Q: different views in the R-Studio hex viewer/editor

A forum on data recovery using the professional data recovery software R-STUDIO.
alokoko
Posts: 3
Joined: Tue Oct 20, 2009 8:59 am

Post by alokoko » Tue Oct 20, 2009 9:13 am

Hello,

I would like to ask about the different views in the hex editor in R-Studio. I downloaded and tried the latest 130017 demo build (64 bit) to see if it will be able to find a large deleted file. R-Studio found the file, but viewing the contents of the file via right click->View/Edit on the file shows different results, based on whether "Std", "Unlimited", "Direct" or "Allocation" is selected. In my case, "Std" shows the contents as all zeros, while "Unlimited" and "Direct" show some content. "Allocation" shows a few bytes of data.

I looked at the documentation and the forum posts but could not find an explanation for these different views. I would appreciate it if someone could explain what these views mean.

Thanks in advance for your help.

Alt
Site Moderator
Posts: 2271
Joined: Tue Nov 11, 2008 2:13 pm

Post by Alt » Tue Oct 20, 2009 3:53 pm

There are up to four tabs showing the data in different representations. The actual number of tabs depends on the object and property being viewed/edited.
Std: Exact attribute data. If the attribute is compressed, R-Studio decompresses it prior to showing.
Unlimited: Exact attribute data + free space of last cluster. If the attribute is compressed, R-Studio decompresses it prior to showing.
Direct: Actual data written on the disk. If the attribute is not compressed, it coincides with the Std representation.
Allocation: Resident part of the attribute.

Post by alokoko » Wed Oct 21, 2009 1:33 pm

Thank you very much for your reply. That cleared up some of the questions I had. I have a few more, if you do not mind:

1- What exactly is the "attribute" concept in R-Studio you are referring to? I know about the sectors and bytes that can be displayed, but I am not sure about what else R-Studio treats as "attributes".

For example, if "std" view shows the file contents as all zeros, but "unlimited" and "direct" show some byte values, how should I interpret these results?

2- When I select the file and do right click->View/Edit, in addition to the "offset" field at the top and the "bytes/sectors" dropdown, there's another dropdown with the following options:

DATA:STD_INFO (R)
DATA:FILE_NAME (R)
DATA:FILE_NAME (R) (these two items seem to have the same name)
DATA:DATA (NR)

I would appreciate it if you could explain what these choices mean.

3- Any chance these will be added to the documentation at some point? ;)

Thanks in advance.

Post by Alt » Thu Oct 22, 2009 12:21 pm

3. It'll be added to the next R-Studio release.
The rest... Well, MFT is quite a complex file system with a lot of attributes of files, folders, and other objects. It would take too long to explain all this in detail.

Post by alokoko » Sat Oct 24, 2009 4:17 am

Thanks. My first question was actually "What does R-Studio consider as an attribute" rather than "can you explain all the attributes". You have answered my question ("attributes" refer to the NTFS object attributes) somewhat indirectly by saying that NTFS is a complex filesystem (you said "MFT is a complex file system" but I am assuming you meant NTFS).

My second question was also not about explaining the filesystem itself but what those items in that new dropdown mean. I am hoping that the documentation in the next release will cover this UI element as well...

I am still not clear on how to interpret the difference when viewing the contents (sectors) of a deleted file through the hex viewer ("std" is all zeros while "unlimited" and "direct" show some content, even though they are completely different). I will revisit R-Studio when its next release is out to see if it helps me to understand this difference and helps me in recovering the file.

Thank you very much for your time.

Post by Alt » Sat Oct 24, 2009 2:18 pm

Frankly speaking, I cannot say much about why there is a difference unless I'm able to look at the data on the drive.
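
An added example, not part of the original thread and not R-Studio's code: a minimal parser that lists the NTFS attributes stored in one MFT record and marks each as resident (R) or non-resident (NR), on the assumption that this is what the (R)/(NR) labels in the dropdown above denote. The sample record, the short attribute labels and all helper names are constructed for illustration.

```python
import struct

# NTFS attribute type codes (on-disk values). The short labels mirror the dropdown
# quoted in the thread; that mapping is an assumption, not taken from R-Studio.
ATTR_NAMES = {0x10: "STD_INFO", 0x30: "FILE_NAME", 0x80: "DATA"}

def list_attributes(record: bytes):
    """Return [(name, "R" or "NR", size_in_bytes)] for one MFT FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]      # offset of first attribute
    found = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF:                          # end-of-attributes marker
            break
        non_resident = record[off + 8] != 0
        if alen < (0x40 if non_resident else 0x18) or off + alen > len(record):
            raise ValueError(f"corrupt attribute header at {off:#x}")
        if non_resident:   # content lives in clusters; the header stores the real size
            size = struct.unpack_from("<Q", record, off + 0x30)[0]
        else:              # content is stored inside the MFT record itself
            size = struct.unpack_from("<I", record, off + 0x10)[0]
        found.append((ATTR_NAMES.get(atype, hex(atype)), "NR" if non_resident else "R", size))
        off += alen
    return found

def _resident(atype, content):            # builds a constructed resident attribute
    body = content + b"\x00" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHH", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0,
                       len(content), 0x18, 0) + body

def _non_resident(atype, real_size, runlist):   # constructed non-resident attribute
    body = runlist + b"\x00" * (-len(runlist) % 8)
    return struct.pack("<IIBBHHHQQHH4xQQQ", atype, 0x40 + len(body), 1, 0, 0x40, 0, 0,
                       0, 15, 0x40, 0, 65536, real_size, real_size) + body

def build_sample_record():
    """Constructed 1024-byte record shaped like the thread's file (not real disk data)."""
    head = bytearray(0x38)
    head[0:4] = b"FILE"
    struct.pack_into("<H", head, 0x14, 0x38)
    attrs = (_resident(0x10, bytes(72)) + _resident(0x30, bytes(90)) +   # a file often has
             _resident(0x30, bytes(82)) +                                # long + short names
             _non_resident(0x80, 65000, b"\x21\x10\x00\x01\x00"))
    return (bytes(head) + attrs + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\x00")

if __name__ == "__main__":
    for name, kind, size in list_attributes(build_sample_record()):
        print(f"{name} ({kind})  {size} bytes")
```

On a record read from a real volume, apply the record's update sequence fixup before parsing, since the last two bytes of each sector are replaced on disk.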