July 1st, 2018, 5:51
July 2nd, 2018, 0:53
Spildit wrote:Rar file is encrypted (as it have password) and most likely FRAGMENTED as it's very big - 10 GB.
..... as the encryption will look like random noise.
July 2nd, 2018, 8:02
July 8th, 2018, 11:46
I used "GetDataBack" and it found the file name but 0 Bytes of file size.
Your only hope is if the master file alocation table is still intact and does still have the entries for your deleted file, and i believe that at this point it doesn't so it's game over....
https://forum.piriform.com/topic/36987- ... ecover-it/If it's more than 4 gb (or was, and I guess an image file could well be) then Windows erases the file cluster adresses on deletion. The data is still on disk but the entry in the MFT no longer points to it.I think that Recuva has, in the last release or two, changed the way large files are reported. Previously, deleted files over 4 gb in size would be reported as zero bytes, and unrecoverable. Now it appears that the file size is reported, but with the comment that 'File's data could not be found on the disk.' Although NTFS zaps both the file size and the cluster run info in the $Data attribute in the MFT record, the original file size is still available in the $File_Name attribute (although not necessarily accurate). Perhaps this is where Recuva finds the info. If the file is under 4gb but in many extents then it may have forced the $Data attribute to become non-resident, i.e. to be held in a second MFT record for the file. In this case NTFS will, on deletion, zap the cluster run info in the MFT extension record, so the file is unrecoverable. It appears that Recuva also reports these files as 'File's data could not be found on the disk.'
https://forum.piriform.com/topic/38062- ... -and-more/I have found, from experiment and from comments elsewhere, that NTFS manages deletion of files larger than 4GB differently from those smaller than 4GB. In the smaller files the entry in the MFT is (relatively) simply flagged as deleted, and the dataruns – the fields that hold the address and number of clusters for each extent – are untouched. This is how Recuva can find and recover the file data. In files larger than 4GB the dataruns are overwritten by NTFS. Although the file size is still available, the addresses of the data are not, and Recuva will show the Data not Found on Disk message. In this case no recovery programme can recover data from information in the MFT.
This also happens in smaller files which are in many extents. If the list of extents is too long to fit into a single MFT record it is placed in a MFT extension record. These too are erased on file deletion, leaving the file data unrecoverable.
You might want to try R-Studio, UFS explorer, DMDE, etc ...
But doesn't the blocks of file stored on the drive have headers info about the next block? something like "Linked Lists"?
I suppose there must be some headers and also the header is not encrypted. Correct me if I'm wrong
July 8th, 2018, 17:45
I read that when files larger than 4GB get deleted, the complete cluster chain can no longer be retrieved, since it's too large to fit in a single MFT record.
I have found, from experiment and from comments elsewhere, that NTFS manages deletion of files larger than 4GB differently from those smaller than 4GB. In the smaller files the entry in the MFT is (relatively) simply flagged as deleted, and the dataruns – the fields that hold the address and number of clusters for each extent – are untouched. This is how Recuva can find and recover the file data. In files larger than 4GB the dataruns are overwritten by NTFS. Although the file size is still available, the addresses of the data are not, and Recuva will show the Data not Found on Disk message. In this case no recovery programme can recover data from information in the MFT.
This also happens in smaller files which are in many extents. If the list of extents is too long to fit into a single MFT record it is placed in a MFT extension record. These too are erased on file deletion, leaving the file data unrecoverable.
July 8th, 2018, 20:07
1. The size of a runlist (cluster chain stored in MFT) does not depend on file size, it depends on number of fragments in file and also if NTFS compression is enabled for the file.
2. Any first-line tool can assemble cluster chains from multiple MFT records, if all records are available (that is, not overwritten).
This statement is not technically correct. This may be applicable to Recuva if it does not have a capability to look up and link to extension records, but in general case, the runlists are still available after file is deleted.
July 8th, 2018, 22:47
It is noted in the quotes above that files smaller than 4GB can be affected by that issue, but is it correct that all files above 4GB are concerned by this issue ?
How does NTFS compression interfere with this aspect ?
And what do you call a “first-line” tool ?
July 8th, 2018, 23:30
am117 wrote:Hi friends.
I had a 10 GB rar file which was password protected. It got deleted from a partition which the OS was NOT on. I'm 90% sure nothing was written on the drive.
I used "GetDataBack" and it found the file name but 0 Bytes of file size. Then I gave the disk to a friend who has a MRT recovery card (don't know which model) and he tried. But he got the same result.
I searched and there are both positive and negative answers that "There is no data, don't try. It's gone" and "There are ways to recover 0 Bytes files".
So what should I do, Is there any hope?
July 9th, 2018, 2:45
July 9th, 2018, 12:15
July 10th, 2018, 3:31
Amarbir[CDR-Labs] wrote:Hi,
Is its fragmented ,which 100% it will be game over ,If it was a text file no issue ,Its a Encrypted File By RAR "Compressed Technically " And Actually Compressed and Encrypted .
July 10th, 2018, 3:52
DR-Kiev wrote:Amarbir[CDR-Labs] wrote:Hi,
Is its fragmented ,which 100% it will be game over ,If it was a text file no issue ,Its a Encrypted File By RAR "Compressed Technically " And Actually Compressed and Encrypted .
That is unprofessional opinion. If you dont know how to pick up fragments, dont say 100% it is not possible.
fzabkar wrote one of the way to do that even for compressed or encryted files.
Same way could be done for outlook.pst files with huge size and lost MFT entries, and it works great for them.
From my side , i would tell best tool to exclude filled area with files and work only with unfilled ones, is Data Extractor.
Powered by phpBB © phpBB Group.