June 29th, 2012, 02:16 PM
Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil or is there a software that can tell you that after recovering those pictures(all pictures on the hard drive)
It will show you deleted files, and what condition they are in from a recovery viewpoint. It does not look at cluster tips as far as I know. If the user has simply deleted the files and emptied the recycle bin then RECUVA is a good enough tool for the job.
I believe that you can with versions 5.0 and higher but if not, you can just select the partition. It is more of a bulk processing tool, and does find stuff in cluster tips, so I would be inclined to go for all partitions that have been used (I think you said c:/?) as you never know what you might find
I would use RECUVA first though.
The short answer is "no", Windows locks the file on bootup, so you have to find a work around:
3. With XP (not sure about Vista) go into Control Panel and Advanced Settings and change the "virtual memory" to manual and pick a different size...........this will move it to a new location (root of C:\ I think) but leave the old file there. Reboot and the old file will not be locked. If it is already manual then change it to "let Windows decide", as this will have the same effect apart from the unlocked file being in the other location.
Can i change it back after doing that so it is not seen by the user(the change)? What size to pick?
where is "Custom Size" or "System Managed Size"?
<Performance> [Click the "settings" button]
<Advanced> [Tab at the top]
<Virtual Memory> [Click the "change" button]
You have the choice of "Custom Size" or "System Managed Size" The size is in Megabytes.
I don't understand that. you said there is more than one file(pagefile.sys)
If the setting is for system to manage then give the custom size twice
the RAM amount in both boxes, then you will easily find which pagefile.sys is the old one............Windows will default to 1.5x
Where do i find this hidden part? Can i find it even if it was deleted?
They are a hidden part of a normal existing file, where there is any metadata. Office application files usually have metadata, as do pictures.
Would i be able to recover the pictures from their metadata?
How can i recover all of the browser history then?
Sorry, I don't think that you can with IE, as I don't believe that it makes automatic backups like FireFox? If it were done manually then only the user would know.
Can't you just open the .bak file and see what's in it with a software?
They could be anywhere just do a Windows search for *.bak, where * is a wildcard search parameter. They will be very large, as they are single files for each backup.
If you have made an exact mirror or clone of the original drive then just make a second one. Remove the existing drive and start reinstalling the backups, looking at what appears with each one.
If the user has simply backed up their files then this is simpler as you can do it on a spare machine and not get all the Windows DRM moaning that you would if they have done a complete system save.
All this assumes, of course, that you have the media to launch the backup........
What would be in it that wouldn't be in the computer?
By cheyenne1212 in forum Miscellaneous Security Discussions
Last Post: February 1st, 2012, 02:51 PM
By ThePreacher in forum Miscellaneous Security Discussions
Last Post: December 14th, 2006, 09:37 PM
By -DaRK-RaiDeR- in forum Newbie Security Questions
Last Post: December 14th, 2002, 08:38 PM
By Noble Hamlet in forum AntiOnline's General Chit Chat
Last Post: March 17th, 2002, 09:38 AM
By E5C4P3 in forum Miscellaneous Security Discussions
Last Post: March 7th, 2002, 07:35 AM