Authors Table of Contents BRILL s Editrial Manager (EM) Manual fr Authrs Table f Cntents Intrductin... 2 1. Getting Started: Creating an Accunt... 2 2. Lgging int EM... 3 3. Changing Yur Access Cdes and Cntact Infrmatin... 3 3.1

More information

INTERMEDIATE CAD FILE MANAGEMENT

INTERMEDIATE CAD FILE MANAGEMENT INTERMEDIATE CAD FILE MANAGEMENT Intrductin File mismanagement is the dwnfall f many brilliant individuals. If yu are wise, yu wn't be ne f the peple wh meet disaster due t pr file management. Cmputers

More information

Mobile Device Manager Admin Guide. Reports and Alerts

Mobile Device Manager Admin Guide. Reports and Alerts Mbile Device Manager Admin Guide Reprts and Alerts September, 2013 MDM Admin Guide Reprts and Alerts i Cntents Reprts and Alerts... 1 Reprts... 1 Alerts... 3 Viewing Alerts... 5 Keep in Mind...... 5 Overview

More information

Ten Steps for an Easy Install of the eg Enterprise Suite

Ten Steps for an Easy Install of the eg Enterprise Suite Ten Steps fr an Easy Install f the eg Enterprise Suite (Acquire, Evaluate, and be mre Efficient!) Step 1: Dwnlad the eg Sftware; verify hardware and perating system pre-requisites Step 2: Obtain a valid

More information

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2.

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2. Oracle s Hyperin Data Integratin Management Release 9.2.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 Intrductin t Data Integratin Management... 1 Data Integratin Management Adapters...

More information

Welcome to Microsoft Access Basics Tutorial

Welcome to Microsoft Access Basics Tutorial Welcme t Micrsft Access Basics Tutrial After studying this tutrial yu will learn what Micrsft Access is and why yu might use it, sme imprtant Access terminlgy, and hw t create and manage tables within

More information

How to put together a Workforce Development Fund (WDF) claim 2015/16

How to put together a Workforce Development Fund (WDF) claim 2015/16 Index Page 2 Hw t put tgether a Wrkfrce Develpment Fund (WDF) claim 2015/16 Intrductin What eligibility criteria d my establishment/s need t meet? Natinal Minimum Data Set fr Scial Care (NMDS-SC) and WDF

More information

Custom Portlets. an unbiased review of the greatest Practice CS feature ever. Andrew V. Gamet

Custom Portlets. an unbiased review of the greatest Practice CS feature ever. Andrew V. Gamet Custm Prtlets an unbiased review f the greatest Practice CS feature ever Andrew V. Gamet Descriptin In Practice CS, the firm can use any f the fur dashbards t quickly display relative infrmatin. The Firm,

More information

esupport Quick Start Guide

esupport Quick Start Guide esupprt Quick Start Guide Last Updated: 5/11/10 Adirndack Slutins, Inc. Helping Yu Reach Yur Peak 908.725.8869 www.adirndackslutins.cm 1 Table f Cntents PURPOSE & INTRODUCTION... 3 HOW TO LOGIN... 3 SUBMITTING

More information

Citrix XenServer from HP Getting Started Guide

Citrix XenServer from HP Getting Started Guide Citrix XenServer frm HP Getting Started Guide Overview This guide utlines the basic setup, installatin, and cnfiguratin steps required t begin using yur Citrix XenServer frm HP. A first time wizard-based

More information

Exchanging Files Securely with Gerstco Using gpg4win Public Key Encryption

Exchanging Files Securely with Gerstco Using gpg4win Public Key Encryption Exchanging Files Securely with Gerstc Using gpg4win Public Key Encryptin Overview Visit the fllwing page n Gerstc s website t watch a vide verview f Public Key Encryptin: www.gerstc.cm/???? Initial Setup

More information

Network Intrusion Detection

Network Intrusion Detection Netwrk Intrusin Detectin Best f Breed Prtectin with SNORT Implementing Snrt Snrt can be readily implemented with the help f a special Linux distributin named Sentinix (http://www.sentinix.rg). Wait a minute,

More information

Watson Communications 489 Shoemaker Road Suite 111 King of Prussia Pa 19446 610 631 5454 www.choosewatson.com for service custserv@watsonconnects.

Watson Communications 489 Shoemaker Road Suite 111 King of Prussia Pa 19446 610 631 5454 www.choosewatson.com for service custserv@watsonconnects. Telewrker Supprt Dcument Descriptin The Mitel Telewrker applicatin allws a Mitel IP telephne set t be used ff premise where ever a high speed internet cnnectin is available. All f the features f the Mitel

More information

efusion Table of Contents

efusion Table of Contents efusin Cst Centers, Partner Funding, VAT/GST and ERP Link Table f Cntents Cst Centers... 2 Admin Setup... 2 Cst Center Step in Create Prgram... 2 Allcatin Types... 3 Assciate Payments with Cst Centers...

More information

Wireless Light-Level Monitoring

Wireless Light-Level Monitoring Wireless Light-Level Mnitring ILT1000 ILT1000 Applicatin Nte Wireless Light-Level Mnitring 1 Wireless Light-Level Mnitring ILT1000 The affrdability, accessibility, and ease f use f wireless technlgy cmbined

More information

User Manual Brainloop Outlook Add-In. Version 3.4

User Manual Brainloop Outlook Add-In. Version 3.4 User Manual Brainlp Outlk Add-In Versin 3.4 Cntent 1. Summary... 3 2. Release Ntes... 3 2.1 Prerequisites... 3 2.2 Knwn Restrictins... 4 3. Installatin and Cnfiguratin... 4 3.1 The installatin prgram...

More information

Recommended Backup Plan for SQL 2000 Server Database Servers

Recommended Backup Plan for SQL 2000 Server Database Servers Recmmended Backup Plan fr SQL 2000 Server Database Servers (DAISI) General Ntes STI recmmends that data backup be perfrmed n a regular basis. Transactin Lg Backup Users shuld nt truncate the Transactin

More information

Customers FAQs for Webroot SecureAnywhere Identity Shield

Customers FAQs for Webroot SecureAnywhere Identity Shield Custmers FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere sftware?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is Webrt

More information

Preparing to Deploy Reflection : A Guide for System Administrators. Version 14.1

Preparing to Deploy Reflection : A Guide for System Administrators. Version 14.1 Preparing t Deply Reflectin : A Guide fr System Administratrs Versin 14.1 Table f Cntents Table f Cntents... 2 Preparing t Deply Reflectin 14.1:... 3 A Guide fr System Administratrs... 3 Overview f the

More information

Getting Started Guide

Getting Started Guide fr SQL Server www.lgbinder.cm Getting Started Guide Dcument versin 1 Cntents Installing LOGbinder fr SQL Server... 3 Step 1 Select Server and Check Requirements... 3 Select Server... 3 Sftware Requirements...

More information

Disk Redundancy (RAID)

Disk Redundancy (RAID) A Primer fr Business Dvana s Primers fr Business series are a set f shrt papers r guides intended fr business decisin makers, wh feel they are being bmbarded with terms and want t understand a cmplex tpic.

More information

Implementing SQL Manage Quick Guide

Implementing SQL Manage Quick Guide Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL

More information

Welcome to CNIPS Training: CACFP Claim Entry

Welcome to CNIPS Training: CACFP Claim Entry Welcme t CNIPS Training: CACFP Claim Entry General Cmments frm SCN CACFP claiming begins with submissin f the Octber claim due by Nvember 15, 2012. Timelines/Due Dates With CNIPS, SCN will cntinue t enfrce

More information

NAVIPLAN PREMIUM LEARNING GUIDE. Analyze, compare, and present insurance scenarios

NAVIPLAN PREMIUM LEARNING GUIDE. Analyze, compare, and present insurance scenarios NAVIPLAN PREMIUM LEARNING GUIDE Analyze, cmpare, and present insurance scenaris Cntents Analyze, cmpare, and present insurance scenaris 1 Learning bjectives 1 NaviPlan planning stages 1 Client case 2 Analyze

More information

RedCloud Security Management Software 3.6 Release Notes

RedCloud Security Management Software 3.6 Release Notes RedClud Security Management Sftware 3.6 Release Ntes ------------------------------------------------------------------------------------------------------------------------------- General Availability

More information

CallRex 4.2 Installation Guide

CallRex 4.2 Installation Guide CallRex 4.2 Installatin Guide This dcument describes hw t install CallRex 4.2. It cvers the fllwing: CallRex 4.2 Cmpnents. Server Prerequisites. Perfrming the Installatin. Changing the Accunt Used by CallRex

More information

Click Studios. Passwordstate. RSA SecurID Configuration

Click Studios. Passwordstate. RSA SecurID Configuration Passwrdstate RSA SecurID Cnfiguratin This dcument and the infrmatin cntrlled therein is the prperty f Click Studis. It must nt be reprduced in whle/part, r therwise disclsed, withut prir cnsent in writing

More information

Access to the Ashworth College Online Library service is free and provided upon enrollment. To access ProQuest:

Access to the Ashworth College Online Library service is free and provided upon enrollment. To access ProQuest: PrQuest Accessing PrQuest Access t the Ashwrth Cllege Online Library service is free and prvided upn enrllment. T access PrQuest: 1. G t http://www.ashwrthcllege.edu/student/resurces/enterlibrary.html

More information

Installation Guide Marshal Reporting Console

Installation Guide Marshal Reporting Console Installatin Guide Installatin Guide Marshal Reprting Cnsle Cntents Intrductin 2 Supprted Installatin Types 2 Hardware Prerequisites 2 Sftware Prerequisites 3 Installatin Prcedures 3 Appendix: Enabling

More information

STIClassroom Win Rosters, Attendance, Lesson Plans and Textbooks

STIClassroom Win Rosters, Attendance, Lesson Plans and Textbooks STIClassrm Win Rsters, Attendance, Lessn Plans and Textbks Student Class Rster T access the student class rster, click the icn in the Classrm desktp. Frm the Rster screen, teachers may access the items

More information

Table of Contents. About... 18

Table of Contents. About... 18 Table f Cntents Abut...3 System Requirements...3 Hw it Wrks...4 Abut... 4 Hw SFA Admin Prtects Data... 4 Hw SFA User Wrks with Prtected Data... 4 Sandbxed Sessin Restrictins... 4 Secure File Access User

More information

Caching Software Performance Test: Microsoft SQL Server Acceleration with FlashSoft Software 3.8 for Windows Server

Caching Software Performance Test: Microsoft SQL Server Acceleration with FlashSoft Software 3.8 for Windows Server The linked image cannt be displayed. The file may have been mved, renamed, r deleted. Verify that the link pints t the crrect file and lcatin. Technical Brief Caching Sftware Perfrmance Test: Micrsft SQL

More information

Remote Desktop Tutorial. By: Virginia Ginny Morris

Remote Desktop Tutorial. By: Virginia Ginny Morris Remte Desktp Tutrial By: Virginia Ginny Mrris 2008 Remte Desktp Tutrial Virginia Ginny Mrris Page 2 Scpe: The fllwing manual shuld accmpany my Remte Desktp Tutrial vide psted n my website http://www.ginnymrris.cm

More information

FAQs for Webroot SecureAnywhere Identity Shield

FAQs for Webroot SecureAnywhere Identity Shield FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere Identity Shield?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is the Webrt

More information

Basic Guide line for The Sportident system

Basic Guide line for The Sportident system Basic Guide line fr The Sprtident system SI-statins BSF7-8, Master statins BSM7, SI-Cnfig versin 1.4.1, 2006-10-24-1 - Index This guide line... 3 General... 3 Knwledge... 3 Mre infrmatin... 3 System requirements...

More information

A COMPLETE GUIDE TO ORACLE BI DISCOVERER END USER LAYER (EUL)

A COMPLETE GUIDE TO ORACLE BI DISCOVERER END USER LAYER (EUL) A COMPLETE GUIDE TO ORACLE BI DISCOVERER END USER LAYER (EUL) Authr: Jayashree Satapathy Krishna Mhan A Cmplete Guide t Oracle BI Discverer End User Layer (EUL) 1 INTRODUCTION END USER LAYER (EUL) The

More information

SQL Perform Tools 5.10 Release Note

SQL Perform Tools 5.10 Release Note SQL Perfrm Tls 5.10 Release Nte Lndn, UK, February 26 2015 SQL Perfrm Tls versin 5.10 release Tday we are prudly annuncing the latest release f ur prducts' family SQL Perfrm Tls. Fr clarity, the prduct

More information

Often people have questions about new or enhanced services. This is a list of commonly asked questions and answers regarding our new WebMail format.

Often people have questions about new or enhanced services. This is a list of commonly asked questions and answers regarding our new WebMail format. Municipal Service Cmmissin Gerald P. Cle Frederick C. DeLisle Thmas M. Kaul Gregry L. Riggle Stanley A. Rutkwski Electric, Steam, Water Cable Televisin and High Speed Internet Service since 1889 Melanie

More information

Getting Started Guide

Getting Started Guide fr SharePint www.lgbinder.cm Getting Started Guide Dcument versin 3 Cntents Installing LOGbinder fr SharePint... 3 Step 1 Select Server and Check Sftware Requirements... 3 Select Server... 3 Sftware Requirements...

More information

A Beginner s Guide to Building Virtual Web Servers

A Beginner s Guide to Building Virtual Web Servers A Beginner s Guide t Building Virtual Web Servers Cntents Intrductin... 1 Why set up a web server?... 2 Installing Ubuntu 13.04... 2 Netwrk Set Up... 3 Installing Guest Additins... 4 Updating and Upgrading

More information

Release Notes. Dell SonicWALL Email Security 7.4.3 firmware is supported on the following appliances: Dell SonicWALL Email Security 200

Release Notes. Dell SonicWALL Email Security 7.4.3 firmware is supported on the following appliances: Dell SonicWALL Email Security 200 Release Ntes Email Security Dell SnicWALL Email Security 7.4.3 SnicOS Cntents System Cmpatibility... 1 Enhancements in Email Security 7.4.3... 2 Knwn Issues... 3 Upgrading t Email Security 7.4.3... 4 Related

More information

GETTING STARTED With the Control Panel Table of Contents

GETTING STARTED With the Control Panel Table of Contents With the Cntrl Panel Table f Cntents Cntrl Panel Desktp... 2 Left Menu... 3 Infrmatin... 3 Plan Change... 3 Dmains... 3 Statistics... 4 Ttal Traffic... 4 Disk Quta... 4 Quick Access Desktp... 4 MAIN...

More information

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool Cnfiguring BMC AREA LDAP Using AD dmain credentials fr the BMC Windws User Tl Versin 1.0 Cnfiguring the BMC AREA LDAP Plugin fr Dmain Username and Passwrds Intrductin...3 LDAP Basics...4 What is LDAP and

More information

AccessData Corporation AD Lab System Specification Guide v1.1

AccessData Corporation AD Lab System Specification Guide v1.1 AccessData Crpratin AD Lab System Specificatin Guide v1.1 The AD Lab system specificatin guide was created t ensure the apprpriate is in place supprt an enterprise deplyment f AccessData Lab. The AccessData

More information

CSC IT practix Recommendations

CSC IT practix Recommendations CSC IT practix Recmmendatins CSC Healthcare 28th January 2014 Versin 3 www.csc.cm/glbalhealthcare Cntents 1 Imprtant infrmatin 3 2 IT Specificatins 4 2.1 Wrkstatins... 4 2.2 Minimum Server with 1-5 wrkstatins

More information

E-Biz Web Hosting Control Panel

E-Biz Web Hosting Control Panel 1 f 38 E-Biz Web Hsting Cntrl Panel This dcument has been created t give yu a useful insight in t the Hsting Cntrl Panel available with E-Biz hsting services. Please nte: Optins available are dependent

More information

NETWRIX CHANGE NOTIFIER

NETWRIX CHANGE NOTIFIER NETWRIX CHANGE NOTIFIER FOR ACTIVE DIRECTORY, EXCHANGE AND GROUP POLICY QUICK-START GUIDE Prduct versin: 7.5.873 February 2014 February 2014. Legal Ntice The infrmatin in this publicatin is furnished fr

More information

Dial Backup for Dedicated T1 Circuits using the ATLAS

Dial Backup for Dedicated T1 Circuits using the ATLAS Article ID: 1449 Q&A Dial Backup fr Dedicated T1 Circuits using the ATLAS Q: Dial Backup fr Dedicated T1 Circuits using the ATLAS A: Intrductin This technical supprt nte describes hw t cnfigure the ATLAS

More information

CSE 231 Fall 2015 Computer Project #4

CSE 231 Fall 2015 Computer Project #4 CSE 231 Fall 2015 Cmputer Prject #4 Assignment Overview This assignment fcuses n the design, implementatin and testing f a Pythn prgram that uses character strings fr data decmpressin. It is wrth 45 pints

More information

Webalo Pro Appliance Setup

Webalo Pro Appliance Setup Webal Pr Appliance Setup 1. Dwnlad the Webal virtual appliance apprpriate fr yur virtualizatin infrastructure, using the link yu were emailed. The virtual appliance is delivered as a.zip file that is n

More information

ATL: Atlas Transformation Language. ATL Installation Guide

ATL: Atlas Transformation Language. ATL Installation Guide ATL: Atlas Transfrmatin Language ATL Installatin Guide - versin 0.1 - Nvember 2005 by ATLAS grup LINA & INRIA Nantes Cntent 1 Intrductin... 3 2 Installing ADT frm binaries... 3 2.1 Installing Eclipse and

More information

o 1.1 - How AD Query Works o 1.2 - Installation Requirements o 2.1 - Inserting your License Key o 2.2 - Selecting and Changing your Search Domain

o 1.1 - How AD Query Works o 1.2 - Installation Requirements o 2.1 - Inserting your License Key o 2.2 - Selecting and Changing your Search Domain SysOp Tls Active Directry Management sftware Active Directry Query v1.x Sftware Installatin and User Guide Updated September 29, 2008 In This Dcument: 1.0 Intrductin 1.1 - Hw AD Query Wrks 1.2 - Installatin

More information

MPDS Configuration Sheet Windows 2000

MPDS Configuration Sheet Windows 2000 MPDS Cnfiguratin Sheet Windws 2000 Cnnecting t the Internet via a Mbile Packet Data service terminal Setting up a Windws 2000 mdem device The PC cmmunicates with the MPDS terminal as if it were a mdem.

More information

Readme File. Purpose. What is Translation Manager 9.3.1? Hyperion Translation Manager Release 9.3.1 Readme

Readme File. Purpose. What is Translation Manager 9.3.1? Hyperion Translation Manager Release 9.3.1 Readme Hyperin Translatin Manager Release 9.3.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 What is Translatin Manager 9.3.1?... 1 Cmpatible Sftware... 2 Supprted Internatinal Operating

More information