Custom Known Filetype for EaseUS Todo Backup file

A forum on data recovery using the professional data recovery software R-STUDIO.
torsrex
Posts: 2
Joined: Mon Jan 31, 2022 3:02 pm

Custom Known Filetype for EaseUS Todo Backup file

Post by torsrex » Mon Jan 31, 2022 3:24 pm

Hi,

I’m attempting to recover a backup file created by EaseUS Todo Backup using a custom known filetype.

I have uploaded 4 sample files here: https://drive.google.com/drive/folders/ ... sp=sharing

I followed the instructions here https://www.r-studio.com/creating-custo ... tudio.html but I'm struggling with identifying the signature. Any help would be greatly appreciated! Thank you in advance.

Alt
Site Moderator
Posts: 3171
Joined: Tue Nov 11, 2008 2:13 pm

Re: Custom Known Filetype for EaseUS Todo Backup file

Post by Alt » Tue Feb 01, 2022 12:03 pm

There's a signature for the beginning of the files. Which is good. There's no definite signature for the end of the files, which is bad. Overall:

<?xml version="1.0" encoding="UTF-8"?>
<FileTypeList version="2.0">
    <FileType id="50001" group="EasyUS" description=" EaseUS Todo Backup" features="" extension="pbd">
        <Begin combine="OR">
            <Signature>\x49\x4D\x47\x46\x2C\x05\x00\x00\x00\x00\x02\x00</Signature>
        </Begin>
        <End combine="OR"/>
    </FileType>
</FileTypeList>

torsrex
Posts: 2
Joined: Mon Jan 31, 2022 3:02 pm

Re: Custom Known Filetype for EaseUS Todo Backup file

Post by torsrex » Thu Feb 17, 2022 4:24 pm

I managed to recover the files! Here's how I did it:

1. I added the signature by user Alt to R-Studio. Looking at a bunch of example backup files in HxD, I found that the backup files start with the words IMGF, then some gibberish, and then eventually it will show the location the backup file is stored in. This is how I could tell which backup file was which. Here is a screenshot of the file I wanted to recover in the built-in hex editor in R-Studio:
Image

In the picture, you can see that the file starts with "IMGF" and then some gibberish, and then the backup location "G.:.\.b.a.c.k.u.p.\.m.s.i. .l.a.p.t.o.p.\.M.s.i. .l.a.p.t.o.p. .b.a.c.k.u.p.\.M.s.i. .l.a.p.t.o.p. .b.a.c.k.u.p._.2.0.2.0.0.8.1.5._.F.u.l.l._.v.1...p.b.d".

2. After inspecting a lot of backup files generated by EaseUS Todo Backup, I found that the file ended with the characters "IMGF", then some gibberish, and then a bunch of "ÿ". However, the number of "ÿ"'s varied between the files. Furthermore, the data between "IMGF" and the "ÿ"'s also varied. I found out that if I clicked on the sector as shown in the image, it would pull up a hex editor with the contents of the entire disk:
Image

So what I did was to search for a "good amount" of "ÿ" characters after the start position. I had to try different amounts as too few yielded too many hits, and too many didn't successfully find the end of the file. Searching through the disk took quite some time. After a while, I found the end of my backup file:
Image

3. I then used a program called DMDE (https://dmde.com/) where I inputted the start sector from step 1 and the end sector found in step 2 up to the last "ÿ":
Image

I then used the copy (tools->copy sectors) function in DMDE to copy the sectors into a file onto another hard drive:


4. I had to do some cleanups which I did in HxD (EaseUS Todo Backup was very picky about having exactly the right amount of "ÿ"'s). I did this by simply deleting all the stuff after the last "ÿ":
Image

5. Finally, I opened the file in EaseUS Todo Backup with my fingers crossed, and it loaded successfully!
Image


Hopefully, this will be of help to some other unlucky person who might happen to stumble upon this post in the future :)
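The manual procedure in the post above (find the start signature, search forward for a long run of "ÿ" (0xFF) after a trailing "IMGF", cut after the last 0xFF) can be scripted against a raw disk image. This is an added example, not part of the original posts and not EaseUS or R-Studio code; the function name, the `min_ff_run`, `max_gap` and `sector` parameters and their defaults are assumptions to tune, and the footer layout is only the heuristic the post describes.

```python
import re

# Start signature from the FileType definition posted in this thread.
HEADER_SIG = b"\x49\x4D\x47\x46\x2C\x05\x00\x00\x00\x00\x02\x00"


def carve_pbd(image, min_ff_run=64, max_gap=4096, sector=512):
    """Return (start, end) byte offsets of candidate .pbd files; end is exclusive."""
    # Footer heuristic (assumption, per the post): "IMGF", up to max_gap bytes
    # of varying data, then at least min_ff_run bytes of 0xFF. The run is
    # matched greedily, so the match ends right after the last 0xFF, which is
    # where the recovered file has to be cut.
    footer = re.compile(b"(?s)IMGF.{0,%d}?\xff{%d,}" % (max_gap, min_ff_run))
    found = []
    pos = image.find(HEADER_SIG)
    while pos != -1:
        nxt = pos + 1
        if pos % sector == 0:  # assumption: files begin on a sector boundary
            m = footer.search(image, pos + len(HEADER_SIG))
            if m:
                found.append((pos, m.end()))
                nxt = m.end()
        pos = image.find(HEADER_SIG, nxt)
    return found


def build_sample():
    """Constructed test image (not real EaseUS data): one file at sector 1."""
    body = HEADER_SIG + "G:\\backup".encode("utf-16-le") + bytes(range(1, 200)) * 3
    tail = b"IMGF" + b"\x10\x20\x30" + b"\xff" * 100
    image = b"\x00" * 512 + body + tail + b"leftover sectors"
    return image, 512 + len(body) + len(tail)


if __name__ == "__main__":
    img, expected_end = build_sample()
    for start, end in carve_pbd(img):
        print(f"candidate: bytes {start}-{end} (start sector {start // 512})")
```

For a real disk image, pass an `mmap.mmap` of the image file instead of reading it into memory, and write out `image[start:end]` for each candidate to a different drive.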

Alt
Site Moderator
Posts: 3171
Joined: Tue Nov 11, 2008 2:13 pm

Re: Custom Known Filetype for EaseUS Todo Backup file

Post by Alt » Thu Feb 17, 2022 6:52 pm

Good job! I'd like to mention that you can do all the stuff in R-Studio's Hex editor, too.
