Challenger Rocket File System View ============================= Introduction ------------------------------------- File System View is a Task Integrated Tool for analysis, display, forensic tasks and data recovery of Partitions and Files. File System View Will use Current Device Task Options for any operations or command. Opening File System View ------------------------------------- File System View will be displayed clicking on ``File System View Button`` located on Rocket Toolbar. .. image:: images/filesystemselect.png :width: 80% :align: center .. raw:: latex \newpage Opening Partition Table ------------------------------------- Most Devices are configured with a legacy MBR ( master boot record ) located at default sector 0. Usually Sector 0 Contains the Partition Table Scheme. Modern devices are configured with GPT Partition Table, an extension of a legacy mbr which points to a partition type 0xEE usually located at sector 1. .. hint:: On a direct volume, the first sector of device is the partition boot sector. To read and expand current partition table double click on device name located on top left on File System View .. image:: images/openpartitions.png :width: 80% :align: center .. raw:: latex \newpage Inspecting Master Boot Record ```````````` In a Device Diagnostic Process, inspection of master Boot Record Sector should be performed in ANY CASE. Since Master Boot Record has Big Relevance in any Data Recovery Task, first check effective status of the logical block address, next inspect partition offsets and their offset status. Most of common Error in Hard Disk Drives are related to Master Boot Record or GPT Corruption. Reading Master Boot Record in Hex Mode ```````````` .. raw:: latex \newpage Partition Table ------------------------------------- Rocket File System View will display Partition Table Result as an expanded Tree and as textual information log. .. hint:: To Open File System Content ``double click`` on Desired Partition in Partition Tree. Most of common hard disk devices damages affect Master Boot Record ( sector 0 ). Please Check Log and Lba Map for errors when opening partitions. .. hint:: Lba Errors on ``Sector 0`` can be fixed using ``Scan For Lost Partition Function`` .. image:: images/partitions.png :width: 80% :align: center .. raw:: latex \newpage Partition Common Errors ```````````` If one drive cannot be mounted from os properly or resident operating system cannot boot and you receive it for data recovery, expect to meet errors scenarios. 1. Damaged or Missing Master Boot Record 2. Damaged or Missing GPT 3. Damaged or Missing Main Partition SuperBlock 4. Damaged or Missing $MFT Record ( on NTFS File Systems ) 5. Damaged or Missing Root Node 6. Combination of Cases Above .. hint:: If in the diagnostic process many damaged block will be discovered, consider to create a complete image of the source drive. This will reduce Damaged Device stress and Risk of Definitive Failure. .. note:: Please Refer to Section **Data Recovery Samples** to solve Partitions Common Errors. .. raw:: latex \newpage File System View Interface ------------------------------------- .. image:: images/filesystem.png :width: 80% :align: center .. raw:: latex \newpage File System view tools ------------------------------------- File system View offers several analysis utilities, just select file / folders and press right mouse button to open context menu. .. image:: images/filesystemcontext.png :width: 80% :align: center 1. Open File 2. Save File 3. Evaluate Folder Size 4. Check File Consistency 5. Read File Chains 6. Secure Delete Files Chains 7. Build Allocation Bitmap 8. Read Bitmap Allocated Sectors 9. File Search 10. FIle Binary Search 11. Hash Calculation 12. LBA Map ( related to file chains ) 13. Move to File Record 14. Move to File Offset 15. Create Snapshot 16. Export File List 17. Expand File System 18. File Fragment Table 19. Display 20. Sort Records 21. Properties Open File ```````````` Save selected Files to Temp Folder and launch associated application. This can be accomplished selecting "Open File" , Double Click on File or pressing Right Arrow on Keyboard. .. note:: Big Files cannot be opened to avoid memory saturation. Save File ```````````` Save Selected Files and Folders to Target device or location. This can be accomplished selecting "Save File" or pressing "F2" key on keyboard. .. raw:: latex \newpage Evaluate Folder Size ```````````` Evaluating Folder Size can be useful to determine size of a dataset before saving it. Evaluation does not read files content but metadata only. .. hint:: On Huge File Systems could be useful disable LBA Map while evaluating to increase nodes analysis speed. Check File Consistency ```````````` Consistency function can be useful to determine quality of a dataset. All selected folders and files content will be read without saving files. If any node will contain bad block, file chain reading process will be interrupted and logged in current test log. .. hint:: Using Check File Consistency in a Cloning Task will result in automated transfer of selected File Chains into target device sectors. This will be really useful while recovering damaged devices. Read File Chains ```````````` Like Check File Consistency, all selected File Chains will be read with no process interruption after errors. This should be used on single Huge Damaged files like Databases and Mailboxes which could be recovered with specialized tools in a second process. .. hint:: Using Read File Chains in a Cloning Task will result in automated transfer of selected File Chains into target device sectors. .. raw:: latex \newpage Secure Delete Files Chains ```````````` All Selected Files Chains will be Shredded and Erased Permanently. Secure Delete Files Can be accomplished in several modes: 1. SHREDDER TYPE ZERO 2. SHREDDER TYPE RANDOM 3. SHREDDER TYPE XOR 4. SHREDDER TYPE FAST XOR .. raw:: latex \newpage Build Allocation Bitmap ```````````` Each File has an allocation and often a fragmented chain. Reading a file system structure using iNode order usually cause overheads and heads seeking latencies ( devices seeks in several lba areas to rebuild a single file chain ). Building Allocation Bitmap aims to merge zones of selected files saving allocations information on Task zMap in a linear global allocation. This will be useful to inspect SLACK SPACE and optimize reading process. .. hint:: Build Allocation Bitmap needs Lba Map flag enabled. Read Bitmap Allocated Sectors ```````````` Read Bitmap can be launched with a filled bitmap created with function **Build Allocation Bitmap** to perform disk reading of allocated sectors. .. note:: Build Bitmap and Read Bitmap should be used in a cloning or imaging Task. Like Check File Consistency, all selected File Chains will be read with no process interruption after errors. This should be used on single Huge Damaged files like Databases and Mailboxes which could be recovered with specialized tools in a second process. .. hint:: Using Read File Chains in a Cloning Task will result in automated transfer of selected File Chains into target device sectors. .. raw:: latex \newpage File Search ```````````` Searching File is essential in a data recovery Task. File Search can be performed on global file system ( starting from root node ) or selecting folders to search into. To launch a File Search Thread just press **F3** key or Select Search From Context menu. You can enter a part of file you are looking for (eg. doc) or simply extension (.doc) .. note:: Challenger Rocket has an embedded Search System with Enabled Snapshot. Every File Search performed in a snapshot is Very Fast. MBR Partition Table ```````````` GPT Partition Table ```````````` Opening a Partition ```````````` Adding Virtual Partitions ```````````` .. raw:: latex \newpage Navigation in File System View -------------------------------------