
How to pass "test free data recovery software" (part 2)

My colleague Viktor-Flash ran tests of free data recovery programs (first and second parts). In this article I analyze the second test, in which the partition was reformatted. I hope that after reading it the reader will understand what data recovery programs do, try to do, and could do. A significant part of the article is devoted to how files can be recovered without analyzing the file system metadata at all.

Test Two: Reformatting


(I described the layout of a FAT32 volume and the method for recovering an erased Boot sector in the previous article, so I assume the reader is familiar with them.)

A “quick format” of FAT32 usually consists of writing a new set of metadata for a “clean” file system: a new Boot sector, new FAT tables and a new Root directory. If the old and the new file system were formatted by the same driver with the same settings, these structures land in exactly the same places, and the old metadata is overwritten completely. In other cases something of the old metadata may survive, or, conversely, part of the old data area may be overwritten by the new metadata.

What can be done? The most correct approach here is to exclude all of the new metadata from consideration, find a few FAT Folders (directory clusters) left over from the old file system, and use them to determine the cluster size and the start of the cluster area of the old file system. From them we can also rebuild most of the directory and file tree. Since the Root directory was erased, the information about files that lived directly in it is gone for good. Directories that were listed in the root lose their names and attributes, but we still know that they are directories and what they contain, because we find their FAT Folders further along. Such “detached” directories are usually given synthetic names like Folder000020, where 20 is the number of the cluster holding the FAT Folder.
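As an added illustration (my own example code, not from the article or from any of the tested programs), here is a toy version of that procedure in Python. It assumes a raw image in which the "." and ".." entries of every surviving FAT Folder start on a 512-byte sector boundary, which holds for FAT because clusters are whole sectors; the sample image, including one stale "."/".." pair left behind by an earlier format, is constructed in the code and is not a real dump.

```python
import struct
from collections import Counter
from itertools import combinations

ENTRY = 32                 # size of one FAT directory entry
ATTR_DIRECTORY = 0x10
DOT = b'.          '       # 8.3 name of the "." entry (11 bytes)
DOTDOT = b'..         '    # 8.3 name of the ".." entry


def make_entry(name11, attr, first_cluster, size=0):
    """Pack a 32-byte FAT directory entry (times and dates zeroed)."""
    return struct.pack('<11sBBBHHHHHHHI', name11, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def entry_first_cluster(entry):
    """First cluster of an entry: FstClusHI at offset 20, FstClusLO at 26."""
    hi = struct.unpack_from('<H', entry, 20)[0]
    lo = struct.unpack_from('<H', entry, 26)[0]
    return (hi << 16) | lo


def find_fat_folders(image, step=512):
    """Scan the image for FAT Folders, ignoring all current FS metadata.

    Every non-root directory begins with a "." entry (its own first cluster)
    followed by ".." (the parent's first cluster, 0 if the parent is root).
    Returns (byte_offset, own_cluster, parent_cluster) for each hit."""
    hits = []
    for off in range(0, len(image) - 2 * ENTRY + 1, step):
        e1 = image[off:off + ENTRY]
        e2 = image[off + ENTRY:off + 2 * ENTRY]
        if (e1[:11] == DOT and e1[11] & ATTR_DIRECTORY
                and e2[:11] == DOTDOT and e2[11] & ATTR_DIRECTORY):
            hits.append((off, entry_first_cluster(e1), entry_first_cluster(e2)))
    return hits


def infer_geometry(folders):
    """Derive (cluster_size, data_area_start) from the FAT Folder hits.

    Two genuine folders at offsets o1, o2 with clusters c1, c2 satisfy
    o2 - o1 == (c2 - c1) * cluster_size, and cluster 2 is the first data
    cluster, so data_start = o1 - (c1 - 2) * cluster_size. Every pair votes;
    stale hits from an older format disagree with the rest and are outvoted."""
    votes = Counter()
    for (o1, c1, _), (o2, c2, _) in combinations(folders, 2):
        if c1 == c2 or (o2 - o1) % (c2 - c1):
            continue
        cs = (o2 - o1) // (c2 - c1)
        if cs <= 0 or cs & (cs - 1):          # cluster size is a power of two
            continue
        votes[(cs, o1 - (c1 - 2) * cs)] += 1
    return votes.most_common(1)[0][0] if votes else None


def recover_tree(image):
    """Find FAT Folders, fix the geometry, discard hits that do not fit it,
    and give directories whose parent was the erased root synthetic names
    in the FolderNNNNNN style (NNNNNN = cluster of the FAT Folder)."""
    folders = find_fat_folders(image)
    geom = infer_geometry(folders)
    if geom is None:
        return None
    cluster_size, data_start = geom
    tree = {c: parent for off, c, parent in folders
            if data_start + (c - 2) * cluster_size == off}
    detached = {c: 'Folder%06d' % c for c, p in tree.items() if p == 0}
    return cluster_size, data_start, tree, detached


def build_sample_image():
    """Constructed 160 KiB image: 4 KiB clusters, data area at 0x4000,
    three surviving FAT Folders (clusters 5, 20, 33; 5 and 33 lived in the
    root) plus one stale "."/".." pair in sector 1 left by an earlier format."""
    cluster, data_start = 4096, 0x4000
    img = bytearray(160 * 1024)

    def place(own, parent):
        off = data_start + (own - 2) * cluster
        img[off:off + 2 * ENTRY] = (make_entry(DOT, ATTR_DIRECTORY, own) +
                                    make_entry(DOTDOT, ATTR_DIRECTORY, parent))

    place(5, 0)
    place(20, 5)
    place(33, 0)
    img[512:512 + 2 * ENTRY] = (make_entry(DOT, ATTR_DIRECTORY, 7) +
                                make_entry(DOTDOT, ATTR_DIRECTORY, 0))
    return bytes(img)


if __name__ == '__main__':
    cs, ds, tree, detached = recover_tree(build_sample_image())
    print('cluster size %d, data area at 0x%X' % (cs, ds))
    print('directories (cluster -> parent):', tree)
    print('detached (parent was root):', detached)
```

The voting step is what makes the method robust against leftovers of older formats: a "."/".." pair whose offset does not agree with the geometry chosen by the majority of pairs is simply dropped. Names of directories that lived in the root are gone with the root, which is why they get the synthetic FolderNNNNNN names; names of deeper directories can still be read from the entries in their parents' FAT Folders, which this toy does not go on to parse.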


Pay attention to the results of some of the programs: they fit this description exactly.

Let us continue counting the losses. A FAT Folder entry records a file's first cluster and its size. For contiguously stored files that is enough, but to reassemble a fragmented file we need the FAT table, and both of its copies have been erased. So fragmented files join the list of victims.

Let us summarize the interim result. Analysis of the metadata remaining from the original file system lets us rebuild almost the entire directory tree and the placement of contiguous files. Files that were in the root directory are lost. Files that were fragmented in the original file system are assembled from the wrong clusters (a JPEG, for example, opens only partially).

Alternative method - file carving


So far I have looked at approaches based on searching for and analyzing file system structures. There is an alternative approach, whose essence is searching for the files themselves. It relies on the fact that many file types begin with a signature that can be searched for.

For example, BMP files start with “BM”, JPEGs start with the bytes 0xFF 0xD8 0xFF, and ZIP archives with 0x50 0x4B 0x03 0x04 (“PK” followed by 0x03 0x04).

The most academic name for this method, in my opinion, is File Carving. The corresponding modes in specific programs may be called differently (in PC3000 DataExtractor it is “Draft recovery”). There are also many ways to implement a carver, depending on how headers are searched for, how the file size is determined, how its integrity is checked (if at all), and so on.

As an example, consider a very simple, “dumb” approach: Header/MaximumSize. Such a carver finds a file header by its signature and saves everything from that point on as a file of one fixed, predetermined size (on the assumption that the real file is always smaller and that the trailing garbage will not prevent the file from opening). Very simple, yet it can be very effective, for example when recovering photos from a digital camera: the JPEG header is known, the files are usually contiguous, and their size rarely exceeds, say, 10 MB.

The common disadvantage of every carver is that it cannot restore the directory and file tree, or the names and attributes of files, since that information is stored in the FS metadata. Further, a carver only finds file types it knows about. The problem of fragmented files also remains open: special cases for some file types have been solved, but in my opinion there is no general solution for disks of modern size. The abstract carver described above has its own shortcomings on top of that. It will often be wrong; it cannot distinguish a “live” file from a “dead” one (a deleted file or a stale copy); it cannot determine the exact file size or even the exact file type (did you know that doc, xls, ppt and others share one common container format, the OLE compound document? And that docx, pptx, odt, ods, jar, ... are all ZIP archives?).

Many programs in the second test, and some even in the first, did file carving. It is easy to tell from the results: there is no trace of the original directory and file tree, all files are grouped by type and named by some pattern. A striking example is PhotoRec (the companion of TestDisk). If you look at its source code, you can note some features: procedures are implemented for finding the file header and, where possible, the end-of-file signature; some file types are handled more deeply, using knowledge of their internal structure, which reduces the number of false positives.
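To make the difference concrete, here is an added example in Python (my own code, not from the article, PhotoRec or any tested program) that implements the Header/MaximumSize carver described above and then the kind of refinement just mentioned: trimming a JPEG at its FF D9 end marker, reading the file size from the BMP header, and locating the ZIP end-of-central-directory record. The "disk" it carves is a constructed 8 KiB byte string with three small files and one stray JPEG signature planted in junk; the signature table, the size limit and the output naming pattern are my assumptions, not any program's defaults.

```python
import struct

# Header signatures this carver knows; a type not in the table is never found
SIGNATURES = {
    'bmp': b'BM',
    'jpg': b'\xff\xd8\xff',
    'zip': b'PK\x03\x04',
}


def carve_header_maxsize(image, max_size):
    """Header/MaximumSize: every signature hit becomes a file of max_size
    bytes (or whatever is left of the image). No end check, no size check."""
    found = []
    for ext, sig in SIGNATURES.items():
        pos = image.find(sig)
        while pos != -1:
            found.append((pos, ext, bytes(image[pos:pos + max_size])))
            pos = image.find(sig, pos + 1)
    return sorted(found)


def carve_refined(image, max_size):
    """Same header search, then trim each candidate using what the format
    itself tells us; a candidate that cannot be confirmed is reported as
    'unverified' instead of being silently saved at max_size."""
    results = []
    for off, ext, blob in carve_header_maxsize(image, max_size):
        if ext == 'bmp' and len(blob) >= 6:
            # BITMAPFILEHEADER stores the whole file size at offset 2
            size = struct.unpack_from('<I', blob, 2)[0]
            if 14 < size <= len(blob):
                results.append((off, ext, size, 'header-size'))
                continue
        elif ext == 'jpg':
            # JPEG ends with the EOI marker FF D9; search past the SOI header
            end = blob.find(b'\xff\xd9', 3)
            if end != -1:
                results.append((off, ext, end + 2, 'footer'))
                continue
        elif ext == 'zip':
            # ZIP ends with the End Of Central Directory record: PK 05 06,
            # 18 more fixed bytes, then a comment whose length sits at EOCD+20
            eocd = blob.rfind(b'PK\x05\x06')
            if eocd != -1 and eocd + 22 <= len(blob):
                comment_len = struct.unpack_from('<H', blob, eocd + 20)[0]
                size = eocd + 22 + comment_len
                if size <= len(blob):
                    results.append((off, ext, size, 'footer'))
                    continue
        results.append((off, ext, len(blob), 'unverified'))
    return results


def carved_name(off, ext):
    """Carvers name their output by a pattern; here, by header byte offset."""
    return 'f%010d.%s' % (off, ext)


def build_sample_image():
    """Constructed 8 KiB 'disk': a 300-byte BMP at 1024, a 506-byte JPEG at
    2048, a 66-byte ZIP at 4096 and a stray FF D8 FF inside junk at 6000
    (a false positive with no end marker behind it)."""
    img = bytearray(8192)
    bmp = b'BM' + struct.pack('<I', 300) + b'\x00' * 4 + struct.pack('<I', 54)
    img[1024:1024 + 300] = bmp + b'\x11' * (300 - len(bmp))
    jpg = b'\xff\xd8\xff\xe0' + b'\x22' * 500 + b'\xff\xd9'
    img[2048:2048 + len(jpg)] = jpg
    zf = b'PK\x03\x04' + b'\x00' * 40 + b'PK\x05\x06' + b'\x00' * 16 + b'\x00\x00'
    img[4096:4096 + len(zf)] = zf
    img[5980:5980 + 53] = b'\x33' * 20 + b'\xff\xd8\xff' + b'\x33' * 30
    return bytes(img)


if __name__ == '__main__':
    disk = build_sample_image()
    for off, ext, size, how in carve_refined(disk, max_size=1024):
        print('%s  %5d bytes  %s' % (carved_name(off, ext), size, how))
```

Run stand-alone it lists four candidates: the BMP, JPEG and ZIP with their true sizes, and the stray signature flagged as unverified, which the plain Header/MaximumSize pass would have saved as a 1024-byte "photo". Notice what neither pass can do: the output has no directory tree and no original names, a fragmented JPEG would still end at the first FF D9 it meets, and a ZIP that is really a docx is still just a ZIP.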

PC3000 DataExtractor also has a file carver, in which headers are searched for with regular expressions and the file format is analyzed.

In my opinion, the best result in the second test should come from combining file system analysis with file carving.

Conclusion


In general, the result of data recovery differs from case to case. Sometimes you can quickly and easily return “everything as it was”, and sometimes the possibilities of recovery are limited in principle. So I want to repeat two tips:
  1. make backups;
  2. if you have lost important data, do not touch anything and take it to professionals.
Logical problems (for example, damage to the file system) are often the result of physical problems (for example, bad blocks). The specialist's task is similar to a doctor's: make a diagnosis, assess the prospects and prescribe one of the methods of treatment. To do that right, you need experience.

Source: https://habr.com/ru/post/261007/

