Tailored Cyber Security.

Here Comes Fissure!

Have you ever accidentally cleared a whole SD card of vacation pictures on your way home? Deleted a copy of your master’s thesis? If you have, then I promise you’ve wanted whatever you deleted back. Enter Fissure. What is it?

Fissure is a file recovery software that works in a different way than most forensic/file recovery products. Warning: I’m going to get technical. We’ll start at the beginning. Your hard drive is organized by a file system. If you’re on Windows it’s more than likely that your filesystem is NTFS. It could be FAT/FAT32/exFAT but probably NTFS. Here’s the good news, Fissure doesn’t care.

Now that you have the simple background down, here’s how the other tools work. NTFS has what’s called a Master File Table (MFT). In that partition of the filesystem it keeps all of the file names and where they’re located on the disk and how long they are. This lets Windows piece together all the files and display them for you. When you delete a file it’s actually only marked for deletion in the MFT. It gets a special marker on it’s name to tell the file system that it can write over the spot on the hard drive that the actual data resides. This is important point numero uno. If you delete something, the sooner you try to recover it the more likely it is that you’ll actually be able to revive it. If you were to wait the file system will, in time, write over the data thus making it impossible to recover.

I say impossible but there were some crazy researchers that actually shaved the metal off of a hard drive and figured out the polarity of different segments of the physical drive. Thus piecing together some data. Fissure won’t be doing any shaving or checking of magnetism.

Next, most file recovery programs will read the MFT for the filename and location on disk. This is super efficient. However, it’s also a shortcut. Have you ever right-clicked a drive in My Computer and clicked “Format” to wipe everything on the disk? If so, have you ever wondered what the checkbox for “Quick Format” does vs. a non-quick format? Simply put, a quick format doesn’t erase any actual data. It just marks the entire disk for deletion. However, it does this by erasing the MFT instead of marking each file with the special mark. Thus, a vast majority of the file recovery programs out there won’t survive through even a quick format. A full on format will actually delete all of the data off the disk. I won’t claim to be able to recover data after that. However, the method Fissure uses can recover data after even a quick format.

How does Fissure do it? Well simply it will read the disk (no matter what filesystem is on it) in a raw bit-by-bit fashion. Each filetype (.png, .jpg, .docx, etc) has it’s own file header. A file header is a couple of characters that signify the beginning of the file. You won’t see these when you open say a .docx file with Microsoft Word because they’re binary bits of data. However, Fissure will find them. This allows Fissure to piece files back together independent of filesystem entirely.

But wait, there’s more! It’s fast. Like really fast. Fissure found 4,348 images (I didn’t include documents in this search) on my primary hard drive partition (C:\) of 190 GB in less than 3 minutes. Fissure was intended on being used on flash drives, SD cards, etc that probably aren’t more than 64 GB. However, apparently it does a pretty good job with bigger drives. With that being said, Fissure won’t let you search for some specific file. It will just search for all the files that exist physically on your disk but available to you via normal Windows tools. This means it’s going to potentially pull back a lot of erroneous files. You may still need to sift through the return to find what you need. It also won’t find the file’s name because of how it finds it. The file name is kept in the MFT which as previously stated, Fissure cares not about.

Fissure will be available in the Fracture Security store for rent. You’ll be able to use it for 24 hours as many times as you need. There is no guarantee Fissure will find what you’ve deleted but if something will, Fissure is the tool.

 

Filetypes it can attempt to recover:

Images: JPG, PNG, GIF, BMP

Documents: PDF, RTF, DOC(X), XLS(X), PPT(X)

Media: WAV

Leave a Reply