Recovery of Acronis true image backup/archive files. (tib)

A forum on data recovery using the professional data recovery software R-STUDIO.
Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Recovery of Acronis true image backup/archive files. (tib)

Post by Sn3akyP3t3 » Fri Aug 17, 2012 7:58 am

I'm interested in recovery of one or many .tib files. I've conducted a scan and attempted to search for any .tib files, but it appears the known file types don't contain any rules for .tib file types. I'm in need of assistance to correct a setting I may have a deficiency with or help with rule creation to recognize the .tib file type.

All I know about the Acronis files is this:
Identifying characters Hex: B4 6E 68 44 , ASCII: .nhD
Which is sourced from: http://mark0.net/soft-trid-e.html

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Recovery of Acronis true image backup/archive files. (t

Post by Alt » Fri Aug 17, 2012 12:33 pm

An offset (or a distance in bytes from the file beginning/end) for those Identifying characters (or file signatures) is also required. This article Creating a Custom Known File Type for R-Studio explains how to do that.
You may use a graphic editor instead manual writing a file.

Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Re: Recovery of Acronis true image backup/archive files. (t

Post by Sn3akyP3t3 » Fri Aug 17, 2012 7:44 pm

Sad day! I can't seem to get past step 1! Reason being that the hex editor wasn't available from the context menu in Ubuntu 12.04. I can get into the hex editor from within R-Studio, but when navigating outside of the program and right clicking on a known good healthy file to invoke the editor there is no option.

1. Open the files in the hexadecimal editor built into R-Studio. To do so, right-click the files and choose View/Edit in the shortcut menu.

Perhaps I need to log off and back on for that change, if made, to take effect. Is there any way to invoke the editor outside and then open the file for viewing?

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Recovery of Acronis true image backup/archive files. (t

Post by Alt » Sat Aug 18, 2012 9:43 am

First, you need open the disk with the files in R-Studio by double-clicking it, then find the file, right-click it, and select View/Edit.

Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Re: Recovery of Acronis true image backup/archive files. (t

Post by Sn3akyP3t3 » Sun Aug 19, 2012 12:48 pm

My bad. I didn't understand that all the tools mentioned were from the perspective within R-Studio and not through the Linux file manager.

Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Re: Recovery of Acronis true image backup/archive files. (t

Post by Sn3akyP3t3 » Sun Aug 19, 2012 1:47 pm

The pattern at the beginning is as posted previously. The ending file signature pattern appears to be "B4 31 96 17" which was the hex pattern at the end of the file recurring between 3 different samples consistently. If there are different end file signatures for .tib files then this one is for version 8 of Acronis True Image. I'll post results of searching for that file type in a few days.

Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Re: Recovery of Acronis true image backup/archive files. (t

Post by Sn3akyP3t3 » Sun Aug 19, 2012 4:53 pm

This was the resulting signature created:
<?xml version="1.0" encoding="UTF-8"?>
<FileTypeList>
<FileType id="747" group="User Custom" description="Acronis True Image" extension="tib">
<Signature>\xB4\x6E\x68\x44</Signature>
<Signature from="end">\xB4\x31\x96\x17</Signature>
</FileType>
</FileTypeList>

Something is not right with my above file signature. After I format the drive with two files to search for in testing the scan does not reveal the files for recovery. However, the start and stop points can be searched for in the hex editor and found. Not sure what I'm doing wrong.

I'm asking for assistance to identify what my discrepancy is with my ending file signature. These were the 3 ending file lines seen by the hex editor:
Stop sample 1:
Sector 6750895 (Parent: /media/Virtual Record: 147142639)
CE055F20: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F30: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F40: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F50: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F60: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F70: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F80: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055F90: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FA0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FB0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FC0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FD0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FE0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
CE055FF0: 00 00 00 00 10 5F 05 CE - 00 00 00 00 B4 31 96 17 ....._.......1.. ..弐츅..ㆴព

Stop sample 2:
Sector 3021652 (Parent: /media/Virtual Record: 150216980)
5C36A8F0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A900: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A910: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A920: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A930: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A940: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A950: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A960: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A970: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A980: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A990: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9A0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9B0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9C0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9D0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9E0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
5C36A9F0: 00 00 00 00 3A A8 36 5C - 00 00 00 00 B4 31 96 17 ....:.6\.....1.. ...尶..ㆴព

Stop sample 3:
Sector 16021843 (Parent: /media/Virtual Record: 166520379)
1E8F2A6F0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A700: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A710: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A720: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A730: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A740: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A750: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A760: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A770: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A780: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A790: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7A0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7B0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7C0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7D0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7E0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ ........
1E8F2A7F0: 00 00 00 00 B8 A6 F2 E8 - 01 00 00 00 B4 31 96 17 .............1.. .....ㆴព

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Recovery of Acronis true image backup/archive files. (t

Post by Alt » Mon Aug 20, 2012 4:00 am

I recommend you to use the built-in graphic editor for creation of the file type description file, to avoid making some technical mistakes.
To my understanding, the line for end description should look like:
<Signature from="end" offset="3">\xB4\x31\x96\x17</Signature>
the rest seems OK.
Also I recommend you to start testing the file with the signature of the beginning only. Once you are sure the beginning can be found correctly, you may start working with the end.

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Recovery of Acronis true image backup/archive files. (t

Post by Alt » Mon Aug 20, 2012 4:03 am

And I recommend you to disable all other file types on the Known File Types dialog box while searching for real files. Otherwise signatures of other file types may be found in the image file thus confusing R-Studio.

Sn3akyP3t3
Posts: 33
Joined: Fri Aug 17, 2012 1:33 am

Re: Recovery of Acronis true image backup/archive files. (t

Post by Sn3akyP3t3 » Tue Aug 21, 2012 7:00 am

The graphical editor for the user generated known file types appears to have a bit of a bug. When modifying an existing rule it asks to save and then upon exiting the editor it overwrites the existing rule with most of the same values it would have if the rule was just created. The start and stop identifiers are blank which really is frustrating.

Another bug appears to be the xml file created by the graphical editor is in some way not syntactically correct or it isn't being parsed correctly. When importing the xml file from "tools-->settings-->user's file types". The custom known file type rule shows up again in the graphical editor's listings, but it is not available for selection for anything related to scanning. The group isn't even showing.

Thanks for the suggestion to disable other file types. I was doing that anyway to save time on the scan and focus on files of interest.

Post Reply