Why did FinalData 3.0 not recover the data that X-Ways Forensics found?


Jeff, the author of the FinalData software, replied to the data-recovery test case I had posted and explained why FinalData 3.0 did not find that .doc file while X-Ways Forensics did.

After analysing the damaged Office file in the disk's free space, he found that the file contains no Summary Information. A normal Office file should contain Summary Information like the following:

Cluster = 5291, Sector = 21598
0000AC00 05 00 53 00 75 00 6d 00 6d 00 61 00 72 00 79 00 ..S.u.m.m.a.r.y.
0000AC10 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 I.n.f.o.r.m.a.t.
0000AC20 69 00 6f 00 6e 00 00 00 00 00 00 00 00 00 00 00 i.o.n...........
0000AC30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000AC40 28 00 02 01 ff ff ff ff ff ff ff ff ff ff ff ff (...............
0000AC50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000AC60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000AC70 00 00 00 00 43 00 00 00 00 10 00 00 00 00 00 00 ....C...........
0000AC80 05 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 ..D.o.c.u.m.e.n.
0000AC90 74 00 53 00 75 00 6d 00 6d 00 61 00 72 00 79 00 t.S.u.m.m.a.r.y.
0000ACA0 49 00 6e 00 66 00 6f 00 72 00 6d 00 61 00 74 00 I.n.f.o.r.m.a.t.
0000ACB0 69 00 6f 00 6e 00 00 00 00 00 00 00 00 00 00 00 i.o.n...........
0000ACC0 38 00 02 01 04 00 00 00 ff ff ff ff ff ff ff ff 8...............
0000ACD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................


The damaged file contains only the file header, shown below:

Cluster = 5196, Sector = 21218
00000400 d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 ................
00000410 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 ........>.......
00000420 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
00000430 54 00 00 00 00 00 00 00 00 10 00 00 57 00 00 00 T...........W...
00000440 01 00 00 00 fe ff ff ff 00 00 00 00 53 00 00 00 ............S...
00000450 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
00000460 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
00000470 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................

Because the file contains no Summary Information, FinalData and FinalForensics did not regard it as an Office file. In some cases, users can locate similar Office document formats through the BIFF format.

FinalForensics (FF) looks for file formats by examining the first sector of every cluster.
For example, in the case below, FinalForensics only examines sector 21216 and does not examine sector 21218. When a situation like this arises during recovery, FinalData will not find the deleted data.

Of course, FinalData used to be able to scan every sector, but such a scan takes far too long and many users could not tolerate it. The new version of FinalData therefore changed its scanning method to scan only the first sector of each cluster, which further improved the speed of scanning and recovery.


Cluster = 5196, Sector = 21216
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Cluster = 5196, Sector = 21217
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000003F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Cluster = 5196, Sector = 21218
00000400 d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 ................
00000410 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 ........>.......
00000420 06 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................
00000430 54 00 00 00 00 00 00 00 00 10 00 00 57 00 00 00 T...........W...
00000440 01 00 00 00 fe ff ff ff 00 00 00 00 53 00 00 00 ............S...
00000450 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................
00000460 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................


What Jeff describes is indeed the case. In WinHex or X-Ways Forensics, signature scanning offers three modes. Searching at sector boundaries is the method Jeff describes above; it is relatively fast and is generally the default search mode. Another is byte-level scanning, which searches for file-header signatures within every sector; it is very time-consuming and turns up considerably more files, but many of them cannot be viewed. In practice, users therefore do not use this mode.

In most cases, embedded data is part of a normal file, such as a file embedded in an Office document. If everyone thinks that having FinalData scan every sector is the better approach, I can suggest to FinalData that it change its scanning method and add an option to scan every sector. But that is ultimately too slow, and the FinalData company still does not recommend that users scan this way.
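The three scan granularities discussed above (the first sector of each cluster, every sector boundary, every byte), together with the Summary Information check that made FinalData reject the bare header at sector 21218, can be reproduced on a constructed image. The following Python is an added example written for this page; it is not code from FinalData, FinalForensics or X-Ways. It assumes 512-byte sectors and 4 sectors per cluster (consistent with cluster 5196 beginning at sector 21216 in the dumps), builds a synthetic 32-cluster image in which one intact document starts on a cluster boundary, one damaged header sits two sectors into a cluster as in the post, and one OLE object sits at an unaligned offset, and uses "both Summary Information stream names present nearby" as a simplified stand-in for FinalData's real Office-file test.

```python
# Added example for this page: a toy signature carver that reproduces the three
# scan granularities discussed above (first sector of each cluster, every sector,
# every byte) plus a simplified "does it look like an Office file" check.
# Not code from FinalData, FinalForensics or X-Ways; sizes and layout are assumed.

SECTOR = 512
SECTORS_PER_CLUSTER = 4            # assumed; consistent with cluster 5196 starting at sector 21216
CLUSTER = SECTOR * SECTORS_PER_CLUSTER

# OLE2 / Compound File header signature, as seen at sector 21218 in the dump above
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Directory-entry stream names (UTF-16LE with a leading 0x05) present in a normal
# Office file, as in the first dump on this page
SUMMARY_INFO = "\x05SummaryInformation".encode("utf-16-le")
DOC_SUMMARY_INFO = "\x05DocumentSummaryInformation".encode("utf-16-le")

# Scan step for each mode: "cluster" is what the post says FinalData 3.0 does
STEP = {"cluster": CLUSTER, "sector": SECTOR, "byte": 1}


def find_ole_headers(image: bytes, mode: str) -> list:
    """Return offsets of OLE_MAGIC that the chosen scan mode would actually visit."""
    step = STEP[mode]
    n = len(OLE_MAGIC)
    return [off for off in range(0, len(image) - n + 1, step)
            if image[off:off + n] == OLE_MAGIC]


def classify(image: bytes, off: int, window: int = 16 * CLUSTER) -> str:
    """Simplified stand-in for FinalData's rule: an OLE header with no Summary
    Information stream names within `window` bytes is not reported as Office."""
    region = image[off:off + window]
    if SUMMARY_INFO in region and DOC_SUMMARY_INFO in region:
        return "office-document"
    return "ole-header-without-summary-info"


def carve(image: bytes, mode: str) -> list:
    """(offset, classification) for every header a given scan mode finds."""
    return [(off, classify(image, off)) for off in find_ole_headers(image, mode)]


def build_sample_image() -> bytes:
    """Constructed 32-cluster image (not the disk from the post)."""
    img = bytearray(32 * CLUSTER)

    # 1) intact .doc on a cluster boundary (cluster 3), stream names two sectors in
    good = 3 * CLUSTER
    img[good:good + len(OLE_MAGIC)] = OLE_MAGIC
    names = SUMMARY_INFO + b"\x00" * 40 + DOC_SUMMARY_INFO
    img[good + 2 * SECTOR:good + 2 * SECTOR + len(names)] = names

    # 2) damaged .doc: header on the third sector of cluster 7 and nothing else
    #    (the sector-21218-inside-cluster-5196 situation from the dumps)
    damaged = 7 * CLUSTER + 2 * SECTOR
    img[damaged:damaged + len(OLE_MAGIC)] = OLE_MAGIC

    # 3) OLE object embedded at an unaligned offset inside cluster 12;
    #    only a byte-level scan lands on it
    embedded = 12 * CLUSTER + 100
    img[embedded:embedded + len(OLE_MAGIC)] = OLE_MAGIC
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for scan_mode in ("cluster", "sector", "byte"):
        print(f"{scan_mode:8s} {carve(sample, scan_mode)}")
```

Running it prints what each mode finds: the cluster-boundary scan reports only the aligned document; the sector-boundary scan also reaches the header on the third sector of its cluster but, because no Summary Information stream names follow it, reports it as a bare OLE header rather than an Office document, which is exactly the rejection the post describes; and the byte-level scan additionally surfaces the unaligned embedded object, the kind of extra hit the text says is numerous but often unviewable.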

Yesterday, Jeff and I re-tested this case with FinalData over a remote-access session. After inserting the NTFS 512 format at the start, the .doc file that FinalData had not found was recovered successfully. Jeff plans to add an option in version 3.0 to let users define the recovery themselves.

Reposted from 計算機取證技術 (Computer Forensics Technology).
