Using a hex editor to find remnants of an overwritten file?

Dimitri

Member
I had Windows crash recently and a .rtf file that I was working on and which was saved on my HDD got mangled. All the contents of it were replaced with empty spaces (like what you get when you press tab). I'm desperate to recover the file and someone suggested I might use a hex editor to look for the contents of the file on the drive.

I've never used a hex editor and don't even really know what one is exactly, so I'm wondering:
1) is this something that could work?
2) how do I do this?
 

Dimitri

Member
Use recovery software to examine the drive for lost files. It takes care of most of the work for you. Something like https://www.ccleaner.com/recuva/download

You can do it by hand (and I have) but why bother.

I tried recovery software, but it didn't work. I actually managed to find a version of the file, but it was all gibberish inside, which is different than the current mangled version of the file (that one has just empty spaces in it), but still not the real thing.

I installed HxD and opened the partition and found some text strings that might be part of the file, but it's all amidst gibberish. How would I convert all this stuff to the actual file, assuming I've indeed found scraps of the original file?
 

Dimitri

Member
Here's the situation right now:

I created a test .rtf file (not on the HDD I'm trying to recover from) and copy-pasted a bunch of text into it and saved it and then I opened the file in HxD, just to see what it would look like. I could see the whole text no problem in HxD, preceded by some technical stuff about font type, size etc.

Well, I did a search in my HDD for a string of text and found a string of text that beyond any doubt belongs to the file I lost, but it doesn't show up like it does in the test file. In the test file it's just normal text; on my HDD, the text is constantly interrupted with gibberish and it's scattered around. I can see large sections of the file, a lot of it is there, but it's spotted with gibberish.

Any idea why that might be and what I might do about it?
 

Cromewell

Administrator
Staff member
The gibberish might be necessary. If you are trying to get back a binary file type, that other stuff is important. Just because it is a document doesn't mean that it is necessarily plain text on disk.
 

Dimitri

Member
I did a test on a normal .rtf file and there should only be some gibberish at the beginning (not completely gibberish, some you can make out as relating to font type and size) and then the rest is plain text.

I've made quite a bit of headway with this since the last post. I've found a lot of pieces of this document thrown around various parts of the partition. Oddly, some of it repeats. I have a lot of the document now, but not all of it.

I've been using the method of searching for the last few words of any paragraph I find (in hope of finding the continuation) and there's a good chance I won't be able to find everything with that method, so if anyone has any better ideas, please do say.
 

Cromewell

Administrator
Staff member
It is not unusual for parts of the file to be all over the disk. If it doesn't fit in a contiguous space, the fs will fragment it and stick parts all over. If you understand how to read the sectors in the tool you can follow the links. The reality is, this is all the software will do for you too.
 

Dimitri

Member
It is not unusual for parts of the file to be all over the disk. If it doesn't fit in a contiguous space, the fs will fragment it and stick parts all over. If you understand how to read the sectors in the tool you can follow the links. The reality is, this is all the software will do for you too.

You're saying there's some way to tell where the other parts of the file are once I've found one part? How do I do that? I can see the sector numbers in HxD.
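The manual method used in this thread (search the partition for a known phrase, then read the text around each hit) can be scripted. The following is an added example, not code from any poster here; it goes a little beyond the thread by also looking for UTF-16LE text, and the 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import re

SECTOR = 512  # assumed sector size, used only to report where a hit starts

# How a run of readable text looks on disk in each encoding (16+ characters).
RUNS = {
    "ascii": re.compile(rb"[\t\n\r\x20-\x7e]{16,}"),
    "utf-16-le": re.compile(rb"(?:[\t\n\r\x20-\x7e]\x00){16,}"),
}

def find_fragments(image, phrase):
    """Map each text run containing `phrase` to the places it was found.

    `image` is bytes-like: bytes, or an mmap of a raw image file.
    Returns {text: [(sector, encoding), ...]}; identical copies share one key.
    """
    found = {}
    for encoding, pattern in RUNS.items():
        needle = phrase.encode(encoding)
        for match in pattern.finditer(image):
            run = match.group()
            if needle in run:
                text = run.decode(encoding)
                found.setdefault(text, []).append((match.start() // SECTOR, encoding))
    return found

# Constructed sample data, not taken from the thread.
ASCII_PART = rb"{\rtf1\ansi The quick brown fox jumps over the lazy dog.\par"
UTF16_PART = "over the lazy dog. Then it went home to sleep."

def build_sample_image():
    """8-sector image: ASCII fragment at sectors 1 and 5, UTF-16 copy at 3."""
    image = bytearray(b"\xff" * (SECTOR * 8))
    for sector, data in ((1, ASCII_PART), (3, UTF16_PART.encode("utf-16-le")),
                         (5, ASCII_PART)):
        image[sector * SECTOR:sector * SECTOR + len(data)] = data
    return bytes(image)

if __name__ == "__main__":
    for text, places in find_fragments(build_sample_image(), "lazy dog").items():
        print(places, repr(text))
```

For a real drive, pass an `mmap` of a raw image of the partition and search for the last few words of the fragment already recovered; repeated copies of the same text are merged, with every sector where they occur listed.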
 