Thursday, August 26, 2010

Multi-core processors

Hardware keeps developing very quickly, and Moore's law, which states that the number of transistors in a processor will double every two years, is still valid. Clock speed, though, has hit a kind of ceiling: 3GHz processors have been considered fast for about 6 years now. The way of adding more punch to a processor has been multiple processors and hyperthreading. The problem is that software has not always kept up.

With a lot of data recovery, many processes are sequential, ie read the problem disk, analyse the data, and then write the data somewhere. With multiple processors, probably the best we can manage is 3 parallel tasks. At each end is the bottleneck of a disk drive. The fastest way to read a disk drive is as a sequential stream. If you try and recover from two parts of a disk at the same time, the drive will spend a lot of time 'thrashing', moving the head to the new area and then back to the original area, and overall the process will be slower. Multiple processors may assist and enable two recoveries at the same time on the PC, but there is always the danger that the USB interface or similar may then end up saturated.

Very few recovery processes naturally make use of parallel processing so normally on a nice 8 core processor, 7 cores remain rather sleepy. CnW are looking at ways to wake a few of the cores up to help with the ever increasing size of disks, but ultimately, the big bottleneck is the speed of reading a disk. eSATA and USB-3 are all helpful parts of the equation, but at the moment, USB-2 just churns along.

Monday, August 23, 2010

Deleted XFS files

XFS is a popular file system for NAS devices, both single disk and RAID. A RAID device may be resilient against disk failure (with the exception of RAID 0), but there is nothing to prevent operator error deleting files. With an NTFS disk, a deleted file is marked as deleted and much of the metadata remains, although the area of the disk that the file used could be reused.

XFS is less friendly in that the main data within the critical inode is blanked. Thus the flags indicating whether it is a directory or a file are blanked, along with the file length. The table that stores the locations of all inodes is also blanked, or filled with irrelevant values. Recovery is therefore generally deemed all but impossible.

My challenge this week is to try and disprove this. Inodes still exist, as do cluster runs and resident data within the inode. Watch this space to see if progress is made. I doubt a solution will be perfect, and there will always be the danger of producing files with a corrupted file structure, but I am currently convinced that something will be possible.

Tuesday, August 17, 2010

Multiple Partitions on a drive

To most users the hard disk has a single partition, or just the C: drive. When it comes to recovery, it is very common to see three partitions. A typical pattern is:
  • FAT16 (hidden)
  • NTFS
  • FAT32 (hidden)

The FAT partitions are hidden and are configured for system recovery purposes, ie they will often keep a copy of the operating system and so allow a complete reload of the drive in the event of failure. This saves the manufacturer about 50 cents by not providing a boot DVD with the system, and assumes that whatever fails, these partitions will remain. Users are actually asked to make their own recovery DVDs.

As far as recovering user data, the only partition to be concerned about is the big NTFS partition. This is where holiday photos, wedding photos and MP3 music will be found.

Forensically though, it is possible to store data in these hidden partitions. Suspicions would be raised if the partitions are bigger than expected. On a standard example I have looked at, the FAT16 partition is about 60MB and the FAT32 about 3GB, on a 250GB disk. A significantly larger FAT32, or a hidden NTFS, must raise questions, and so these partitions would need careful investigation for possible hidden files.

On NAS (Network attached storage) systems, there are often multiple partitions (sometimes more than 4). They are normally all Linux and most of the partitions are Ext2/3. The final partition is the location that data is stored in. This final partition could be XFS, ReiserFS or Ext2/3. In this type of configuration one would expect the final partition to be large, and the rest fairly small. The warning sign would be a second large partition.

Saturday, August 14, 2010

Seagate 7200.11 drives

There was a firmware bug a few years ago with Seagate 7200.11 drives. It typically affected 500GB drives, and the symptoms were that the drive spun up but could not be detected by the BIOS. It only affects certain firmware versions, and is generally known as 'bricking' the drive.

Fortunately CnW Recovery does have a fix for this problem, and has had a high success rate with complete data recovery. Contact CnW for more details if you think your drive has been affected.

The above problem is not to be confused with another common Seagate failure, bearing seizure. The disks spin at 7200 rpm (ie fast) and sometimes the bearings seize. The solution is a skilled transfer of the platters into a different drive case, only to be undertaken in a clean room by qualified operators. A drive has several platters and the radial alignment between the platters has zero tolerance: if a platter moves a micro degree out, all the data will be lost. CnW does not have a solution for this problem, but can recommend companies who can help.

Friday, August 13, 2010

Windows 7 64 bit

64 bit operating systems have been about for several years now and the hardware probably even longer. In the 1980s, it was a very slow move from 8 bit to 16 bit, and then from 16 bit to 32 bit. At last, with Windows 7, 64 bit operating systems are now becoming common, even on laptops, and the key selling point is that the once enormous 4GB memory limit is now lifted. At a 1980 Intel seminar, it was suggested that 1MB of RAM was all one would ever need! In the course of my programming I now sometimes request 200MB buffers to help with sorting.

Although the operating system is 64 bit, the majority of applications are still 32 bit. The biggest nightmare has been critical support for drivers and other base level drive type programs. I have been using Windows 7-64 since November 2009 and it is still a pain that the 64 bit Windows Explorer is not supported by Adobe Flash. I also have a nice standard HP printer that does not have a 64 bit driver, and has to be used with a fiddle to make it look like a different PCL printer. For CnW Recovery software, support for the hardware dongle has only just been launched.

I like Windows 7, partly because it is on a fast Quad core PC with 6GB of RAM, and much better than Vista. Whether the 64 bit aspect is worth anything, I am not sure, but I am convinced that this is the way forward. I just wish device drivers for old hardware kept pace.

For recovery purposes, I am looking forward to exploring the multi-tasking features that Visual Studio 2010 has. Disks are getting bigger and bigger, speed is becoming more critical.

A fun tip you may not be aware of on Windows 7 is 'Windows Key and Tab'. Try it, it is more fun than Alt Tab.

Thursday, August 12, 2010

Apple Drives

I am often asked which make of drive is good and which is bad. The answer is like trying to recommend which type of car to buy, but there are two drives which should be replaced today if you have one.

The two problem Apple drives are both Seagate Momentus (2.5"). The models are:
  • Momentus 5400.2 Firmware 7.01
  • Momentus 5400.3 Firmware 3.CAE

If you have either of these two drives, then back up all data today, and have the drive replaced. If the drive dies (this afternoon) physical recovery is all but impossible.

All makes and models of drive fail, but these are currently possibly the worst.

Wednesday, August 11, 2010

Video thumbnails on recovery

When evaluating a demo recovery program it is often very difficult to know if the data you require will be recovered by the licenced copy. Recovering DVDs has an added complication as many DVDs fail in a way that they cannot be read by standard DVD readers.

The latest version of CnW Recovery has a wizard to recover Mini DVDs from video cameras. The wizard will first examine the disk to see if it is readable, and then will extract the video chapters as MPEGs. For commercial reasons, the demo will not save these files to the hard drive, but will display the first few seconds of each chapter to give confidence that data will be recoverable. The licenced version will continue with a routine to recreate all the IFO files and merge the chapters into a standard VOB, all within the standard VIDEO_TS directory structure.

Monday, August 9, 2010

Decimal or Hex

I have a personal pet hate of people who use decimal numbers when hex numbers make far more sense. On an NTFS disk, the first MFT sector is very often 6,291,519. I cannot remember this number, but 0x60003F is actually very easy. It is made up of a disk partition starting sector of 0x3F, plus 8 (the cluster size in sectors) times the starting cluster of 0xC0000.

When analysing a disk, sector numbers very often make far more sense in hex than in decimal. Another example is determining the cluster size from file start locations. With a series of start locations such as 512, 640, 1824, 2368 there is no clear pattern, but the same numbers in hex are 0x200, 0x280, 0x720, 0x940, from which it is a good guess that clusters are probably 0x20 sectors in length.

CnW Recovery software allows for both decimal and hex to be used, and many menus have an option box to switch between the two. Although it may not be easy at first, it is well worth getting used to thinking in hex when working on disk contents, and this helps even more when a complex number is actually made up of several sections. An example may be a date which has 5 bits for seconds, 6 bits for minutes etc. A decimal number is pretty meaningless, but a hex number is much clearer - though ultimately it is best viewed as a binary number.

Think Hex. Many numbers make far more sense in hex when investigating a disk and computer data. Windows comes with a nice calculator that will flip between decimal and hex when required.
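The three cases in this post, as an added worked example (not CnW Recovery's code): splitting 0x60003F into partition start plus cluster number, guessing the cluster size from the file start sectors 512, 640, 1824, 2368 with a gcd, and pulling a packed time apart bit field by bit field. The values come from the post; the FAT/DOS 16-bit time layout (5 bits seconds/2, 6 bits minutes, 5 bits hours) is my assumed example of the kind of date the post mentions.

```python
from math import gcd

# Added example; not CnW Recovery's code. 0x60003F, the partition start of 0x3F,
# 8 sectors per cluster and the start sectors 512, 640, 1824, 2368 are taken from
# the post; the FAT-style packed time layout is an assumed example.

PARTITION_START = 0x3F      # first sector of the NTFS partition
SECTORS_PER_CLUSTER = 8     # 8 x 512 byte sectors = 4K clusters


def mft_start_cluster(mft_sector, partition_start=PARTITION_START,
                      spc=SECTORS_PER_CLUSTER):
    """Strip the partition offset and cluster multiplier from an absolute sector.

    0x60003F = 0x3F + 8 * 0xC0000, so the MFT starts at cluster 0xC0000 of the
    partition. Raises if the sector does not sit on a cluster boundary.
    """
    relative = mft_sector - partition_start
    if relative < 0 or relative % spc:
        raise ValueError(f"0x{mft_sector:X} is not cluster aligned")
    return relative // spc


def guess_cluster_sectors(start_sectors, partition_start=0):
    """Guess the cluster size (in sectors) from a list of file start sectors.

    In hex, 0x200, 0x280, 0x720, 0x940 are all multiples of 0x20; the gcd of the
    offsets from the partition start captures exactly that. It is only a guess:
    if every sampled file happens to start on a larger boundary the result is
    too big, so more samples give a better answer.
    """
    g = 0
    for s in start_sectors:
        g = gcd(g, s - partition_start)
    return g


def unpack_fat_time(value):
    """Decode a FAT/DOS packed 16-bit time: bits 0-4 seconds/2, bits 5-10 minutes,
    bits 11-15 hours. Returns (hours, minutes, seconds)."""
    hours = (value >> 11) & 0x1F
    minutes = (value >> 5) & 0x3F
    seconds = (value & 0x1F) * 2
    return hours, minutes, seconds


def as_hex_and_binary(n):
    """The same number three ways; the bit-field boundaries only show in binary."""
    return f"{n} = 0x{n:X} = 0b{n:b}"


if __name__ == "__main__":
    print(as_hex_and_binary(6291519))
    print(hex(mft_start_cluster(0x60003F)))                    # 0xc0000
    print(hex(guess_cluster_sectors([512, 640, 1824, 2368])))  # 0x20
    print(unpack_fat_time(0x6A3D))                             # (13, 17, 58)
```

The gcd trick is worth remembering: it is what "they all end in a multiple of 0x20" means arithmetically, and it works just as well when the partition does not start at sector 0, as long as the partition start is subtracted first.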

Old joke - There are only 10 types of people in the world, those who understand binary, and those who don't.

Sunday, August 8, 2010

Slack space in NTFS

Slack space on a file system is data that is within allocated clusters but not actually used. When a file is allocated space on NTFS it is normally allocated a whole number of clusters, and a cluster is often 16 sectors (8K) in length. Thus, if a file is say 5K long, there will be 3K of the cluster which is allocated but does not contain file information. No user will ever see the contents of this 3K of slack space.

Forensically, slack can be useful as it may contain data from previously deleted files. The data will not be complete, but it could contain between 1 and 8191 bytes of useful data (for an 8K cluster). CnW actually has an option to collect these fragments and store them in a big file with a header for each length of slack data from each incomplete cluster. It should be noted that slack space will only be found in the final cluster of a file. Thus for a 31K file, there will be 3 complete clusters, and the final cluster will have 1K of slack.

For NTFS, slack space does not stop here. To optimise disk usage, small files are stored after the MFT entry header within the 1024 byte MFT block. The maximum size of such a file is probably in the region of 500-600 bytes. Thus when analysing a disk for data in slack areas it is essential to examine each MFT block for possible data after the used part of the entry, maybe from previous uses of the block. Again, CnW Recovery has a feature so that the slack from all MFTs can be stored in a specific file, again separating each entry with a header. For more details see www.cnwrecovery.com/html/ntfs_forensic.html
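The two kinds of slack described above, as an added example that is not CnW Recovery's code: the arithmetic for file slack in the final cluster, pulling that slack out of a partition image, the unused tail of a 1024 byte MFT record (the bytes-in-use field at offset 0x18 of the record header says where the live data ends), and a simple header-per-fragment collection file. The 8K cluster and the 5K and 31K file sizes are the post's; the image, the MFT record contents and the fragment header format are constructed for the example.

```python
SECTOR = 512

# Added example; not CnW Recovery's code. The 8K cluster, the 5K and 31K file
# sizes and the 1024 byte MFT record come from the post; the image, the record
# contents and the fragment header format are constructed.


def clusters_allocated(file_size, cluster_size):
    """Number of clusters a file of file_size bytes occupies (rounded up)."""
    return -(-file_size // cluster_size)


def slack_bytes(file_size, cluster_size):
    """Bytes in the final cluster that are allocated but hold no file data."""
    if file_size == 0:
        return 0
    used_in_last = file_size % cluster_size
    return 0 if used_in_last == 0 else cluster_size - used_in_last


def extract_file_slack(image, first_sector, file_size, cluster_size,
                       sector_size=SECTOR):
    """Return the slack region of a contiguous file stored in a partition image."""
    n = slack_bytes(file_size, cluster_size)
    if n == 0:
        return b""
    start = first_sector * sector_size + file_size
    return bytes(image[start:start + n])


def extract_mft_slack(record):
    """Unused tail of a 1024 byte MFT FILE record. Offset 0x18 of the record
    header holds the number of bytes actually in use; anything after that may be
    left over from an earlier use of the block (eg a resident file since deleted)."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    used = int.from_bytes(record[0x18:0x1C], "little")
    if not 0x30 <= used <= len(record):
        raise ValueError(f"implausible bytes-in-use value {used}")
    return bytes(record[used:])


def slack_record(source_sector, data):
    """Wrap one slack fragment with a header (constructed format: 8 byte source
    sector, 4 byte length, then the data) so many fragments share one file."""
    return (source_sector.to_bytes(8, "little")
            + len(data).to_bytes(4, "little") + data)


def parse_slack_file(blob):
    """Inverse of slack_record over a whole collection file."""
    out, pos = [], 0
    while pos < len(blob):
        sector = int.from_bytes(blob[pos:pos + 8], "little")
        length = int.from_bytes(blob[pos + 8:pos + 12], "little")
        out.append((sector, blob[pos + 12:pos + 12 + length]))
        pos += 12 + length
    return out


def build_demo_image():
    """Constructed partition image: a 5K file at sector 16 in 8K clusters whose
    3K of slack still holds text from a deleted file."""
    cluster = 16 * SECTOR
    image = bytearray(4 * cluster)
    image[cluster:cluster + 5 * 1024] = b"N" * (5 * 1024)
    leftover = b"DELETED NOTES " * 300
    image[cluster + 5 * 1024:2 * cluster] = leftover[:3 * 1024]
    return image


if __name__ == "__main__":
    img = build_demo_image()
    slack = extract_file_slack(img, 16, 5 * 1024, 8 * 1024)
    print(len(slack), slack[:13])       # 3072 b'DELETED NOTES'
    print(clusters_allocated(31 * 1024, 8 * 1024), slack_bytes(31 * 1024, 8 * 1024))
```

The bytes-in-use check in extract_mft_slack matters on a damaged disk: a record whose header has been overwritten would otherwise report a nonsense length and either nothing or the whole block as slack.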

Saturday, August 7, 2010

Reiser FS

Linux is still a niche operating system but has many very keen fans. With Windows there are two file systems that may be used, NTFS and FAT, but with Linux (and Ubuntu) it is possible to install several file systems, and so there have been many developments, each trying to be better or faster. The most common file systems are Ext2/3, XFS and ReiserFS (version 3).

The most significant feature of ReiserFS is the way it stores the data on the disk. With FAT, each file always takes at least a cluster (maybe 16K). With NTFS each file over about 500 bytes always takes a cluster, while small files may be stored with the directory entry in the MFT block of 1024 bytes. ReiserFS will use blocks to full capacity. Thus with a 4K block, it may actually contain 5 to 20 files, or the start of a long file. This can mean that the disk can be used with virtually no slack or wasted space.

From the recovery viewpoint this makes data carving a nightmare. For most file systems, data carving only examines the first bytes of each sector to determine if the sector contains a file start. For the same to be true with ReiserFS, it may have to check every byte, or if the data is 64 bit aligned, every eighth byte, in order to detect all possible file starts. Fortunately though, long files normally start at block starts, so normal carving will work, but in order to find all short files a lot more care has to be taken.

Friday, August 6, 2010

MFTs and NTFS

Probably the most important element of the NTFS file system is the Master File Table (MFT) structure. This is the block of data that stores information on every file. It contains the file name, dates, size and location on the disk. An MFT entry is normally 1024 bytes long, which means that at times the file data for a short file (maybe less than 500 bytes) can be stored in this directory element, so avoiding having to allocate a 4K area of disk for a small file.

The MFT entry is made up of several elements, and the most important for recovery purposes are the file allocation locations, the file name and the date metadata. On an NTFS disk, the file allocation information gives a starting location, and then the number of clusters in the data run. For fragmented files, there are extra starting locations (actually relative to the previous start). Occasionally, all the file information cannot be fitted into a single 1024 byte block, so there is a system for chaining multiple MFT blocks.

Analysing the MFT by hand is not easy, so CnW Recovery have added a feature to the software so that when an MFT sector is viewed, moving the mouse over the data displays the decoded information. For more details see www.cnwrecovery.com/html/mft_parse.html.
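The data run list described above (a start location, a cluster count, then further starts relative to the previous one), decoded in an added example that is not CnW Recovery's code. The on-disk encoding is the standard NTFS one: each run opens with a header byte whose low nibble gives the size of the length field and whose high nibble gives the size of the signed offset field. The run list bytes below are constructed; the partition start of 0x3F and 8 sectors per cluster are the values used earlier on this page.

```python
# Added example; not CnW Recovery's code. The run list bytes are constructed.


def decode_data_runs(runs):
    """Decode an NTFS non-resident data run list into (lcn, cluster_count) pairs.

    Each run begins with a header byte: low nibble = size in bytes of the length
    field, high nibble = size of the offset field. Both fields are little-endian;
    the offset is signed and relative to the previous run's LCN (so a fragment
    earlier on the disk has a negative offset), and an offset size of 0 marks a
    sparse run with no clusters on disk (lcn None). A 0x00 header ends the list.
    """
    out, pos, lcn = [], 0, 0
    while pos < len(runs):
        header = runs[pos]
        pos += 1
        if header == 0:
            return out
        len_size, off_size = header & 0x0F, header >> 4
        if (len_size == 0 or len_size > 8 or off_size > 8
                or pos + len_size + off_size > len(runs)):
            raise ValueError(f"malformed run header 0x{header:02X} at byte {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            out.append((None, length))          # sparse run
            continue
        delta = int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        lcn += delta
        if lcn < 0:
            raise ValueError("run list walks before cluster 0 (corrupt entry)")
        out.append((lcn, length))
    raise ValueError("run list not terminated")


def runs_to_sectors(decoded, sectors_per_cluster=8, partition_start=0x3F):
    """Turn (lcn, count) pairs into absolute (start_sector, sector_count) pairs
    for a partition beginning at partition_start; sparse runs are skipped."""
    return [(partition_start + lcn * sectors_per_cluster, count * sectors_per_cluster)
            for lcn, count in decoded if lcn is not None]


CONSTRUCTED_RUNS = bytes.fromhex(
    "21 18 34 56"     # 0x21: 1 byte length (0x18 = 24 clusters), 2 byte offset 0x5634
    "11 10 80"        # 0x11: 16 clusters, 1 byte offset 0x80 = -128, ie before run 1
    "01 08"           # 0x01: 8 sparse clusters, no offset field
    "31 04 00 10 00"  # 0x31: 4 clusters, 3 byte offset 0x001000 = +4096
    "00"              # terminator
)

if __name__ == "__main__":
    runs = decode_data_runs(CONSTRUCTED_RUNS)
    print(runs)                     # [(22068, 24), (21940, 16), (None, 8), (26036, 4)]
    print(runs_to_sectors(runs))
```

The negative second offset is the point of the relative encoding: a file that was extended into space freed earlier on the disk has a run list that goes backwards, and a decoder that treats offsets as unsigned will point the recovery at the wrong clusters.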

Thursday, August 5, 2010

Hard disk partitions

A physical hard disk is a sequential series of sectors, typically 512 bytes long, though new disks with sectors of 4096 bytes are starting to appear. Logically, the disk can be split into multiple areas, or partitions. Each partition looks to the operator like a separate drive. There are several reasons for multiple partitions, such as:
  • Housekeeping - to keep disk sizes small
  • To prevent a logical drive getting bigger than 2TB
  • To separate data and programs
  • To have multiple boot modes with different operating systems
  • Hidden partitions for system recovery

Most drives still use a partition table in sector 0 to define up to 4 partitions, with the option of an extended partition that in effect chains to a new 'boot' sector and allows for an unlimited number of partitions. The maximum sensible number is probably less than 10.

A very common disk failure is for the boot sector to fail, or be corrupted / overwritten. In order to recover the disk data it is necessary to reconstruct the information that was stored in the partition table, and the critical values are the start sector, the sector count in the partition (the partition length) and the type of file system, eg NTFS, ReiserFS. Fortunately, this information can be discovered by scanning the disk and detecting certain elements such as a BIOS Parameter Block, or a series of MFT entries. This is a feature that CnW Recovery software performs as part of its Partition function.
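An added example (not CnW Recovery's code) covering this post and the earlier one on multiple partitions: reading the four entries of a sector 0 partition table (start sector, sector count, type byte), flagging a hidden partition that is much bigger than a recovery partition should be, and the kind of scan used when sector 0 is gone, looking for sectors that carry a 0x55AA signature and a plausible BIOS Parameter Block. The partition type bytes are the standard MBR values; the demo disk layout follows the 60MB FAT16 / NTFS / 3GB FAT32 on 250GB example from the earlier post; the 5% "too big to be a recovery partition" threshold and the image contents are my constructed assumptions.

```python
import struct

SECTOR = 512
# Standard MBR partition type bytes; the hidden variant of a type is type + 0x10.
TYPE_NAMES = {0x06: "FAT16", 0x16: "FAT16 (hidden)", 0x07: "NTFS", 0x17: "NTFS (hidden)",
              0x0B: "FAT32", 0x1B: "FAT32 (hidden)", 0x0C: "FAT32 LBA",
              0x1C: "FAT32 LBA (hidden)", 0x05: "Extended", 0x0F: "Extended LBA",
              0x83: "Linux"}
HIDDEN_TYPES = {0x16, 0x17, 0x1B, 0x1C}

# Added example; not CnW Recovery's code. Disk layout and image are constructed.


def parse_mbr(sector0):
    """Return the used primary entries of an MBR as dicts (16 bytes each from 446)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    entries = []
    for i in range(4):
        e = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = e[4]
        if ptype == 0:
            continue
        lba, count = struct.unpack("<II", e[8:16])
        entries.append({"index": i, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, f"0x{ptype:02X}"),
                        "start": lba, "count": count, "hidden": ptype in HIDDEN_TYPES})
    return entries


def suspicious_partitions(entries, disk_sectors, max_hidden_fraction=0.05):
    """Indices of hidden partitions worth a closer look: any hidden NTFS, or a
    hidden partition larger than max_hidden_fraction of the disk (assumed
    threshold; the post's recovery partitions are well under 2% of the disk)."""
    return [e["index"] for e in entries if e["hidden"]
            and (e["type"] == 0x17 or e["count"] > disk_sectors * max_hidden_fraction)]


def find_boot_sectors(image, sector_size=SECTOR):
    """Scan a raw image for candidate volume boot sectors: a jump opcode at byte 0,
    0x55AA at the end and a sane bytes-per-sector in the BPB at offset 11.
    Returns (sector_number, oem_id) pairs to seed a rebuilt partition table."""
    hits = []
    for s in range(len(image) // sector_size):
        sec = image[s * sector_size:(s + 1) * sector_size]
        if sec[510:512] != b"\x55\xAA" or sec[0] not in (0xEB, 0xE9):
            continue
        bps = struct.unpack_from("<H", sec, 11)[0]
        if bps in (512, 1024, 2048, 4096):
            hits.append((s, bytes(sec[3:11])))
    return hits


def make_entry(ptype, start, count):
    """One 16 byte table entry; CHS fields left zero, NTFS marked bootable."""
    return bytes([0x80 if ptype == 0x07 else 0, 0, 0, 0, ptype, 0, 0, 0]) \
        + struct.pack("<II", start, count)


def build_demo_mbr():
    """Sector 0 of a constructed disk: hidden FAT16 (60MB), NTFS, hidden FAT32 (3GB)."""
    mbr = bytearray(SECTOR)
    mbr[446:510] = (make_entry(0x16, 63, 122_880) + make_entry(0x07, 122_943, 480_000_000)
                    + make_entry(0x1B, 480_122_943, 6_291_456) + bytes(16))
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr), 488_281_250      # sector 0, disk size in sectors (250GB)


def build_demo_image():
    """Four blank sectors with an NTFS-style boot sector planted at sector 2."""
    image = bytearray(4 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 11, 512)
    boot[510:512] = b"\x55\xAA"
    image[2 * SECTOR:3 * SECTOR] = boot
    return bytes(image)


if __name__ == "__main__":
    mbr, disk = build_demo_mbr()
    for e in parse_mbr(mbr):
        print(e)
    print(suspicious_partitions(parse_mbr(mbr), disk))   # []
    print(find_boot_sectors(build_demo_image()))         # [(2, b'NTFS    ')]
```

On a real disk the scan produces false positives (backup boot sectors, boot sectors of deleted volumes), so each candidate still needs the follow-up check the post mentions, such as finding a run of MFT entries where the BPB says the MFT should be.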

Wednesday, August 4, 2010

Which file is a sector in?

Many forensic investigations will scan a complete hard disk for possible interesting strings. The result will be that the string is found in several sectors, but then there is the problem of discovering which files these sectors relate to.

CnW Recovery software has a feature within the log to provide an answer to this question. As CnW retains all locations of file fragments, the same information can be used to discover if a sector is used within any files. Thus with the log, the user can search for a specific sector and it will indicate if it is part of a file, or even several files. A sector can be marked as part of several files if one has been overwritten by a later file.

If the sector is not part of a file, then it indicates that the data has been found in unallocated space, which can of course be carved to obtain possibly useful files.

Tuesday, August 3, 2010

Locating file fragments

When doing a forensic recovery one very important aspect is to log all actions so that they can be repeated. Recovering a file is reading a sequence of sectors, and many times they are in sequence, but not always. For the files that are out of sequence it is necessary to track each fragment / cluster.

The CnW log has a data column that records the number of fragments in a file. If this number in the log is clicked, each fragment (up to a maximum of 80) will be displayed as the starting sector and sector run length. Anyone can then examine the original disk and establish how the file has been reconstructed.
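An added example (not CnW Recovery's code) of the fragment index behind both of these log features: every (start sector, run length) fragment recorded for each recovered file is kept, a sector can be mapped back to every file whose fragments cover it (several files where a deleted file was overwritten, none for unallocated space), and the offset within the file is reported so the hit can be located in the recovered copy. The log entries are constructed.

```python
from bisect import bisect_right

# Added example; not CnW Recovery's code. The log entries below are constructed.


class FragmentIndex:
    """Index every (start_sector, run_length) fragment logged for recovered files
    so that a sector number can be mapped back to the file(s) it belongs to."""

    def __init__(self, log):
        # log: {file_name: [(start_sector, sector_count), ...]} in file order
        self.log = log
        runs = []
        for name, frags in log.items():
            file_offset = 0      # where this fragment sits within the file, in sectors
            for start, count in frags:
                runs.append((start, start + count, name, file_offset))
                file_offset += count
        runs.sort()
        self.runs = runs
        self.starts = [r[0] for r in runs]

    def files_for_sector(self, sector):
        """[(file_name, offset_in_file_sectors)] for every fragment covering the
        sector. Several hits mean the sector was reused (a deleted file partly
        overwritten by a later one); no hits mean unallocated space."""
        hits = []
        # runs are sorted by start, so only runs starting at or before `sector` qualify
        for start, end, name, off in self.runs[:bisect_right(self.starts, sector)]:
            if sector < end:
                hits.append((name, off + sector - start))
        return sorted(hits)

    def fragment_count(self, name):
        return len(self.log[name])

    def fragments(self, name, limit=80):
        """The (start, length) list shown when the fragment count is clicked."""
        return self.log[name][:limit]


CONSTRUCTED_LOG = {
    "photo.jpg": [(1000, 16), (2048, 8)],   # fragmented: two runs
    "old.doc": [(1008, 32)],                # deleted file, partly overwritten by photo.jpg
    "notes.txt": [(4096, 4)],
}

if __name__ == "__main__":
    idx = FragmentIndex(CONSTRUCTED_LOG)
    for sector in (1010, 2050, 3000):
        print(sector, idx.files_for_sector(sector) or "unallocated")
    print(idx.fragment_count("photo.jpg"), idx.fragments("photo.jpg"))
```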

Monday, August 2, 2010

Recovering deleted Mac files

If a file on a Mac has been deleted and removed from the trash bin, recovery is difficult. On many operating systems and file systems, a deleted file remains in the directory but is marked as deleted. With a Mac, the catalog entry is cleared entirely and then the catalog sector is rewritten, with no residual information on the file remaining.

The only way to recover deleted Mac files is with data carving. This is a process where the disk is scanned and the start of each sector is examined for known file signatures. For instance, a JPEG file will always start with the bytes 0xFF 0xD8 0xFF, then normally a 0xE0 or 0xE1. A clever carving program will then go a few stages further and analyse the data. CnW will try and reconstruct a file name based on metadata within a file, so most JPEGs will be recovered with an original date.

The problem with data carving is that no directory structure is retained.

When the file is deleted, so is all the information of where the different sections of the file have been saved. Fortunately, most Mac files are sequential, so a high recovery rate can be expected.
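The JPEG signature check described above, as an added example that is not CnW Recovery's code, serving both this post and the earlier ReiserFS one: the same scan run sector aligned (normal carving), at every 64-bit aligned position (the ReiserFS packed-block case) and at every byte, followed by carving a sequential file through to its end marker. The FF D8 FF E0/E1 signature is the post's; the image with three planted JPEG-like blobs is constructed.

```python
JPEG_SOI = b"\xFF\xD8\xFF"
JPEG_EOI = b"\xFF\xD9"
APP_MARKERS = (0xE0, 0xE1)   # JFIF (APP0) or EXIF (APP1), as in the post

# Added example; not CnW Recovery's code. The demo image is constructed.


def find_jpeg_starts(image, stride=512):
    """Offsets of JPEG starts (FF D8 FF E0/E1) that fall on a multiple of stride.

    stride=512 is ordinary sector-aligned carving; stride=8 checks every 64-bit
    aligned position, as needed for ReiserFS packed blocks; stride=1 checks every
    byte, the slowest but most complete option.
    """
    hits = []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        if pos % stride == 0 and pos + 3 < len(image) and image[pos + 3] in APP_MARKERS:
            hits.append(pos)
        pos = image.find(JPEG_SOI, pos + 1)
    return hits


def carve_jpeg(image, start):
    """Bytes from a JPEG start marker through the first end-of-image marker, or
    None if no end marker follows. Correct for sequential (unfragmented) files,
    which is the common case the post relies on."""
    end = image.find(JPEG_EOI, start + 4)
    return None if end == -1 else bytes(image[start:end + 2])


def build_demo_image():
    """Three small JPEG-like blobs in 4K of zero filler: one sector aligned, one
    only 8-byte aligned (offset 1048), one not aligned at all (offset 3005)."""
    def blob(n):
        return JPEG_SOI + b"\xE0" + b"JFIF" + bytes([n]) * 20 + JPEG_EOI

    image = bytearray(4096)
    for off, n in ((0, 1), (1048, 2), (3005, 3)):
        b = blob(n)
        image[off:off + len(b)] = b
    return bytes(image)


if __name__ == "__main__":
    img = build_demo_image()
    for stride in (512, 8, 1):
        print(stride, find_jpeg_starts(img, stride))   # [0], [0, 1048], [0, 1048, 3005]
    print(len(carve_jpeg(img, 1048)))                  # 30
```

The byte-by-byte pass finds everything but also finds the most false positives (three signature bytes occur by chance inside other data), which is why a carver should validate the header that follows, as the post says a clever carver does.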

Sunday, August 1, 2010

Lost file or directory on NTFS

Occasionally a file, or a complete subdirectory, may go missing on an NTFS disk. The most common reason actually is operator error, maybe by accidentally dragging a directory into another directory. The way to recover from this situation is to search the disk for a known file, and then work out what has been moved where.

The same problem can also occur when a critical sector fails or is corrupted. This can leave the directory tree with a logical break, and so leave files with no correct location. CnW Recovery software has a good solution to this problem. As part of the recovery options, it allows for recovery from file entries. It will either scan the known $MFT (NTFS directory file) for individual MFT entries, or it can scan the complete disk. When an MFT entry is found it is tested to see if the Master File Table entry is for a file or a directory. If for a file, it is recovered and the directory path reconstructed as far as possible. For the files that have been lost, a dummy directory entry will be created, eg lostdir123, and all files related to the lost directory will be placed together. To find your lost file, either the recovered files can be searched, or the log examined to determine the new location.
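The reconstruction step described above, as an added example that is not CnW Recovery's code: classify a raw MFT record as file or directory (and live or deleted) from the flags word at offset 0x16 of the record header, then rebuild paths by following each entry's parent reference up to the root (MFT record 5 on NTFS), hanging any chain that hits a missing or looping parent under a synthetic lostdir directory so that files which shared the lost parent stay together. The record table and the raw record are constructed; the lostdir naming follows the post's lostdir123.

```python
ROOT_REF = 5   # on NTFS, MFT record 5 is the root directory

# Added example; not CnW Recovery's code. The record table and the raw record
# header are constructed; lostdir<N> naming follows the post.


def mft_entry_kind(record):
    """Classify a raw 1024 byte MFT record from the flags word at offset 0x16:
    bit 0 = in use, bit 1 = directory."""
    if record[:4] != b"FILE":
        return "not a FILE record"
    flags = int.from_bytes(record[0x16:0x18], "little")
    kind = "directory" if flags & 0x02 else "file"
    return kind if flags & 0x01 else "deleted " + kind


def reconstruct_paths(records):
    """records: {ref: (name, parent_ref, is_dir)} as decoded from each entry's
    $FILE_NAME attribute. Returns {ref: path}. A chain that reaches a parent that
    no longer exists (or loops, on a damaged tree) is placed under a synthetic
    lostdir<parent_ref>, so everything that belonged to that parent ends up together."""
    cache = {ROOT_REF: ""}

    def path_of(ref, seen):
        if ref in cache:
            return cache[ref]
        if ref in seen or ref not in records:      # missing parent or a loop
            cache[ref] = f"lostdir{ref}"
            return cache[ref]
        name, parent, _ = records[ref]
        parent_path = path_of(parent, seen | {ref})
        # setdefault: if a loop already gave this ref a lostdir name, keep it
        return cache.setdefault(ref, f"{parent_path}/{name}" if parent_path else name)

    return {ref: path_of(ref, frozenset()) for ref in records}


def lost_directories(paths):
    """Group recovered paths by synthetic lostdir, the view a log would show."""
    groups = {}
    for p in paths.values():
        top = p.split("/", 1)[0]
        if top.startswith("lostdir"):
            groups.setdefault(top, []).append(p)
    return groups


CONSTRUCTED_RECORDS = {
    64: ("Users", ROOT_REF, True),
    65: ("bob", 64, True),
    66: ("cv.doc", 65, False),
    70: ("holiday.jpg", 99, False),   # parent 99 no longer exists on the disk
    71: ("wedding.jpg", 99, False),
}

if __name__ == "__main__":
    paths = reconstruct_paths(CONSTRUCTED_RECORDS)
    for ref, p in paths.items():
        print(ref, p)
    print(lost_directories(paths))   # {'lostdir99': ['lostdir99/holiday.jpg', ...]}
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    rec[0x16:0x18] = (3).to_bytes(2, "little")
    print(mft_entry_kind(rec))       # directory
```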