True Image tib - File Recovery of StickyNotes snt File

GreySlater
Posts: 4
Joined: 29 May 2020, 14:17

#1 Post by GreySlater »

Hello everyone! My first post after hours and hours of searching for a solution.

I have a full Acronis True Image Backup tib file from a Windows 7 machine which is corrupted and I can't mount it in Acronis anymore.
I guess the backup process wasn't complete but because of the backup size compared to working backups I can say that about 90% of all files must be within there.

I tried different ways to recover only one needed file - StickyNotes.snt
  • First attempt with MultiExtractor gave me certainty that I'm able to recover files but only those which are supported by MultiExtractor - unfortunately no snt support
  • Second attempt was to carve the file with foremost - I tried to write my "search pattern" in the form of a header (footer) but unfortunately I had to learn that StickyNotes.snt files are a type of OLE and I get way too many false positive results

I found PhotoRec and saw that snt file recognition is included in the Doc Family filetypes
  • unfortunately, the tib archive, when added as a raw image in qphotorec_win, returns only a few found files compared to MultiExtractor - with this knowledge I'm stuck now

Could somebody help me with a new approach:
  • Someone who carved out snt files successfully (a property that makes snt files distinguishable from other OLE files)
  • a way to "transform" tib backup file (so I can understand why MultiExtractor finds a lot more files compared to PhotoRec)
Thank you

cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France

Re: True Image tib - File Recovery of StickyNotes snt File

#2 Post by cgrenier »

PhotoRec doesn't parse TIB internal structures. That's why PhotoRec doesn't recover the files inside a TIB file. Information about the tib format can be found at https://github.com/dennisss/acronis-tib

If you have recovered all OLE (snt/doc/xls/ppt/...) from the tib file, it's possible to use fidentify to identify the snt files.

GreySlater
Posts: 4
Joined: 29 May 2020, 14:17

Re: True Image tib - File Recovery of StickyNotes snt File

#3 Post by GreySlater »

Thank you for your reply and help

In the meantime (before your reply) I had already gotten a little bit further by transforming the TIB archive into a ZLIB stream - this already looked promising, and to verify it I made a test Acronis backup from known files, including actual StickyNotes.snt files, which I carved out with foremost "OLE filter"

Additionally I will compare my results with your mentioned dennisss/acronis-tib if my attempts bring me to a dead end.
  • so with my ZLIB attempt together with foremost I got a bunch of OLE files
Does fidentify --check snt identify again the full OLE (snt/doc/xls/ppt/...) family?

btw: what makes snt files identifiable? PhotoRec (simply explained, because I'm not really good at code reading) checks for the HEX string 'V E R S I O N' at a specific location?
  • basically something that I've tried with not so much luck: grep -obUaP "\x56\x00\x65\x00\x72\x00\x73\x00\x69\x00\x6f\x00\x6e"
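
An added example, not part of the thread and not PhotoRec's or fidentify's code: one way to sort snt candidates out of a pile of carved OLE files is to parse each file's compound-file directory and test for an entry named `Version`, instead of matching the UTF-16 bytes anywhere in the file. That a `Version` entry marks an snt file is an assumption taken from post #3; the function names and the constructed sample file (including its `Metafile` and `WordDocument` stream names) are hypothetical.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file (OLE2) signature
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def ole_entry_names(data):
    """Return directory entry names of an OLE compound file, or None if not OLE."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    size = 1 << struct.unpack_from("<H", data, 30)[0]    # sector size from sector shift
    if size not in (512, 4096):
        return None
    def sector(n):                                       # sector n starts after the header
        return data[(n + 1) * size:(n + 2) * size]
    fat = []                                             # FAT built from the 109 header DIFAT slots
    for s in struct.unpack_from("<109I", data, 76):
        if s < 0xFFFFFFFA:                               # skip free/special markers
            fat += struct.unpack(f"<{size // 4}I", sector(s).ljust(size, b"\xff"))
    names, seen = [], set()
    sec = struct.unpack_from("<I", data, 48)[0]          # first directory sector
    while sec < len(fat) and sec not in seen:            # follow chain, guard against loops
        seen.add(sec)
        chunk = sector(sec)                              # may be short in a truncated carve
        for off in range(0, len(chunk) - 127, 128):      # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", chunk, off + 64)
            if etype and 2 <= nlen <= 64:                # allocated entry, sane name length
                names.append(chunk[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sec = fat[sec]
    return names

def looks_like_snt(data):
    """Assumption from the thread: an snt file has a directory entry named 'Version'."""
    return "Version" in (ole_entry_names(data) or [])

def build_sample(stream_names):
    """Constructed input: minimal 512-byte-sector compound file with these root streams."""
    hdr = bytearray(OLE_MAGIC + bytes(504))
    struct.pack_into("<HHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9)    # versions, byte order, sector shift
    struct.pack_into("<II", hdr, 44, 1, 1)                     # one FAT sector; directory in sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)   # the FAT itself is sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, etype):                                    # etype 5 = root, 2 = stream
        raw = (name + "\0").encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), etype) + bytes(61)
    ents = [entry("Root Entry", 5)] + [entry(n, 2) for n in stream_names]
    return bytes(hdr) + fat + b"".join(ents).ljust(512, b"\0")

if __name__ == "__main__":
    print(looks_like_snt(build_sample(["Version", "Metafile"])))
```

The parser only reads the FAT sectors listed in the header, which covers files up to roughly 7 MB with 512-byte sectors; a truncated carve still yields whatever directory entries survived.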
