I Lost My Data!

Recently I was invited to attend an Instructor Development Course (IDC) for a well-known, global digital forensics company, for which training is a component of their business.  The IDC was run by two of the managers of training and, having attended other IDC’s (or train-the-trainer classes) in the past, I knew the rough format would be a review of the material to be taught and some sort of teach-back or presentation. Turns out, I was right!

On day one of the IDC, the 6 participants in the class were chosen by lottery to pick a random topic upon which to present on the afternoon of day three of the class.  I drew topic #3 of 6, so my randomly drawn topic was “File Headers and Signatures.”  Not bad.  Far better than numbering systems or 7-bit PDU encoding, if you ask me!  So I got to work on my presentation that evening.  The length was to be 20-25 minutes. We could use whatever resources we need and they had to facilitate the presentation.  No biggie, but I wanted to be prepared and well-versed because having given dozens of presentations in the past and having it reinforced during the first two days of the IDC, I know that’s what makes a good presentation – Preparation!

So I spent a few hours putting together what I thought was a clever presentation on File Signatures & Headers.  What they are, what they look like, how they can be utilized, how automated tools find files using them, how we can manually search using them within a particular tool and how to validate our findings.  It was pretty good.  By the time afternoon of the final day came around, I tweaked and adjusted and walked through the presentation multiple times.  After all, I didn’t want to screw up the opportunity to teach for this company, because it’s a fantastic opportunity!  Then, Murphy paid a visit (no, not the well-known Forensicator Cindy!)…

The Wheels Come Off

When constructing the original presentation in my hotel room, I composed it on a 17” MacBook Pro with Bootcamp on the Windows partition running Windows 7 Pro in MS Power Point.  Everything went smoothly.  The presentation was saved on an 8 GB USB 2.0 thumb drive formatted in FAT 32, which was a marketing freebie (first clue, perhaps?) and previously unused.  When I refined, tweaked and updated the presentation, I did so on a MacBook Pro 15” retina on Mac OS High Sierra, also in MS Power Point.  There were no issues reading or saving the presentation, or so I thought.

When it came time for me to present, I popped up out of my chair, properly ejected the thumb drive from the MacBook Pro and brought it into the presentation room along with my other necessary materials.  I plugged my thumb drive into the presentation computer and this is what I saw:

My heart sank.  I clicked “Cancel” only to be presented with this from Windows:

So I thought maybe, just maybe, I could get it to work on the MacBook Pro.  So I ejected the drive from the PC and plugged it into the Mac, which was the last computer to touch the presentation.  Here’s the message I received:

A series of expletives began to spew forth from my mouth, or at least that’s how it felt.  But I do forensics for a living, right?  I have to know SOME way to recover this presentation!  I knew the original 17” MacBook Pro, which is my backup forensic laptop as well, was back at the hotel room with a box full of dongles.  Something in my forensic bag of tricks MUST work, right?

I told the other two students to go ahead of me and raced back to the hotel to work my forensic data recovery magic on the thumb drive and recover my presentation.  I was sure I had my X-Ways Forensics license with me!  That’ll get it in no time!  Except I didn’t.  Any tools I brought me were either for Mac forensics or mobile devices, neither of which had the capability to recover anything off of this thumb drive, at least not quickly.  I searched for auto-saved documents on both Windows and Mac.  No dice.  I searched the extended metadata in Mac.  Nothing found.  I Googled locations of temp files and other potential sources of auto-save or system-generated copies, whether hidden or not.  No luck.  So after about 40 minutes of trying what I could with what I had, I resigned myself to the reality of the situation:  I either had to try and re-construct the presentation from memory or go without a Power Point, which would have looked horribly unprepared and unprofessional.

Fortunately, the last student before me had about 25 minutes left to go when I got back to the training site, so I hurriedly composed what I could remember from my previous presentation and got it about 85% of the way to where it was before it was my turn to present.  I did it and it turned out very well.

But what about the original presentation?

The Recovery

I’m an investigator at heart.  I want to get to the truth of the matter, no matter what the truth may tell me.  And yes, curiosity and tenacity play a pretty big role in that.  So instead of trashing the thumb drive in frustration, I decided to see if the original presentation was on there.  Back at my office (where my X-Ways license was the whole time), I created an image of the thumb drive in X-Ways.

Once the image was created, I used the Refined Volume Snapshot to conduct a File Header Signature search.  Hmm, this is sounding a lot like my presentation!

For the sake of time and because I already know what I’m looking for, I only searched for MS Office Documents.  It didn’t take long…

Sure enough, after a few minutes, X-Ways carved not one, but three copies of my presentation on the disk.  They are all of different size and contain slightly different data:

Yes, that’s page one of my presentation.  And yes, that’s a bust of Dick Butkus from the Pro Football Hall of Fame.

Being that the presentation was about file signatures and headers, I decided to double-check the header on the recovered files.  A quick Google search reveals that the file header for a .PPTX (or Power Point) file in hex is: 50 4B 03 04 14 00 06 00.  Cross-referencing that with the data of the recovered files reveals the same header, serving to further validate the findings: