File names recovering after formatting

Hi all,

I saw that software like R-Studio, Recuva, etc. can recover file names after formatting the disk/pendrive. I don't know how... because when we format a device, e.g. NTFS, we delete the MFT and we write a new MFT on it. So I tried to format my NTFS pendrive, I ran Recuva and R-Studio and I found the old files with their names and sometimes their date and time metadata. 8-O

I knew that the only way to recover files after formatting is data carving, but with this method all the metadata are lost. So I tried this:

    strings -a -t d -e l /dev/sdb
    ...
    ...
    42281714 Dl3.jpg
    42282738 Dl4.jpg
    42282858 15062008013.jpg
    42283762 190820~2.JPGjpg0
    42283882 19082008023.jpg
    42284786 190820~3.JPGjpg0
    42284906 19082008024.jpg
    42285810 NANNIR~1.JPGa640
    42285930 nanniricciola640.jpg
    42286834 NANNIL~1.JPGjpg0
    42286954 nannileccia.jpg
    ...
    etc.

So, the file names are still there as strings... ok ok let's go on:

    xxd -s 42286954 -l 512 /dev/sdb
    2853f6a: 6e00 6100 6e00 6e00 6900 6c00 6500 6300  n.a.n.n.i.l.e.c.
    2853f7a: 6300 6900 6100 2e00 6a00 7000 6700 8000  c.i.a...j.p.g...
    2853f8a: 0000 4800 0000 0100 0000 0000 0400 0000  ..H.............
    2853f9a: 0000 0000 0000 9f01 0000 0000 0000 4000  ..............@.
    2853faa: 0000 0000 0000 0040 0300 0000 0000 8e3f  .......@.......?
    2853fba: 0300 0000 0000 8e3f 0300 0000 0000 22a0  .......?......".
    2853fca: 0165 2800 0100 ffff ffff 8279 4711 0000  .e(........yG...
    2853fda: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    2853fea: 0000 0000 0000 0000 0000 0000 0000 0000  ................

This is the pendrive hex view at the offset (in bytes) corresponding to nannileccia.jpg.

Now the "idiot try":

    (42286954 - 0)/512 = 82591
    ifind -f ntfs -o 0 -d 82591 /dev/sdb
    Inode not found

In Autopsy, clearly, no deleted file is shown... so how can this software rebuild the association between the files and their metadata, even if the MFT has been rewritten?

Thank you

-------------------------------------------------------------
Dott. Nanni Bassetti
IT Consultant
http://www.nannibassetti.com/
CFI - http://www.cfitaly.net
INDAGINI DIGITALI - http://www.lulu.com/content/1356430
Selective File Dumper - http://sfdumper.sourceforge.net/
World Wide Crime - http://www.worldwidecrime.it

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
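Added example, not part of the original post and not code from The Sleuth Kit, Recuva or R-Studio: the bytes that follow the name in the xxd dump parse as a non-resident NTFS $DATA attribute ending in the 0xFFFFFFFF attribute-list terminator, which is the layout of an MFT FILE record, so names, timestamps and cluster runs can be carved from leftover records rather than from file contents. The sketch below scans a raw image for such records; the function names, the 512-byte sector and 1024-byte record sizes, and the sample record's header and $FILE_NAME values are assumptions, while the $DATA bytes are the ones from the dump.

```python
import struct
from contextlib import suppress
from datetime import datetime, timedelta, timezone

SECTOR, RECORD, EPOCH = 512, 1024, datetime(1601, 1, 1, tzinfo=timezone.utc)  # assumed sizes; FILETIME epoch
POST_DATA_ATTR = bytes.fromhex(                     # $DATA attribute bytes from the post's xxd dump
    "8000000048000000 0100000000000400 0000000000000000 9f01000000000000 4000000000000000"
    "0040030000000000 8e3f030000000000 8e3f030000000000 22a0016528000100")

def parse_record(raw):
    """Return names, modified time, size and first data run of one FILE record."""
    rec = bytearray(raw)
    u = lambda fmt, off: struct.unpack_from(fmt, rec, off)[0]
    for i in range(1, u("<H", 6)):                  # undo fixups at each sector end
        src = u("<H", 4) + 2 * i
        if i * SECTOR <= len(rec) and src + 2 <= len(rec):
            rec[i * SECTOR - 2:i * SECTOR] = rec[src:src + 2]
    out = {"names": [], "modified": None, "size": None, "first_run": None}
    pos = u("<H", 20)                               # offset of the first attribute
    while pos + 24 <= len(rec):
        atype, alen = u("<I", pos), u("<I", pos + 4)
        if atype == 0xFFFFFFFF or alen < 24 or pos + alen > len(rec):
            break
        if atype == 0x30 and rec[pos + 8] == 0:     # resident $FILE_NAME
            c = pos + u("<H", pos + 20)             # start of the attribute content
            out["modified"] = EPOCH + timedelta(microseconds=u("<Q", c + 16) // 10)
            out["names"].append(rec[c + 66:c + 66 + 2 * rec[c + 64]].decode("utf-16-le", "replace"))
        elif atype == 0x80 and rec[pos + 8] == 1:   # non-resident $DATA
            out["size"] = u("<Q", pos + 48)         # real file size in bytes
            r = pos + u("<H", pos + 32)             # start of the run list
            ln, of = rec[r] & 0x0F, rec[r] >> 4     # byte widths of run length / start cluster
            out["first_run"] = (int.from_bytes(rec[r + 1 + ln:r + 1 + ln + of], "little", signed=True),
                                int.from_bytes(rec[r + 1:r + 1 + ln], "little"))
        pos += alen
    return out

def scan(image):
    """Yield (byte offset, info) for every sector-aligned FILE signature in a raw image."""
    for off in range(0, len(image) - RECORD + 1, SECTOR):
        if image[off:off + 4] == b"FILE":
            with suppress(struct.error, IndexError):    # damaged record: keep scanning
                yield off, parse_record(image[off:off + RECORD])

def sample_image():
    """Constructed image: made-up header and $FILE_NAME, plus the post's $DATA bytes."""
    name = "nannileccia.jpg".encode("utf-16-le")
    fn = struct.pack("<7QIIBB", 5, *[0x01CA << 48] * 4, 0, 0, 0x20, 0, len(name) // 2, 1) + name
    attr = struct.pack("<IIBBHHHIHBB", 0x30, 24 + len(fn), 0, 0, 0, 0, 3, len(fn), 24, 1, 0) + fn
    hdr = struct.pack("<4sHHQHHHH", b"FILE", 48, 3, 0, 1, 1, 56, 0).ljust(56, b"\0")
    return bytes(3 * SECTOR) + (hdr + attr + POST_DATA_ATTR + b"\xff" * 4).ljust(RECORD, b"\0")
```

`first_run` is (starting cluster, length in clusters); for the dumped attribute it decodes to 416 clusters, matching the attribute's last VCN of 0x19f.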