
X-Ways Support Forum » Data Recovery » Winhex and Email Disaster/Recovery 101 (Please help.)


Zeek
Username: zeek

Registered: N/A
Posted on Tuesday, Nov 11, 2008 - 3:03:   

After a couple of *real* fun weeks of attempting to recover lost email, I'm about at the end of my rope and would sincerely appreciate any advice and/or help anyone can offer. Here is my situation:

Shortly after sorting a bunch of Mozilla Thunderbird mail and compacting all folders, I literally clicked on a folder and watched it and all sub-folders within it disappear into thin air. The lost files are not seen within the OS (Win Server 2003), with a cmd prompt, nor with any of the several file recovery utilities I've tried. OS, the email client (including all other mail), and all hardware are otherwise functional and normal and I've never seen anything like this before.

The one type of tool I've had limited success with is the disk editor, Winhex in particular. With it, I'm able to find bits and pieces of the missing text with references to file paths for the newly missing files, but not the files themselves...yet.

I'm no stranger to computers, but certainly am with this type of tool - and so I'm looking for general advice and some answers to these specific questions, if anyone wouldn't mind please:

1. I'm aware files can sometimes be recovered by the signatures used in their headers, but am not sure the mbox files Thunderbird uses have such headers. The "file recovery by type" option under disk tools *does* list the mbox format as an option and seems to have some potential, but so far it's only recovered a small percentage of what I need and only in 1024 kb increments. I've tinkered a bit with the settings (unchecked "respect individual default sizes", etc.) but still seem to be getting 1024 kb chunks. Is there anything I should be doing differently?

2. The "Refine volume snapshot" search is supposed to be more powerful wrt searching for signatures, but the layout (for me, at least) is not making much sense. Again, this leads back to the same menu with the default file size issue and this is confusing me.

3. I've made a WinHex backup image of the affected drives (RAID 0 array...I know, I know) and this may be a stupid question, but: Can I work with (search through, extract from) that image, or is it necessary to re-do this as raw? The image file is on a separate disk, of course.

4. Are there other file formats that might be mistaken for mbox that I should consider using? For example, if I search for the text of some of that missing mail, I see occasional references to .eml and .tmp extensions. And, since Thunderbird mail doesn't use that format, that makes me wonder. (I do not see a signature search option for .eml files.)

5. Does anyone have any idea how the *hell* this may have happened in the first place and is there anything else I should be trying?

Thanks very much for reading, if you've made it this far. And apologies for the long post. The lost data has a lot of personal value to it and I would definitely appreciate anyone's input.

- Z

Stefan Fleischmann
Username: admin

Registered: 1-2001
Posted on Tuesday, Nov 11, 2008 - 4:29:   

1. You should specify a different default file size if you think your mbox files were larger, which I guess is likely.

2. The layout makes a lot of sense. It is more powerful and flexible because the files are not directly recovered, but merely listed in the directory browser, where they can be further processed in many ways.

3. Only raw images and .e01 evidence files can be interpreted by X-Ways Forensics (raw images also by WinHex with a specialist license), i.e. treated like a disk, such that the partitioning structure and the file systems are examined.

4. You can customize the signature definitions and carve individual e-mail messages (.eml files) that are not aligned at sector boundaries, too.

Zeek
Username: zeek

Registered: N/A
Posted on Tuesday, Nov 11, 2008 - 5:03:   

Thanks very much for your reply. On that same line, a couple of additional questions, and I'll try to be brief.

1. I've read a lot about file signatures, but is it possible an entire directory would have any recognizable structure? In Thunderbird, sub-folders show up as files - but the parent folder is listed as a directory. So in my case, for example, "Archived Mail.sbd" was seen by Windows as a folder - even though it had an "extension", and the critical mbox files (the sub-folders as shown in Thunderbird) within that folder had no extensions. Kind of an odd question I guess, but I'm wondering if I could open a sample sbd folder and look for similarities. So far, it looks like files only.

2. WRT signature definitions, as I think I mentioned, I don't *use* .eml files but evidently Winhex seems to think I do. And I see no default signature def for this type of file in the definitions list. If you know of any information I could use to customize signatures for that or any other type of file I should be looking for (suggestions please!), I'd certainly be all ears.

Thanks again for your response.

Cheers...

Alfons Kramer
Username: admin3

Registered: 4-2004
Posted on Tuesday, Nov 11, 2008 - 11:11:   

1. The Windows Explorer makes use of the special folder concept. With this, ordinary files can be treated as folders. One example is the treatment of ZIP archives. This reshaping is done by "shell extensions". In this case some index files (*.msf) together with some mbox files will be represented as individual mails contained in folders, one per mbox.

2. File signatures will not only be used for carving, they will be used for file type recognition as well. The file type recognition in newer versions of WinHex does not rely only on signatures but also on algorithms. That is the reason why some files get recognized as EML, even if there is no corresponding file signature.

The signatures for EML and MBOX are very weak. One can customize and improve signatures by making use of regular expressions (GREP). One trick for improving signature entries for text formats is to add a footer \x00.

Zeek
Username: zeek

Registered: N/A
Posted on Tuesday, Nov 11, 2008 - 14:05:   

Thanks, Alfons. #1 and #2 definitely make sense and, after my experience so far, your final point does as well.

As far as customizing and improving those signatures (and using GREP and a footer), though - you are losing me there. I'm pretty new to file recovery so, if you could go into more detail on that, I would appreciate it. Thanks again, and I will check back tonight.

Z

Alfons Kramer
Username: admin3

Registered: 4-2004
Posted on Tuesday, Nov 11, 2008 - 15:36:   

An MBOX file starts with a From_ line followed by a blank line. A From_ line contains an account followed by a Unix C-date.
This specification can be translated into a GREP expression. This GREP expression can be made more specific by specifying either a Unix or DOS line break, depending on your system. The year can be more specific: for example 200[3-7] and so on.
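As an added illustration of the two posts above (the From_ line header signature and the \x00 footer trick), and not part of this thread or of WinHex itself, the following Python script carves mbox fragments out of a raw image buffer. The sample image bytes, the account names and the year range 200[3-8] are constructed for the example.

```python
import re

# Constructed sample "raw image": slack bytes, an mbox fragment holding two
# messages, then NUL padding (the footer), then unrelated bytes. Not real data.
SAMPLE_IMAGE = (
    b"\x8f\x12random slack bytes\x00\x00"
    b"From zeek@example.invalid Tue Nov 11 03:03:00 2008\r\n"
    b"Subject: lost folder\r\n\r\nbody one\r\n"
    b"From admin@example.invalid Tue Nov 11 04:29:00 2008\r\n"
    b"Subject: reply\r\n\r\nbody two\r\n"
    b"\x00\x00\x00\x00" + b"\xff" * 16
)

# Header signature: "From ", an account, then a Unix ctime-style date.
# The year is narrowed to 200[3-8] (assumed range); the line break may be
# DOS (\r\n) or Unix (\n), so \r?\n accepts both.
FROM_LINE = re.compile(
    rb"From \S+ "
    rb"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    rb"[ 0-3]\d \d\d:\d\d:\d\d 200[3-8]\r?\n"
)
# Footer trick for text formats: mbox data never contains a NUL byte, so the
# first NUL after the header marks the end of the carved fragment.
FOOTER = b"\x00"


def carve_mbox(image: bytes) -> list:
    """Return (offset, data) for each mbox fragment found in a raw image.
    Consecutive From_ lines before the footer belong to one mbox file, so
    the scan resumes after the carved region rather than at the next match."""
    results = []
    pos = 0
    while True:
        m = FROM_LINE.search(image, pos)
        if not m:
            break
        start = m.start()
        end = image.find(FOOTER, start)
        if end == -1:          # no footer: carve to end of buffer
            end = len(image)
        results.append((start, image[start:end]))
        pos = end
    return results


def count_messages(fragment: bytes) -> int:
    """Number of From_ lines, i.e. messages, inside a carved fragment."""
    return len(FROM_LINE.findall(fragment))
```

Without the footer the same header would, like the 1024 kb chunks described earlier, have to be cut at a fixed default size.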

Zeek
Username: zeek

Registered: N/A
Posted on Wednesday, Nov 12, 2008 - 1:27:   

Thanks again, Alfons.

I'm currently looking at GREP 101 and it looks as though this will require some skill with command line arguments and that kind of thing. Unfortunately, that's not really my background. Do you have any *specific* examples you could post that I could follow or possibly some more detailed directions? At this point, I'm not sure I'd even know where to look to begin trying to add footers, much less use them. Your information is very helpful...it's just that I'm pretty limited in what I can do with it for now - and time is unfortunately not on my side. Anything you can post, send, or link me to will definitely be studied, but you should assume that my file recovery knowledge is minimal at this point.

On the easier side of things, I'd like to export (copy/paste?) some text I have managed to locate and it seems this should be a pretty simple thing, but it hasn't been. I have the text right in front of me...it's plenty easy to highlight it, but I'm not sure how to get it out of there. Am I missing something?

Thank you again...

Z

Zeek
Username: zeek

Registered: N/A
Posted on Wednesday, Nov 12, 2008 - 1:42:   

Sorry...please disregard that last question. I've got that one covered.

Forum operated by X-Ways Software Technology AG.