Office document recovery using PhotoRec and wrong file extensions. Directory Opus to the Rescue!


Madmex

Aug 11, 2009, 11:48:30 AM
to datarecovery...@googlegroups.com
Hello all,

-----Back story----

Recently I switched jobs. I backed up my files to a 500 gig external, verified the data, unplugged the drive, wiped my work laptop and went home.  I get home to find my external has died on the drive home... of course..

So, out come the tools and it appears that the MFT file must have corrupted somehow; sections of it appear to be damaged/corrupt and unreadable, and hex editors either crash or just show zeros as they are unable to read it.  However, the rest of the disk appears to be OK, so I pulled out PhotoRec, which is still one of my favorite (free) raw data carving tools.  It has great abilities and has tons of file extensions that it can recover, including Office documents.

---- Interesting Finding ----

So, 18 hours later, PhotoRec has carved out many pictures, Office documents and zip files.  In going through some of the recovered Office documents, I encountered my usual share of Office documents that won't open.  HOWEVER!!! One (of the many) great things I learned in Scott's class is to use Directory Opus as a replacement for my Windows Explorer.  I fired up Directory Opus and selected "Filmstrip" mode, and started to see that several of these so-called "corrupt" documents actually were fine, just had the wrong Office document extension!  If I tried to open by double-clicking the file, I would get an error, but Directory Opus clearly shows that the file is fine, it's just not the right extension.  I renamed the extension on a few files and have been able to get them all to open just fine.  See attached picture of mislabeled file.

Pictures and Documents have got to be the number one asked for items to recover.  Increasing your successful percentage for document recovery can make the difference between a satisfied customer and someone who doesn't want to pay or won't recommend you.

-----------Cause-----------

I don't know.  I have not had time to see if this is a "feature" of PhotoRec that sometimes mislabels documents or a "feature" of Office 2003 documents and how they are written or ??? All I know is I was able to recover a lot more documents than I would have ordinarily if I had just trusted the old-school "double-click and cross your fingers" method.

-----------Summary---------

I *highly* recommend Directory Opus' filmstrip ability as a method to quickly analyze Office documents to determine if they are actually bad or simply misnamed.  Directory Opus is well worth the $70 US, and it comes with a free 30 day full-ware trial to evaluate it.  If anyone else has encountered any other tricks for how to determine good files from corrupt ones, please share!


----- Links -----

PhotoRec: http://www.cgsecurity.org/wiki/PhotoRec
Directory Opus: http://www.gpsoft.com.au/



opus.PNG

Scott Moulton

Aug 11, 2009, 11:48:33 AM
to datarecovery...@googlegroups.com

I have been having the same problems with the new Docx format. Several times PowerPoint has saved the document with the right data and the incorrect extension, and when you try to open it you would think it would resolve it on its own, since you saved it with Office and it did the extension and it supports both file types. But no, that does not work and it does not resolve it. I figured out that it was bad, renamed it and it worked then.  Stupid software.

 

Thank you,

----------------------------------------------------------
Scott A. Moulton / CCFS CCFT CDRP DREC
Certified Computer Forensic Specialist
Certified Computer Forensic Technician
Certified Data Recovery Professional
Data Recovery Expert Certification
SANS Instructor for SEC606
Forensic Data Recovery
http://www.sans.org/training/description.php?mid=1237
----------------------------------------------------------
Forensic Strategy Services, LLC &
My Hard Drive Died, DBA
----------------------------------------------------------
601b Industrial Court, Woodstock, Ga 30189
Phone: 770-926-5588 Fax: 770-926-7089
Web: www.ForensicStrategy.com
Web: www.MyHardDriveDied.com
DATA RECOVERY UPDATES VIA TWITTER: @scottamoulton
----------------------------------------------------------
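
One content-based check for the situation described in this thread, as an added example that is not part of either post: it reads the container signature and the internal stream or folder names to suggest the right extension, and flags ZIP members that fail their CRC. The sample bytes and file names are constructed, and scanning for the OLE2 stream name is a heuristic, not a full directory parse.

```python
import io
import zipfile
import zlib

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Office 97-2003 compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (docx/xlsx/pptx) is a ZIP
# Main stream name (UTF-16LE in the OLE2 directory) -> extension
OLE2_STREAMS = {"WordDocument": ".doc", "PowerPoint Document": ".ppt",
                "Workbook": ".xls", "Book": ".xls"}
# Top-level folder inside the OOXML archive -> extension
OOXML_DIRS = {"word/": ".docx", "xl/": ".xlsx", "ppt/": ".pptx"}

def guess_office_extension(data):
    """Return (extension or None, note) judged from content, not file name."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: look for the stream name rather than walking the FAT.
        for name, ext in OLE2_STREAMS.items():
            if name.encode("utf-16-le") in data:
                return ext, "OLE2 stream %r present" % name
        return None, "OLE2 container without a known Office stream"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                bad = zf.testzip()  # first member failing its CRC, or None
        except (zipfile.BadZipFile, zlib.error, EOFError):
            return None, "ZIP signature but archive is truncated or damaged"
        note = "CRC error in %s" % bad if bad else "all member CRCs ok"
        for prefix, ext in OOXML_DIRS.items():
            if any(n.startswith(prefix) for n in names):
                return ext, note
        return ".zip", note
    return None, "no Office container signature"

def constructed_samples():
    """Tiny constructed inputs standing in for carved files (not real documents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # default ZIP_STORED, no compression
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<doc>constructed</doc>")
    docx = buf.getvalue()
    xls = OLE2_MAGIC + bytes(504) + "Workbook".encode("utf-16-le")
    return {"f0001.doc": docx, "f0002.doc": xls,
            "f0003.docx": docx.replace(b"constructed", b"c0nstructed"),
            "f0004.docx": docx[:40]}

if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(fname, "->", guess_office_extension(blob))
```

A file that gets an extension with a clean note is a rename candidate; a `None` result or a CRC note separates real damage from a wrong label.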
