Recovery of Acronis true image backup/archive files. (tib)

[Alt]

I'll see what's wrong. Meanwhile, you may use the following file:
<?xml version="1.0" encoding="UTF-8"?>
<FileTypeList>
<FileType id="747" group="User Custom" description="Acronis True Image" extension="tib">
<Signature>\xB4\x6E\x68\x44</Signature>
<Signature from="end" offset="3">\xB4\x31\x96\x17</Signature>
</FileType>
</FileTypeList>

[Sn3akyP3t3]

I discovered some files that i need to recover using this so I'll be purchasing a license. I noticed more strange behavior related to loading custom user generated files types. The problem was revealed in the log.

The actual xml loaded at runtime may have been this file shown, but ultimately I loaded AcronisTrueImageR-studioSignature.xml
Information System 8/21/12 7:32 AM Successfully loaded user's file types definitions from "/home/user/Desktop/AcronisTrueImageR-studioSignature_3.xml"
Tested against flash drive to verify files could be located.
Information System 8/21/12 7:32 AM Scanning drive CorsairFlash Voyager1100 started
Information System 8/21/12 7:35 AM Scan has been completed for CorsairFlash Voyager1100 in 2m 57s
Information System 8/21/12 7:35 AM Scanning drive CorsairFlash Voyager1100 completed
Information System 8/21/12 7:35 AM Enumeration of files for Extra Found Files started
Information System 8/21/12 7:35 AM Enumeration of files for Extra Found Files completed
Information System 8/21/12 7:36 AM Enumeration of files for Recognized1 started
Information System 8/21/12 7:36 AM Enumeration of files for Recognized1 completed
Scanning the real drive here.
Information System 8/21/12 7:37 AM Scanning drive /media/Virtual/cloneDeeDrive/D_DrvClone started
Information System 8/21/12 8:54 AM Scan has been completed for /media/Virtual/cloneDeeDrive/D_DrvClone in 1h 17m
Information System 8/21/12 8:54 AM Scanning drive /media/Virtual/cloneDeeDrive/D_DrvClone completed
Information System 8/21/12 10:12 PM Enumeration of files for Extra Found Files started
Information System 8/21/12 10:12 PM Enumeration of files for Extra Found Files completed

There really isn't a problem other than the noted xml file loaded isn't the actual. Viewing the file stated in logs that was loaded showed this incomplete xml:
<?xml version="1.0" encoding="UTF-8"?>
<FileTypeList version="2.0"/>
(literally newline here)

[Sn3akyP3t3]

I'm having difficulty recovering a test Acronis True Image file written to USB then formatted for simulation.

The end signature:
<Signature from="end" offset="3">\xB4\x31\x96\x17</Signature>
makes the search for files successful, but the file(s) recovered are not the correct size and just to be sure when I try to validate the file with Acronis it informs me that the file is corrupt which is no surprise.

Anyway, I can't seem to identify the reason why R-Studio is not identifying the file correctly and that I'm not able to restore an Acronis True Image file. In my test in fact on a new 2GB, never been used before USB drive I got from some seminar I put a single Acronis true image file with the following known size:
1.5 GB (1,547,086,336 bytes)

After copying that file to the USB then formatting the drive to NTFS again I ran a scan on that USB drive and found 2 Acronis Files. Both were incorrect sizes:
1952399360 bytes
1708822528 bytes

Why is it that 2 files are being discovered? Why are both files the incorrect size? Am I missing something?

[Alt]

I've passed the problem to our developers and they'll look what's wring and fix the bug.

[Sn3akyP3t3]

I did some more testing with this and confirmed that there is a problem. I'm posting what I did so that the dev team or anyone else can recreate. I compared my first file recovered some time ago to the one I just conducted recovery of today and they are exactly the same in hex compare. That means the problem is can be recreated.

• 1.) Using a new or scrubbed USB (scrub with modified command, shred -vfz -n 1 /dev/sdg)
  2.) Create msdos table and format to NTFS partition using gparted
  3.) Write known good test.tib file to target USB drive.
  4.) Using gparted format partition to NTFS
  5.) Use R-Studio to recover .tib file using signature:
  <?xml version="1.0" encoding="UTF-8"?>
  <FileTypeList>
  <FileType id="747" group="User Custom" description="Acronis True Image" extension="tib">
  <Signature from="begin" offset="0">\xB4\x6E\x68\x44</Signature>
  <Signature from="end" offset="4">\xB41\x96\x17</Signature>
  </FileType>
  </FileTypeList>
  6.) Compare known good and recovered .tib files to discover data inserted somewhere in the recovered .tib file.

I have a diff report on my findings using hex compare with beyond compare software:
Left file: /media/drive/D/R-StudioRecovered/1.tib
Right file: /media/Me/Backups/Acronis True Images/Images/NewXPBaseline.tib
1547086336 same byte(s)
9768960 left orphan byte(s)

I'm willing to upload the discovered orphaned bytes for analysis if someone can show me how to extract a portion of a file and write to disk with some sort of hex editor on Linux that is capable. I was looking into using Sublime Text 2 to do this, but I'll wait to be advised. That equates to about 9MB of data. I can say that there seems to be a repeating pattern followed by a long series of F F F F F, etc in the hex editor view.

I'll rescan the image I created of the drive I'm trying to recover data from to see if I can find a few .tib files that I can perform a comparison to and see if that 9768960 orphaned bytes is something common. At the moment I'm unable to perform this comparison against the files currently recovered because beyond compare attempts to load the files to memory which is not possible when they are of 30+ GB in size each.

Hopefully this can be resolved since I was hoping to have these recovered files in hand and not really expecting a problem of this caliber.

[Alt]

Can you check if there is that \xB41\x96\x17 pattern inside a .tib file?

[Sn3akyP3t3]

In the original and test recovery file the
5CCBB9FB: B4 31 96 17
Marks the end of the file and is not found anywhere else within the file.

The B4 31 96 17 also only marks the end of the files that were tested which have been identified by R-Studio for the drive I'm going to focus recovery on.

So basically, B4 31 96 17 exists only once in the file and is the end of file signature marker with no repeats.

[Sn3akyP3t3]

I extracted the block of foreign data found in the Acronis True image test tile. Thanks to Erdem U. Altinyurt and wxHexEditor for simplifying the process by providing a dump option in the editor. I was unable to upload it here in this forum for unknown reasons. I'm assuming timeout or size limitations. The linked file won't be available forever as a result since it is made available by a 3rd party. About 9.8 MB in size.

http://www.fileden.com/files/2006/4/20/ ... ataTib.tib

[Alt]

I've downloaded the file and will browse through it.

[Sn3akyP3t3]

Is there anything I can do to facilitate assistance for testing or anything? The smallest data file I can provide is 1.5 GB in size if that is what is necessary. Unfortunately that is the nature of Acronis files... big big big.