[ale] OT: Data recovery from CD-ROM?

Greg Freemyer greg.freemyer at gmail.com
Mon Feb 20 10:56:04 EST 2006


On 2/19/06, Michael B. Trausch <fd0man at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Pat Regan wrote:
> >
> > What kind of physical damage?  If it is just a scratch it can probably
> > be buffed out.
> >
>
> Oh, if only.  :)  The CD not only has lots of cosmetic damage on the
> bottom causing it to probably throw the laser all over the place, but
> some actual chunks of the recorded (burned) data layer are missing,
> which makes the filesystem on the disc unreadable since the filesystem
> itself really isn't intact anymore.
>
> The foremost(1) program looks promising.  It's recovered a good bit of
> the data from the disc, completely intact, much to my surprise.
> However, the really important data that we're looking for out of it has
> yet to be found.  This means one of two things:  It wasn't there, is no
> longer there, or foremost(1) needs a bit more help with it.  I'm leaning
> towards the latter of the options, with the middle one coming in at a
> really close second.  The problem is that I am not seeing foremost be
> able to detect Microsoft Word and other file formats outside of really
> popular, really open ones, with any accuracy.
>
> I did some (manual) analysis of Microsoft Word files, and have come to
> the conclusion that the patterns included with foremost(1) are not well
> suited for finding Microsoft Office files.  This is based on ~500 files
> I have that were written in either probable version of Microsoft Office
> that saved the data on the CD in the first place.  *sigh*
>
> So I'm hacking together (rather, attempting to hack together) a program
> that can do some batch analysis and confirm my conclusions.  If that can
> find me a more stable pattern to feed to foremost and net me the files
> back, Erica will be very, very happy (and had better provide me with
> dinners for a long, LONG time...)  :)
>
>         Thanks,
>         Mike

Foremost is a data carver, right?  (i.e. it scans through a dataset
looking for headers/trailers and pulls docs / images out of the mess.)

If that is what you're having to do, I've got FTK (Forensic Toolkit)
(commercial, ~$1500).

It does data carving and I've seen it pull out various office docs
(primarily Word).  If you want to bring the CD by my office we could
see if it can recover anything.

Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
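The thread describes header/trailer carving and notes that foremost's stock patterns fit Microsoft Office files poorly. The reason is structural: Word and Excel 97-2003 files are OLE2 compound documents, which have a fixed 8-byte header but no trailer, so a carver needs the document's own sector allocation table (FAT) to know where the file ends. The script below is an added example written for this page, not code from the thread, foremost or FTK; it scans a raw image for the OLE2 magic, validates the header, walks the FAT to compute the file length, and flags files that run past the end of the recovered data (the "missing chunks" case). The disc image, the sample document and all function names are constructed for the demonstration.

```python
"""Structure-aware carver for OLE2 compound documents (Word/Excel 97-2003).

Added example: not from the mailing-list thread. Sample data is constructed.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header signature of every OLE2 file
HEADER_SIZE = 512                                 # header is 512 bytes for v3 and v4
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def parse_header(buf, off):
    """Return (sector_size, fat_sector_ids) or None if the header is implausible."""
    hdr = buf[off:off + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE or hdr[:8] != OLE_MAGIC:
        return None
    byte_order, sector_shift = struct.unpack_from("<HH", hdr, 28)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):  # 512- or 4096-byte sectors
        return None
    num_fat = struct.unpack_from("<I", hdr, 44)[0]
    difat = struct.unpack_from("<109I", hdr, 76)              # first 109 FAT sector ids
    fat_ids = [s for s in difat if s != FREESECT][:num_fat]
    if not fat_ids:
        return None
    return 1 << sector_shift, fat_ids


def carve_length(buf, off):
    """Estimate file length as header + every sector the FAT marks allocated.

    Returns (length, truncated) or None. 'truncated' is set when the FAT says the
    file extends past the data we actually have, e.g. a damaged disc region.
    """
    parsed = parse_header(buf, off)
    if parsed is None:
        return None
    sector_size, fat_ids = parsed
    per_sector = sector_size // 4
    last_used, truncated = -1, False
    for n, fat_id in enumerate(fat_ids):
        fat_off = off + (fat_id + 1) * sector_size   # sector k lives at (k + 1) * sector_size
        sector = buf[fat_off:fat_off + sector_size]
        if len(sector) < sector_size:                # FAT itself lies in missing data
            truncated = True
            break
        for i, entry in enumerate(struct.unpack("<%dI" % per_sector, sector)):
            if entry != FREESECT:
                last_used = max(last_used, n * per_sector + i)
    if last_used < 0:
        return None
    length = (last_used + 2) * sector_size           # +1 for header, +1 for zero-based index
    if off + length > len(buf):
        truncated, length = True, len(buf) - off
    return length, truncated


def carve_ole(buf):
    """Return (offset, length, truncated) for every plausible OLE2 file in buf."""
    hits, pos = [], buf.find(OLE_MAGIC)
    while pos != -1:
        est = carve_length(buf, pos)
        if est is not None:
            hits.append((pos, est[0], est[1]))
        pos = buf.find(OLE_MAGIC, pos + 1)           # advance by one so nothing is skipped
    return hits


def build_sample_doc(payload=b"constructed Word-like stream"):
    """Build a minimal valid 3-sector OLE2 file (constructed test data, not a real .doc)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)      # version 3, 512-byte sectors
    struct.pack_into("<IIII", hdr, 40, 0, 1, 1, 0)                   # 1 FAT sector, dir at sector 1
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))       # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytes(512)                                            # sector 1 (not parsed here)
    data = payload.ljust(512, b"\x00")                                # sector 2
    return bytes(hdr) + fat + directory + data                        # 2048 bytes


def build_sample_image():
    """Constructed 'disc image': filler, a whole document, filler, a document cut short."""
    filler = bytes(range(256)) * 3                                    # contains no OLE magic
    doc = build_sample_doc()
    return filler + doc + filler + doc[:1500]


if __name__ == "__main__":
    for offset, length, truncated in carve_ole(build_sample_image()):
        print("OLE2 file at offset %d, %d bytes%s" % (offset, length, " (truncated)" if truncated else ""))
```

Running it reports a complete 2048-byte document at offset 768 and a second one at offset 3584 whose FAT promises 2048 bytes but only 1500 survive, which is exactly the situation a fixed-footer pattern cannot express. On a real image the hit list would drive the extraction step, and the truncated flag tells the analyst which recovered files to expect trouble opening.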
