Using a hex editor to find remnants of an oferwritten file?

Discussion in 'General Software' started by Dimitri, Sep 13, 2019 at 2:00 PM.

  1. Dimitri

    Dimitri Member

    Messages:
    453
    I had windows crash recently and a .rtf file that I was working on and which was saved on my HDD got mangled. All the contents of it were replaced with empty spaces (like what you get when you press tab). I'm desperate to recover the file and someone suggested I might use a hex editor to look for the contents of the file on the drive.

    I've never used a hex editor and don't even really know what one is exactly, so I'm wondering:
    1) is this something that could work
    2) how do I do this?
     
  2. Cromewell

    Cromewell Administrator Staff Member

    Messages:
    15,357
    Use recovery software to examine the drive for lost files. It takes care of most of the work for you. Something like https://www.ccleaner.com/recuva/download

    You can do it by hand (and I have) but why bother.
     
  3. Dimitri

    Dimitri Member

    Messages:
    453
    I tried recovery software, but it didn't work. I actually managed to find a version of the file, but it was all gibberish inside, which is different than the current mangled version of the file (That one has just empty spaces in it), but still not the real thing.

    I installed HxD and opened the partition and found some text strings that might be part of the file, but it's all amidst gibberish. How would I convert all this stuff to the actual file, assuming I've indeed found scraps of the orgiinal file.
     
  4. Dimitri

    Dimitri Member

    Messages:
    453
    Here's the situation right now:

    I created a test .rtf file (not on the HDD I'm trying to recover from) and copy pasted a bunch of text into it and saved it and then I opened the file in HxD, just to see what it would look like. I could see the whole text no problem in HxD, preceeded by some technical stuff about font type, size etc.

    Well, I did a search in my HDD for a string of text and found a string of text that beyond any doubt belongs to the file I lost, but it doesn't show up like it does in the test file. In the test file it's just normal text, on my HDD, the text is constantly interrupted with gibberish and it's scattered around. I can see large sections of the file, a lot of it is there, but it's spotted with gibberish.

    Any idea why that might be and what I might do about it?
     

Share This Page