I have just finished putting together the format specification for IE's RecoveryStore and Travel Log (Travelog). It is now uploaded and available. Get it from the Downloads page.
Wow! Yogesh this is awesome! One question though... Since this uses Structured storage format, also apparently known as MS-CFB (Microsoft Compound File Binary format), as described at http://msdn.microsoft.com/en-us/library/dd942138%28v=prot.13%29.aspx, is there a straightforward way of computing the file size that would let you reliably carve these from unallocated? It looks (from very brief examination) like you should be able to add up the header size and the computed sector size (two to the 'sector shift' power) times ('number of FAT sectors' plus 'number of directory sectors' plus 'number of DIFAT sectors' plus 'number of Mini-FAT Sectors') and get the complete size of the file, but I'm not sure. Also, it's not clear whether 'number of Mini-FAT Sectors' is in regular sectors or mini sectors. Thoughts? John
John, I haven't really tried to do that myself, but I do recall some others doing OLE document recovery the same way as you describe it. Guidance's "File Finder" module in Encase "Case Processor" also follows the same strategy. There is also a tool called RipRS written by John Moran, which specifically carves only travelog files from raw images. http://www.jtmoran.com/tools/default.html
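An added example (not part of the post or the comments above) that reads the header fields John lists and compares his header-count estimate with the size implied by walking the FAT: the header counts cover only the FAT, directory, DIFAT and mini-FAT sectors, not the sectors that hold stream data, so the FAT walk is the figure a carver actually needs. It assumes a buffer that starts at the CFB signature, follows only the 109 FAT locations stored in the header DIFAT, and builds its own constructed sample file for testing.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEADER_SIZE = 512
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

def parse_header(buf):
    """Read the little-endian MS-CFB header fields relevant to sizing."""
    if buf[:8] != CFB_MAGIC:
        raise ValueError("not a compound file header")
    h = {"sector_shift": struct.unpack_from("<H", buf, 0x1E)[0]}
    h["n_dir"], h["n_fat"] = struct.unpack_from("<II", buf, 0x28)
    h["n_minifat"], h["n_difat"] = struct.unpack_from("<IxxxxI", buf, 0x40)
    h["difat"] = struct.unpack_from("<109I", buf, 0x4C)  # FAT sector numbers
    return h

def header_estimate(h):
    """John's formula: header plus the four sector counts (all in regular sectors)."""
    sec = 1 << h["sector_shift"]
    return HEADER_SIZE + sec * (h["n_fat"] + h["n_dir"] + h["n_difat"] + h["n_minifat"])

def fat_walk_size(buf):
    """Bytes up to the end of the highest sector the FAT marks as in use."""
    # Sector n lives at (n + 1) * sector_size, so the file ends after slot n + 1.
    h = parse_header(buf)
    sec = 1 << h["sector_shift"]
    per_fat = sec // 4          # 32-bit FAT entries per FAT sector
    highest = -1
    for i, fat_sec in enumerate(h["difat"]):
        if fat_sec == FREESECT:
            break
        off = (fat_sec + 1) * sec
        if off + sec > len(buf):
            raise ValueError("FAT sector %d lies beyond the buffer" % fat_sec)
        for j, entry in enumerate(struct.unpack_from("<%dI" % per_fat, buf, off)):
            if entry != FREESECT:
                highest = max(highest, i * per_fat + j)
    return (highest + 2) * sec

def build_sample_cfb():
    """Constructed 2048-byte sample: header, FAT (sector 0), directory (1), data (2)."""
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9)  # minor, major, byte order, shift
    struct.pack_into("<II", hdr, 0x28, 0, 1)     # directory sector count (0 in v3), FAT count
    struct.pack_into("<I", hdr, 0x30, 1)         # first directory sector
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # mini-FAT, DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    return bytes(hdr) + fat + bytes(512) + b"A" * 512
```

On the constructed sample the header-count formula yields 1024 bytes while the FAT walk yields the true 2048, the difference being the data sector that no header field counts.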