Searching for files on unknown/proprietary filesystem

Question

I am attempting to find any files or folders on an SD card.

Currently I've been looking at it with Foremost, but with no success. I know for certain that the file-system on the SD card is non-standard one that is not publicly available/ I believe this is causing issues with Foremost's data carving detection.

Is my only option to examine the memory its self? If so, what tool or text is best to utilize for this task?

Foremost is a file carver, it knows nothing about file systems. As for many other file carvers, it will work well for contiguous (non encrypted) files and not for other situations. BTW your question is not very detailed: you haven't provided any information about the file system, like some brief excerpts of hex dumps of interesting parts or other information. We don't even know if the data is encrypted or not. Where does it come from? Please elaborate. — Andrea Lazzarotto, Dec 24 '16 at 17:02

mikato · Answer 1 · 2016-12-22T14:59:09.210

Data carving (with something such as Foremost) works outside the file system, looking just at the data storage directly, so in some ways it is not affected by the file system. But of course it does somewhat depend on how the file system stores the data. Most common file systems commonly store data in contiguous areas and that is why file carving works and can recover whole files. It is possible for some unknown file system to scatter small data chunks all around I suppose, making it much more difficult to detect files and really really difficult to put together whole files. It's also possible for the data to be encrypted or encoded somehow by it.

Photorec works well recovering files from raw data (disregarding any file system) for many different file types based on identifiers for each file type supported). It's free and open source. There are also other good non-open source tools for that such as R-studio and ReclaiMe.

What file types are you going for? Some are easier to carve than others. Some you may even have to carve completely manually. As I said it's also possible the data is encrypted or encoded somehow if you're not finding anything with common file types. Have you looked at some of it in a hex editor? Winhex is a good one for Windows. That might be a good next step to get an idea of what is there. Otherwise you might be spinning your wheels.

This is a good answer and it's really crazy someone downvoted it. — Andrea Lazzarotto, Dec 24 '16 at 17:01
@AndreaLazzarotto I'm guessing it was user400344. It looked like that person downvoted the other two answers and then claimed victory saying "Mine is the glory!". What a boob. Thanks though. — mikato, Jan 04 '17 at 21:42

score 0 · Accepted Answer · answered Dec 22 '16 at 15:27

Image the SD to a raw file on an SSD, then use magicrescue, foremost, photorec, scalpel. When this fails (it will fail) search for magic numbers to find the desired filetypes (HEX workshop is good), and dump them in hex. From hex, rebuild the files with python/perl. Perl's excellent pack() function is your friend, and python has it as well.

score -1 · Answer 3 · answered Dec 21 '16 at 09:43

-1

A tool called Scalpel can work on non standard file systems. Check it out here

answered Dec 21 '16 at 09:43

Brandon Skerritt

101

Searching for files on unknown/proprietary filesystem

3 Answers3