Portable Network Graphic (PNG)
Portable Network Graphics, or PNG as it is more commonly referred to, is a file format for storing bitmapped (raster) images. The format supports lossless data compression and was created as an improved, non-patented replacement for the Graphics Interchange Format (GIF). It is the most widely used lossless image compression format on the Internet.
In Blade® v1.13, we have developed an Intelli-Carve® Data Recovery Engine which understands the PNG file format, so the software can verify the integrity of the data structures (chunk lengths, types and CRCs) during the recovery process. It can also identify partial recovery scenarios, such as an image truncated before its IEND chunk, and recovers those file fragments to a separate folder for examination.
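The kind of structural check described above, as an added example that is not Blade®'s own code: a PNG chunk walker that verifies the signature, requires a 13-byte IHDR first, checks every chunk CRC, and distinguishes a clean file (ends at IEND) from a truncated one (sound structure up to a cut-off, the "partial" case) and a corrupt one. The sample image, and the blob with two images embedded in filler, are constructed here for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def validate_png(data: bytes) -> dict:
    """Walk the chunk list of a PNG that starts at data[0].

    Returns {"status": "ok" | "partial" | "invalid", "chunks": [...],
             "errors": [...], "end": offset just past the last complete chunk}.
    "partial" means the structure was sound up to a truncation point; that is
    the fragment a carver should save to a separate folder for manual review.
    """
    res = {"status": "invalid", "chunks": [], "errors": [], "end": 0}
    if not data.startswith(PNG_SIGNATURE):
        res["errors"].append("bad 8-byte signature")
        return res
    pos = len(PNG_SIGNATURE)
    while True:
        if len(data) - pos < 8:                       # not even a length + type
            res["errors"].append(f"truncated chunk header at {pos}")
            res["status"] = "partial"
            return res
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if length > 0x7FFFFFFF or not ctype.isalpha():  # spec limits for length/type
            res["errors"].append(f"implausible chunk {ctype!r} length {length} at {pos}")
            return res
        if not res["chunks"] and (ctype != b"IHDR" or length != 13):
            res["errors"].append("first chunk is not a 13-byte IHDR")
            return res
        total = 8 + length + 4                        # header + data + CRC
        if len(data) - pos < total:
            res["errors"].append(f"truncated {ctype.decode()} chunk at {pos}")
            res["status"] = "partial"
            return res
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack_from(">I", data, pos + 8 + length)[0]
        if zlib.crc32(ctype + body) != stored_crc:    # CRC covers type + data, not length
            res["errors"].append(f"CRC mismatch in {ctype.decode()} at {pos}")
            return res
        res["chunks"].append(ctype.decode())
        pos += total
        res["end"] = pos
        if ctype == b"IEND":
            res["status"] = "ok"
            return res


def carve_pngs(blob: bytes):
    """Yield (offset, validation result) for every PNG signature found in a blob."""
    start = 0
    while (off := blob.find(PNG_SIGNATURE, start)) != -1:
        res = validate_png(blob[off:])
        yield off, res
        # Skip past what we consumed; on an invalid hit just step over the signature.
        start = off + (res["end"] or len(PNG_SIGNATURE))


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG used as sample input (not from the page)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")                 # filter byte 0 + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    png = make_sample_png()
    blob = b"junk" + png + b"\x00" * 5 + png[:-6]      # one whole image, one cut inside IEND
    for off, res in carve_pngs(blob):
        print(off, res["status"], res["chunks"], res["errors"])
```

Only chunks that pass their CRC are counted, so the `end` offset of a partial result is the safe carve length for the fragment; a CRC failure is reported as invalid rather than partial because the bytes in between can no longer be trusted.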
To examine the full change log for this version, please see:.
OLE2 Compound Document Recovery
The Microsoft Compound File Binary (CFB) file format is also known as the Object Linking and Embedding (OLE) or Component Object Model (COM) structured storage compound file implementation binary file format. CFB implements a simplified file system through a hierarchical collection of storage objects and stream objects.
A storage object is comparable to a file system directory in that just as a directory can contain other directories and files, a storage object can contain other storage objects and stream objects. A parent storage object can also track the locations and sizes of the child storage object and stream objects nested beneath it. A stream object is comparable to a file in that a stream contains user-defined data stored as a consecutive sequence of bytes. A compound file consists of the root storage object with optional child storage objects and stream objects in a nested hierarchy.
The file format is used as the container for a number of different file types, such as:
- Microsoft Word up to 2003
- Microsoft Powerpoint up to 2003
- Microsoft Excel up to 2003
- Windows Thumbnail files
- Windows Installer files
- Windows Sticky Notes files
- Windows Jump Lists
- Internet Explorer Tab Session and Recovery Store files
Blade® now has the ability to validate Compound Files in memory, as well as identify the file type from the stream data.
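An added example, not Blade®'s code, of what validating a compound file in memory and identifying its type from the stream names involves. It checks the 512-byte header fields defined by MS-CFB (signature, byte order, version/sector-shift pairs, reserved fields), loads the FAT from the sectors listed in the header DIFAT, follows the directory chain and collects the entry names, then maps well-known stream names to the applications listed above. Assumptions: only the 109 DIFAT entries in the header are honoured (enough for compound files of a few megabytes), and the name-to-type table is illustrative. The sample file is constructed here: a minimal v3 container with an empty `WordDocument` stream, not a real document.

```python
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
HEADER_FMT = "<8s16sHHHHH6sIIIIIIIII"      # 76 bytes; the 109-entry DIFAT follows
ENTRY_FMT = "<64sHBBIII16sI8s8sIQ"          # one 128-byte directory entry

# Illustrative stream names that reveal the application that wrote the container.
TYPE_BY_NAME = {
    "WordDocument": "Microsoft Word (.doc)",
    "PowerPoint Document": "Microsoft PowerPoint (.ppt)",
    "Workbook": "Microsoft Excel (.xls)",
    "DestList": "Windows automatic Jump List",
}


def validate_cfb_header(data: bytes) -> list:
    """Check the header against MS-CFB; an empty list means it is consistent."""
    if len(data) < 512:
        return ["shorter than one 512-byte header"]
    (sig, clsid, _minor, major, byte_order, sect_shift, mini_shift, reserved, n_dir,
     n_fat, first_dir, _txn, mini_cutoff, _fmini, _nmini, _fdifat, _ndifat
     ) = struct.unpack_from(HEADER_FMT, data, 0)
    errors = []
    if sig != CFB_SIGNATURE:
        errors.append("bad signature")
    if clsid != bytes(16):
        errors.append("header CLSID is not zero")
    if byte_order != 0xFFFE:
        errors.append("byte order is not 0xFFFE")
    if (major, sect_shift) not in ((3, 9), (4, 12)):  # v3 = 512-byte, v4 = 4096-byte sectors
        errors.append(f"version {major} with sector shift {sect_shift}")
    if mini_shift != 6 or reserved != bytes(6) or mini_cutoff != 0x1000:
        errors.append("mini sector shift, reserved bytes or mini stream cutoff out of spec")
    if major == 3 and n_dir != 0:
        errors.append("v3 must report 0 directory sectors")
    if n_fat == 0:
        errors.append("no FAT sectors")
    if not errors and (first_dir + 2) * (1 << sect_shift) > len(data):
        errors.append("first directory sector lies beyond the data")
    return errors


def _fat(data: bytes, sector_size: int) -> list:
    """Load FAT entries from the sectors named in the header DIFAT (assumption: header part only)."""
    n_fat = struct.unpack_from("<I", data, 44)[0]
    entries = []
    for sect in struct.unpack_from("<109I", data, 76)[:n_fat]:
        off = (sect + 1) * sector_size                # sector 0 starts after the header
        if sect == FREESECT or off + sector_size > len(data):
            break
        entries.extend(struct.unpack_from(f"<{sector_size // 4}I", data, off))
    return entries


def _chain(fat: list, sect: int):
    seen = set()
    while sect < 0xFFFFFFFA and sect < len(fat) and sect not in seen:  # end markers / loops stop us
        seen.add(sect)
        yield sect
        sect = fat[sect]


def cfb_names(data: bytes) -> list:
    """Return the names of all root, storage and stream entries in the directory chain."""
    sect_shift = struct.unpack_from("<H", data, 30)[0]
    first_dir = struct.unpack_from("<I", data, 48)[0]
    size = 1 << sect_shift
    names = []
    for sect in _chain(_fat(data, size), first_dir):
        base = (sect + 1) * size
        for off in range(base, base + size, 128):
            if off + 128 > len(data):
                break
            name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:   # storage, stream, root
                names.append(data[off:off + name_len - 2].decode("utf-16-le", "replace"))
    return names


def identify_cfb(data: bytes):
    errors = validate_cfb_header(data)
    if errors:
        return "invalid", errors
    names = cfb_names(data)
    for key, kind in TYPE_BY_NAME.items():
        if key in names:
            return kind, names
    return "unrecognised compound file", names


def make_sample_doc() -> bytes:
    """Constructed 1536-byte v3 compound file: FAT in sector 0, directory in sector 1."""
    header = struct.pack(HEADER_FMT, CFB_SIGNATURE, bytes(16), 0x3E, 3, 0xFFFE, 9, 6, bytes(6),
                         0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))

    def entry(name, obj_type, child):
        raw = name.encode("utf-16-le") + b"\0\0"
        return struct.pack(ENTRY_FMT, raw, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child,
                           bytes(16), 0, bytes(8), bytes(8), ENDOFCHAIN, 0)

    return header + fat + entry("Root Entry", 5, 1) + entry("WordDocument", 2, NOSTREAM) + bytes(256)


if __name__ == "__main__":
    print(identify_cfb(make_sample_doc()))
```

Because the directory is read through the FAT chain rather than by scanning for names, a stream name that merely appears in slack or in an unreferenced sector does not influence the verdict, and a looped or out-of-range chain terminates instead of hanging the carver.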
ZIP Archive Recovery
ZIP is one of the most widely used compressed file formats. It is used almost everywhere to aggregate, compress and optionally encrypt files into a single interoperable container. We have developed a methodology for recovery which has been embedded into an Intelli-Carve® recovery profile. Our software has the ability to read and validate ZIP archives directly from a stream.
In addition to being used as a compression file format, ZIP is also used as the container for a number of proprietary file formats, including those used for the following file types:
- Microsoft Word from 2007
- Microsoft Powerpoint from 2007
- Microsoft Excel from 2007
- OpenOffice Documents
- StarOffice Documents
- Adobe AIR installation packages
Blade® now has the ability to validate ZIP Archive files in memory, as well as identify the file type from the contents.
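An added example, not Blade®'s code, of validating a ZIP archive from a stream and identifying the document type from its contents. The carver locates the end-of-central-directory record (22 bytes plus an optional comment) to find where an archive embedded in a larger blob ends, the standard library's `zipfile` verifies every member's CRC, and the member names are mapped to the formats listed above: `[Content_Types].xml` plus a `word/`, `ppt/` or `xl/` part for Office 2007+, a stored `mimetype` member for OpenOffice/StarOffice documents, and (an assumption about the package layout) a `META-INF/AIR/application.xml` descriptor for Adobe AIR. The sample packages are constructed in the block and are not real documents.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header, where a carved archive begins
EOCD_SIG = b"PK\x05\x06"       # end of central directory record: 22 bytes + comment


def carve_zip(blob: bytes, start: int):
    """Return the archive whose first local header is at `start`, ending after its EOCD record."""
    eocd = blob.find(EOCD_SIG, start)
    if eocd == -1 or eocd + 22 > len(blob):
        return None
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return blob[start:eocd + 22 + comment_len]


def identify_zip(data: bytes):
    """Validate every member's CRC, then classify the container by its member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()                     # first member whose CRC/header fails, or None
            if bad is not None:
                return "corrupt", [f"CRC or header error in {bad}"]
            names = zf.namelist()
            mime = ""
            if "mimetype" in names:                # OpenDocument keeps its MIME type as a member
                mime = zf.read("mimetype").decode("ascii", "replace").strip()
    except zipfile.BadZipFile as exc:
        return "invalid", [str(exc)]
    if mime.startswith("application/vnd.oasis.opendocument"):
        return f"OpenDocument ({mime})", names
    if mime.startswith("application/vnd.sun.xml"):
        return f"StarOffice / OpenOffice.org 1.x ({mime})", names
    if "[Content_Types].xml" in names:             # Office Open XML package
        for prefix, kind in (("word/", "Word 2007+ (.docx)"),
                             ("ppt/", "PowerPoint 2007+ (.pptx)"),
                             ("xl/", "Excel 2007+ (.xlsx)")):
            if any(n.startswith(prefix) for n in names):
                return kind, names
        return "Office Open XML (unknown application)", names
    if "META-INF/AIR/application.xml" in names:    # assumption: AIR descriptor path
        return "Adobe AIR package (.air)", names
    return "plain ZIP archive", names


def make_sample(kind: str) -> bytes:
    """Constructed minimal packages (stored, not deflated) for exercising identify_zip."""
    members = {
        "docx": [("[Content_Types].xml", "<Types/>"), ("word/document.xml", "<w:document/>")],
        "odt": [("mimetype", "application/vnd.oasis.opendocument.text"),
                ("content.xml", "<office:document-content/>")],
    }[kind]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members:
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    blob = b"\xff" * 5 + make_sample("docx") + b"slack" + make_sample("odt")
    pos = blob.find(LOCAL_SIG)
    while pos != -1:
        archive = carve_zip(blob, pos)
        print(pos, identify_zip(archive)[0])
        pos = blob.find(LOCAL_SIG, pos + len(archive))
```

Searching forward for the first EOCD record after the local header is a deliberate choice for carving: the central directory of a ZIP sits at the end, so an archive that lost its tail is reported as invalid rather than being mis-sized to the next archive's EOCD record.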
DataDump allows you to dump segments of data from an original source image or physical/logical device. It can be accessed from Blade® by selecting Tools » Dump Data. It can be used for the following:
- Extract a stream of binary data from a source image or logical device
- Convert an entire image or a segment of an image to a single flat file
- Extract binary chunks of data from files, images or physical/logical devices
- Extract a partition from a source device as a single binary file
- Hash the output data using MD5, SHA-1, SHA-256 or SHA-512
Windows Jump Lists
The Jump List file format for Windows 10 has changed. Blade® has been updated to take this into account.
To examine the full change log for this version, please see: Change Log v1.12.
One of the goals for this release was to update the Blade® recovery engine. In Blade® v1.10 we updated the search engine with the specific aim of making it much faster and more capable; in that version we introduced parallel processing and an SQLite database back end. In this release we have re-engineered the recovery/extraction engine and are very pleased to report that we have increased both its speed and its reliability.
In previous releases we would sometimes experience Out of Memory exceptions and application hangs when dealing with extremely large files. This issue has now been resolved. Blade® is now considerably more stable during the recovery phase and can deal with extremely large data. As a consequence, the maximum file size parameter in the recovery profiles, previously capped at 400 MiB, can now be set as high as 8 GiB.
We are always looking for new and improved recovery profiles to include with Blade®. If you have written a profile and wish to share it, please contact us so we can add it to Blade® in a future release. In Blade® v1.11 we have added some new profiles and updated some existing ones. The Waveform Audio File Format recovery profile has been updated and fixed. We have also added profiles for little- and big-endian TIFF files.
The full change log can be found here: Change Log v1.11
SQLite Database Recovery
SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. It is the most widely deployed SQL database engine in the world and SQLite databases can be found on almost every digital device we may wish to examine. Our SQLite database recovery profile utilises Intelli-Carve® technology to find and extract SQLite databases. The recovery engine understands the structure of SQLite databases and can verify the integrity of the database during the recovery process.
As each database is recovered, it is checked for integrity. Any database which fails the integrity check is copied to a separate folder so that it may be manually checked at a later date. Any databases which are not fully recovered are also copied to a separate folder so they may be manually checked at a later date. All databases which pass integrity verification are copied to the main folder so that they may be examined first.
The data validation log keeps track of which databases failed the integrity check and also logs the reasons for their failure.
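An added example, not Blade®'s code, that implements the sorting policy just described: each carved blob has its 100-byte SQLite header checked (magic string, power-of-two page size, and the in-header page count, which is only trusted when the change counter at offset 24 matches the version-valid-for number at offset 92); complete databases are then run through `PRAGMA integrity_check` and land in `verified/`, incomplete ones in `partial/`, and anything that fails in `failed/`, with the reason returned so it can be logged. The sample database, its truncated and corrupted copies, and the output folder are all constructed here.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def sqlite_header_check(data: bytes):
    """Parse the 100-byte header; returns (page_size, expected_file_size or None)."""
    if len(data) < 100 or not data.startswith(SQLITE_MAGIC):
        raise ValueError("missing 'SQLite format 3' magic")
    page_size = struct.unpack_from(">H", data, 16)[0]
    if page_size == 1:
        page_size = 65536                          # the header encodes 65536 as 1
    if not 512 <= page_size <= 65536 or page_size & (page_size - 1):
        raise ValueError(f"page size {page_size} is not a power of two in [512, 65536]")
    change_counter = struct.unpack_from(">I", data, 24)[0]
    page_count = struct.unpack_from(">I", data, 28)[0]
    valid_for = struct.unpack_from(">I", data, 92)[0]
    expected = page_size * page_count if page_count and change_counter == valid_for else None
    return page_size, expected


def classify_recovered_db(data: bytes, name: str, out_dir: str):
    """Sort one carved database into verified/, partial/ or failed/; returns (status, reason)."""
    try:
        page_size, expected = sqlite_header_check(data)
    except ValueError as exc:
        status, reason = "failed", str(exc)
    else:
        if expected is not None and len(data) < expected:
            status, reason = "partial", f"{len(data)} of {expected} bytes recovered"
        elif len(data) % page_size:
            status, reason = "partial", "length is not a whole number of pages"
        else:
            status, reason = "ok", "integrity_check ok"
            staging = os.path.join(out_dir, name)  # write out so SQLite itself can check it
            with open(staging, "wb") as fh:
                fh.write(data)
            try:
                con = sqlite3.connect(staging)
                try:
                    rows = [r[0] for r in con.execute("PRAGMA integrity_check")]
                finally:
                    con.close()
                if rows != ["ok"]:
                    status, reason = "failed", "; ".join(rows)
            except sqlite3.DatabaseError as exc:     # malformed image errors surface here
                status, reason = "failed", str(exc)
            os.remove(staging)
    folder = {"ok": "verified", "partial": "partial", "failed": "failed"}[status]
    os.makedirs(os.path.join(out_dir, folder), exist_ok=True)
    with open(os.path.join(out_dir, folder, name), "wb") as fh:
        fh.write(data)
    return status, reason


def make_sample_db(rows: int = 300) -> bytes:
    """Constructed sample database with 1024-byte pages and a few thousand bytes of rows."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 1024")
    con.execute("CREATE TABLE visits(id INTEGER PRIMARY KEY, url TEXT, ts INTEGER)")
    con.executemany("INSERT INTO visits(url, ts) VALUES (?, ?)",
                    [(f"https://example.test/page/{i}", 1600000000 + i) for i in range(rows)])
    con.commit()
    con.close()
    with open(path, "rb") as fh:
        data = fh.read()
    os.remove(path)
    return data


def run_demo() -> dict:
    """Classify a good, a truncated, a corrupted and a non-SQLite blob; returns {name: (status, reason)}."""
    out_dir = tempfile.mkdtemp(prefix="sqlite_recovery_")
    good = make_sample_db()
    page_size, _ = sqlite_header_check(good)
    corrupted = bytearray(good)
    corrupted[page_size:2 * page_size] = bytes(page_size)   # wipe page 2, the table's root page
    samples = {
        "history.sqlite": good,
        "history_truncated.sqlite": good[:3 * page_size],
        "history_corrupt.sqlite": bytes(corrupted),
        "not_a_db.bin": b"\x00" * 4096,
    }
    return {n: classify_recovered_db(blob, n, out_dir) for n, blob in samples.items()}


if __name__ == "__main__":
    for name, (status, reason) in run_demo().items():
        print(f"{status:8} {name}: {reason}")
```

Incomplete databases are deliberately not passed to `integrity_check`: a truncated file will fail it for reasons that say nothing about what survived, and keeping it in `partial/` with the recovered-bytes figure is more useful to the examiner than a generic "malformed" verdict.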
Jump List Recovery
Jump Lists are an interesting and common forensic artefact found when examining Microsoft Windows 7 or 8 systems. They are a Taskbar feature that allows the user to quickly reach recently accessed files and the actions associated with a particular application.
Automatic Jump Lists (.automaticDestinations-ms files) are created by the operating system. These files are OLE Compound Files in which each stream holds a Windows Link File (LNK) structure. There is also one special DestList stream which holds the Most Recently Used (MRU) or Most Frequently Used (MFU) information for each of the Link File streams.
Our Jump List recovery profile deconstructs Automatic Jump Lists and for each Link File stream it writes out the recovered information to either CSV or Excel Specific CSV. The corresponding DestList information is prepended to each CSV Link File record. The user can also decide whether each Link File structure from the original source is also written out.
Other New Features
We have changed the way Blade® searches for artefacts and have implemented parallel processing, which allows us to use more CPU cores. This should considerably increase searching performance when multiple data recovery profiles are selected. We have also added support for installing Blade® on Microsoft Windows 8. In relation to supported image types, we have added native support for EnCase® 7 ex01 image files.
Another important change in this version is a major upgrade to the recovery engine. Previously, Blade® would struggle to deal with the recovery of millions of files; this is no longer the case.
The full change log can be found here: Change Log v1.10
We are pleased to announce the release of Blade v1.9.
This release of Blade® brings a number of fixes and some great new features. This is the first release of Blade® to have evaluation capabilities which allow the user to test and evaluate our software for 30 days. When Blade® is installed on a workstation for the first time (and a valid USB dongle licence is not inserted) the software will function in evaluation mode.
The following list contains a summary of the new features:
- Support for Advanced Forensic Format (AFF®)
- Hiberfil.sys converter - supports XP, Vista and Windows 7, 32- and 64-bit
- Accurate hiberfil.sys memory mapping, not just Xpress block decompression
- Hiberfil.sys slack recovery
- Codepage setting for enhanced multi-language support
- SQLite database recovery
- 30 Day evaluation version of Blade® Professional
- New recovery profile parameters for more advanced and accurate data recovery
- Support for Logicube Forensic Dossier®
- Support for OMA DRM Content Format for Discrete Media Profile (DCF)
We have also been working on the data recovery engines to make them more efficient and much faster than before. The searching speed has been significantly increased.