June 8th, 2007, 01:11 PM
Haha Moria. Merge the threads!
June 8th, 2007, 03:27 PM
This is actually a serious forensics question, even though the circumstances might belong in a humour thread. It's just Mark's posting style, and you obviously don't know him like I do.
A lot depends on how the original deletion was carried out and how the recovery tool tries to work.
If a proper deletion tool was used it will have deleted the file names, overwritten the files and overwritten the cluster nodes and slack space. You will recover nothing
If it was a straightforwards Windows deletion then you should be able to recover it, as the file names and content should still be there. Only the index of files has been removed and the filespace has been allocated as available. That is why you should not use the drive until you have completed the recovery, as you will overwrite the data.
The tool I suggested was Roadkil's "Unstoppable Copier". It does what it says on the box, even for screwed up and damaged HDDs. It won't work for drives that won't spin, you need to use other techniques there.
What it gives you is a reconstituted picture of every file and partially recoverable file on the drive. It works for Windows and Linux.
What worries me is the file names "XXXXXXXX.XXX". Now, if that is just the index, then the file names may still be there?. I can understand On-Track (which is a forensics tool rather than a data recovery one) not spotting it, as Windows will recreate the directory when you reboot it AFAIK.
The tool that was used to attempt the recovery should not have done what it did. Or, at least it should have asked the user if they wanted to replace the existing files.
June 8th, 2007, 04:14 PM
oofki I'm not a moderator or I might
June 8th, 2007, 05:35 PM
I didnt realize that nihil, I didn't take the thread as a challenge. I guess because there was no direct question asked...
June 9th, 2007, 12:24 AM
If we set aside Mark's Glaswegian (largest city in Scotland) sense of humour we have:
Which is certainly a challenge if not "mission impossible"
Now we have 16000 files with cluster******.*** as the file names.
The extensions are incorrect as are the file names.
1. I am open to suggestion on other recovery methods for the original directory although even the mighty on-track suite doesn't see it as a deleted dir.
2. Any idea of any program that will auto associate the files correctly ?
I guess we would have to know more?
1. What sort of filenames are they and are they unique?
2. What are the current file extensions?
3. What are the applications that should open them?
4. Are they of a consistent format by file/document type?
5. Are they organised into directory groups (folders) and have these been preserved, and are they correct.
You see, recovering the file contents (if this is indeed possible) is only part of the battle if there are 16,000 of them. That would still leave the enormous task of correctly re-naming them, titling them and referencing them?
16,000 is one hell of a lot of documents for one guy, so I guess they must be small and be something like forms, e-mails or the like? I would also guess that the person has to be very much an offsite worker?........... after all why else have that many on your individual PC.
This may give us some hope, as an external worker would normally synchronise their laptop with a server when they call into the office. That bit should at least be backed up somewhere on site?
If we can recover the individual records and they do follow a strict format, then we could write a utility to read them and recreate the missing/corrupted data.
This is actually not that much of a biggie. Not so long ago, the Alaska State Government had to pay around $250,000 to have some 600,000 records re-entered from paper copies due to a similar sort of foul up
June 14th, 2007, 11:06 AM
nihil, its not 16,000 documents its 16,000 document fragments that need to be stitched back together.
note the file name "cluster" so, it might be that 100 of these make up one file.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
June 14th, 2007, 02:15 PM
If that is the case then "unstoppable copier" should do the job if the clusters are still cross-related.
June 19th, 2007, 09:46 AM
I am no Expert here and have not gone through any serious forensic investigation of lost data. However I think I know some of the basics. So I am sorry for providing no solutions. However I have got a question:
Nihil said that the data is recoverable if all the clustes are cross related. Well, I am not sure but I think this is what the statement means:
Since the data is spread over the hard disk in fragments (in most of the cases), the files whioch actually act like a liner set of bytes split into smaller data units more like a linked list are spread all over the disk (randomly). This makes the pointer of each unit to point to the next cluster where the next chunk of data from the same file resides on the disk.
Is this what is meant by cross related?
One more question: I am not sure about the I/O faculty of the different OSes on earth but is there a chance that an OS will prefer to split a 10 MB file into small chuncks and place them in the GAPS created by deletion of files thus frangmenting the 10 MB file or should it prefer to place it on the disk where the 10 MB of space is free in series so that the file remains contiguous.
"Everything should be made as simple as possible, but not simpler."
- Albert Einstein
By Ennis in forum Newbie Security Questions
Last Post: May 26th, 2011, 01:49 AM
By neohunk in forum Tech Humor
Last Post: November 19th, 2003, 12:40 PM
By whizkid2300 in forum Cosmos
Last Post: October 21st, 2003, 06:14 PM
By TURBOWEST in forum The Security Tutorials Forum
Last Post: September 23rd, 2002, 05:46 AM