±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35503
New Yesterday: 0 Visitors: 136

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Encase how to recover broken excel files

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

irfanion
Newbie
 

Encase how to recover broken excel files

Post Posted: Mar 29, 19 12:10

Hello Forensic Folks, lets cut to the chase, the suspect's laptop are using SSD. Im using Encase v8. I found all the important data are mark with permanently deleted tick and the is_deleted tab are true. Is there any way to recover this files? Especially excel ones. Encase only give me the names of the file, and when i try to recover excel for instance, it cannot be opened. Files are damaged.

I also try to recover using free online excel recover tools and it does'nt help.


Any inputs are welcome. Thanks  
 
  

kastajamah
Senior Member
 

Re: Encase how to recover broken excel files

Post Posted: Mar 29, 19 14:58

You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.  
 
  

keydet89
Senior Member
 

Re: Encase how to recover broken excel files

Post Posted: Mar 29, 19 17:56

Volume Shadow Copies?  
 
  

jhup
Senior Member
 

Re: Encase how to recover broken excel files

Post Posted: Mar 30, 19 15:27

Carve the Excel file as much as possible, then some more, and give it to 7-Zip.  
 
  

irfanion
Newbie
 

Re: Encase how to recover broken excel files

Post Posted: Apr 01, 19 05:00

- kastajamah
You should scroll over a little further and see if the file is marked as overwritten. If it is overwritten, you will most likely not get it back. If you look in the GPS bar, if the file is overwritten, it will tell you what file is now in its place. You could go into the hex/text view to see what is there. EnCase will mark the file as overwritten if the header is missing, but in the hex view, you might see what you are looking for. You can then highlight it and bookmark it for your report.



some files are overwritten and some are permanently deleted. I know if its overwritten it is impossible to recover. But what i don't understand is all those files have 'is_deleted tab' true. is_deleted mean those files going to recycle bin but not permanently deleted. It means those files can be recovered. But not in this case

Also nothing can i get from the hex view, its just random strings and weird symbols


www.forensicfocus.com/...ic/t=3783/  
 
  

jaclaz
Senior Member
 

Re: Encase how to recover broken excel files

Post Posted: Apr 01, 19 09:00

- irfanion

Also nothing can i get from the hex view, its just random strings and weird symbols


Hmmm.
What would you have expected, instead? Shocked

I mean, create an Excel file.
Have a look at it with a hex viewer.
Can you find *any* pattern or recognizable text?
Or are you seeing anyway "just random strings and weird symbols"?

Recent MS office files (.docx and .xlsx) are nothing but a .zip (PK zip compatible) archive containing a number of .xml files, like *any* zip archive, in a hex view they look essentially as "just random strings and weird symbols".

You need to parse them with a .zip recovery tool or similar.

As a reference, check this seemingly totally unrelated discussion thread:
reboot.pro/topic/12255...al-floppy/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

hommy0
Senior Member
 

Re: Encase how to recover broken excel files

Post Posted: Apr 01, 19 09:35

If your using EnCase, the following enscript from EnCase App Central could be used for recovery of entries from a zip archive:

www.guidancesoftware.c...try-finder

This will identify the individual entries from a zip archive (using the local file header 0x50 0x4B 0x03 0x04), it will then repair adding the central directory and if required create a LEF to brought back into EnCase.

There is also a condition to restrict your carving based on components of the local file header:
Name (within the archive), CRC32, Modified Date, and Uncompressed size

Make an Excel file, change the extension to zip and open using Winrar/7zip - look at the construction of the archive identify what you might need, so for example xl/worksheets/sheet1.xml, and see what can be recovered.

To answer the other point of the "Is Deleted" column.
This does not relate exclusively to an entry in the Windows Recycle Bin since a file in the recycle bin is still allocated and is not deleted until it is emptied from the Recycle Bin.
EnCase will make this value TRUE for a file/folder that has the status of Deleted as indicated for NTFS in $MFT record header

Regards  
 

Page 1 of 2
Page 1, 2  Next