I Lost My Data!
Recently I
was invited to attend an Instructor Development Course (IDC) for a well-known,
global digital forensics company, for which training is a component of their
business. The IDC was run by two of the
managers of training and, having attended other IDCs (or train-the-trainer
classes) in the past, I knew the rough format would be a review of the material
to be taught and some sort of teach-back or presentation. Turns out, I was
right!
On day one
of the IDC, the 6 participants in the class were chosen by lottery to pick a
random topic upon which to present on the afternoon of day three of the
class. I drew topic #3 of 6, so my
randomly drawn topic was “File Headers and Signatures.” Not bad.
Far better than numbering systems or 7-bit PDU encoding, if you ask
me! So I got to work on my presentation
that evening. The length was to be 20-25
minutes. We could use whatever resources we needed, as long as they facilitated the
presentation. No biggie, but I wanted to
be prepared and well-versed because having given dozens of presentations in the
past and having it reinforced during the first two days of the IDC, I know that’s
what makes a good presentation – Preparation!
So I spent a
few hours putting together what I thought was a clever presentation on File
Signatures & Headers. What they are,
what they look like, how they can be utilized, how automated tools find files
using them, how we can manually search using them within a particular tool and
how to validate our findings. It was
pretty good. By the time afternoon of the
final day came around, I tweaked and adjusted and walked through the presentation
multiple times. After all, I didn’t want
to screw up the opportunity to teach for this company, because it’s a fantastic
opportunity! Then, Murphy paid a visit
(no, not the well-known Forensicator Cindy!)…
The Wheels Come Off
When
constructing the original presentation in my hotel room, I composed it in MS
PowerPoint on a 17” MacBook Pro booted via Boot Camp into its Windows partition,
running Windows 7 Pro. Everything went
smoothly. The presentation was saved on
an 8 GB USB 2.0 thumb drive formatted FAT32, which was a marketing freebie
(first clue, perhaps?) and previously unused.
When I refined, tweaked and updated the presentation, I did so on a 15” MacBook
Pro with Retina display running macOS High Sierra, also in MS PowerPoint. There were no issues reading or saving the presentation,
or so I thought.
When it came
time for me to present, I popped up out of my chair, properly ejected the thumb
drive from the MacBook Pro and brought it into the presentation room along with
my other necessary materials. I plugged
my thumb drive into the presentation computer and this is what I saw:
My heart sank. I clicked “Cancel” only to be presented with
this from Windows:
So I thought maybe, just maybe, I
could get it to work on the MacBook Pro.
So I ejected the drive from the PC and plugged it into the Mac, which
was the last computer to touch the presentation. Here’s the message I received:
A series of expletives began to spew
forth from my mouth, or at least that’s how it felt. But I do forensics for a living, right? I have to know SOME way to
recover this presentation!
I knew the original 17” MacBook Pro,
which is my backup forensic laptop as well, was back at the hotel room with a
box full of dongles. Something in my
forensic bag of tricks MUST work, right?
I told the other two students to go
ahead of me and raced back to the hotel to work my forensic data recovery magic
on the thumb drive and recover my presentation.
I was sure I had my X-Ways Forensics license with me! That’ll get it in no time! Except I didn’t. Any tools I had brought with me were either for Mac
forensics or mobile devices, neither of which had the capability to recover anything
off of this thumb drive, at least not quickly.
I searched for auto-saved documents on both Windows and Mac. No dice.
I searched the extended metadata in Mac.
Nothing found. I Googled
locations of temp files and other potential sources of auto-save or
system-generated copies, whether hidden or not.
No luck. So after about 40
minutes of trying what I could with what I had, I resigned myself to the
reality of the situation: I either had to
try and re-construct the presentation from memory or go without a PowerPoint,
which would have looked horribly unprepared and unprofessional.
Fortunately, the last student before
me had about 25 minutes left to go when I got back to the training site, so I
hurriedly composed what I could remember from my previous presentation and got
it about 85% of the way to where it was before it was my turn to present. I did it and it turned out very well.
But what about the original presentation?
The Recovery
I’m an investigator at heart. I want to get to the truth of the matter, no
matter what the truth may tell me. And
yes, curiosity and tenacity play a pretty big role in that. So instead of trashing the thumb drive in
frustration, I decided to see if the original presentation was on there. Back at my office (where my X-Ways license was
the whole time), I created an image of the thumb drive in X-Ways.
Once the image was created, I used
Refine Volume Snapshot to conduct a file header signature search. Hmm, this is sounding a lot like my
presentation!
For the sake of time and because I
already know what I’m looking for, I only searched for MS Office
Documents. It didn’t take long…
Sure enough, after a few minutes,
X-Ways carved not one, but three copies of my presentation on the
disk. They are all of different size and
contain slightly different data:
Yes, that’s page one of my presentation. And yes, that’s a bust of Dick Butkus from
the Pro Football Hall of Fame.
Being that the presentation was about
file signatures and headers, I decided to double-check the header on the
recovered files. A quick Google search
reveals that the file header for a .PPTX (or PowerPoint) file in hex is: 50 4B 03 04 14 00 06
00. (The first four bytes, “PK” 03 04, are the ZIP local file header signature; a .PPTX is a ZIP container.) Cross-referencing that with
the data of the recovered files reveals the same header, serving to further
validate the findings:
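The carve-and-validate step above, as an added worked example that is not part of the original post and not the author’s X-Ways procedure: a small Python carver that scans a raw image for the ZIP local file header signature (50 4B 03 04), finds the matching End of Central Directory record, validates the span as a complete ZIP, classifies it as PPTX/DOCX/XLSX from the part names inside, and records offset, size and SHA-256 for the report. It also illustrates a caveat about the eight-byte signature quoted above: bytes 5-8 (14 00 = version needed 2.0, 06 00 = general-purpose deflate flag bits) are what Office happens to write, and other ZIP writers emit different values, so matching on all eight bytes can miss files while matching on the first four finds every ZIP and lets the contents confirm the type. The “image” is constructed in memory (random filler with three small ZIP-based files and one orphaned signature with no central directory behind it); the files are stand-ins for Office documents, not real PowerPoint output, and all names below are this example’s own.

```python
"""Carve ZIP-based (Office Open XML) files from a raw image by header signature.
Added example; constructed data, not the original post's drive image."""
import hashlib
import io
import random
import struct
import zipfile

PK_LOCAL = b"PK\x03\x04"  # ZIP local file header signature: first 4 bytes of any PPTX/DOCX/XLSX
PK_EOCD = b"PK\x05\x06"   # End of Central Directory record signature (near the end of the ZIP)

# Part-name prefixes that identify the Office application inside an OOXML container
OOXML_TYPES = {"ppt/": "pptx", "word/": "docx", "xl/": "xlsx"}


def classify(names):
    """Decide what kind of container a validated ZIP is from its entry names."""
    if "[Content_Types].xml" not in names:
        return "zip"
    for prefix, kind in OOXML_TYPES.items():
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml"


def _try_carve(data, start):
    """From a PK\\x03\\x04 hit at `start`, look for an EOCD record whose central
    directory offset/size land exactly on it (relative to `start`), then prove the
    span is a complete ZIP by opening it and checking every entry's CRC.
    Returns (end_offset, entry_names) or None if no consistent EOCD exists."""
    pos = start
    while True:
        eocd = data.find(PK_EOCD, pos)
        if eocd < 0 or eocd + 22 > len(data):
            return None
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, eocd + 12)
        end = eocd + 22 + comment_len
        # A stale header followed by some other file's EOCD fails this arithmetic check.
        if start + cd_offset + cd_size == eocd and end <= len(data):
            try:
                with zipfile.ZipFile(io.BytesIO(data[start:end])) as z:
                    if z.testzip() is None:  # None == all CRCs good
                        return end, z.namelist()
            except zipfile.BadZipFile:
                pass
        pos = eocd + 1  # keep looking: maybe a later EOCD belongs to this header


def count_signature_hits(data):
    """Raw signature hits (includes every entry's local header, not just file starts)."""
    return data.count(PK_LOCAL)


def carve(data):
    """Return one record per validated file: offset, size, kind, header bytes, SHA-256."""
    results, pos = [], 0
    while True:
        hit = data.find(PK_LOCAL, pos)
        if hit < 0:
            return results
        carved = _try_carve(data, hit)
        if carved is None:
            pos = hit + 1  # orphaned or inner header; keep scanning
            continue
        end, names = carved
        blob = data[hit:end]
        results.append({
            "offset": hit, "size": len(blob), "kind": classify(names),
            "header": blob[:8].hex(" "),          # compare with the quoted 50 4B 03 04 14 00 06 00
            "sha256": hashlib.sha256(blob).hexdigest(),  # for the report: repeatable identification
        })
        pos = end  # skip the local headers of the entries inside the file we just carved


def make_ooxml(part_dir, body):
    """Constructed stand-in for an OOXML file (ZIP with [Content_Types].xml plus one part)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(part_dir + "part1.xml", body)
    return buf.getvalue()


def build_sample_image(seed=7):
    """Constructed image: random filler (stands in for a FAT32 volume) holding two
    versions of a 'presentation', one 'document', and an orphaned PK\\x03\\x04 whose
    central directory was overwritten, so it must be rejected."""
    rng = random.Random(seed)

    def filler(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    v1 = make_ooxml("ppt/slides/", "<p:sld>Slide 1 draft</p:sld>" * 4)
    v2 = make_ooxml("ppt/slides/", "<p:sld>Slide 1 final</p:sld>" * 6)
    doc = make_ooxml("word/", "<w:document/>")
    return (filler(4096) + v1 + filler(1500) + PK_LOCAL + filler(300)
            + v2 + filler(800) + doc + filler(2048))


if __name__ == "__main__":
    img = build_sample_image()
    print(f"{count_signature_hits(img)} raw PK\\x03\\x04 hits in {len(img)} bytes")
    for rec in carve(img):
        print(rec)
```

Note that the stand-in files carry `50 4b 03 04 14 00 00 00` rather than `... 14 00 06 00`, because Python’s zipfile sets no deflate option flags; an eight-byte signature match would have skipped them. Keying on the four-byte ZIP signature and then checking the central directory and CRCs is what separates real, complete files from the many stray hits (every entry inside a ZIP has its own local header).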
Wrapping it Up
I know this example of data recovery
is very basic. Would it were that all
data recovery jobs were this simple! But
the principles and procedures detailed here are the same whether we’re dealing
with an 8 GB FAT32 thumb drive or a 4 TB hard drive with multiple
partitions. Hardware and software are the
variables. The constants are the
procedures and methods used to acquire, analyze, carve, locate and report the
lost data. Ultimately, these methods
need to be repeatable and defensible in a court of law because that’s what “Forensics”
means.
Not every job is this
straightforward or simple, but with a little problem-solving, tenacity and experience,
a competent examiner can put these methods to work to help recover just about
any lost data!
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based
in Richmond, Virginia. In 15 years of
law enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the
Reid School of Interview & Interrogation and multiple online investigation
schools (among others). He is a
Cellebrite Certified Operator and Physical Analyst. He continues to hone his digital forensic
expertise in the private sector while growing his consulting &
investigation business marketed toward litigators, professional investigators
and corporations, while keeping in touch with the public safety community as a
Law Enforcement Instructor.
Email: Inquiries@ProDigital4n6.com