Introduction
This version of Blade adds Intelli-Carve® support for the recovery of Zip Archive based files and OLE2 compound based files. It includes a stand-alone version of our DataDumper tool for extracting data sub-sets and an updated Jump List deconstructor.
For a list of the changes made in this version, please see Change Log v1.12.
OLE2 Compound Document Recovery
Microsoft Compound File Binary (CFB) file format is also known as the Object Linking and Embedding (OLE) or Component Object Model (COM) structured storage compound file implementation binary file format. CFB implements a simplified file system through a hierarchical collection of storage objects and stream objects.
A storage object is comparable to a file system directory in that just as a directory can contain other directories and files, a storage object can contain other storage objects and stream objects. A parent storage object can also track the locations and sizes of the child storage object and stream objects nested beneath it. A stream object is comparable to a file in that a stream contains user-defined data stored as a consecutive sequence of bytes. A compound file consists of the root storage object with optional child storage objects and stream objects in a nested hierarchy.
The file format has been used for a number of differrent file formats such as:
- Microsoft Word up to 2003
- Microsoft Powerpoint up to 2003
- Microsoft Excel up to 2003
- Windows Thumbnail files
- Windows Installer files
- Windows Sticky Notes files
- Windows Jump Lists
- Internet Explorer Tab Session and Recovery Store files
Blade® now has the ability to validate Compound Files in memory, as well as identify the file type from the stream data.
ZIP Archive Recovery
ZIP is one of the most widely used compressed file formats. It is universally used to aggregate, compress, and encrypt files into a single interoperable container. We have developed a methodology for recovery which has been embedded into an Intelli-Carve® recovery profile. Our software has the ability to read and validate ZIP archives directly from a stream.
In addition to being used as a compression file format, ZIP is also used in a number of proprietary file formats such as those used for the following file types:
- Microsoft Word from 2007
- Microsoft Powerpoint from 2007
- Microsoft Excel from 2007
- OpenOffice Documents
- StarOffice Documents
- Adobe AIR installation packages
Blade® now has the ability to validate ZIP Archive files in memory, as well as identify the file type from the contents.
DataDump
DataDump allows you to dump segments of data from an original source image or physical/logical device. It can be accessed from Blade® by selecting Tools » Dump Data. It can be used for the following:
- Extract a stream of binary data from a source image or logical device
- Convert an entire image or a segment of an image to a single flat file
- Extract binary chunks of data from files, images or physical/logical devices
- Extract a partition from a source device as a single binary file
- Hash the output data using MD5, SHA-1, SHA-256 or SHA-512