I'm in a big jam, and would appreciate anyone's $0.02 on the following lost email issue:

This past weekend, immediately after spending hours sorting and archiving the one master copy of the last 6 mos worth of my email I have (had), it went completely south on me. The archived folder and all sub-folders disappeared as the program was running and I was working with them. Just like that. I was working with Mozilla Thunderbird on a laptop running a RAID0 array (I know...I know) and, just prior to the death of my mail, this is what happened:

1. Sorted many emails
2. Renamed/added a few folders
3. Compacted emails a couple of times with no issues/no problems.

A few mins. later, I was looking over things and getting ready to move them to a 2nd backup drive. Last thing I remember is clicking on something (probably a sub-folder) and seeing the entire thing...folder, sub-folders and all, just disappear. This isn't a case of some missing mails where one could go in and reflag to "un-delete" them. The folders are/were NOT in the trash, are not visible via explorer or through a cmd prompt, and the OS see no trace of them anywhere. Everythign else is intact, T-Bird still works, and Windows is fine.

Multiple file recovery tools found nothing, with the exception of R-Studio...and this is where it gets a bit interesting. The "recovery tree" in R-Studio, for lack of a better expression, does not see the missing files - but the disk editor that comes with R-Studio *does* find remnants of them. A text search for pretty much whatever yields encouraging results, so the data is obviously still on there, but there is no structure to it.

So there's my problem. I can see a lot of it, but extracting it is another matter entirely since I'm not familiar with these tools. Done in hex, my assumption is that I'd need to select from sector A to sector B and then extract/convert to text multiple times, but I've no idea how to do this. And then there's the fact that this is a *lot* of missing mail. It would be the mother of all recovery projects.

Still, since it's the text (body/dates/etc.) I'm really after, I would think that would be in my favor. And if anyone has any idea of how to proceed from here, I would definitely appreciate your input. Maybe a script or utility that could search for Thunderbird email headers ("X-Mozilla", etc.) and wrap up relevant text from that point on? Of course, I could do that myself manually, but that's a lot of hunting.

If anyone can shed any light on this, please, please advise. Thanks for reading my post...

If I remember my Thunderbird correctly, it should be in standard "mbox" format.

The problem is that the file is huge and probably fragmented all over the disk. That's basically a job for forensic analysis tools as they are designed to find such evidence. I use them at times when I deal with recovering data from a deceased person's computer, for example. You can try X-ways Winhex software.

That RAID0 will not help. You should at the very least image the entire array and dump it onto a single disk.

What's in your favor is that the messages are dated.

Also look at the MSF files.

I am not about to do in-depth research for you, for free anyway, but here are a few tips:

Run searches for "Thunderbird mbox" "Recover mbox" "Thunderbird MSF" "mbox file format" "mbox structure". Sorry, can't be more helpful.

Good luck!

Any help is appreciated, and this was helpful. Thanks for your reply.

Hi,
In R-studio you will find a load of folders at the bottom of the tree with a red 'X' on them.
In cases similar to yours the 'lost' files/folders will often be found in one of them.
So make an image and then use R-studio on the image to see if you can find your files.

Thank you, dick. I've also learned a few new things since last posting:

1. Recovery through identification of file signature is possible in some cases, but it doesn't look like this is one of them. I've looked at sample healthy mbox files with a disk editor, and the files all begin with the text of the first message itself. (In other words, it seems there is no header.) For example, all files start with 46 72 6F 6D 20 2D in hex, which is "From - " in ANSI, followed by the date and time of the first message.

2. Bearing #1 in mind, even that alone might be something I could work with except for the fact that there is no consistent set of characters at the end of these files, since they vary depending on the content of the message.

3. In spite of 1 & 2, clearly there is still something there. Random searches for text with R-Studio turn up pretty much whatever I want to search for (across 10 billion instances, that is) - but that's better than nothing, I suppose. It's just that there is no file structure.


And now, a couple of questions. If anyone can answer, I'd appreciate it.

A. In all the time I've used computers, I've really never had much need for imaging an entire drive. I do have an external I could use for this, but it has information on it. Since I'll presumably be going over this thing with a fine-toothed comb, I'm sure a blank and newly formatted drive will be necessary. Correct? Will a brand new, never-before-used drive be needed, or will just a formatted one suffice?

B. How the hell could this have happened? Sure, I can see losing data - but on just this one folder within this one program and with no other problems at all with the program, OS, or disk? That's damned peculiar. Why has the file structure been lost with just this one set of data and nothing else and why do *none* of the several file recovery utils I've tried so far see a thing? Yeah, I did compact my mail shortly before all of this happened, but it was all still there after doing so, and this came out of the blue later on, completely unannounced and with no other problems attached. I'm stumped, and *really* a mess over the lost mail. There were a lot of things of personal value in that folder.

How did happen? For me, something went wrong during low level access to file system, or a failed delayed write due to problems in memory or controller. It happens and what's worst, without crash, out of the blue. For your case I developed some tools for internal use that can search for predefined patterns if filesystem structure is destroyed and data scattered, usually works, except for attachments if data was heavily spread across the disk.

Tools? By all means, I'd like to hear about em.