
Document recovery


eldumbo


What exactly does "machine language" mean; can you post a screenshot?

 

Most likely the file association launches a different program than it should. By rich text document do you mean .rtf, or is it .doc / .docx? What program opens it?


I clicked on this and got a 12 kByte hex dump utility.

http://freefr.dl.sourceforge.net/project/gnuwin32/hextools/1.0/hextools-1.0-bin.zip

I unzipped it and obtained an 8 kByte tool named hexdump.exe.

Using Notepad I created a text file into which I pasted this text :-

hexdump -n TEST.RTF | more > TEST.LST

And after saving it I renamed it as HEXIT.BAT

 

By Using Windows Explorer to copy both hexdump.exe and HEXIT.BAT to the folder holding a file with the name TEST.RTF,

and then double clicking HEXIT.BAT I created a Hex Dump named TEST.LST

 

This was the original content of TEST.RTF

This is a RTF document

That is all.

This is a HEX DUMP that was created by hexdump.exe in TEST.RTF,

00000000: 7B 5C 72 74 66 31 5C 61 - 6E 73 69 5C 64 65 66 66 |{\rtf1\ansi\deff|
00000010: 30 7B 5C 66 6F 6E 74 74 - 62 6C 7B 5C 66 30 5C 66 |0{\fonttbl{\f0\f|
00000020: 6E 69 6C 5C 66 63 68 61 - 72 73 65 74 30 20 43 61 |nil\fcharset0 Ca|
00000030: 6C 69 62 72 69 3B 7D 7D - 0D 0A 7B 5C 2A 5C 67 65 |libri;}} {\*\ge|
00000040: 6E 65 72 61 74 6F 72 20 - 4D 73 66 74 65 64 69 74 |nerator Msftedit|
00000050: 20 35 2E 34 31 2E 32 31 - 2E 32 35 31 30 3B 7D 5C | 5.41.21.2510;}\|
00000060: 76 69 65 77 6B 69 6E 64 - 34 5C 75 63 31 5C 70 61 |viewkind4\uc1\pa|
00000070: 72 64 5C 73 61 32 30 30 - 5C 73 6C 32 37 36 5C 73 |rd\sa200\sl276\s|
00000080: 6C 6D 75 6C 74 31 5C 6C - 61 6E 67 39 5C 66 30 5C |lmult1\lang9\f0\|
00000090: 66 73 32 32 20 54 68 69 - 73 20 69 73 20 61 20 52 |fs22 This is a R|
000000a0: 54 46 20 64 6F 63 75 6D - 65 6E 74 5C 70 61 72 0D |TF document\par |
000000b0: 0A 54 68 61 74 20 69 73 - 20 61 6C 6C 2E 5C 70 61 | That is all.\pa|
000000c0: 72 0D 0A 5C 70 61 72 0D - 0A 7D 0D 0A 00 |r \par } |
000000cd;

 

The first few lines are the "header".

Experts here may be able to identify from the header the nature of the original file,

and whether the header is damaged and could somehow be fixed.

 

This should work on any file regardless of whether the original file was a damaged PDF, RTF, or executable binary.

 

If you are able to use the above, changing the names TEST.RTF and TEST.LST to suit your needs,

and can paste no more than the first 16 lines of the *.LST output, you might get relevant advice from others.

 

P.S.

Inserted link that was dropped whilst editing and fighting with code box incompatibility with fixed format font

Edited by Alan_B
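
An added example, not part of the original post: the same idea in Python, producing a dump in the layout shown above and checking the leading bytes against a few well-known file signatures. The signature table is a small illustrative subset and the function names are hypothetical.

```python
# Added example: dump the start of a file and match its header against known signatures.
import sys

SIGNATURES = [  # illustrative subset of well-known leading byte sequences
    (b"{\\rtf", "RTF document"),
    (b"%PDF-", "PDF document"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (.docx/.xlsx/.zip)"),
    (b"MZ", "DOS/Windows executable"),
]

# Constructed sample: the first 16 bytes of TEST.RTF as shown in the dump above.
SAMPLE = bytes.fromhex("7B5C727466315C616E73695C64656666")

def hexdump(data, max_lines=16):
    """Return dump lines shaped like the listing above: offset, 8 - 8 hex, |text|."""
    lines = []
    for off in range(0, min(len(data), max_lines * 16), 16):
        chunk = data[off:off + 16]
        left = " ".join(f"{b:02X}" for b in chunk[:8])
        right = " ".join(f"{b:02X}" for b in chunk[8:])
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {left} - {right}".ljust(60) + f"|{text}|")
    return lines

def identify(data):
    """Name the format whose signature starts the data, or None if no match."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return None

def printable_ratio(data):
    """Fraction of bytes that are printable ASCII or TAB/LF/CR (high for intact RTF)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

if __name__ == "__main__":
    # Read only the first 256 bytes (16 dump lines); the input file is never modified.
    data = open(sys.argv[1], "rb").read(256) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(hexdump(data)))
    print("signature:", identify(data) or "unknown")
    print(f"printable: {printable_ratio(data):.0%}")
```

Run with a file name as the only argument to dump a recovered file; with no argument it dumps the built-in sample.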

™P#�]uy!
«¡j¹Èÿl©#ÚÇBåO¼
'Yºj!Uöt‡YNàDÉGðàw圆“n Š¤b u#y§ÉŠ{9ý½,;Έl`:\##«�@ƒ¤ß-#© ê7ÖÃø©­ONPéÈ^�”$Û²º·²¢Œ©~{—ze#ƒžWà#¶ø 9Ž8'+WáÏmæK8L£±�‘A½u:™±
çÅU zwêË#žä2‡NîI#˜Ò#Ø_#ØZzÏ`�;.@#š\èt›#º†Ÿö#uÖ5¤4u~Ý#ùÒH‰1óKní´#̈,ÕA²™¯¶—ý‰ß#LÈ#fü˜$}#‘#( £õè•‚/à“±Nž°ûv#×ÊK—Whî##`œóæÿM±‘¬•fòæ¬ }##÷—üWK_æŸ#H­g#NZ²#b  ÿÑx÷ K8UÏ8#Š#—#[‚gÏ÷ÿkz#¦mØNê×€#‚’¡¦;¤F!ÿßè†###ÃáQ¨#QÕ G¾Ê—Ä8v#ÛDš:+¸>Ï‚OųÕ%A£ÂoôõŽ½Û)eÀ‡~ŠC‰ƒ##”#ó|I#Ù:Ü'ÆÉ#d§D¦0?í�PU#Ö¬Uâz#7dÃ|{ê    QM#b‘O#Ù@‡z—�ß‹Êä#Ò¥DrKöox#¹%ÛŽuÞ‡uáåG!õ#gÛÖ#ç6u5à¢:#ˆùQ÷ÚêÔIùÜBq

\
ª'±�.­sr³6îÌI`IF#?nÒëÒŸ#Š–+#ÆvGGº#½õCù¬\˜G#ø«zj+;�ÑD#×\Y2Tg&±æÿ7Ó#‰ÉðЭ%$õÊïš#à†

This is what I get, sure doesn't mean anything to me,

Edited by Nergal
code tags

Guest Keatah

I'd have left the raw text alone, it would be easier for anyone attempting to fit to a filetype. Now there are added characters replacing original data.

 

In any case, it is best to work with the complete file.


This is what I get, sure doesn't mean anything to me,

I do not know what you did, but I do not see how my suggestion could produce the output you have produced.

 

My suggestion does NOT modify the original file,

it only reads the input file and produces an output file with a hex dump output that is about twice the size of the original.

My very first test was NOT upon the RTF file TEST.RTF but on the executable HEXDUMP.EXE itself, and it worked as expected.

I am therefore confident that no matter how corrupt the input file may be, and no matter what type (e.g. RTF, PDF, DOC, etc etc),

the output file has to be in the format that I posted.

 

QUESTIONS :-

 

Did you use the Windows text editor Notepad.exe or something else to create the file HEXIT.BAT,

AND did it contain nothing other than the single line :-

hexdump -n TEST.RTF | more > TEST.LST

 

What were the names and sizes of the file you had recovered and the file produced with my suggestion ?


Guest Keatah

I didn't see anything immediately recognizable. One of my pro tools will look at the file and compare it against 5,000 filetypes and formats. It will also shift coding up and down a scale looking for recognizable dictionary patterns. It will also look for crosslinked and partly overwritten sections and see if any known application and os files are intermixed with the original contents. If so it can separate them out and roll it up and down the ansi/unicode scale again. From there we could reconstruct parts of the file. Maybe all. If overwritten, or if Recuva didn't get the right clusters, next would be a full-disk scan and further work.

 

And if that was the case I'd recommend pro-services, but you will pay. My code of ethics (and forum regs) prevent me from selling you my services. But there are plenty of outfits on the net that do this style of work.

 

Since we already suspect this is .RTF and is only one file I'd be happy to give it a once over at no cost. Just the file that is.. Maybe get some direction and next steps.

 

How important is this file? And (roughly speaking) what are the overall contents?


Guest Keatah

My suggestion does NOT modify the original file,

it only reads the input file and produces an output file with a hex dump output that is about twice the size of the original.

 

I know. I was referring to the fact that the snippet of file posted by the OP was changed into coding format. Now there's added text to it. But I suppose we should just play with the original file or the hex output.

 

Let's see what the hex output looks like..


  • Moderators

The same text that was originally there is still there, no additional characters were added via code tags.

 

ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION

DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF.

Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark)

ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T.

Support at https://support.ccleaner.com/s/?language=en_US

Pro users file a PRIORITY SUPPORT via email support@ccleaner.com


Guest Keatah

The original text was:

 

™P# ]uy!

«¡j¹Èÿl©#ÚÇBåO¼

'Yºj!Uöt‡YNàDÉGðàw圆“n Š¤b u#y§ÉŠ{9ý½,;Έl`:\##« @ƒ¤ß-#© ê7ÖÃø©­ONPéÈ^ ”$Û²º·²¢Œ©~{—ze#ƒžWà#¶ø 9Ž8'+WáÏmæK8L£± ‘A½u:™±

çÅU zwêË#žä2‡NîI#˜Ò#Ø_#ØZzÏ` ;.@#š\èt›#º†Ÿö#uÖ5¤4u~Ý#ùÒH‰1óKní´#̈,ÕA²™¯¶—ý‰ß#LÈ#fü˜$}#‘#( £õè•‚/à“±Nž°ûv#×ÊK—Whî##`œóæÿM±‘¬•fòæ¬ }##÷—üWK_æŸ#H­g#NZ²#b ÿÑx÷ K8UÏ8#Š#—#[‚gÏ÷ÿkz#¦mØNê×€#‚’¡¦;¤F!ÿßè†#B)##ÃáQ¨#QÕ G¾Ê—Ä8v#ÛDš:+¸>Ï‚OųÕ%A£ÂoôõŽ½Û)eÀ‡~ŠC‰ƒ##”#ó|I#Ù:Ü'ÆÉ#d§D¦0?í PU#Ö¬Uâz#7dÃ|{ê QM#b‘O#Ù@‡z— ß‹Êä#Ò¥DrKöox#¹%ÛŽuÞ‡uáåG!õ#gÛÖ#ç6u5à¢:#ˆùQ÷ÚêÔIùÜBq

 

The code-tag version is:

™P#�]uy!

«¡j¹Èÿl©#ÚÇBåO¼

'Yºj!Uöt‡YNàDÉGðàw圆“n Š¤b u#y§ÉŠ{9ý½,;Έl`:\##«�@ƒ¤ß-#© ê7ÖÃø©­ONPéÈ^�”$Û²º·²¢Œ©~{—ze#ƒžWà#¶ø 9Ž8'+WáÏmæK8L£±�‘A½u:™±

çÅU zwêË#žä2‡NîI#˜Ò#Ø_#ØZzÏ`�;.@#š\èt›#º†Ÿö#uÖ5¤4u~Ý#ùÒH‰1óKní´#̈,ÕA²™¯¶—ý‰ß#LÈ#fü˜$}#‘#( £õè•‚/à“±Nž°ûv#×ÊK—Whî##`œóæÿM±‘¬•fòæ¬ }##÷—üWK_æŸ#H­g#NZ²#b ÿÑx÷ K8UÏ8#Š#—#[‚gÏ÷ÿkz#¦mØNê×€#‚’¡¦;¤F!ÿßè†#B)##ÃáQ¨#QÕ G¾Ê—Ä8v#ÛDš:+¸>Ï‚OųÕ%A£ÂoôõŽ½Û)eÀ‡~ŠC‰ƒ##”#ó|I#Ù:Ü'ÆÉ#d§D¦0?í�PU#Ö¬Uâz#7dÃ|{ê QM#b‘O#Ù@‡z—�ß‹Êä#Ò¥DrKöox#¹%ÛŽuÞ‡uáåG!õ#gÛÖ#ç6u5à¢:#ˆùQ÷ÚêÔIùÜBq

 

\

ª'±�.­sr³6îÌI`IF#?nÒëÒŸ#Š–+#ÆvGGº#½õCù¬\˜G#ø«zj+;�ÑD#×\Y2Tg&±æÿ7Ó#‰ÉðЭ%$õÊïš#à†

 

A difference to be sure. But in any case, the complete file needs to be seen. Snippets don't work in cases like this.


  • Moderators

Keatah, I can assure you I did not add

\

ª'±�. sr³6îÌI`IF#?nÒëÒŸ#Š–+#ÆvGGº#½õCù¬\˜G#ø«zj+;�ÑD#×\Y2Tg&±æÿ7Ó#‰ÉðÐ %$õÊïš#à†

it was there when I added the code tags. And the addition of tags allowed for hard returns that were there to be shown, I added nothing at all except

[code]
[/code]

Edited by Nergal

 


I copied the text and pasted into Notepad.exe,

BUT when I saved as a file I was told that using default ANSI setting there would be errors,

and to avoid data loss I should choose one of the Unicode settings.

 

I strongly suspect that there were numerous transitions and data-loss due to ANSI/Unicode/Unicode BigEndian/UTF-8 transitions in many stages.

e.g. between the Recuva'ed file and what the O.P read into a text editor and then pasted into this topic and eventually rendered in my browser and then copied and pasted into my Notepad text file.

and this ignores any peculiarities with the forum software.
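
An added example, not part of the original post: a Python check of which byte values survive being opened as text and saved again, and which characters trigger the ANSI save warning described above. The function names and the sample bytes are constructed for illustration; "ANSI" is assumed to mean Windows-1252, and the bytes placed where the pasted text shows a replacement character are guesses.

```python
# Added example: why binary data pasted as text does not come back intact.
def roundtrip(data, read_codec, save_codec):
    """Bytes -> text (open in an editor) -> bytes (save again)."""
    text = data.decode(read_codec, errors="replace")   # undefined bytes become U+FFFD
    return text.encode(save_codec, errors="replace")   # unsaveable characters become '?'

def unsafe_byte_values(read_codec, save_codec=None):
    """Byte values that, taken alone, do not survive the round trip."""
    save_codec = save_codec or read_codec
    return [b for b in range(256)
            if roundtrip(bytes([b]), read_codec, save_codec) != bytes([b])]

def unsaveable_chars(text, codec):
    """Characters that cannot be written in `codec` (the save-warning case)."""
    bad = []
    for ch in text:
        try:
            ch.encode(codec)
        except UnicodeEncodeError:
            if ch not in bad:
                bad.append(ch)
    return bad

# Constructed sample: 13 made-up bytes modelled on the start of the pasted text.
SAMPLE = bytes([0x99, 0x50, 0x23, 0x81, 0x5D, 0x75, 0x79, 0x21,
                0x0D, 0x0A, 0x8D, 0xAB, 0x90])

if __name__ == "__main__":
    print("cp1252 unsafe bytes:", [hex(b) for b in unsafe_byte_values("cp1252")])
    print("latin-1 unsafe bytes:", len(unsafe_byte_values("latin-1")))
    print("utf-8 unsafe single bytes:", len(unsafe_byte_values("utf-8")))
    print("sample after cp1252 round trip:", roundtrip(SAMPLE, "cp1252", "cp1252").hex(" "))
    # U+5706 appears in the pasted text and has no Windows-1252 encoding.
    print("not ANSI-saveable:", unsaveable_chars("\u00e0w\u5706\u201cn", "cp1252"))
```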


Guest Keatah

OP should post original file from Recuva in ZIP container, provided it is non-confidential information.


I thought that when I posted this, there would be a simple fix for maybe something I'd done wrong.

The file is not really that important, it's not one that I can't live without, but I do appreciate everyone's input.

I'm sure from what has been posted that it is corrupted, as I didn't immediately realize that it was deleted.
