January 4th, 2019, 8:10
January 4th, 2019, 8:19
January 4th, 2019, 8:32
January 4th, 2019, 16:05
jerovsek wrote: Probably the user restored Windows from factory media.
MRT DE
But if he restored from factory media, then...
January 4th, 2019, 16:19
HaQue wrote: Can you open one of each file type with HxD and post a screenshot of the file from 0x0?
January 4th, 2019, 16:21
January 4th, 2019, 20:50
January 5th, 2019, 5:25
Spildit wrote: Ok, here:
HddDonorMarket wrote:
- I have a Toshiba HDD.
- Customer has made a Windows recovery to the old laptop HDD.
- New Windows has made a new D partition, and he lost all data.
- I tried to remove the HDD password and unlock with MRT. Nothing changed.
- I have a HDD that had BitLocker.
- My guess is this HDD is encrypted with BitLocker.
1 - If a drive is LOCKED with an ATA PASSWORD you will NOT HAVE any ACCESS TO LBA. Unlocking the HDD with MRT will do nothing. Drive was already unlocked to start with.
2 - Ask client if BitLocker was used and ask for the BitLocker key.
3 - Your sectors are random garbage and not actual pictures. Data IS ENCRYPTED with 3rd party tools like BitLocker, TrueCrypt, etc.
4 - Re-installing from the recovery CDs, etc. did wipe the encryption keys and settings/partitions, etc ... so you are in for PAIN ...
5 - Most likely it's un-recoverable unless you can :
- Do a full clone
- Try to force full decryption with RepairBDE - http://www.hddoracle.com/viewtopic.php?f=94&t=542
- Use logic recovery ....
But most likely keys are gone and data is encrypted forever and un-recoverable ...
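A way to put numbers on the "random garbage" observation in point 3, as an added example that is not part of the original post: it measures byte entropy per 64 KiB chunk of a cloned image. The chunk size, the 7.9 bits/byte threshold and the sample image are assumptions constructed here; compressed data such as JPEG or ZIP also scores high, so a drive that is random-like everywhere supports the encryption hypothesis but does not prove it.

```python
import hashlib
import math
from collections import Counter

CHUNK = 64 * 1024  # assumed chunk size; large enough for a meaningful byte histogram


def shannon_entropy(block: bytes) -> float:
    """Entropy in bits per byte: 0 for constant data, close to 8 for random data."""
    total = len(block)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())


def classify(block: bytes) -> str:
    """Label one chunk as blank, structured (plaintext-like) or random-like."""
    if len(set(block)) <= 1:
        return "blank"  # zero-filled or single-value fill
    # 7.9 is an assumed cut-off: ciphertext and compressed data both exceed it
    return "random-like" if shannon_entropy(block) >= 7.9 else "structured"


def triage(image: bytes, chunk: int = CHUNK) -> dict:
    """Count chunk classes over a whole image (read from a clone, never the original)."""
    return dict(Counter(classify(image[off:off + chunk])
                        for off in range(0, len(image), chunk)))


def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed sample image: 2 blank chunks, 2 text chunks, 4 ciphertext-like chunks
TEXT = (b"Invoice 2018-11: holiday photos moved to D:\\Pictures\\2018\r\n" * 2000)[:CHUNK]
SAMPLE_IMAGE = bytes(2 * CHUNK) + TEXT * 2 + keystream(4 * CHUNK)

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```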
January 5th, 2019, 5:33
HaQue wrote:Hi, Googling for: PPM PBM PGM format
https://en.wikipedia.org/wiki/Netpbm_format
http://paulbourke.net/dataformats/ppm/
What folder were they in, or where were the files found relating to user file saving locations / OS worker files / Application specific folders? An application installed on the PC may provide some insight in what the files are for etc.
April 12th, 2019, 17:30
April 13th, 2019, 1:37
April 13th, 2019, 6:04
Spildit wrote:Try DMDE.
Use FULL scan of the drive from first LBA to last and check option to carve for files / raw recovery. Search for example for JPGs.
Most likely the file allocation table is gone and you can't get any old data by searching by file allocation table. If you look in each LBA / sector by sector for file signatures you should be able to get some old data even if by file type, unless the user did clear the drive or has done a full format while restoring Windows ...
April 13th, 2019, 8:24
abolibibelot wrote:It reminds me of this weirdness I had (starting from post #9) :
viewtopic.php?f=1&t=36574
Same scenario : Windows supposedly reinstalled over old data, then absolutely nothing could be extracted (using R-Studio and Photorec) beyond the new Windows files, despite the fact that the whole unallocated space was full of “something”. Yet the owner did not set any kind of encryption scheme (at least actively / purposely). I still have no explanation for this.
In R-Studio (and for “raw file carving” in general) it's a good practice to uncheck the file types that are unlikely to be found in a particular drive (Settings => Known file types), since the default list is unnecessarily cluttered, so as to avoid getting too many false positives, i.e. “garbage” files which are erroneously detected based on fake “signatures” randomly found in the stream of data, which can be 1) part of valid files (for instance there can be a random JPG signature in the middle of a valid MP4 file – obviously that JPG file won't be readable, and in some cases the valid file may be truncated as a result, even though it was not fragmented and could have been recovered fully – although R-Studio is constantly improving and is pretty good at avoiding this, it still happens {*}), 2) remnants of older files which can no longer be fully recovered, 3) encrypted data. Better stick to the most common and most important file types (JPG, DOC/DOCX, XLS/XLSX, ODT/ODS, PDF...), then only if a client needs a particular uncommon type of files, and if the filesystem is too damaged to recover them based on metadata / file records with their original attributes and directory structure and full cluster list (very important in case of fragmentation), should you check them in the list (and warn the client that files recovered that way have a low probability of being 100% valid, especially large files, if the drive was nearly full and its contents were constantly changing). Or, conversely, if a client doesn't know what PBM / PGM / PPM files are, you probably shouldn't bother about those...
{*} With Photorec it's more frequent in my experience (even though it's still excellent for a freeware, and has even been compared favorably to very expensive file carving software); for instance I've seen perfectly valid and non fragmented video files be either truncated when a fake JPG signature was found inside, or missing small chunks of a few KB corresponding to fake MP3 files, and only after unchecking JPG and MP3 in the list of detected file types were those files flawlessly recovered...
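The fake-signature problem described above, as an added example that is not part of the original post and is not how R-Studio or Photorec work internally: a bare search for the JPEG start bytes `FF D8 FF` is compared with a check that walks the marker segments up to start-of-scan. The sample stream, its offsets and the helper names are constructed here, and the header check is deliberately strict (it rejects fill bytes between segments).

```python
import struct

SOI = b"\xff\xd8\xff"  # JPEG start-of-image followed by the first marker prefix
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}  # frame headers


def signature_hits(data: bytes) -> list:
    """Every offset where the 3-byte signature occurs (what a naive carver trusts)."""
    hits, pos = [], data.find(SOI)
    while pos != -1:
        hits.append(pos)
        pos = data.find(SOI, pos + 1)
    return hits


def plausible_jpeg(data: bytes, start: int) -> bool:
    """Walk the segment chain after SOI; accept only if a frame header precedes SOS."""
    pos, seen_sof = start + 2, False
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker < 0xC0 or 0xD0 <= marker <= 0xD9:
            return False  # next segment does not start where the length said it would
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            return False  # length field counts its own two bytes
        seen_sof = seen_sof or marker in SOF_MARKERS
        if marker == 0xDA:  # start of scan: header chain is complete
            return seen_sof
        pos += 2 + length
    return False


def validated_hits(data: bytes) -> list:
    return [off for off in signature_hits(data) if plausible_jpeg(data, off)]


def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stream: MP4-like filler, a fake JPG signature, then a well-formed header
REAL = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00" + bytes(9)) + segment(0xDB, bytes(65))
        + segment(0xC0, bytes(15)) + segment(0xC4, bytes(29)) + segment(0xDA, bytes(10))
        + b"\x12\x34" * 20 + b"\xff\xd9")
FAKE = b"\xff\xd8\xff\xe0\x00\x10" + bytes(range(1, 41))
SAMPLE = b"\x00\x00\x00\x18ftypmp42" + bytes(100) + FAKE + bytes(60) + REAL + bytes(32)

if __name__ == "__main__":
    print("signature hits:", signature_hits(SAMPLE))
    print("validated hits:", validated_hits(SAMPLE))
```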