Wiped File Recovery

A forum on data recovery using the professional data recovery software R-STUDIO.
jfulton
Posts: 2
Joined: Thu Oct 14, 2010 10:08 pm

Wiped File Recovery

Post by jfulton » Thu Oct 14, 2010 10:19 pm

I have used R-STUDIO Network Edition to try and recover deleted files on a SATA hard drive formated under NTFS. The program only finds the boot records of the files. It also has a large number of "Extra FIles Found" that it has catagorized under the various file types. When I try and view the files in the hex editor, the majority of them have the exact same contents. A few of them actually have what would appear to be remnants of the old files. Is R-STUDIO adding a "filler" because it doesn't know the actual byte format of the "Extra FIle"? Could this be the after effect of a file wipe program? Is there any way using R-STUDIO to determine if the files have been wiped?

Thanks,
Jon

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Wiped File Recovery

Post by Alt » Fri Oct 15, 2010 6:21 am

It could be a result of file wiping. It's easy to determine that the data has been wiped if the wiping program used a certain wiping pattern, and it's hard to do if random numbers are used. Any disk editor, including that built in R-Studio can be used.
R-Studio erroneously recognizes files if that wiping pattern contains a file signature of a certain file type.

jfulton
Posts: 2
Joined: Thu Oct 14, 2010 10:08 pm

Re: Wiped File Recovery

Post by jfulton » Fri Oct 15, 2010 6:42 pm

Thanks for the info. The patterns are identical on all the files. I used the hex editor to look at the contents and they were the same across all file types that were in the "boot file only found" category. The R-STUDIO recover - obviously - will not work on any of these files. The files recognized are a product of the R-STUDIO scanning routine of which the .scn file is 151MB. I am trying to gain some certainty as to whether or not the files were wiped as the client is expecting to lay the blame for the missing (and wiped) files on an ex - employee. So I want to be as certain as I can when I write up the report. I have used the "forensic" mode which is very nice!

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm
Contact:

Re: Wiped File Recovery

Post by Alt » Sat Oct 16, 2010 2:54 pm

I can't be absolutely sure without seeing the actual data. Moreover, a virus might do the same damage to the files. Nevertheless, if no file names can be recognized and disk space is filled with a certain data pattern, I'd rather suspect file wiping. I'd inspect the Registry on the victim OS in order to find a file wiping program among recently started programs for further proofs.

Post Reply