File Filter

File selection and filtering functions

There are many occasions when files have to be restored from corrupted media, and often not all of the files are required, or perhaps only a few are. If all files are restored, and perhaps copied onto DVDs as a backup, a lot of space may be wasted on temporary files that are never required. The file filter lets the user choose which files to restore, and which to ignore.

The requirements for which files to restore vary with the application. For a home user, it may only be necessary to restore pictures and word processing documents, and there is definitely no requirement to restore any temporary internet files. For a police or forensic investigation, temporary files and swap files are very important, as are files that have been renamed to try to hide their origin. However, for forensic users it is useful to eliminate operating system files that have not been changed. The CnW File Filter allows these different modes of operation to be selected, and logged.

There are several elements to the file filter, so that files may be selected or skipped in different ways. Whenever a selection has been made, it may be saved and used at any time.

Selection by date
All files on disks have at least one date associated with them. Most forms of media actually have three dates: creation, modified, and accessed. By selecting files by date it is possible to restore, for instance, only files that were changed in the week before a disk crash. A forensic investigator may be interested in files that were created at a certain time. CnW Recovery software allows selection of dates, or date windows, for all three standard date types. Date selection may be:

Date before a set date
Date after a set date
Date between two set dates
Date outside two set dates
A date test is done on a daily basis, and so hours, minutes and seconds are ignored.

Selection by directory
When recovering a damaged PC, most users do not want all the files back. Typically temp files, which can be very numerous, can be skipped, so one may choose to skip the ‘Temporary Internet’ directory and all ‘temp’ directories. Some users may decide not to recover Windows or ‘Program Files’. The file filter allows the directories to be skipped to be entered into a table, including wildcard characters.
Selection by directory can work in one of two ways: choose the directories to copy from, or choose the directories to skip.

Selection by file name
Selection by file name is very similar to the directory selection above. File names are entered into a list, allowing for wildcard characters, e.g. Peter* for all files starting with the letters Peter. Again the choice is to select, or skip, the files that match the name. It is quite acceptable to set directories to skip, and files to include. Uses of the name filter may include making sure that certain working files are not restored. For a normal recovery, pagefile.sys is a large file with no useful information, while for a forensic investigation it may be a very valuable file. At other times, it may be required to restore just jpeg, bmp and tif files, and all others can be ignored.

Selection by MD5 hash value
A file's hash value is effectively unique to its content. Thus, by having a table of hash values for files, they can be matched by file content rather than by file name. A simple application of this can be seen when forensically investigating a disk. By using a hash table of all standard operating system files, these files will not be restored unless they have been changed in any way, i.e. even a single changed bit will cause the hash value to be different. Tables of file hash values can be found at

https://www.nsrl.nist.gov

By using these tables as part of the file filter, all known files can be skipped, as long as they have not been changed in any way. Files may be downloaded and processed via “Import NSRL hash tables” in the Tools menu.
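
The following is an added example, not CnW Recovery's own code, showing how the four selection types described on this page can combine into one restore decision, with a reason returned for logging. The function names, the rule layout, the order of the tests and the inclusive bounds for "between" are assumptions; the hash set is built from constructed sample content rather than a real NSRL table.

```python
import fnmatch
import hashlib
from datetime import date, datetime
from pathlib import PureWindowsPath

def date_matches(stamp, mode, d1, d2=None):
    """Day-granularity test, time of day ignored (inclusive bounds are assumed)."""
    day = stamp.date()
    if mode in ("between", "outside"):
        inside = d1 <= day <= d2
        return inside if mode == "between" else not inside
    if mode in ("before", "after"):
        return day < d1 if mode == "before" else day > d1
    raise ValueError(f"unknown date mode: {mode}")

def wild(value, patterns):
    """Case-insensitive wildcard match against a list of patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def decide(path, modified, data, rules):
    """Return (restore?, reason) so every decision can be logged."""
    p = PureWindowsPath(path)
    if any(wild(part, rules["skip_dirs"]) for part in p.parent.parts):
        return False, "directory skipped"
    if not wild(p.name, rules["include_names"]):
        return False, "name not selected"
    if not date_matches(modified, *rules["modified"]):
        return False, "date outside window"
    if hashlib.md5(data).hexdigest() in rules["known_md5"]:
        return False, "known file, unchanged"
    return True, "restore"

# Constructed sample data: contents, paths and dates are made up for the demo.
STOCK = b"stock wallpaper shipped with the OS"
RULES = {
    "skip_dirs": ["Temporary Internet*", "temp"],
    "include_names": ["*.jpg", "*.bmp", "*.tif"],
    "modified": ("between", date(2024, 3, 1), date(2024, 3, 7)),
    "known_md5": {hashlib.md5(STOCK).hexdigest()},  # stands in for an imported hash table
}
EDITED = bytes([STOCK[0] ^ 0x01]) + STOCK[1:]  # same file with a single bit flipped

if __name__ == "__main__":
    when = datetime(2024, 3, 7, 23, 59, 59)  # last second of the window's final day
    for path, data in [(r"C:\Windows\Web\img0.jpg", STOCK),
                       (r"C:\Windows\Web\img0.jpg", EDITED),
                       (r"C:\Users\pat\AppData\Local\Temp\cache.jpg", EDITED)]:
        print(path, decide(path, when, data, RULES))
```

The unchanged stock file is skipped by its hash, while the copy with one flipped bit no longer matches the table and is restored.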