-
June 29th, 2012, 01:16 PM
#21
Junior Member
It will show you deleted files, and what condition they are in from a recovery viewpoint. It does not look at cluster tips as far as I know. If the user has simply deleted the files and emptied the recycle bin then RECUVA is a good enough tool for the job.
I believe that you can with versions 5.0 and higher but if not, you can just select the partition. It is more of a bulk processing tool, and does find stuff in cluster tips, so I would be inclined to go for all partitions that have been used (I think you said c:/?) as you never know what you might find I would use RECUVA first though.
Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil or is there a software that can tell you that after recovering those pictures(all pictures on the hard drive)
The short answer is "no", Windows locks the file on bootup, so you have to find a work around:
3. With XP (not sure about Vista) go into Control Panel and Advanced Settings and change the "virtual memory" to manual and pick a different size...........this will move it to a new location (root of C:\ I think) but leave the old file there. Reboot and the old file will not be locked. If it is already manual then change it to "let Windows decide", as this will have the same effect apart from the unlocked file being in the other location.
Can i change it back after doing that so it is not seen by the user(the change)? What size to pick?
<START>
<Control Panel>
<System>
<Advanced>
<Performance> [Click the "settings" button]
<Advanced> [Tab at the top]
<Virtual Memory> [Click the "change" button]
You have the choice of "Custom Size" or "System Managed Size" The size is in Megabytes.
where is "Custom Size" or "System Managed Size"?
If the setting is for system to manage then give the custom size twice the RAM amount in both boxes, then you will easily find which pagefile.sys is the old one............Windows will default to 1.5x
I don't understand that. you said there is more than one file(pagefile.sys)
They are a hidden part of a normal existing file, where there is any metadata. Office application files usually have metadata, as do pictures.
Where do i find this hidden part? Can i find it even if it was deleted?
Would i be able to recover the pictures from their metadata?
Sorry, I don't think that you can with IE, as I don't believe that it makes automatic backups like FireFox? If it were done manually then only the user would know.
How can i recover all of the browser history then?
They could be anywhere just do a Windows search for *.bak, where * is a wildcard search parameter. They will be very large, as they are single files for each backup.
If you have made an exact mirror or clone of the original drive then just make a second one. Remove the existing drive and start reinstalling the backups, looking at what appears with each one.
If the user has simply backed up their files then this is simpler as you can do it on a spare machine and not get all the Windows DRM moaning that you would if they have done a complete system save.
All this assumes, of course, that you have the media to launch the backup........
Can't you just open the .bak file and see what's in it with a software?
What would be in it that wouldn't be in the computer?
Thanks
-
June 29th, 2012, 06:15 PM
#22
Using RECUVA, it doesn't recover the pictures from the folder, but if you recover pictures, you don't know what folder they were in. Is it possible to know that with Roadkil or is there a software that can tell you that after recovering those pictures(all pictures on the hard drive)
Ah! you have several questions here, I think?
1. If RECUVA does not recover pictures from what YOU think OUGHT to be the target folder, then they are NOT there. Now, that could be because you got the folder identification wrong, the files were moved prior to being deleted, or they haven't been deleted at all, and are still there on the HDD, only in a different location.
2. I think that you need to change the RECUVA settings?........... if you are looking at a screen with a load of thumbnail images, then you need to look in the top right and click on the radio button called: "Switch to advanced mode". RECUVA will then give you a listing screen that has the access paths to the files.
3. BE AWARE! RECUVA will only show files it has detected as deleted........... NOT MOVED. It will also only show you the location of the file when it was deleted; not where it might have been before.
4. Roadkil would be totally useless as it doesn't use Windows file tables at all.
Can i change it back after doing that so it is not seen by the user(the change)? What size to pick?
1. Yes.
2. Whatever it was before.
where is "Custom Size" or "System Managed Size"?
If you followed my instructions: on the screen in front of you
I don't understand that. you said there is more than one file(pagefile.sys)
Huh! blame Microsoft, not me..............it was the cat wot done it, honest guv!
OK, joking apart............. there can be more than one pagefile...... one per HDD at least, but there will be two, where you have had a manually set drive and have then let Windows manage it, or vice versa. I was suggesting that we use this feature to allow you to copy the old pagefile.
Where do i find this hidden part? Can i find it even if it was deleted?
No
Would i be able to recover the pictures from their metadata?
No............they are a single file so if it ain't there it ain't.
How can i recover all of the browser history then?
You can't.
Can't you just open the .bak file and see what's in it with a software?
Please can you recommend what software to use for that task? I don't know of any.
What would be in it that wouldn't be in the computer?
Stuff that had since been deleted or corrupted. Assuming that the backup is on the same machine, which it isn't; and that you have the recovery media, which you don't.
I ASKED YOU THREE QUESTIONS:
1. Who owns the computer?
2. How many people currently use it/have access to it?
3. How many of those have system or local administrator privileges?
I require answers to those in your next post.
-
July 6th, 2012, 06:13 PM
#23
Originally Posted by antiforens
1. Vista and XP
2. Internet Explorer, not sure about the version(s)
3. MSN
4. hotmail.com
5. Regular Hard Disk Drive inside that comes with it when you buy it, I assume SDD means it is not inside?
Is it possible? How?
OK forum people, let's take a look at a few things here.
First, the OP either knows ingrish as a second language or is a complete moron, n00b, troll, or all three. I give you the following proof in the above quote.
Now to make things worse, the OP did not follow Spec's wonderful link on how to use google (The french definition was great btw)
I have a PM from the OP asking me what is so special about EnCase - you know my post with the link to guideancesoftware dot com?
So the OP isn't very good with:
English
Hardware Configuration
Software Versions
and/or how to use links and Google...
AND NO ONE HAS FLAMED THIS ONE YET
Shame on all of you!
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
July 7th, 2012, 07:05 PM
#24
-
August 2nd, 2012, 02:50 AM
#25
Originally Posted by nihil
@BB
Very true, but I don't think that the OP can afford the alternatives or even the learning curve required.......... and that is notwithstanding evidence acceptability requirements?
I just suggested what I thought might be the best options for commonly available free stuff, given that my practical experiences have been almost exclusively simple disaster recovery situations.
A while back an acquaintance did give me a copy of that Microsoft "Coffee" (spelling could be different?) to evaluate for her............... I cannot say that I was that impressed..... have you ever seen it or have any thoughts?
Sorry Nihil... I really don't come here very often any more...
I got my copy of Cofee and I was also unimpressed. Although Cofee is not really a "Forensics tool" when you get down to it. There are other tools that do what Cofee does, and much better.
Above ground, vertical, and exchanging gasses.
Now you see me | Now you don't
"Relax, Bender; It was just a dream. There's no such thing as two." ~ Fry
sometimes my computer goes down on me
-
March 27th, 2017, 07:45 AM
#26
Junior Member
There are a couple of free options you can try out for Windows based machines, such as Recuva, DiskDigger, TestDisk
-
April 6th, 2017, 09:36 AM
#27
Junior Member
-
September 16th, 2017, 09:05 AM
#28
Junior Member
Hello, nihil! I couldn't agree with you more. As you said that, OVERWRITTEN data cannot be recovered since they are GONE FOREVER. I accidentally deleted some pictures and video files on the SD card. Then I immediately stopped using my digital camera and took out the memory card. I think the lost multimedia files should not be overwritten. However, I do not know which data recovery tool should be selected. Please give me some advices. Thank you!
-
September 16th, 2017, 02:37 PM
#29
Originally Posted by Hill2017
Hello, nihil! I couldn't agree with you more. As you said that, OVERWRITTEN data cannot be recovered since they are GONE FOREVER. I accidentally deleted some pictures and video files on the SD card. Then I immediately stopped using my digital camera and took out the memory card. I think the lost multimedia files should not be overwritten. However, I do not know which data recovery tool should be selected. Please give me some advices. Thank you!
Why I have Recuva installed
https://www.piriform.com/recuva
-
September 17th, 2017, 07:21 AM
#30
Junior Member
Hello, Shay! Thank you very much! In fact, I tried a lot of data recovery tools, such as Stellar Phoenix, SoftHow Photo Recovery, EaseUS, Wondershare, etc. They are great data recovery tools. However, for financial reasons I would like to use the free data recovery software. According to your recommendation, I found a free version of Recuva. Thanks again!
Similar Threads
-
By cheyenne1212 in forum Miscellaneous Security Discussions
Replies: 7
Last Post: February 1st, 2012, 02:51 PM
-
By ThePreacher in forum Miscellaneous Security Discussions
Replies: 17
Last Post: December 14th, 2006, 09:37 PM
-
By -DaRK-RaiDeR- in forum Newbie Security Questions
Replies: 9
Last Post: December 14th, 2002, 08:38 PM
-
By Noble Hamlet in forum AntiOnline's General Chit Chat
Replies: 1100
Last Post: March 17th, 2002, 09:38 AM
-
By E5C4P3 in forum Miscellaneous Security Discussions
Replies: 5
Last Post: March 7th, 2002, 07:35 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|