Monday, January 31, 2011

Windows 7 update

I recently wrote about upgrading a PC from Vista to Windows 7.  The cost was about £80 for software upgrade and £25 for extra memory.

It has been worth it.  The machine is more responsive and setting up network connections and printers is much easier. The configuration is a 2.4GHz Core 2 Duo PC with 4GB RAM, 750GB hard drive (250-500 partitions), a 2TB WD Green drive, and a 2.7TB RAID.  The only slow part to be investigated is the 100Mb network.

The WD Green drives are not blistering fast, but they are very cool (in the sense of temperature).  This should help reliability, and mean that computer fans can run less often, giving me a quieter life.

Graphics are not important, so the PC has the standard graphics interface, but Windows 7 Aero does work.

Friday, January 28, 2011

Create a DVD with recovered video

Software development is always looking at ways to improve the use of a program. What often happens is that a simple task is being repeated many times, and this indicates that something can be improved.
CnW gets lots of failed mini-DVDs to recover, and has a very high success rate.  Copies of the software are also sold to do the same function.  The original version would produce a series of files in the standard directory structure for a video disk.  The user would then have to use a DVD burning program to create a new video disk.  Not every 3rd party burning program works as required, so now the function has been added to CnW.  It is a very simple process, so when a disk has been recovered, a blank DVD may be inserted, and a new DVD burnt.  This saves both time, and also the chance of operator error, and program incompatibility.
So for simple video data recovery, that will actually produce a playing DVD at the end look at

Tuesday, January 25, 2011

Blank DVD-RW

I recently received 2 mini DVD-RW disks.  When read with normal hardware, every sector was blank, and there were no error messages.  However, when read with specialised hardware, it was possible to recover about 20 mins of a wedding video from each disk.

The moral of this story is what looks blank, may not always be blank.  Any forensic investigation should also take this into account.  CnW Recovery have developed a method to examine and recover data from areas of a DVD that can not otherwise be accessed.  CnW Recovery has a fixed price of £40, no fix, no fee for this type of data recovery.  Contact for more details

Monday, January 24, 2011

Solved - problems copying files to a Mac from PC disk

My data recovery is all done on PCs.  Often though, the original disk is a Mac HFS+ disk, and the customer wants the data back on a Mac Drive.  My process for doing this is to recover the files to a PC drive (NTFS or FAT32) which a Mac will read. By using the AppleDouble format (with hidden ._ files) all resource forks are retained.  I then copy the files, using a Mac, on to a customer disk.  I could have used a program such as MacDrive, but the last version I had did not retain resource forks.
Most files copy without problems, and the resource fork is correct, but sometimes an error such as -
     "The operation cannot be completed because you do not have sufficient privileges for some of the items"

is displayed and the copying stops.  This is best described as a pain as the point of stopping has to be determined, and a copy restarted.  Eventually I tracked this down to the type of file and established the problem files had the file type 'slnk' or 'hlnk' in the resource fork.  This was trying to associate the file with a program that may not be present on the copying Mac.  The solution has been to remove these strings in the resource fork and initial results now allow me to do a copy in one stage.

Tuesday, January 18, 2011

Bye Bye Vista!

Doing software development it is essential that your product works on systems customers want to use.  This means keeping up to date with standard updates and a few years ago I purchased a Vista system.  It did throw up a few compatibility problems so the purchase was worthwhile, but somehow the system never worked very well.  The PC was a reasonable spec, Core Duo, 2.4GHz with 2GB of RAM.

However, enough has been enough, and my Windows 7 systems seem very stable, so I decided it was time to update the Vista to Windows 7 - 32bit.  A search on Amazon brought up a reasonable price, and then a few more GBs of RAM to go to 4GB.  The fitting of RAM was easy, though of course, 32 bit Windows only sees 3GBs.

In theory, Vista can be updated to Windows and keep the system intact.  Obviously a full backup was done first, and the install was started.  At this point a problem arose.  The new Windows 7 package was less high end than the original Vista package, and this would not allow for a seamless upgrade. The notes implied that all data would be lost, and a clean install would be carried out.  The truth was actually not quite so bad.  On starting the update, about 50GB of files were backed up to a windows.old directory, and this contained all programs and user directory.  Obviously the programs are not installed, but copies are made.  Unexpectedly, the rest of the hard drive was left unchanged, so all existing directories were left as original.  I now just need to clear down a lot of the unwanted 50GB backup.

Overall, the upgrade was very painless and after a bit of personal tweaking, I now have a nice Windows 7 machine which seems to work.

Wednesday, January 5, 2011

Defragmenting videos from mobile phones

Mobile / Cell phones typically store videos as .3GP, .MP4 type files.  These can be recognised easily in a hex viewer by looking at the start of the file. The second group of 4 bytes will be the string 'ftyp' followed by the exact type of file, eg '3gp5'.

If the files are to be recovered by data carving, then at times the data may be fragmented.  CnW is working on a solution to this problem.  Fortunately these QuickTime files have a fairly helpful data structure, and so it is possible to both verify, and hence reconstruct, files from data stored in different fragments.  The basic file structure is 3 main data areas,

    ftyp  moov  mdat

However, the order of moov and mdat can vary.  The moov segment stores all pointers and decoding details for the data area, mdat.  The mdat area basically contains frames of video and sound.  As video frames normally start with the same header string, by decoding the moov it is possible to examine a possible fragment and determine if it does have the correct headers in the correct location.  If a match is found then it is possible to apply this fragment to the new image.

The moov fragment is not normally very large and so the expectations are that the complete segment will be found in the first complete fragment, along with the ftyp header.  This will be true for the files that store moov straight after the ftyp tag.  For files which are ftyp - mdat - moov sequence, it is necessary to examine the mdat for frame starts and hence calculate possible values that will be found in a moov segment.  The disk then has to be searched for a suitable moov fragment.

The current status of CnW Recovery is for recovery of a ftyp - moov - mdat file.  The second variation is under development. for more details of software
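
The top-level layout check described above can be sketched as follows. This is an added example, not CnW's code: it only walks the ftyp / moov / mdat chain in a carved buffer and reports where the chain stops making sense, which for an ftyp - mdat - moov file marks a fragmentation point somewhere before the expected moov. The function names and the sample data are constructed for illustration.

```python
import struct

# Top-level atom types commonly seen in 3GP/MP4 files (not an exhaustive list).
KNOWN = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"uuid"}

def walk_atoms(buf):
    """Walk top-level atoms; return (atoms, break_at). break_at is None when the
    atoms tile the buffer exactly, else the offset where the chain stops."""
    atoms, pos = [], 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            return atoms, pos
        size, kind = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                      # 64-bit size stored after the type
            if pos + 16 > len(buf):
                return atoms, pos
            size = struct.unpack_from(">Q", buf, pos + 8)[0]
            header = 16
        elif size == 0:                    # atom runs to the end of the file
            size = len(buf) - pos
        if kind not in KNOWN or size < header or pos + size > len(buf):
            return atoms, pos
        atoms.append((kind.decode("ascii"), pos, size))
        pos += size
    return atoms, None

def describe(buf):
    """Summarise a candidate: brand, atom order, and where the chain breaks."""
    atoms, break_at = walk_atoms(buf)
    if not atoms or atoms[0][0] != "ftyp" or atoms[0][2] < 12:
        return None                        # 'ftyp' is not at byte offset 4
    brand = buf[8:12].decode("ascii", "replace")
    return {"brand": brand, "order": [a[0] for a in atoms], "break_at": break_at}

def atom(kind, payload):
    """Build one atom (constructed test data only)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

# Constructed sample: an ftyp - mdat - moov file, then the same file with a
# foreign 512-byte sector spliced into mdat, as a carver would read it from disk.
FTYP = atom(b"ftyp", b"3gp5" + b"\x00\x00\x01\x00" + b"3gp5")
MDAT = atom(b"mdat", b"\x00\x00\x80\x02" * 300)
MOOV = atom(b"moov", atom(b"mvhd", b"\x00" * 100))
INTACT = FTYP + MDAT + MOOV
FRAGMENTED = INTACT[:600] + b"\xAA" * 512 + INTACT[600:]

for name, data in (("intact", INTACT), ("fragmented", FRAGMENTED)):
    print(name, describe(data))
```

In the fragmented sample the walk stops at the offset where moov should begin, because the bytes found there are still mdat payload pushed along by the foreign sector. For an ftyp - moov - mdat file this check cannot see damage inside mdat, since mdat is the last atom; that case needs the frame-header comparison the post describes.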