Архив группы, в которой осуществляется поддержка пользователей и обмен опытом использования UFS Explorer для восстановления данных между специалистами из различных организаций.
Для присоединения к группе перейдите по ссылке (@ufs_explorer_support_ru).
Если интересует консультация именно специалистов R.LAB, то её можно получить на нашем форуме или через телеграмм-бота @rlabsupportbot.
советую использовать выражение sector-by-sector иначе я попрошу считать какой-нибудь случайный бит с жесткого диска
или есть выражение "посекторная копия" или имидж диска
❯ В смысле глупости? Это принятое, формализованное, технически корректное и допустимое словосочетание в DFIR и eDiscovery комьюнити 💁🏻♀️
И да, я из другого "комьюнити"
Ребят не ссорьтесь, не знаю какие термины в каких комьюнити , но когда-то использовалось понятие побитовая копия как полная копия со служебной информацией и контрольными суммами , а посекторная или постраничная как копия используемой информации поэтому до сих пор думаю есть оба понятия
❯ Ребят не ссорьтесь, не знаю какие термины в каких комьюнити , но когда-то использовалось понятие побитовая копия как полная копия со служебной информацией и контрольными суммами , а посекторная или постраничная как копия используемой информации поэтому до сих пор думаю есть оба понятия
Никакой ссоры. Вполне обычный и обыденный диалог людей из разных комьюнити 💁🏻♀️
❯ советую использовать выражение sector-by-sector иначе я попрошу считать какой-нибудь случайный бит с жесткого диска
Данный совет применим в весьма и весьма редких случаях. По объективным причинам как на русском, так и на английском языке уже достаточно давно стараются не использовать выражения "посекторное копирование" или "посекторная копия" | (sector-by-sector copy или sector-by-sector clone). Ни один в мире форензикатор|DFA (специалист в области КИ и КТЭ) без существенных уточнений не будет использовать выражение "посекторная копия" (sector-by-sector copy) или другие производные от данного выражения. И эта тенденция характерна не только для указанных мной комьюнити, но и для целого ряда смежных. BtW: в графическом интерфейсе UFS используется как формулировка "bit-to-bit disk image file", так и "Specific sets of sector ranges to include/exclude from the image". Когда я указала, что речь идёт о побитовой копии, то даже в рамках нейминга в UFS вполне конкретно было понятно о чём именно идёт речь.
Для максимальной наглядности та ситуация, которую я описывала ранее💁🏻♀️
📎 /m/tga/ufs_explorer_support_ru/document/2203/1623_rep-ufs-img.jpg9.6 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Updated function of opening LVM thin-provisioned volumes: - Added interface to choose from volumes, defined in text configuration; - Support of QNAP thin volumes implemented via Tier/Thin technology (tiering is not supported); - Support of segmentation for thin-provisioned volumes; - Opened volume now contains proper LVM ID, name and Unix-path;\* Added support of WD Apollo 'cloud storage'; * Added activity monitor for DeepSpar USB Stabilizer/Guardonix; * USB Stabilizer/Guardonix configuration: added option for 'Auto-repower by UFS Explorer'; * Disk imaging with DeepSpar USB Stabilizer: - Added explicit configuration of re-power options for read timeout and read errors; - Error recovery after 'storage loss' now includes re-power cycle; * General disk imaging: - Fixed issue with handling error of creation of plain disk image file; - Fixed support of 4GB image chunk size on FAT32 target file system; * Restoration of file/folder attributes (hidden flag, permissions etc.) was made optional; * Mac software version now comes with native Apple Silicon CPU support and requires macOS 10.15 or later. ---------------------- Release summary: Version: 9.6 Last update: 11.04.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
9.7 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Linux LVM recovery module: - Added 'address translation' of found text configurations to the base storage; - Found text configuration now can be displayed with embedded viewer; * Added basic support of LVM thin-provisioned volumes (Linux only) via 'Find LVM' tool; * In Disk imager: - Added option to shut down the source after completion (when power control is available); - 'Entry name' field for EnCase format now can be customized (by default is the same as file name); * Reworked operations with defect maps: - Updated 'map loader' GUI (more obvious configuration, added map preview function); - Software now enables file-based maps (when possible) to speed up loading and reduce memory usage; - New type of storage object with applied map now supports indication of imaged/defect/free spaces; * Fixed some reported bugs/issues: - In hex viewer: incorrect base position for 'big block search', loss of colorer function for cached data; - File system module: silent crash bug with bad F2FS; - Handling of soft-defect blocks: extending of file map to whole block in scan result; - LUKS decryption: using of SHA512 for hash function caused problems with decryption; - Some minor GUI-related issues (under Windows OS). ---------------------- Release summary: Version: 9.7 Last update: 12.05.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
9.8 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Added tool and tab for displaying of a map of block states (defects) applied to a storage; * Map of block states is now integrated with Explorer and with the 'Go to content'/'Go to descriptor' tools; * Added 'View map of file' function (displays the imaging status of a specific file); * Information about defect blocks, recognized by a pattern now can be saved (cached) to a map file; * Loading of maps of sector states (defective sectors): - For maps in the ACE Lab format, added automatic section of sector size using the map size to drive size ratio; - When the ACE Lab RAW map format is selected, software now also recognizes the range-based format (to avoid mistakes); - For drives with DDI metadata: added an option to enable an external map of defective blocks; * Block state information is now also passed to 'sub-range', 'transformed' and RAID0/RAID1/JBOD storages; * Fixed bug with scan of chunks on VMFS6; * SDLSP and VHDX image file formats now preserve information about the source storage (name and ID); * Date/time entry fields replaced with the date/time selection dialog; * In hex viewer, the 'hex search' function: - Added a function to pause it to release the source storage for other operations; - When stopped, the last searched position is stored as 'Next location' to allow a jump to it; * NTFS file system: fixed issue with support of very fragmented files when the FileName attribute is outside of the main MFT entry; * Fixed bugs with creation of big VHDX files (over 4TB); * General modifications of maps of block states/defects: - Native 'sdmf' map format is changed to the "sparse" format for better speed and lower storage usage; - Reworked internal functions of the disk imager tool to support the sparse format; - Information about the source storage is now saved to a map and is displayed when the map is loaded; * SDLSP and VHDX image file formats now preserve information about the source storage (name and ID). ---------------------- Release summary: Version: 9.8 Last update: 10.06.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
❯ 9.1 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Added Drive/Bridge Security tool: - Decryption of WD drives encrypted with JMS538E, Inic-1607E, OXUF943SE and SW6316 USB bridges; - Support of key block detection both on storage area and in SMART Log pages; - Support of standard AES-256 ECB mode (also AES-128/256 ECB/CBC/XTS modes, depending of chip); - Unlocking of password-locked WD drives (no need to install and run WD Security software); * emulation by pattern recognition in 'read ahead' mode now uses cache (for speed); * Support of macOS ".sparsebundle" disk image format (open as disk-on-disk storage); * Microsoft Data Deduplication: - Software now automatically asks to open and enable MSDDD when file system is opened; - Fixed support of big (over 1GB) files deduplicated with Windows Server 2012/2012-R2; - Fixed issue with opening files from relocated segments; * Decryption of encrypted Apple DMG disk images (version 2/'encrcdsa' format); * Fixed bug with data caching in hexadecimal editor; * Recovery of lost address translation leafs in Btrfs scan (for correct deleted data recovery); * FS with address translation (Btrfs) is now supported for 'status indication' in Explorer; * File and Folder hardlinks deduplication is now made optional; * Fixed few issues with disk imager (corrected number of retries, read block size etc.) ---------------------- Release summary: Version: 9.1 Last update: 18.10.2021 Type of update: major ---------------------- Find more information about this software on the program web site.
Начиная с версия 9.1 в UFS есть возможност разшифроват WD на базе JMS538E, Inic-1607E, OXUF943SE и SW6316. Информация в виде видео ролики есть, но они для Битлокер, верактипт и т.д. Собственно вопрос по OXUF943SE. Как процесс запустить?
Там кнопка наверху детект, оно если найдёт ключ на поляне или в Са само предложит
Ну и для оксфорда самому не мешает проверит наличие ключа
Большое спасибо! Нашел в TOOLs> Bridges/Security.
❯ Ну и для оксфорда самому не мешает проверит наличие ключа
Ключ нашел как на блинах, так и на внешней РОМ. Прикольно что UFSом раздел без лишних вопросов открил. А вот другой комерчиский продукт просить пароль.
Это какой продукт пароль спросил ? Лаба кмк оксфорд неумеет
Дата Екстрактор
Как минимум лаба опознала мост .
9.9 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Added 'activity monitor' tool to display the activity of the software instance with disks; * iSCSI support: - Initiator (client) now doesn't require multi-host/cluster mode and works on single connection; - The Target (server): fixed several network communication issues; * Microsoft Storage Pools (Storage Spaces): - Added support of 'Parity of mirrors' internal configurations; - Added support of 'Three-way mirror' configurations (when the number of components is a multiple of three); - Basic support of so-called 'dual parity' on Windows Server 2012R2 (also with adaptive reconstruction with single missing); - Fixed bug with 'Two-way mirror' (in span, not rotation mode), created on Windows Server 2016 and later; * When image file has associated map of defects, added automatic recognition of presence of that map: - Software asks to load associated 'Attr.map' for 'TaskImage.bin' when it is present in the same folder; - Added support of saving of map association to image files in VHDX format and software asks to load the map if the file is found; * Software now uses 'storage with map' icon for 'defects recognition' and SDLSP with enabled internal map of block states; * Linux software version: - Addes support of indication of OwnerID/GroupID for Btrfs, EXT2-4, UFS1-2, XFS and ZFS; - OwnerID/GroupID is also preserved for scan results of these file systems; - OwnerID/GroupID can also be preserved when data is copied (when copying of 'standard' attributes is enabled); - Fixed one scenario of GUI-related crash bug; * Fixed few bugs related to XFS file system scan; * Updated HFS+ scan procedure to support file system recovery when main metadata locations are wiped; * Updated Btrfs file system scan procedure for finding fragments of very fragmented deleted files; * Fixed issues with support of text LVM configurations created by CentOS 8. ---------------------- Release summary: Version: 9.9 Last update: 11.07.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
Добрый день. К сожалению, его нынче не купить. Попробуйте воспользоваться R. Saver.
Купите английскую версию
9.10 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Added a tool to open Microsoft Storage Space volumes manually (to select metadata source and volume); * Assembled Storage Space volumes now provide sector map information (allocation and defects, if available); * Reworked RAID1E module: added support of multiple missing drives and optimized data access procedure; * Rework to Microsoft Storage Spaces module: - Reworked procedure of automatic assembly of volumes to use only the latest version of metadata; - Automatic assembly of volumes is now made optional (it can be disabled in the settings); * Scan result (VRFS) now also can be saved from context menu of the root folder of a scan result; * Added support of map files (log files) created by GNU ddrescue; * Using of maps of defect blocks: - Support of maps after storage transformation/remapping (e.g. for BitLocker encrypted volumes); - Indication of defects on assembled RAID1E when pair of components missing or contain map of defects; - Software-generated defects now do not interrupt quickly the partition detection procedure; * Update to ReFS3 scan: fixed a couple of bugs in the scan completion procedure; * Update to FAT32 scan: better file system recovery when superblocks are lost AND FAT tables are damaged; * Simplification to disk imager: single 'location' for metadata and automatic creation of log/map files; * BitLocker decryption now supports multiple recovery keys (when available) for the same volume; * For BitLocker-encrypted volumes, partition properties panel now displays properties of encryption. ---------------------- Release summary: Version: 9.10 Last update: 21.09.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
9.11 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * Added possibility to import existing (completed or 'in progress') images to 'imaging tasks' of UFS Explorer; * Minor re-arrangements to 'imaging task' UI; * In the Manager of Storage Spaces: the display of the list of participating disks has been added (from loaded metadata); * Tool for applying 'delta' was modified to: - Exclude storages with capacities that don't match to delta file; - Select the last component with the matching ID (if available); - Remove this option from context menu of base (not differencing) VHDX; * In disk imager: - Target write speed (in MB/sec) is replaced with more informative indication (Slow/Normal/Good), relative to the overall copying process; - Replaced window for 'disk lost' notification with automatic 'yes' response to 'retry' request after 60 seconds of inactivity; - Fixed bug in handling of SDMF map tail; * In LVM manager: when there is a problem opening thin LVM volume, added detailed error message with indication of problem on the metadata area; * Few fixes and minor update to 'search partitions' dialog; * Added indication of encryption information for APFS encrypted volumes and LUKS; - This indicator now also can be used to start decryption dialog; * Storage ID for VHD and VHDX now contains their GUID value (Write GUID for VHDX); * Added indication of parent virtual disk for delta-file of VMDK, AVHD and AVHDX formats: - All formats include indication of the 'parent path' hint; - Microsoft AHDX and AVHDX files also indicate GUID of parent virtual disk. ---------------------- Release summary: Version: 9.11 Last update: 25.10.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
Helo all
❯ Helo all
Hi
Кто-то подскажет, по какому принципу часть файлов выделена зеленым цветом?
Шифрование ?
нет
В зависимости от атрибутов файлов скорее всего.
Проверил. Одинаковые атрибуты у черных и зеленых
Может ntfs сжатие?
Примонтировать не могу, чтобы проверить, но содержимое не сжатое. И еще, для понимания, это NTFS со SPAN диска.
Это хард линки
Файловая то какая?
🤝 Спасибо! NTFS
9.12 http://www.sysdevlabs.com/download/ufsxpci.exe https://www.ufsexplorer.com/ufs-explorer-professional-recovery.php * TrueCrypt/VeraCrypt: - Added support of 'chained' encryptions (such as AES over TwoFish etc.); - Added support of VeraCrypt PIM (non-system volumes); * Reworked dynamic HTML report to different data model: this allows to open it much faster and to support hard links; * In the 'Open thin-provisioned LVM volume' tool: - Opening of volumes with damaged metadata is now made optional (it is possible to cancel it after notification about an error); - Added the dialog window to display error location (with possibility to copy the offset) and with the option to open error location in hexadecimal viewer; - Sub-partitions or encryption on the start of LVM data volume now don't mask it from detection by this tool; * Activation of a LUKS-encrypted partition now activates the decryption procedure; * Default 'activate' action for a BitLocker partition is now changed to 'decrypt' with automatic opening of the decrypted partition (on success); * List of file copying events is now limited to prevent uncontrolled memory consumption: - Added configuration for maximum number of log records; - In case of log overflow, added configuration how to handle it (stop logging, remove old items, log to a file); * Added BitLocker properties indication for an incompletely decrypted BitLocker; * In the scan finalization GUI now added more detailed indication of currently running operations, including number of found files; * Added support of empty folders in scan results (to recover folder structures without files); * NTFS file system scan: - Added support of recovery of empty files, including files with only named data streams; - Added procedure of restoration of lost file placeholders when there is no file descriptor (only a reference from a directory index); * EXT3/4 file systems: - Added support of empty folders and files of zero size in scan result; - Fixed few issues with processing of journal and file names recovery; * In disk imager: added support of import/export for lists of imaging ('include'/'exclude') fragments. ---------------------- Release summary: Version: 9.12 Last update: 07.12.2022 Type of update: major ---------------------- Find more information about this software on the program web site.
Здравствуйте! Очень нужна помощь. Готовы заплатить. Случайно удалили виртуальную машину VMware. Сервер сразу остановили, подключили дополнительный диск, поставили на него WIndows и UFS Professional Recovery 9.12. Данные разбросаны по четырем физическим жестким дискам. 2 диска SATA по 4 Тб и 2 диска NVMe по 2 Тб. Нужные SQL базы сканирование показывает, но при восстановлении они оказываются битыми, не загружаются в SQL. Хотя внешне файлы выглядят нормально, имеют размер. Многие мелкие файлы текстовые, катринки, таблички нормально открываются. Пробовали восстанавливать другими программами R-studio, Resorer Ultimate, Easy Recovery - результат тот же.
Вы сканом цепляете виртуальную машину как один файл(кусок) а сначала нужно ее собрать из кусков , и потом уже сканить . Ну и вопрос, а сколько там было ещё виртуальных машин и были ли ещё дельта файлы ?
❯ Вы сканом цепляете виртуальную машину как один файл(кусок) а сначала нужно ее собрать из кусков , и потом уже сканить . Ну и вопрос, а сколько там было ещё виртуальных машин и были ли ещё дельта файлы ?
Всего было 6 виртуалок. Удалили 2 из них.