Urgent questions about recovering data and information - Page 3
Page 3 of 3 FirstFirst 123
Results 21 to 25 of 25

Thread: Urgent questions about recovering data and information

  1. #21
    Junior Member
    Join Date
    Jun 2012
    Posts
    7
    It will show you deleted files, and what condition they are in from a recovery viewpoint. It does not look at cluster tips as far as I know. If the user has simply deleted the files and emptied the recycle bin then RECUVA is a good enough tool for the job.

    I believe that you can with versions 5.0 and higher but if not, you can just select the partition. It is more of a bulk processing tool, and does find stuff in cluster tips, so I would be inclined to go for all partitions that have been used (I think you said c:/?) as you never know what you might find I would use RECUVA first though.
    Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil or is there a software that can tell you that after recovering those pictures(all pictures on the hard drive)

    The short answer is "no", Windows locks the file on bootup, so you have to find a work around:

    3. With XP (not sure about Vista) go into Control Panel and Advanced Settings and change the "virtual memory" to manual and pick a different size...........this will move it to a new location (root of C:\ I think) but leave the old file there. Reboot and the old file will not be locked. If it is already manual then change it to "let Windows decide", as this will have the same effect apart from the unlocked file being in the other location.

    Can i change it back after doing that so it is not seen by the user(the change)? What size to pick?



    <START>
    <Control Panel>
    <System>
    <Advanced>
    <Performance> [Click the "settings" button]
    <Advanced> [Tab at the top]
    <Virtual Memory> [Click the "change" button]

    You have the choice of "Custom Size" or "System Managed Size" The size is in Megabytes.
    where is "Custom Size" or "System Managed Size"?

    If the setting is for system to manage then give the custom size twice the RAM amount in both boxes, then you will easily find which pagefile.sys is the old one............Windows will default to 1.5x
    I don't understand that. you said there is more than one file(pagefile.sys)

    They are a hidden part of a normal existing file, where there is any metadata. Office application files usually have metadata, as do pictures.
    Where do i find this hidden part? Can i find it even if it was deleted?
    Would i be able to recover the pictures from their metadata?

    Sorry, I don't think that you can with IE, as I don't believe that it makes automatic backups like FireFox? If it were done manually then only the user would know.
    How can i recover all of the browser history then?


    They could be anywhere just do a Windows search for *.bak, where * is a wildcard search parameter. They will be very large, as they are single files for each backup.

    If you have made an exact mirror or clone of the original drive then just make a second one. Remove the existing drive and start reinstalling the backups, looking at what appears with each one.

    If the user has simply backed up their files then this is simpler as you can do it on a spare machine and not get all the Windows DRM moaning that you would if they have done a complete system save.

    All this assumes, of course, that you have the media to launch the backup........
    Can't you just open the .bak file and see what's in it with a software?
    What would be in it that wouldn't be in the computer?

    Thanks

  2. #22
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil or is there a software that can tell you that after recovering those pictures(all pictures on the hard drive)
    Ah! you have several questions here, I think?

    1. If RECUVA does not recover pictures from what YOU think OUGHT to be the target folder, then they are NOT there. Now, that could be because you got the folder identification wrong, the files were moved prior to being deleted, or they haven't been deleted at all, and are still there on the HDD, only in a different location.

    2. I think that you need to change the RECUVA settings?........... if you are looking at a screen with a load of thumbnail images, then you need to look in the top right and click on the radio button called: "Switch to advanced mode". RECUVA will then give you a listing screen that has the access paths to the files.

    3. BE AWARE! RECUVA will only show files it has detected as deleted........... NOT MOVED. It will also only show you the location of the file when it was deleted; not where it might have been before.

    4. Roadkil would be totally useless as it doesn't use Windows file tables at all.

    Can i change it back after doing that so it is not seen by the user(the change)? What size to pick?
    1. Yes.
    2. Whatever it was before.

    where is "Custom Size" or "System Managed Size"?
    If you followed my instructions: on the screen in front of you

    I don't understand that. you said there is more than one file(pagefile.sys)
    Huh! blame Microsoft, not me..............it was the cat wot done it, honest guv!

    OK, joking apart............. there can be more than one pagefile...... one per HDD at least, but there will be two, where you have had a manually set drive and have then let Windows manage it, or vice versa. I was suggesting that we use this feature to allow you to copy the old pagefile.

    Where do i find this hidden part? Can i find it even if it was deleted?
    No

    Would i be able to recover the pictures from their metadata?
    No............they are a single file so if it ain't there it ain't.

    How can i recover all of the browser history then?
    You can't.

    Can't you just open the .bak file and see what's in it with a software?
    Please can you recommend what software to use for that task? I don't know of any.

    What would be in it that wouldn't be in the computer?
    Stuff that had since been deleted or corrupted. Assuming that the backup is on the same machine, which it isn't; and that you have the recovery media, which you don't.

    I ASKED YOU THREE QUESTIONS:

    1. Who owns the computer?
    2. How many people currently use it/have access to it?
    3. How many of those have system or local administrator privileges?

    I require answers to those in your next post.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #23
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,250
    Quote Originally Posted by antiforens View Post
    1. Vista and XP
    2. Internet Explorer, not sure about the version(s)
    3. MSN
    4. hotmail.com
    5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?

    Is it possible? How?
    OK forum people, let's take a look at a few things here.

    First, the OP either knows ingrish as a second language or is a complete moron, n00b, troll, or all three. I give you the following proof in the above quote.

    Now to make things worse, the OP did not follow Spec's wonderful link on how to use google (The french definition was great btw)

    I have a PM from the OP asking me what is so special about EnCase - you know my post with the link to guideancesoftware dot com?

    So the OP isn't very good with:
    English
    Hardware Configuration
    Software Versions
    and/or how to use links and Google...

    AND NO ONE HAS FLAMED THIS ONE YET

    Shame on all of you!
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #24
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    AND NO ONE HAS FLAMED THIS ONE YET

    Shame on all of you!
    But dino~ ............whenever I do something like that, somebody slaps my wrist

    Anyways, if somebody doesn't understand English that well, it is rather rude to flame, be sarcastic, ironic, facetious or supercilious. Hell! there are five year olds in their country speak their language better than I do ........... well except for when I ask for the bill

    Hell! as you well know, I have upset people on this forum over the years ..... but only if it was a fair fight.

    I do see your point mate! but I am afraid that some people watch too much CSI/NCIS and I think that our pilgrim is one of those?

    BTW to those whom it may concern.......... I am NEVER condescending .... hey, that implies that you take prisoners doesn't it?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #25
    BS, EnCE, ACE, Cellebrite 11001001's Avatar
    Join Date
    Mar 2002
    Location
    Just West of Beantown, though nobody from Beantown actually calls it "Beantown."
    Posts
    1,228
    Quote Originally Posted by nihil View Post
    @BB

    Very true, but I don't think that the OP can afford the alternatives or even the learning curve required.......... and that is notwithstanding evidence acceptability requirements?

    I just suggested what I thought might be the best options for commonly available free stuff, given that my practical experiences have been almost exclusively simple disaster recovery situations.

    A while back an acquaintance did give me a copy of that Microsoft "Coffee" (spelling could be different?) to evaluate for her............... I cannot say that I was that impressed..... have you ever seen it or have any thoughts?
    Sorry Nihil... I really don't come here very often any more...

    I got my copy of Cofee and I was also unimpressed. Although Cofee is not really a "Forensics tool" when you get down to it. There are other tools that do what Cofee does, and much better.
    That's Officer 11001001 to you...
    Now you see me | Now you don't
    "Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
    sometimes my computer goes down on me

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 09:37 PM
  3. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 08:38 PM
  4. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM
  5. Information Leakage from Optical Emanations
    By E5C4P3 in forum Miscellaneous Security Discussions
    Replies: 5
    Last Post: March 7th, 2002, 07:35 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •