Page 2 of 2 FirstFirst 12
Results 11 to 18 of 18

Thread: Stupid People Should Not Perform Recoveries !!!!

  1. #11
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    Haha Moria. Merge the threads!

  2. #12
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    This is actually a serious forensics question, even though the circumstances might belong in a humour thread. It's just Mark's posting style, and you obviously don't know him like I do.

    A lot depends on how the original deletion was carried out and how the recovery tool tries to work.

    If a proper deletion tool was used it will have deleted the file names, overwritten the files and overwritten the cluster nodes and slack space. You will recover nothing

    If it was a straightforwards Windows deletion then you should be able to recover it, as the file names and content should still be there. Only the index of files has been removed and the filespace has been allocated as available. That is why you should not use the drive until you have completed the recovery, as you will overwrite the data.

    The tool I suggested was Roadkil's "Unstoppable Copier". It does what it says on the box, even for screwed up and damaged HDDs. It won't work for drives that won't spin, you need to use other techniques there.

    What it gives you is a reconstituted picture of every file and partially recoverable file on the drive. It works for Windows and Linux.

    What worries me is the file names "XXXXXXXX.XXX". Now, if that is just the index, then the file names may still be there?. I can understand On-Track (which is a forensics tool rather than a data recovery one) not spotting it, as Windows will recreate the directory when you reboot it AFAIK.

    The tool that was used to attempt the recovery should not have done what it did. Or, at least it should have asked the user if they wanted to replace the existing files.

  3. #13
    Agony Aunty-Online Moira's Avatar
    Join Date
    Jun 2003
    Posts
    1,063
    oofki I'm not a moderator or I might
    77 111 105 114 97

    My PGP signature

  4. #14
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    I didnt realize that nihil, I didn't take the thread as a challenge. I guess because there was no direct question asked...

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well oofki,

    If we set aside Mark's Glaswegian (largest city in Scotland) sense of humour we have:

    Now we have 16000 files with cluster******.*** as the file names.

    The extensions are incorrect as are the file names.

    1. I am open to suggestion on other recovery methods for the original directory although even the mighty on-track suite doesn't see it as a deleted dir.

    2. Any idea of any program that will auto associate the files correctly ?
    Which is certainly a challenge if not "mission impossible"

    I guess we would have to know more?

    1. What sort of filenames are they and are they unique?
    2. What are the current file extensions?
    3. What are the applications that should open them?
    4. Are they of a consistent format by file/document type?
    5. Are they organised into directory groups (folders) and have these been preserved, and are they correct.

    You see, recovering the file contents (if this is indeed possible) is only part of the battle if there are 16,000 of them. That would still leave the enormous task of correctly re-naming them, titling them and referencing them?

    16,000 is one hell of a lot of documents for one guy, so I guess they must be small and be something like forms, e-mails or the like? I would also guess that the person has to be very much an offsite worker?........... after all why else have that many on your individual PC.

    This may give us some hope, as an external worker would normally synchronise their laptop with a server when they call into the office. That bit should at least be backed up somewhere on site?

    If we can recover the individual records and they do follow a strict format, then we could write a utility to read them and recreate the missing/corrupted data.

    This is actually not that much of a biggie. Not so long ago, the Alaska State Government had to pay around $250,000 to have some 600,000 records re-entered from paper copies due to a similar sort of foul up

  6. #16
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    nihil, its not 16,000 documents its 16,000 document fragments that need to be stitched back together.

    note the file name "cluster" so, it might be that 100 of these make up one file.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  7. #17
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    If that is the case then "unstoppable copier" should do the job if the clusters are still cross-related.

  8. #18
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Hi,

    I am no Expert here and have not gone through any serious forensic investigation of lost data. However I think I know some of the basics. So I am sorry for providing no solutions. However I have got a question:

    Nihil said that the data is recoverable if all the clustes are cross related. Well, I am not sure but I think this is what the statement means:

    Since the data is spread over the hard disk in fragments (in most of the cases), the files whioch actually act like a liner set of bytes split into smaller data units more like a linked list are spread all over the disk (randomly). This makes the pointer of each unit to point to the next cluster where the next chunk of data from the same file resides on the disk.

    Is this what is meant by cross related?

    One more question: I am not sure about the I/O faculty of the different OSes on earth but is there a chance that an OS will prefer to split a 10 MB file into small chuncks and place them in the GAPS created by deletion of files thus frangmenting the 10 MB file or should it prefer to place it on the disk where the 10 MB of space is free in series so that the file remains contiguous.
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

Similar Threads

  1. how stupid u r?
    By neohunk in forum Tech Humor
    Replies: 5
    Last Post: November 19th, 2003, 01:40 PM
  2. Drugs
    By whizkid2300 in forum Cosmos
    Replies: 20
    Last Post: October 21st, 2003, 06:14 PM
  3. how to be a hacker
    By TURBOWEST in forum The Security Tutorials Forum
    Replies: 4
    Last Post: September 23rd, 2002, 05:46 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •