R-Studio found deleted files but doesn't add up.

1uptek
Posts: 5
Joined: Wed Apr 03, 2013 1:56 pm

R-Studio found deleted files but doesn't add up.

Post by 1uptek » Wed Apr 03, 2013 2:11 pm

I have r-studio network edition. My question requires that I provide a little background so you understand what I am asking. I am performing an analysis on a covert pen audio recorder. We suspect that the files on the audio recorder had been removed from the storage device, edited, and placed back on the device. Based on what I am finding I believe this suspicion to be well placed but I need some reassurance about my findings.

On this storage device there are 4 visible uncorrupted .wav files. When I perform data recovery I find 40 or so fragments. R-Studio recovers these fragments and places a $ in front of the file name. I have R-Studio configured to replace any invalid naming characters with $.

Is there any reason that R-Studio would find and recover these fragments other than the fact they were at some point deleted? The confusion comes from when we play back the fragments. A lot of them are unplayable because they are corrupted. But the ones that do play match up to parts of the files that are visible. So if the visible files are present and intact why would R-Studio find fragments of those same files? My guess is that this proves that the files were deleted and later placed back on the device. Does anyone know of any other reasons this could happen?

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: R-Studio found deleted files but doesn't add up.

Post by Alt » Thu Apr 04, 2013 8:23 am

Some important notes:
1. I trust you first imaged the device's storage and then performed the inspection on the image, didn't you? Because Windows (I presume you use this OS) may alter the file system just to clean up possible mess in it.
2. It's really hard to say something affirmatively without seeing the actual data firsthand. This is especially important when some kind of investigation is under way.

Well, an invalid character at the first place in a file name is a sign that the file has been deleted. And if an existing file has the same name as a deleted one, it is most likely that the file has been overwritten. But "most likely" rather than "surely", because there might be some corruptions of the file system that caused such effect. I would also look at the disk sectors the existing and deleted files occupy. If they're the same, both file records point to the same file and most likely this is a file system corruption (Again, "most likely" rather than "surely"). But if the sectors are different, most likely a new file was written over the old one with the same file name. (Again, "most likely" rather than "surely").

1uptek
Posts: 5
Joined: Wed Apr 03, 2013 1:56 pm

Re: R-Studio found deleted files but doesn't add up.

Post by 1uptek » Thu Apr 04, 2013 11:01 am

Thanks Alt. Yes and no, the government agency made us an image but when it didn't produce the expected results we requested the actual device. The image was supposed to be a block level image but it is likely not what we received. I will do as you suggested and take a look at the sectors. That will definitely tell us more. The file names are the same name as the visible files. All of the recovered files start with $EC000.wav while the visible files are REC000.wav with the last number advancing for each subsequent file. I also used 3 other recovery programs and all of them have the same naming convention of EC000.wav, the others just used a _ in front of the name instead of $. The biggest difference is that R-Studio recovered 84 of these files and the others only recovered about 20 or 30. Only a few in each play back but if I compile them together the content is almost exactly the same as the original visible files.

I'm trying to get the make and model of the device so I can contact the manufacturer to find out how the audio is recorded. It's possible that the device records the audio in small segments and then compiles them into a single file once the recording is complete. Any other ideas or input is appreciated.

Thank you for your time and expertise Alt.

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: R-Studio found deleted files but doesn't add up.

Post by Alt » Fri Apr 05, 2013 8:51 am

I strongly recommend that you create an image of the device using R-Studio and do the analysis on that image.
By the way, we have some forensic features in the Technician version of R-Studio. You may read more in R-Studio on-line Help: Forensic Mode.

1uptek
Posts: 5
Joined: Wed Apr 03, 2013 1:56 pm

Re: R-Studio found deleted files but doesn't add up.

Post by 1uptek » Mon Apr 08, 2013 6:43 pm

Okay, waiting on approval to flow down the chain for technician version. I see no reason why they won't approve it. But I wanted to ask a question about a statement made earlier regarding the visible files being in the same sector as the original. I did as you recommended and created an image then performed a scan on the image, saved the scan information, and I'm now reviewing it.

I've attached two images. The first shows the block summary. The second image is the content of the second "FAT Directories Entries" line. The first "FAT Directories Entries" had the name of the only directory on the drive but other than that it was pretty much empty. So if I comprehend what I'm reading it appears that there used to be more files on the drive and they were sequentially numbered all the way up to 84. What other deductions should I be able to make based on this information? Or am I able to grab any other information using the Network Version to help make some kind of determination?

I also went from block to block opening the first few in the first row. The summaries show some blocks had multiple audio files starting at different offsets while some only had a single audio file. I haven't seen one that had multiple files and the same offset. If the files were overwritten would they have the same offset?

Thank you for your time in all of this. Your direction has been very beneficial.

I'm having difficulty attaching the images. Here are links to them instead.
Picture 1: http://1uptek.com/ftp/blocksummary.jpg
Picture 2: http://1uptek.com/ftp/FATdirectoryDetail.jpg

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: R-Studio found deleted files but doesn't add up.

Post by Alt » Tue Apr 09, 2013 10:56 am

I'd rather see the screenshots of
1. the opened partition on the device image (both the Folders and Contents panes);
2. The content of Extra Found Files.
And it would be better to have screenshots rather than photos, as it's rather difficult to read from the photos, as it seems they're a little bit out of focus.

Also, I'd like to see the first sector of a normal audio file from that recorder in the Hex editor.
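Alt asks to see the first sector of a known-good audio file in the hex editor. What a practitioner is looking for there is the canonical RIFF/WAVE header, and its absence is the usual reason a carved fragment refuses to play. The following is an added Python example, not R-Studio's code and not posted in the thread, that reads what such a first sector should contain and reports why a fragment fails the check. The sample sectors (a constructed 8 kHz mono PCM header and a made-up mid-file fragment) are invented for the demonstration.

```python
import struct
from typing import Dict

SECTOR = 512   # assumed sector size for the constructed samples


def inspect_wav_header(sector: bytes) -> Dict[str, object]:
    """Report what the first sector of a candidate .wav says about itself.
    'valid' is False when the RIFF/WAVE header and its fmt/data chunks are
    absent, which is the usual reason a carved fragment will not play."""
    report: Dict[str, object] = {"valid": False, "reason": ""}
    if len(sector) < 12 or sector[:4] != b"RIFF" or sector[8:12] != b"WAVE":
        report["reason"] = "no RIFF/WAVE signature at offset 0 (mid-file fragment or not a WAV)"
        return report
    report["riff_size"] = struct.unpack_from("<I", sector, 4)[0]   # total length minus 8
    off = 12
    while off + 8 <= len(sector):                 # walk the RIFF chunk list
        cid = sector[off:off + 4]
        csize = struct.unpack_from("<I", sector, off + 4)[0]
        if cid == b"fmt " and off + 24 <= len(sector):
            tag, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", sector, off + 8)
            report.update(format_tag=tag, channels=ch, sample_rate=rate,
                          byte_rate=byte_rate, bits_per_sample=bits)
        elif cid == b"data":
            report["data_offset"] = off + 8      # where PCM samples begin
            report["data_size"] = csize
            break
        off += 8 + csize + (csize & 1)            # RIFF chunks are word-aligned
    if "byte_rate" in report and "data_size" in report and report["byte_rate"]:
        # Nominal recording length; useful for comparing fragments against the visible files.
        report["duration_s"] = report["data_size"] / report["byte_rate"]
        report["valid"] = True
    else:
        report["reason"] = "fmt or data chunk not found in the first sector"
    return report


def make_pcm_wav_header(channels: int = 1, rate: int = 8000, bits: int = 16,
                        data_size: int = 16000) -> bytes:
    """Construct a canonical 44-byte PCM WAV header (sample data, not from the page)."""
    align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * align, align, bits)
    return (b"RIFF" + struct.pack("<I", 36 + data_size) + b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", data_size))


# Constructed inputs: a good file's first sector, and a fragment carved from mid-file.
GOOD_SECTOR = make_pcm_wav_header().ljust(SECTOR, b"\x00")
FRAGMENT_SECTOR = bytes((i * 37) & 0xFF for i in range(SECTOR))   # looks like raw PCM


def classify_fragments(sectors: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Run the header check over a batch of carved fragments keyed by name."""
    return {name: inspect_wav_header(s) for name, s in sectors.items()}


if __name__ == "__main__":
    for name, rep in classify_fragments({"REC001.WAV": GOOD_SECTOR,
                                         "$EC001.WAV": FRAGMENT_SECTOR}).items():
        print(name, rep)
```

A fragment that fails the signature check is still audio in the recorder's format; it simply lacks the 44-byte header, which is consistent with the poster's observation that only a few of the carved pieces play back directly.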

1uptek
Posts: 5
Joined: Wed Apr 03, 2013 1:56 pm

Re: R-Studio found deleted files but doesn't add up.

Post by 1uptek » Tue Apr 09, 2013 2:58 pm

Thanks Alt. Yes they were a bit difficult to read and I apologize for that.

Here are the links to the information you requested. The folder and contents pane showing the files in the voice directory. The only directory with any files was the voice directory. The content of the Metafile directory. The content of the extra found files. The hex data for one of the good audio files. And 0.txt from extra found files opened in a text editor. Let me know if there is anything else that would be helpful or if I failed to provide something that would be helpful to you.

http://1uptek.com/ftp/FolderAndContent.gif
http://1uptek.com/ftp/MetafileDir.gif
http://1uptek.com/ftp/ExtraFoundFiles.gif
http://1uptek.com/ftp/Sector0goodWavFile.gif
http://1uptek.com/ftp/ExtraFiles0data.gif

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: R-Studio found deleted files but doesn't add up.

Post by Alt » Thu Apr 11, 2013 12:27 pm

As I understand, you need to investigate files REC004.WAV, REC003.WAV, REC002.WAV, REC001.WAV. I'd do the following:
1. In the right (Contents) pane, I'd find deleted (marked with the red cross) file(s) ?EC004.WAV, ?EC003.WAV, ?EC002.WAV, ?EC001.WAV. If there's no such file(s), most likely nothing had been overwritten. Once again, most likely, not surely. Or the original names of the suspicious files had been changed, if the person is smart enough.
2. Then I'd compare the disk sectors the existing and deleted files with the same name occupy. If the sectors are the same, most likely the new file had been written over the old one, and you can't recover the old one. Once again, most likely, not surely.
3. If the sectors are different, I'd recover the deleted files to manually see what is the difference between the existing and deleted files.
Also, if you know the date when the new files might have been written to the device, you can look at the dates/times of the existing and deleted files.
And once again, as I cannot see the data firsthand, all the above are just vague guidelines, rather than legally sound advice.
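The heuristics Alt gives here and in the earlier reply (a replaced first character marks a deleted FAT entry; a deleted entry sharing a live file's name is checked by comparing the sectors the two records point to; timestamps are a secondary clue) can be applied mechanically to the raw 32-byte directory entries. The Python below is an added example, not R-Studio's code and not from the thread. It parses FAT 8.3 entries, substitutes "$" for the lost first character the way R-Studio does, decodes the FAT write timestamp, and emits Alt's three verdicts. The directory it runs on is constructed: the names mirror the thread, but clusters, sizes and the 4096-byte cluster size are made up, and the "last cluster" figure assumes contiguous allocation because the FAT chain itself may be unavailable.

```python
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ENTRY_SIZE = 32
DELETED_MARK = 0xE5        # first name byte of a deleted 8.3 entry
ATTR_LONG_NAME = 0x0F      # VFAT long-name entries are skipped here
CLUSTER_BYTES = 4096       # assumed cluster size for the constructed sample


@dataclass
class DirEntry:
    name: str
    deleted: bool
    first_cluster: int
    size: int
    written: Optional[datetime]

    def last_cluster(self, cluster_bytes: int = CLUSTER_BYTES) -> int:
        # Assumes contiguous allocation; the real chain lives in the FAT,
        # which may be unusable (the thread reports all-zero tables).
        n = max(1, -(-self.size // cluster_bytes))
        return self.first_cluster + n - 1


def fat_datetime(date_field: int, time_field: int) -> Optional[datetime]:
    """Decode FAT packed date/time. The year is stored as 1980 plus a 7-bit
    offset, so a raw field can only express 1980..2107; a zero or otherwise
    invalid field returns None instead of a made-up date."""
    day, month, year = date_field & 0x1F, (date_field >> 5) & 0x0F, 1980 + (date_field >> 9)
    sec, minute, hour = (time_field & 0x1F) * 2, (time_field >> 5) & 0x3F, time_field >> 11
    try:
        return datetime(year, month, day, hour, minute, sec)
    except ValueError:
        return None


def parse_entry(raw: bytes, substitute: str = "$") -> Optional[DirEntry]:
    """Parse one 32-byte FAT directory entry; `substitute` stands in for the
    lost first character of a deleted name, as R-Studio does with '$'."""
    if len(raw) != ENTRY_SIZE or raw[0] == 0x00 or raw[11] == ATTR_LONG_NAME:
        return None                                  # free slot / end of dir / LFN part
    deleted = raw[0] == DELETED_MARK
    base = (substitute.encode("ascii") + raw[1:8]) if deleted else raw[0:8]
    name = base.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    hi = struct.unpack_from("<H", raw, 20)[0]        # first cluster, high word
    wrt_time, wrt_date = struct.unpack_from("<HH", raw, 22)
    lo = struct.unpack_from("<H", raw, 26)[0]        # first cluster, low word
    size = struct.unpack_from("<I", raw, 28)[0]
    return DirEntry(f"{name}.{ext}" if ext else name, deleted,
                    (hi << 16) | lo, size, fat_datetime(wrt_date, wrt_time))


def analyse_directory(raw_dir: bytes, substitute: str = "$") -> List[dict]:
    """Apply the moderator's heuristics to every deleted entry in a directory."""
    entries = [e for e in (parse_entry(raw_dir[i:i + ENTRY_SIZE], substitute)
                           for i in range(0, len(raw_dir), ENTRY_SIZE)) if e]
    live = [e for e in entries if not e.deleted]
    findings = []
    for d in (e for e in entries if e.deleted):
        # The first character is gone, so a same-name live file is matched on the rest.
        twins = [l for l in live if l.name[1:] == d.name[1:]]
        if not twins:
            verdict = "no live file with the same name"
        elif any(l.first_cluster == d.first_cluster for l in twins):
            verdict = "same sectors as live file: likely file-system corruption"
        else:
            verdict = "different sectors from live file: likely overwritten"
        findings.append({"name": d.name, "clusters": (d.first_cluster, d.last_cluster()),
                         "written": d.written, "verdict": verdict})
    return findings


def make_entry(name8: str, ext3: str, cluster: int, size: int, deleted: bool = False,
               wrt_date: int = 0x4281, wrt_time: int = 0x5000) -> bytes:
    """Build a constructed directory entry (default stamp 2013-04-01 10:00:00)."""
    raw = bytearray(ENTRY_SIZE)
    raw[0:8] = name8.ljust(8).encode("ascii")
    raw[8:11] = ext3.ljust(3).encode("ascii")
    raw[11] = 0x20                                   # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 20, cluster >> 16)
    struct.pack_into("<HH", raw, 22, wrt_time, wrt_date)
    struct.pack_into("<H", raw, 26, cluster & 0xFFFF)
    struct.pack_into("<I", raw, 28, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


# Constructed sample directory: names mirror the thread, clusters/sizes are made up.
SAMPLE_DIRECTORY = b"".join([
    make_entry("REC001", "WAV", cluster=3, size=20000),
    make_entry("REC001", "WAV", cluster=3, size=20000, deleted=True),   # same sectors
    make_entry("REC002", "WAV", cluster=10, size=20000),
    make_entry("REC002", "WAV", cluster=40, size=20000, deleted=True),  # different sectors
    make_entry("REC003", "WAV", cluster=60, size=8000, deleted=True, wrt_date=0),  # no twin
    bytes(ENTRY_SIZE),                                                   # end of directory
])


def run_sample() -> List[dict]:
    return analyse_directory(SAMPLE_DIRECTORY)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The verdict strings keep Alt's "most likely, not surely" character: a matching start cluster is only a proxy for "the same sectors", and a directory entry whose date field is zero or malformed decodes to None rather than to a date, which is the honest answer when a tool shows an implausible year.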

1uptek
Posts: 5
Joined: Wed Apr 03, 2013 1:56 pm

Re: R-Studio found deleted files but doesn't add up.

Post by 1uptek » Tue Apr 16, 2013 8:01 pm

Hi Alt. Got the technician version and I have enabled forensic mode. However, it doesn't seem to be working. If I'm not mistaken the software is supposed to prompt for case information and provide MD5s for recovered files. I'm unable to see a difference in the log file and it never prompts me to enter any information. I'm going to be contacting support unless you know what I might be doing wrong.

Apparently there were about 82 files on this drive at some point. They were all named rec###.wav with the number signs representing numbers that increment with each subsequent file. I found no deleted files with the same name as the 4 files in question. But do you know why the FAT tables would have no information about the directories or the files, present or deleted? All the tables are identical and contain only the header with the allowed ASCII characters. Everything beyond that section is all zeros.

The date and time on these files are way screwed up. A few of them have a year of 1600. Most of them are 2004-2005, some 2008 and 2011. So that's not going to be very helpful in deducing what has happened.

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: R-Studio found deleted files but doesn't add up.

Post by Alt » Thu Apr 18, 2013 12:25 pm

1uptek wrote: Hi Alt. Got the technician version and I have enabled forensic mode. However, it doesn't seem to be working. If I'm not mistaken the software is supposed to prompt for case information and provide MD5s for recovered files. I'm unable to see a difference in the log file and it never prompts me to enter any information. I'm going to be contacting support unless you know what I might be doing wrong.
Well, I specifically tested our current version, and the prompt appeared as it should. If you did enable the forensic mode on the Settings panel, it should appear any time you start file recovery. So, I think going to techsupport is a wise move.
1uptek wrote: Apparently there were about 82 files on this drive at some point. They were all named rec###.wav with the number signs representing numbers that increment with each subsequent file. I found no deleted files with the same name as the 4 files in question.
If there are no such files on the device, I really doubt it's possible to prove that any file has been deleted and then written again. I'd suggest you recover the deleted files that occupy sectors different from those occupied by the existing files and compare them acoustically.
1uptek wrote: But do you know why the FAT tables would have no information about the directories or the files, present or deleted? All the tables are identical and contain only the header with the allowed ASCII characters. Everything beyond that section is all zeros.
Well, it's hard to say being miles away from the scene; maybe the device treats the FAT file system in such a way, or the suspect might have cleaned (wiped) the tables. If the latter, it's impossible to recover anything except garbage.
1uptek wrote: The date and time on these files are way screwed up. A few of them have a year of 1600. Most of them are 2004-2005, some 2008 and 2011. So that's not going to be very helpful in deducing what has happened.
Those of the year 1600 are really interesting; they might be recordings of some Shakespeare play. But joking aside, once again, either the device or the suspect. And nothing for sure.
