Saturday, August 22, 2020

XFS Deleted File Recovery

 XFS is a high performance Linux file system.  Unlike NTFS, recovering deleted files is not always possible, but CnW have developed tools to assist.  The results can be mixed, but normally better than just data carving.

XFS comes in a few flavours, but until recently CnW Recovery did not support file version 5.  The changes between earlier version and version 5 are small in overall design, but almost every internal data structure has been changed.  The most critical iNode is now twice the length at 0x200 bytes.  All structures now have increased security including a (unique) parent UUID as part of their structure.

CnW version 5.45 now supports all current versions of XFS


Wednesday, August 19, 2020

Windows 10 2004 update

I don't often comment on Microsoft because I actually like their products, in particular Visual Studio for C++.

My  main PC (Dell XPS desktop) is a few years old, but with a SSD drive and iCore 7 3.4GHz processor,  12GB RAM, still fine for I use it for.

I try and keep the software up to date and so downloaded the 2004 windows update.  I know there has been some bad press about it, but that was a few months ago.  I also have it running this update without problems on a few other PCs/laptops.  The download and install took a few hours, and all seemed OK when I logged in.  My PC is set to sleep if idle for 2 hours.

Normally coming out of sleep is a much faster process that that of it's owner, ie 5-10 seconds and all running well. This time, it did not show signs of waking up, so much so I ended up doing a forced power off.  Starting from cold was a very slow process, about 4-5 minutes, rather than the normal 30 seconds.  

I then did a test sleep, and this time was more patient.  The system eventually started after 3 about minutes, and ran as normal.

Google searching high lighted I was not alone, but none of the suggestions worked.  At the same time I kept losing screens from my 3 screen setup. I normally would have two, but on one occasion I only had one.

My eventual solution was to revert back to an earlier release (an option in Windows Update). This was a 'quick' process, a few minutes not hours. Everything is now as before.

I will wait a month or so before I retry this 2004 update.

Monday, July 20, 2020

GPS values in data recovery

The two main CnW products now try and include GPS co-ordinates in the forensic versions of the software.  For CnW this is added to photos (jpegs) that are recovered.

For GoPro Recovery, the cameras Hero 7 and later all include GPS receivers.  The the starting location value is added for all videos.  It should be noted though that the receiver is has limited sensitivity and so may not be active for internal recordings.

For a forensic investigation, location can be a very valuable tool.

GPR website

Drone cameras added to GoPro Recovery software

Many drone cameras are similar to GoPro Hero cameras in that they save high and low resolution video at the same time.  For this reason it has been possible to expand the capabilities of the world leading GPR software to include drones.  Currently supported drones include the following list

 ● DJI Inspire 1
 ● DJI Matrice 210
 ● DJI Matrice 600
 ● DJI Mavic 2 Enterprise
 ● DJI Mavic Pro
 ● DJI Phantom 3
 ● DJI Phantom 4 (FC6310)
 ● DJI Spark
 ● Yuneec Typhoon H

Download the current demo version and try for yourself from https://www.goprorecovery.co.uk


Sunday, February 28, 2016

Incomplete, or unfinalized GoPro Videos

The GoPro camera is very popular for activities that involve action.  At times these can go wrong and the camera can be thrown off, and sometimes stop recording.

The latest version of GoPro recovery (V1.25) can recover these partial files for Hero 3 camera.

When a camera is stopped from recording video data is normally left on the memory chip in an unplayable format.  It is this data that the GoPro recovery software will find and reconstruct into a playable video file.  GoPro recovery software goes much further than most packages as it will demultiplex the low and high resolution video and audio streams.  Thus a new file might be created out of maybe 100 separate fragments.

How much data will be recovered.  This is a slightly harder question.  When the camera records, obviously at first the video is saved in memory, and then written to the memory chip.  The unknown question is how quickly is data written to the memory chip, ie how much data up to the point of failure will be saved.  The answer is probably up to the final few seconds.

On some recent examples recovered using GoPro Recovery, the saved data seems to have stopped between 1 and 3 seconds before the critical event.  On one occasion this was made worse beacue the police, thinking nothing further could be recovered, told the owner to use the memory chip again.  On this occasion, the saved data was set by the file system, which is almost certainly updated after the data has been written to the memory chip.  ie there would have been more video data saved in unallocated memory which was then overwritten.

The new version of V1.25 works for just Hero 3 cameras, it has a very good reponse to low res videos, but can be slightly mixed with high res video.  This problem will be resolved very soon, and support for Hero 4 cameras will be added next


Monday, February 1, 2016

Digital signatures and SHA256

A very important point for anyone selling software is to make sure that the demo downloads and works.  A critical point of the download is that it is not recognised as a virus, or malicious software.  Hence, for the past several years, all my software has been digitally signed.

The signing was with a SHA-1 signature, and a recognised certificate.  Recently, (Jan 2016) this started give nasty warning messages on downloads.  What has happened is that SHA-1 is no longer considered safe, and so from 2016, web browsers etc have started to look for SHA-256 signatures.

The solution was to contact GlobalSign who provide my certificate,  and they very quickly supplied one with a SHA-256 code.

The next stage was updating my batch files to add the signature.  This was a matter of changing the .PFX name and the password, and all almost worked.  It worked, but the signature was still showing as SHA-1.  Curiously, the code signed within InstallShield 2015 was showing SHA-256.  This did mean my new certificate was correct.  It turned that my signing routine was along the lines

c:\signtool  sign  /f 1234.pfx   etc

By default the sign routine adds a SHA-1 signature, when I changed the line above to be

c:\signtool  sign /fd SHA256  /f1234.pfx  etc

it all worked OK.

Hopefully my programs will now download without alarm bells.

Friday, November 6, 2015

Windows 10

I have been running a pre-release of Windows 10 for some time, and seemed fairly stable.  After making good backups,  I have decided to upgrade several working PCs to Windows 10 as well.  This included 2 x Windows 7, and a Windows 8.1 system.  Overall I do not regret this, but the following are a few issues I ran into.

The first issue was to do with remote log on.  I typically have more PCs than screens, partly because I use 3 screens on my main development PC.  The upgrade to Windows 10 took across my pre configured setups, but not everyone worked.  I am not entirely sure how I fixed it, but think the main problem is that Windows 10 is more precise on logon than Windows 8.1  I needed to add the full C name, eg \\Window7system\user name  rather than any abbreviation.  Once the correct logon string was determined, it has been stable.

Next big issue was a conflict between Carbonite backup, and Kaspersky 2016.  When one Googles this problem it is not uncommon.  The solution appears to be to remove both programs and re-install Carbonite followed by Kaspersky. I had to configure Kaspersky by hand to give Carbonite the required permissions.   Another laptop with Carbonite and Norton 360 did not have any issues.

The last problem, I have just solved is that the internet uploads seemed very slow.  An internet test on an iPad showed good speed, but on the PC, downloads were about 35Mbs, but uploads 0.5Mbs.  A few suggested tweaks made no difference.  I tried to update the Ethernet drivers, and was told they are up to date, dated 2012.  The PC is a 2 year old Dell, and I then tried to disable the Ethernet, and use the built in WiFi.  Internet speeds were back to normal, but obviously this is not the way top transfer TB files in the office.  My suspicion was then the device drivers, rather than the basic Windows 10 software.  I went to the Realtek website and found that for my board, RTL8168 there is a Win10 Auto installation package, dated October 2015.  I downloaded this and it now works correctly, ie fast.  I am sorry that the auto driver update did not find this driver.

I may be the last man in the world to stick with Windows Internet Explorer, rather than Firefox, Chrome etc.  IE11 however seems very flawed, and much to my surprise, Microsoft Edge works well.  This has now become my default explorer.

Saturday, October 10, 2015

MXF video

MXF is a video encapsulation program, and as in many programs, the video is stored sequentially on the camera memory chip.  I have a problem with an exFAT memory chip froma Sony PXW-X70 camera XAVC which had been partially formatted.  All fragmentation information was lost.

The solution was to add a new wizard function to CnW.  This scans the memory chip and isolates key types of cluster, headers, indexes, and video data and trailer.  Once found, these XAVC video files are reconstructed in the correct logical order and video will play.

This is another growing example of video that cannot be recovered by standard data carving methods.  Unfortunately many companies may claim to process such files because they are probably tested by writing files sequentially to a memory chip, and saying that recovery is possible.  True, but this is not the way the camera writes it's data 

Sanyo E1 Video camera

Most months I come across a new video variation.  One of the latest is a Sanyo E1.  The video is 'standard' MP4 but the physical recording is non standard.  The customer had spent a few years trying to get the video recovered with no success.  The problem is that the moov atom is both fragmented, and out of sequence, and interleaved with the start of the mdat atom.  No program that just does data carving could ever recover this type of file.  Once the correct sequence was determined recovery was possible.  The initial attempts found video, but no sound, but eventually this was resolved. 

CnW Recovery V4.99 now supports recovery for many such videos, though a few tweaks are still required for longer files.

www.cnwrecovery.com  and run the MP4 wizard.

Website URL

My new GoPro Recovery program is working well, but sales are currently limited.  Most sales appear to be UK based, and USA, where the big market is, is still limited.  One reason I feel for this is because the website goprorecover.co.uk  is a .uk website.  I have now tried a new website, www.recovergopro.com  in the hope that having set my Google preference for world wide coverage, I will get more USA hits.  Time will tell.

An area I am also working on is to try and ensure the two websites are different enough in content so as not be classed as duplicate, even though they have started from the same base.