Brainteaser for datarecovery
October 24th, 2007, 14:37
Hi guys,
I've got a good brainteaser here!
I was brought in a harddisk, where a bad person deleted the files from, and than ran the defragmenter for three consecutive times.
Anyone has an idea how to recover the data ?
i can find a lot of partial files, but mostly garbled.
All suggestions welcome.
Dobre
I've got a good brainteaser here!
I was brought in a harddisk, where a bad person deleted the files from, and than ran the defragmenter for three consecutive times.
Anyone has an idea how to recover the data ?
i can find a lot of partial files, but mostly garbled.
All suggestions welcome.
Dobre
Re: Brainteaser for datarecovery
October 24th, 2007, 15:48
First the good news .. The second and third passes by defrag
probably did nothing ..
Now for the bad .. the first pass was enough to make it very
difficult ..but not impossible..
depending on the file types you are looking for , I would probably
Use Encase or Forensic Tool Kit. and of course a hex editor
The one thing to remember is that the files ALWAYS start on a
Cluster boundary, and if they are bigger than 1 cluster , the
fragments fill an entire cluster ( except for the last fragment)
So instead of examining sectors , examine clusters.
Word/text docs are fairly easy to recognise, Encase will show picture
files ( and partial pic files ) in the gallery view..
Other files may be much harder to recognise.
I don't know if GetDataBack or R-studio will have any luck , but
they are worth a try to start with .
If you have found the remains of the files original mfts, you can use
that info for file sizes then build a blank file of that size to store the
pieces of each file . then you will just have to move the clusters
into the right order.
There will definately be a lot of manual work involved.
This is an extremely large task to undertake and depending on
the amount of files needed to be recovered may not be worth the
effort needed to succeed.
Steve
probably did nothing ..
Now for the bad .. the first pass was enough to make it very
difficult ..but not impossible..
depending on the file types you are looking for , I would probably
Use Encase or Forensic Tool Kit. and of course a hex editor
The one thing to remember is that the files ALWAYS start on a
Cluster boundary, and if they are bigger than 1 cluster , the
fragments fill an entire cluster ( except for the last fragment)
So instead of examining sectors , examine clusters.
Word/text docs are fairly easy to recognise, Encase will show picture
files ( and partial pic files ) in the gallery view..
Other files may be much harder to recognise.
I don't know if GetDataBack or R-studio will have any luck , but
they are worth a try to start with .
If you have found the remains of the files original mfts, you can use
that info for file sizes then build a blank file of that size to store the
pieces of each file . then you will just have to move the clusters
into the right order.
There will definately be a lot of manual work involved.
This is an extremely large task to undertake and depending on
the amount of files needed to be recovered may not be worth the
effort needed to succeed.
Steve
Re: Brainteaser for datarecovery
October 24th, 2007, 16:00
Thanks for your reply Steve,
Yes, the first defrag was the bad part
I'm using winhex to search for signatures.
Found allready some files back. The good thing is the drive was only used for about 20%, so much of the files will be left unharmed by the defrag. Only the big files (like outlook) will be affected.
Still much manual work.
Dobre
Yes, the first defrag was the bad part
I'm using winhex to search for signatures.
Found allready some files back. The good thing is the drive was only used for about 20%, so much of the files will be left unharmed by the defrag. Only the big files (like outlook) will be affected.
Still much manual work.
Dobre
Powered by phpBB © phpBB Group.