File truncated because of a false header & other issues
Posted: Mon Feb 01, 2016 2:18 am
Hi,
Recently, for the sake of fun and knowledge, I ran a few recovery software tools, including R-Studio (which is my favorite overall and I've tried a few), on a 500GB hard drive which had no problem whatsoever, after copying a large amount of data onto it (100GB), which left about 20GB of free space. I knew what files had been on it and then erased at some point, files which I had elsewhere, that way I could make comparisons and check the accuracy of the recovery. So, here are some things I found out.
- When running the scan on the HDD itself with R-Studio 7.7, I had this error message:
Error File System 07/01/2016 21:50:19 Known File Types scan thread analysis timeout at sectors 123687680..123687936 (61843840..61843968KB)
Error File System 07/01/2016 21:50:19 Known File Types scan thread has been restarted because of analysis errors at sectors 123687680..123687936
And very few "extra found files" were actually found. I ran the analysis a second time with the exact same result. Apparently this issue could be related to a lack of memory: http://forum.r-tt.com/scan-freezes-t430.html. It could also be related to the fact that it had been quite a long time since the last proper reboot when I performed this test (several weeks at least).
Yet surprisingly, R-Studio 5.4 (which I have kept on that system despite upgrading) didn't have this issue and found many more files, albeit several of them with inaccurate sizes (too large).
Meanwhile, Recuva and Photorec found many of those files (mostly AVI & WMV videos) with the exact correct size and equal CRC32 for most of them, or only a few "padding" bytes missing at the end (the extra files recovered only by R-Studio 5.4 were mostly fragments of overwritten files, but no other software found these readable fragments).
- I then extracted the free space with X-Ways Forensics, and ran R-Studio 7.7 on that file, treated as a volume image. This time it proceeded with no error, and found most of the same files that were found by R-Studio 5.4 / Recuva / Photorec (albeit not without caveats, see below). But still, there were files recovered by R-Studio 5.4 which were not found by any other software, even Photorec, free software which is specialized in raw file carving and usually carves everything there is to carve. How can it be explained that the newer version performs worse in this particular case? (In other instances I've found the opposite.)
- Among the files found by R-Studio 7.7 (from the free space analysis), there's one that is truncated, a WMV file which should be 351MB and is only 265MB; if I examine both the recovered file and the original in X-Ways Forensics using the "Synchronize & compare" function, I can see that there is a random false JPG file signature at the truncation point, i.e. « ÿØÿ », which made R-Studio treat it as the beginning of a JPG file, which it is not. The file in question was still complete on the remaining free space, and was fully recovered by Recuva and Photorec (same size & CRC as the original).
w w w . c j o i n t . c o m/c/FBbgimIoppy
On the contrary, an MP4 file recovered by R-Studio 7.7 had an abnormally large size, and after painstakingly comparing it with known MP4 files which had been recently erased I found out that it was simply 4 of those files joined together, despite the fact that each of them was still complete and with a correct header. (Recuva didn't find those files though, but Photorec carved them each with their correct sizes.)
As evidenced here, file recovery is no exact science (at least from the end user's point of view!), but again how can it be explained that in such a case R-Studio performs worse than free software, despite a much longer scan? (The two failed attempts at scanning the 500GB HDD took about 4 hours, whereas Recuva completed its "deep" analysis in about 20 minutes.) Are any of these known issues, and could they be addressed in a future new version?
Thanks to those who will scratch their heads trying to figure out these quandaries!...
Gabriel (France -- I hope my English is good enough for me to be well understood on such a technical matter)
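
The false-signature problem described in the post above, as an added example that is not part of the original post and not R-Studio's code: a scan that keys only on the bytes FF D8 FF ("ÿØÿ") compared with one that also requires a valid JPEG marker-segment chain after them. The function names and the sample buffer are constructed for illustration.

```python
import struct

SOI = b"\xff\xd8\xff"  # the "ÿØÿ" bytes a signature-only carver keys on

def naive_hits(buf):
    """Every offset where FF D8 FF occurs, with no further checks."""
    hits, i = [], buf.find(SOI)
    while i != -1:
        hits.append(i)
        i = buf.find(SOI, i + 1)
    return hits

def plausible_jpeg(buf, off, max_segments=64):
    """Accept only a segment chain that reaches SOFn and then SOS."""
    pos, seen_frame = off + 2, False
    for _ in range(max_segments):
        if pos + 4 > len(buf) or buf[pos] != 0xFF:
            return False
        m = buf[pos + 1]
        if m == 0xDA:                       # SOS: header chain is complete
            return seen_frame
        if not (0xC0 <= m <= 0xCF or 0xE0 <= m <= 0xEF or m in (0xDB, 0xDD, 0xFE)):
            return False                    # not a marker allowed before SOS
        if 0xC0 <= m <= 0xCF and m not in (0xC4, 0xC8, 0xCC):
            seen_frame = True               # SOFn (C4=DHT, C8=JPG, CC=DAC are not)
        (length,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if length < 2:
            return False
        pos += 2 + length                   # next segment must start right here
    return False

def validated_hits(buf):
    return [o for o in naive_hits(buf) if plausible_jpeg(buf, o)]

def seg(marker, payload):
    """Build one JPEG marker segment (the length field counts itself)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: video-like filler with two accidental FF D8 FF runs,
# followed by a genuine (minimal) JPEG header chain.
REAL = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + seg(0xDB, bytes(65))
        + seg(0xC0, bytes(9)) + seg(0xC4, bytes(29)) + seg(0xDA, bytes(6)))
SAMPLE = (b"\x11" * 100 + SOI + b"\x3a\x9c" + b"\x22" * 50     # false hit 1
          + SOI + b"\xe0\x00\x10" + b"\x22" * 50               # false hit 2
          + REAL + bytes(10))

if __name__ == "__main__":
    print("signature-only:", naive_hits(SAMPLE), "validated:", validated_hits(SAMPLE))
```

The second false hit shows that checking the fourth byte alone is not enough: FF D8 FF E0 looks like a JFIF start, but the declared segment length does not land on another marker.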