Recover data from formatted drive/floppy

(@hezry79)
Posts: 8
Active Member
Topic starter
 

I am a self-learner in computer forensics and I use trial tools such as EnCase and X-Ways to recover lost files. I would like to ask you guys out there some questions.

If a file was deleted from the hard drive, the application can recover it. But how about if the hard drive has been formatted? Can it be recovered? I tried formatting a floppy disk and used the EnCase and X-Ways tools to recover the previous file on that floppy, but I failed to get it back.

Is it true that if the drive is formatted, we can't get any data back?

Thank you

 
Posted : 22/07/2005 8:30 pm
(@fatrabbit)
Posts: 132
Estimable Member
 

Recovering data deleted by formatting is possible, with the exception of low-level formats. While general formatting and quick formatting delete only the data information and leave the actual file on the HDD, low-level formatting deletes all data areas and causes the same result as an overwrite.

 
Posted : 23/07/2005 12:15 am
(@hezry79)
Posts: 8
Active Member
Topic starter
 

But why, when I do a test on my floppy, for example: I save one Word file and delete it from the floppy. After that I do a general format on that floppy. Then I use the EnCase/X-Ways tools to get the data back from the floppy, but I can't even see any file appear… why is that?

 
Posted : 23/07/2005 7:05 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

You won't see the file in a hierarchical (windows explorer) type layout as the format will have gotten rid of the file structure.

Search for the header ÐÏ.à¡±.á (MS Office header for .docs, .xls etc…) in free space or do a keyword search in the free space for a word or phrase you know to be in the document. You should be able to find it.

Andrew-

 
Posted : 23/07/2005 8:37 am
(@hezry79)
Posts: 8
Active Member
Topic starter
 

I will try it now

 
Posted : 23/07/2005 8:46 am
(@hezry79)
Posts: 8
Active Member
Topic starter
 

OK, success. I created a text file named test and wrote something inside it, then formatted the floppy disk. I used EnCase to recover it and I found it. This is similar for any document such as Word, etc…

But how about pictures such as jpg, gif, bmp?… How to track one and save it back to its own format?

Thanks for the guidance.

 
Posted : 23/07/2005 9:11 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

It is the same thing regardless of the type of file, although some are more difficult than others. You can test using the same logic. Save a .jpg to the floppy and format it. If you go back into the free space area and look for the header ÿØÿà you should locate the file.

It is possible to manually extract them, but most of the forensic software packages have built-in features that search for file headers and then recover them for you if found.

If you want some more info on file signatures take a look at http://www.garykessler.net/library/file_sigs.html

Hope this helps.

Andrew-

 
Posted : 23/07/2005 10:23 am
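
The header search described in the replies above, as an added example that is not part of the original thread: it scans a raw image for the two signatures mentioned (written as raw bytes) and carves a JPEG from its header to its end-of-image marker. The function names, the 512-byte sector-alignment filter and the sample image are assumptions constructed for illustration.

```python
import hashlib

# The two headers named in the thread, as raw bytes.
SIGNATURES = {
    "ole2": bytes.fromhex("d0cf11e0a1b11ae1"),  # MS Office .doc/.xls (OLE2 container)
    "jpeg": bytes.fromhex("ffd8ffe0"),          # JPEG/JFIF, displayed as "ÿØÿà"
}
JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker
SECTOR = 512            # assumed sector size

def find_signatures(image, sector_aligned=True):
    """Return sorted (offset, name) hits. File data starts on a cluster
    boundary, so the alignment filter drops chance matches inside other data."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            if not sector_aligned or pos % SECTOR == 0:
                hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def carve_jpeg(image, start, max_size=2 * 1024 * 1024):
    """Carve from a JPEG header to the first end-of-image marker.
    Returns None when no footer is found. Assumes a contiguous file; a
    fragmented file, or one with an embedded thumbnail, carves incompletely."""
    end = image.find(JPEG_EOI, start + 4, start + max_size)
    if end == -1:
        return None
    return image[start:end + len(JPEG_EOI)]

def build_sample_image():
    """Constructed sample: a 64-sector zero-filled image holding leftover data."""
    img = bytearray(64 * SECTOR)
    jpeg = SIGNATURES["jpeg"] + b"\x00\x10JFIF\x00constructed-scan-data" + JPEG_EOI
    img[33 * SECTOR:33 * SECTOR + len(jpeg)] = jpeg
    img[40 * SECTOR:40 * SECTOR + 8] = SIGNATURES["ole2"]
    off = 45 * SECTOR + 7                        # unaligned chance match
    img[off:off + 4] = SIGNATURES["jpeg"]
    return bytes(img), jpeg

if __name__ == "__main__":
    image, _ = build_sample_image()
    for offset, name in find_signatures(image):
        print(f"{name} header at offset {offset} (sector {offset // SECTOR})")
        if name == "jpeg":
            data = carve_jpeg(image, offset)
            if data:
                print("  carved", len(data), "bytes, md5", hashlib.md5(data).hexdigest())
```

Run it against a copy of an acquired image rather than the source media, reading the file in binary mode and passing the bytes to `find_signatures`.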
(@hezry79)
Posts: 8
Active Member
Topic starter
 

Thank you… that helps much.

 
Posted : 23/07/2005 10:35 am
(@hezry79)
Posts: 8
Active Member
Topic starter
 

I have one little question…

For EnCase, the first time I acquire the floppy, a message appears like the one below:

a write lock could not be placed on drive A. The drive contents may change during this process. Continue?

What does this mean?… Does this mean I cannot proceed because if I proceed the data will change?… Or is this a bad habit for a forensic guy?… Normally for testing I just click Continue…

 
Posted : 23/07/2005 10:40 am
andy1500mac
(@andy1500mac)
Posts: 79
Trusted Member
 

I am not overly familiar with EnCase; other members of the forum would be able to help with specific inquiries. However, one of the cardinal rules in this field is not to alter the original media if at all possible.

You would normally take a checksum or hash value of the source drive (e.g. MD5), image it, and then ensure they are the same by checking the hash value of the image against the original. There are hardware write blocking devices available on the market that are attached to the source drives to prevent any writes to them. I know Winhex forensics does not allow data to be written to the source drive by using software blockers but I believe most in the field couple this with a hardware one to be sure..?

In respect to the error you are getting… it is just EnCase telling you that it cannot write protect the drive and it MAY be altered during the acquisition. Although I haven’t tested myself on floppies, you can just use the write protect notch on the disk itself. I am not 100% sure whether this fully protects it during an acquisition…

Andrew-

 
Posted : 23/07/2005 11:57 am