Reading File Signatures and Using Them to Recover Lost Data

by Edwin Liu | May 22, 2013 18:07 PM
All the data recovery technologies mentioned so far in this guide have one thing in common: they all rely on a file allocation table on the disk that can still be read. The file allocation table is very important. If your file allocation table is completely damaged, all of your data will be lost.

Now I'd like to introduce an ultimate data recovery technology that lets you deal with the following situations: the file allocation table is lost or damaged, or other data recovery methods have failed.

Note: This ultimate data recovery process is very lengthy and can cause more damage, so use this method only when you have no other choice.

Windows uses the file extension to decide which program a file is associated with. For instance, if you double-click a file with the .doc extension, Windows automatically tries to open it with Microsoft Word.

However, the extension is not the only thing that identifies a file's type. If you rename a .pdf file so that it has a .doc extension and then double-click it, Windows will try to open it with Microsoft Word, but you may be told that it is an invalid Word file. No matter what the file is named, Microsoft Word can tell Word files from files of other types. Other applications do the same thing, because most files have a file header that identifies which application the file belongs to.

From the viewpoint of data recovery, this means that many types of data have a file header as their unique mark. This header is a string of bytes at the beginning of the file. So, if you want to recover all the Microsoft Word files on a damaged hard drive, you can find out the Word file signature and then use data recovery software to search for Word files based on that unique signature. Once you locate a file, you can recover it to another hard drive. This is easier said than done: you need to know what the file signature is before you can think about recovering files based on signatures.

How to determine a file signature?

Working out what a file signature is turns out to be the hardest part of the data recovery process, because different file types use different signature schemes. Some file types put the signature at the beginning of a file, some put it at the end, and others put a signature at both the beginning and the end.

Here is a technique for determining the signature of a file type: work it out from files that are already known. To do this, install a spare hard drive in the machine used to carry out the recovery. Then format the spare drive with the same file system as the hard drive you are recovering. Use a full format (not a quick format) to delete all existing data on the drive, so that leftover data does not complicate things.

Once you have prepared the spare hard drive, you need to copy some files to it. For example, if you want to recover files created in Word 2003, first use Word to put some files on the spare hard drive.

Create some sample files with Word 2003. (Do not create large files. Small files are easier to analyze.)

Now you can use "UltraEdit", a text editor, to view the bytes of the files. Check about 50 bytes at the beginning or end of each sample file and find the hexadecimal bytes they have in common. These common bytes are the file signature. (Note: Use more than just a few sample files, so that bytes that happen to match by accident in some of them are not mistaken for part of the signature.)
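The comparison described above can also be scripted. The following is an added example, not part of the original article: it finds the bytes shared by every sample at the start and at the end of the file, then searches a raw image for the header. The function names, the made-up sample format and the assumption that files start on 512-byte sector boundaries are all illustrative.

```python
WINDOW = 50  # bytes compared at each end of a file, as in the text

def common_run(samples, window=WINDOW, from_end=False):
    """Return the run of bytes shared by every sample, counted from the
    start of the file (or from the end when from_end is True)."""
    if from_end:
        views = [s[-window:][::-1] for s in samples]
    else:
        views = [s[:window] for s in samples]
    run = bytearray()
    for column in zip(*views):       # zip stops at the shortest sample
        if len(set(column)) != 1:    # first offset where the samples differ
            break
        run.append(column[0])
    return bytes(run[::-1]) if from_end else bytes(run)

def scan_image(image, header, sector=512):
    """Return the sector-aligned offsets in a raw image where header occurs.
    Assumes files begin on sector boundaries."""
    return [off for off in range(0, len(image), sector)
            if image[off:off + len(header)] == header]

# Constructed sample data in a made-up format, not a real file type.
# The first two bodies both end in " body" by accident; the third sample
# is what stops those bytes from being taken as part of the footer.
SAMPLES = [
    b"SIG1\x00\x01" + b"first document body" + b"\xffEND",
    b"SIG1\x00\x01" + b"second, somewhat longer body" + b"\xffEND",
    b"SIG1\x00\x01" + b"3rd" + b"\xffEND",
]

def build_image():
    """Constructed 4-sector 'disk' holding two files and no file table."""
    image = bytearray(4 * 512)
    image[512:512 + len(SAMPLES[0])] = SAMPLES[0]
    image[3 * 512:3 * 512 + len(SAMPLES[2])] = SAMPLES[2]
    return bytes(image)

if __name__ == "__main__":
    header = common_run(SAMPLES)
    footer = common_run(SAMPLES, from_end=True)
    print("header:", header.hex(" "), "| footer:", footer.hex(" "))
    print("header found at offsets:", scan_image(build_image(), header))
```

Running the footer comparison on only the first two samples returns the longer run ` body` plus the real footer, which is the accidental similarity the note above warns about.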


