JPEG Files

Next we will look at carving JPEG graphic files, as specified in the document “Description of Exif file format.” For complete details of the file format specification, please refer to the hyperlink to the document, listed on page 1 of this paper.

The JPEG graphic file starts with a Start of Image (SOI) signature of “FF D8”. Following the SOI is a series of “Marker” blocks of data used for file information. Each of these “Markers” begins with a signature “FF XX”, where “XX” identifies the type of marker. The 2 bytes following each marker header are the size of the marker data. The marker data immediately follows the size, and the next marker header “FF XX” immediately follows the previous marker data. There is no standard as to how many markers will exist, but following the markers, the signature “FF DA” indicates the “Start of Stream” (SOS) marker. The SOS marker is followed by a 2-byte value giving the size of the SOS data and is immediately followed by the image stream that makes up the graphic. The end of the image stream is marked by the signature “FF D9”.

In the event that a thumbnail graphic exists within the file, the thumbnail graphic will have the exact same components as the full-size graphic, with “FF D8” indicating the start of the thumbnail and “FF D9”, indicating the end of the thumbnail.  Since thumbnails are significantly smaller and less likely to experience fragmentation than their larger parent full-size graphic, they can be used as a comparison tool for evaluating what the entire jpeg graphic is supposed to look like, in the event you must do a manual visual review of the carved graphic.

By searching first for all locations of the “FF D8 FF” signature, you identify the beginning of each jpeg graphic. The reason for searching for “FF D8 FF” is that there are different versions of jpeg files, some that start with “FF D8 FF E0” and some with “FF D8 FF E1”, and leaving off the 4th byte in your signature will catch all instances, but may result in some false hits.

Rather than carve a specific length of data, in this case we will start at the beginning signature and carve until we find “FF D9”. In the event of a non-fragmented jpeg graphic without a thumbnail, this will carve the whole file. If we slightly modify our logic by including an “if “FF D8” occurs again before “FF D9”, then carve to the 2nd instance of “FF D9”” statement in our search for jpegs, then we will carve entire files including their thumbnail, as long as they are not fragmented. Without this “if” logic, the first search would stop carving at the end of the thumbnail and result in an invalid jpeg. In the event of a fragmented jpeg file, the above carving method results in either a partial jpeg file or a complete jpeg file that contains extraneous data in the middle of it.
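The carving rule described above, as an added example that is not code from the original paper: it searches for “FF D8 FF”, carves to “FF D9”, and generalizes the “2nd instance” rule to a nesting counter so an embedded thumbnail does not end the carve early. The byte strings are constructed stand-ins (not viewable images), and the names `find_end` and `carve` are hypothetical.

```python
import struct

SOI = b"\xff\xd8\xff"  # start signature with the 4th byte (E0, E1, ...) left off
EOI = b"\xff\xd9"      # end-of-image signature


def find_end(buf, start, handle_thumbnails=True):
    """Return (end_offset_exclusive, nested_count) for the JPEG at `start`.

    end_offset is None when no closing FF D9 exists (partial/truncated data).
    """
    if not handle_thumbnails:
        # Naive rule: stop at the first FF D9 after the start signature.
        eoi = buf.find(EOI, start + 2)
        return (None if eoi == -1 else eoi + 2), 0
    depth, nested, pos = 0, 0, start
    while True:
        eoi = buf.find(EOI, pos)
        if eoi == -1:
            return None, nested
        # Does another start signature occur before this FF D9?
        soi = buf.find(SOI, pos, eoi + 1)
        if soi != -1:
            depth += 1
            if depth > 1:
                nested += 1          # an embedded thumbnail begins here
            pos = soi + 2
        else:
            depth -= 1               # this FF D9 closes the innermost image
            pos = eoi + 2
            if depth == 0:
                return pos, nested


def carve(buf, handle_thumbnails=True):
    """Carve every top-level JPEG candidate out of a raw byte buffer."""
    hits, pos = [], 0
    while True:
        start = buf.find(SOI, pos)
        if start == -1:
            return hits
        end, nested = find_end(buf, start, handle_thumbnails)
        hits.append({"start": start, "end": end, "thumbnails": nested})
        # A hit with no end is kept for manual review; keep scanning past it.
        pos = end if end is not None else start + 2


# --- Constructed sample data: SOI, one marker, SOS, dummy stream, EOI ---
PLAIN = (b"\xff\xd8\xff\xe0" + b"\x00\x04JF"
         + b"\xff\xda\x00\x02" + b"\x11\x22\x33" + EOI)
# Parent image whose APP1 (FF E1) marker data holds PLAIN as its thumbnail.
WITH_THUMB = (b"\xff\xd8\xff\xe1" + struct.pack(">H", 2 + len(PLAIN)) + PLAIN
              + b"\xff\xda\x00\x02" + b"\x44\x55" + EOI)
# Partial file: start signature and markers, but no FF D9.
PARTIAL = b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x02\x66\x77"


def pad(data, sector=512):
    """Zero-fill to the next sector boundary, as slack space would."""
    return data + b"\x00" * (-len(data) % sector)


IMAGE = b"\x00" * 512 + pad(PLAIN) + pad(WITH_THUMB) + PARTIAL

if __name__ == "__main__":
    for hit in carve(IMAGE):
        print(hit)
    print("naive:", carve(IMAGE, handle_thumbnails=False)[1])
```

Because “FF D8 FF” and “FF D9” can also appear by coincidence inside marker data, every carved range is still a candidate that needs the viewer check described next.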

After carving all jpeg files based on these rules, we next quickly review which carved jpeg files are complete, versus which ones are fragmented and need further analysis.  By carving all jpeg files to a folder, you next add that folder to your forensic tool that has partial graphic file viewing capabilities, such as the “Outside In” viewer that is built into many existing forensic tools.  Using a gallery view, you can quickly identify which files are not displaying properly, only showing a partial file, and require further analysis.

Once all fragmented or partial jpegs were identified, manual visual inspection of each of these files was used to determine at what point the fragmentation occurred. This was done by approximating the percentage of the file that displayed correctly in the viewer before the display became corrupt. The raw data of the carved file was then reviewed at that percentage of the way into the file to attempt to identify where the valid graphic data ended. For this process it was assumed that the extraneous data started at an offset that was a multiple of 512 bytes from the beginning of the file. Once the extraneous data was identified, it was removed from the partial jpeg and re-evaluated as possible sector data for other fragmented files that had previously been identified.


USB Flash Drives – Instant Storage

Alternate Names: USB flash drives | USB keys | USB memory stick | USB sticks | Flash Drives | Jump Drives | Key Drives | Pen Drives | Thumb drives

What is the hottest back-to-school item this year? So red-hot that Mom and Dad will see it and want it too? It’s a tiny portable data storage device that plugs into the computer’s USB (Universal Serial Bus) port. Just a few of the brand names explain what it is. Here are some examples: TravelDrive™ from Memorex, Mini Cruzer™ from Sandisk, JumpDrive™ from Lexar. These small, pocket-sized storage devices are easy to work with and can plug into any type of computer that is less than 8 years old or that has a USB port.

The great thing is that USB flash drives are really affordable now and for less than $100 you can get a 1GB USB storage device. Although flash drives have many uses, a common one is for transferring files from your work computer to your home computer, eliminating the need for lugging a laptop back and forth. (Although these devices go by many names, for purposes of this article, we will use the term flash drive.)

This article will take a look at this micro-technology, its history and future; you’ll be surprised to find out how prevalent this technology is and how long it has been around. As always, we will take a look at recovery options for these devices.

Flash Drives
In order to better understand the flash devices we have now, let’s take a moment and look at their history. Rudimentary flash memory began as integrated circuit chips that would come to be a standard in all electronic devices. These were known as CMOS (Complementary Metal-Oxide-Semiconductor, pronounced ‘see-moss’) circuits. These small, low power, high-density circuits could be designed to perform a variety of functions and operations. Initially designed in 1963 and first produced in 1968, these little chips were the beginning of the digital integrated circuit. Perhaps you had a computer 17 years ago and remember the importance of the CMOS chip; the CMOS chip controlled the basic system settings and is similar to the BIOS (Basic Input/Output System) on today’s computers.

CMOS integrated chips were a fantastic innovation; however, they were vulnerable to electro-static discharge, had to be handled carefully, and these chips always needed a constant power source to maintain the data. Did you ever have to replace the CMOS battery on your 8088 or 8086 computer? Then you remember that once the power was gone, you had to re-enter all of your computer’s settings.
A new style of chip called EEPROM (Electrically Erasable Programmable ROM or Read Only Memory) was the successor to the CMOS chip and had significant improvements. The major innovation was that the chips were designed to be written to and then to hold data without power. The on-board memory usually held 64k (65,536 bytes). However, the materials inside the chip would wear out over time due to the number of write operations, so the lifetime of these chips was 10,000 to 100,000 write cycles.

Flash memory was an improvement over the EEPROM circuits in that they provided faster access to the data. Originally designed by Intel in 1988 and followed up by Samsung and Toshiba in 1989, these chips started popping up everywhere as embedded memory on electronic devices. Most of the applications for this non-volatile memory storage were for devices where the chip was part of the internal electronics, for example mobile phones, VCRs, automotive electronics, and handheld devices. In fact, flash memory storage (NAND-type flash memory as it is known) could be used for any electronic application that required the storage of data without electrical current; even hard drives use flash memory chips!

After flash technology had proven its reliability, retail products were the next step. M-Systems (NasdaqNM:FLSH) led the industry with the flash disk concept in 1989 and in 1995 started to offer retail products that were designed for cameras, PDAs, and removable memory sticks or cards. Quite a long history, wouldn’t you agree? As you read this, flash storage is replacing the floppy diskette for portable, temporary data storage. The beauty of the USB flash drive is that it is universal. Remember the Great Floppy Diskette Debate? Do we install 5¼” drives? 3½” drives? Both? The manufacturers have wisely stuck to a standard this time.


How To Protect Your Computer From Viruses?

What is a computer virus and how do you get one?

If you depend on the information stored on your personal computer, you need to understand how computer viruses spread, and you should use anti-virus software to reduce the chance that a computer virus will infect your programs and files.

A computer virus is a program that makes copies of itself and infects files. Computer viruses can spread to other computers and files whenever infected files are exchanged. Often infected files come as email attachments, even from people you know. The email senders have no idea that they are passing on a file with a virus in it.

Some computer viruses can erase or change the information stored on your computer; other viruses may do little or no harm to your system. Writing and releasing any virus is prohibited by university policy, and anyone who does so will be held legally accountable for damages.

How to protect your computer?

There are several things that you should do to protect your computer from virus infections:

  • Use a high-quality anti-virus program, and be sure to update it regularly. Use it to scan any files, programs, software, or diskettes (even new software from a commercial company) before you use them on your computer.
  • Make back-up copies of important documents or files and store them on separate diskettes. Making backups will also protect your information against accidental file deletion, diskette failure, and other damage.
  • Whenever you use a computer in a campus lab, be sure to reboot or run “cleanup” before you start your session and log out when you end your session.
  • Do not share commercial software with anyone. It is a violation of the author’s copyright to distribute such material, and it is a way to spread viruses.
  • When you get public domain (PD) software for which the author has granted permission to make copies, get it from a reliable source. (For example, an individual you do not know is not a reliable source.) Before you run PD material, use an anti-virus program to inspect for known viruses.
  • Always scan your disks and files after using them on another computer.
  • Always scan all files you download from the Internet.
  • Always scan Word or Excel file email attachments before you read them.

What if your computer gets a virus?

Not all damage to your programs and files is caused by viruses: worn out floppies, failing hard drives, user error, and poorly written programs can all cause you to lose data. If your computer is behaving strangely, or if you think your computer has a virus, use an anti-virus program to find out.

If your computer is infected with a virus, DON’T PANIC! Use an anti-virus program to remove the virus yourself, or turn your computer off and find someone who knows how to remove the virus.

If a virus is active in memory, it may prevent anti-virus programs from working correctly. To be sure no virus is active, turn off your computer and reboot from a known-clean system diskette before you begin the disinfection process.

Eliminate all copies of the virus as quickly as possible. Check all your diskettes, and warn anyone else who may have infected files or disks.

Remember, most viruses can be removed without permanent damage to your system, and most virus infections can be prevented. With proper care, your computer can remain virus-free.


Magnetic disc drive head alignment system

1. In a disc drive which includes a plurality of read/write magnetic heads and a servo magnetic head mounted for simultaneous movement by an actuator in response to a servo signal from the servo head, and in which the positions of the read/write heads are individually adjustable with respect to the servo head, a system for indicating any misalignment of the individual read/write heads as the particular head produces a cyclic position signal in response to position signals pre-recorded on alignment tracks of an alignment disc, each cycle of said cyclic position signal having a first segment with positive and negative peak amplitudes and a second segment with positive and negative peak amplitudes, the positive and negative peak amplitudes of said first and second segments being equal when the particular head is in registry with the corresponding alignment track, and the positive and negative peak amplitudes of one or the other segments decreasing when the particular head moves out of registry with the alignment track to one side or the other thereof; said system including balanced gating circuitry having four output circuits for respectively producing four gating signals respectively timed to occur in time coincidence with respective ones of the positive and negative peak amplitudes of said first and second segments; a balanced input circuit connected to the particular head and including first and second outputs respectively applying the cyclic position signal and its complement to said gating circuitry to cause said gating circuitry to produce said four gating signals at the respective output circuits thereof; peak detector circuitry including four peak detector circuits respectively connected to said four output circuits of said gating circuitry to be individually gated by respective ones of said four gating signals, means connecting two of said peak detector circuits to the first output of said balanced input circuit and further means connecting the other two of said peak detector circuits to the second output of said balanced input circuit, said four peak detector circuits collectively detecting the positive and negative peak amplitudes of each of the two segments of each cycle of said position signal and providing four analog outputs corresponding thereto; and output circuitry connected to the outputs of said four peak detector circuits in said peak detector circuitry for producing an analog output signal having an amplitude corresponding to the difference between the algebraic sum of the positive and negative peak amplitudes of the first segment and the algebraic sum of the positive and negative peak amplitudes of the second segment.

2. The system defined in claim 1, in which said balanced input circuit includes a linear amplifier, and in which said system includes a summing circuit connected to said four peak detectors in said peak detector circuitry for producing an output signal representing the algebraic sum of the outputs of the four peak detector circuits, and an automatic gain control circuit connected to said summing circuit and responsive to the output thereof for producing an automatic gain control signal for said linear amplifier.

3. The system defined in claim 1, in which said gating circuitry contains a frequency-independent phase-shifting circuit so that the system may be used with a wide variety of recorded signals without adjustment.

4. The system defined in claim 1, and which includes circuitry connected to said peak detector circuitry for limiting the analog outputs thereof to a predetermined maximum.

5. The system defined in claim 1, and which includes an analog/digital converter coupled to the output of said output circuitry to convert the analog output signal therefrom into a corresponding digital signal; and a digital display device coupled to the output of the analog/digital converter.

6. The system defined in claim 1, in which said gating circuitry includes first and second comparators interconnected to provide a quadrature shift to the cyclic position signal from said balanced input circuit which is independent of frequency.


Windows 7 – How to stop readyboost from rebuilding cache after every restart on SD cards and flash drives?

On my computers (running windows 7 and vista and using SD cards and flash drives) ReadyBoost rebuilds cache after every reboot. Because of this and 5400RPM HDD, it takes several minutes for computer to start working normally. I gave up on using ReadyBoost because of that. Today I read in comments on this answer that…


BIOS Limitation/BIOS Capacity Barrier

The BIOS limitation or BIOS capacity barrier is the computer’s inability to recognize hard drive capacities larger than allowed by the hard-coded programming contained in your system BIOS. For example, your system BIOS might only be capable of understanding a hard drive capacity of up to 32 GB. If you then attempt to install and auto-detect a 40 GB hard drive, the system will freeze because the BIOS is not capable of understanding the capacity reported by the hard drive. In short, that particular BIOS cannot count past 32 GB.

Seven Major BIOS Limitations:

  • Systems with BIOS dated prior to July 1994 (504 MB Limitation).
    Typically these BIOS will have a 504 megabyte (1,024 cylinders) limitation. Prior to this date, most manufacturers’ BIOS did not provide the Logical Block Address (LBA) feature needed for proper translation. Some BIOS had LBA mode in the setup, but the feature did not work properly.
  • Systems with BIOS dated after July of 1994 (2.048 GB Limitation).
    Typically, these BIOS provide support for hard drives with capacities larger than 504 megabytes. However, depending on the manufacturer’s release date and version number, different limitations may be encountered. The major limitation that surfaces is the 4,093-4,096 cylinder limitation. This barrier is derived from the fact that some BIOS manufacturers implemented Logical Block Addressing (LBA) translation in their BIOS with a 4,093 – 4,096 cylinder limitation. System hangs would occur when the cylinder limitation threshold is exceeded. A system hang is defined when the operating system hangs during initial loading, either from floppy diskette or existing hard drives. If these symptoms of system hang occur or there are questions whether the system BIOS will support the drive, contact the system or motherboard manufacturer for assistance.
  • 4.2 GB Limitation.
    The maximum parameters at the 4.2 GB barrier are 8,190 cylinders, 16 heads and 63 sectors for a capacity of 4.2 GB. A system hang is defined when the operating system stops responding during initial loading, either from floppy diskette or existing hard drives. This can be caused by the BIOS reporting the number of heads to the operating system as 256 (100h). The register size DOS/Windows 95 uses for the head count has a capacity of two hex digits. This is equivalent to the decimal value 255. If these symptoms of system hang occur or there are questions whether the system BIOS will support the drive, contact the system or motherboard manufacturer for assistance.
  • 8.4 GB limitation.
    The maximum parameters at the 8.4 GB barrier are 16,383 cylinders, 16 heads and 63 sectors for a capacity of 8.455 GB. To go beyond this boundary, a new extended INT 13 function is needed from the BIOS as a support feature for the drives. The BIOS listed below are all “CORE” BIOS that will support drives larger than 8.4 GB. Even though a BIOS is dated correctly or is the current version, it may not be able to support extended interrupt 13 because of modification done to the “CORE” of the BIOS from the motherboard manufacturer.
  • 32 GB limitation.
    This condition is caused by the Award BIOS’s inability to address hard drives greater than 32 GB. Award has been made aware of this issue and has fixed their “core” BIOS as of 6/99. They are passing this information along to the motherboard manufacturers that use their BIOS. Updates for the BIOS should be available soon from individual motherboard manufacturers to correct this problem.
  • 64 GB Limitation
    There is no 64GB BIOS Capacity Barrier. If you use FDISK to format a drive that is larger than 64 GB, FDISK will report the incorrect disk size.
  • 137 GB Limitation
    Some system BIOSes are limited to 137 GB because they can only support 28 bit Logical Block Addressing (LBA).

Procedure on how to overcome the BIOS capacity limitation:

  • Check with the system or motherboard manufacturer for any BIOS upgrades for the system. If there are no BIOS updates from the manufacturer you can visit www.esupport.com for a BIOS update.
  • (Recommended) Purchase a PCI ATA controller card that will support the capacity of the drive. The two benefits of ATA controller cards are:
    1. the ability to support large capacity drives
    2. the ability to support the faster transfer rates of the drive.

Glossary of Western Digital Hard Disk Drive (Letter D)

Data Lifeguard Tools™
A set of software utilities that work in conjunction with embedded Data Lifeguard features to make hard drive installation, drive management diagnostics, and repair simple and worry-free.

Data Lifeguard™
A WD-exclusive data reliability feature that automatically detects, isolates, and repairs problem areas on a hard drive and prevents data loss.

data synchronizer
An electronic circuit that uses a clock signal to synchronize data.

data transfer rate
The rate that digital data transfers from one point to another, expressed in bits per second or bytes per second. Data transfer rate to disk (internal disk transfer rate) is expressed in megabits per second (Mb/s). Data transfer rate from buffer to host (transfer of buffered data) is expressed in megabytes per second (MB/s).

database
A collection of data stored on a computer system medium, such as a hard drive, CD-ROM, etc., that can be used for more than one purpose.

dedicated landing zone
The designated radial zone of a disk, usually at the inner portion, where heads are stored to avoid contact with data cylinders when power to the drive is off.

defect free
A term to describe recording surfaces that have no detectable defects.

defect management
A general method of eliminating data errors on a recording surface by mapping out known media defects. Defective areas are rendered inaccessible, so that subsequent operations write data only to non-defective locations.

desktop
A personal computer sized to fit on or under your desktop. WD internal hard drives are designed to fit into a desktop PC.

DHCP
Dynamic host configuration protocol. A protocol for assigning IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address each time it connects to the network. In some systems, the device’s IP address even changes while it is still connected. DHCP also supports a mix of static and dynamic IP addresses.

differential SCSI
An electrical signal configuration that uses pairs of lines for data transfer, primarily in applications requiring cable lengths up to 82 feet (25 meters).

disk
A rigid platter, usually constructed of aluminum or Mylar® and with a magnetic surface that allows the recording of data.

disk controller
A chip or circuit that controls data transfers between disk and buffer. See also disk drive controller and interface controller.

disk drive controller
Hard disk drive controller electronics, which include the disk controller and interface controller. See also disk controller and interface controller.

disk transfer rate
Speed at which data is transferred to/from disk (platter); a function of the recording frequency. Typical units are bits per second (b/s), or bytes per second (B/s). A hard drive disk transfer rate increases from the inner diameter to the outer diameter of the disk.

distribution channel
Electronics distributors and retail chains that deliver electronic goods to end users through value-added resellers and retail stores.

DLNA
Digital Living Network Alliance. The group of consumer electronics, computing industry, and mobile device companies that sets standards for product compatibility, thus enabling users to share content in their home.

DMA
Digital Media Adapter. A device that gives home entertainment devices the ability to transfer media such as music, photos, and videos to and from other devices over the network.

DMA
Direct memory access. A process that transfers data directly to/from main memory, without passing through a CPU. DMA improves speed and efficiency by allowing a system to continue CPU processing while transferring data to/from a hard drive.

DNS
Domain Name Service. A system that allows a network name server to translate text host names into numeric IP addresses used to uniquely identify any device connected to the Internet.

DOS
Disk Operating System. A 16-bit operating system developed by Microsoft that was formerly the standard operating system for IBM-compatible PCs. DOS does not support multiple users or multitasking.

DPP
Data Path Protection. A feature that prevents possible electronic failures by preventing corruption of data on the hard drive.

DSA
Dual Stage Actuator. DSA is an improvement to the overall capability of the Servo system. It provides a mechanical benefit to improve the response time (higher bandwidth capability) of moving and maintaining the head position over the media.

dual interface
An external storage device with two interfaces available for connection to the computer.

dual-option backup
The ability to back up a drive either manually (on demand) or automatically.

DuraStep Ramp™
WD technology that locks the heads of a data disk to provide additional shock protection.

duty cycle
The time a component, device, or system is actually operating as compared to the time it is powered on; can be expressed as a ratio or percentage.

DVR
Digital video recorder.
