Data Recovery on SSD - Where did I go wrong?
March 29th, 2018, 14:37
Hey all,
I recently read an article about data recovery and was backing up my phone's pics when I had the curious idea to test some data recovery. I basically failed at what I wanted to do and I'm happy this was just a test run. However, I'm sure I'll have to do this for real some time, and I want to find out what I did wrong:
To test recovering files, I copied two folders of pictures on my second laptop (that were already backed up on my main laptop) which were over 10GB in size on the desktop.
Then I deleted them ("perma deleted" as they were too large to go on recycle bin).
The laptop was left closed for 2 hours doing nothing before I went to try and restore the pictures:
These were the steps I took with the laptop in which the files were deleted:
1. Googled deleted data recovery
2. Found out about TOKIWA DataRecovery software which requires no install and is only 200kb size.
3. Downloaded software directly to laptop's same drive as deleted pictures (Mistake 1?)
4. Ran the scan on the drive - Twice the scan crashed at about 20% complete, no idea why.
5. Third scan I manually stopped the search at about 15% as I could see that enough of the pics that I deleted that day were there (based on name and modified date).
6. I selected and pressed to recover the pics that were the right date onto an external hard drive.
7. Once restored, the pics would not open. I also took the external drive with restored pics to another laptop and tried to open them but still nothing.
8. They would not open even though they were the correct size and file extension.
9. I read online that renaming/ changing file extension occasionally works so tried that. Also tried opening them with VLC player which I've had success in opening weird file extension pics before, and repairing images with repair programs but nothing worked.
10. I went back to the laptop with deleted files and installed Panda Recovery. Software found all the pics deleted but claimed they were overwritten and no preview available. All other pics and files that were found from previous periods were intact and previewed fine. Recovering the correct pics, again they could not be open.
11. Then I installed a few other recovery software and had similar results. Only the pics I deleted that day were not open-able when recovered/previewed.
12. Last software I tried was photoRec. With it I gave up at about 30% scan of the drive as it was taking forever. It recovered 16,000 images but I could not find a single one from the recently deleted ones. I didn't check all the files as there were so many but I'm pretty sure it did not recover them.
Some info on the Laptop in which the files were deleted:
Windows 10
Sandisk 256GB SSD: Had 100GB left and has never been or close to being full
Questions:
1) How bad is downloading small files prior to recovering? I understand overwriting makes most retail software struggle, but surely 200kb and a few Mbs of temporary browsing data can't overwrite 10+GB of pics?
2) I assume the first recovery software may have done some damage, but I had stopped the scan when it had only found about 20-30% of all the pics deleted and only attempted to recover some of those. Therefore even if it corrupted those files, the other pics found later should have been fine if that was the issue?
3) Why was it possible to recover so many old pictures and not a single one had a problem opening except the pics that I intended to restore?
4) Is there any way to still attempt to recover these photos without professional help? Just for completeness of the test.
5) If this was a real data recovery, what software / method / steps would you have taken to increase chance of restoring the data?
Many thanks all in advance for any tips
I recently read an article about data recovery and was backing up my phone's pics when I had the curious idea to test some data recovery. I basically failed at what I wanted to do and I'm happy this was just a test run. However, I'm sure I'll have to do this for real some time, and I want to find out what I did wrong:
To test recovering files, I copied two folders of pictures on my second laptop (that were already backed up on my main laptop) which were over 10GB in size on the desktop.
Then I deleted them ("perma deleted" as they were too large to go on recycle bin).
The laptop was left closed for 2 hours doing nothing before I went to try and restore the pictures:
These were the steps I took with the laptop in which the files were deleted:
1. Googled deleted data recovery
2. Found out about TOKIWA DataRecovery software which requires no install and is only 200kb size.
3. Downloaded software directly to laptop's same drive as deleted pictures (Mistake 1?)
4. Ran the scan on the drive - Twice the scan crashed at about 20% complete, no idea why.
5. Third scan I manually stopped the search at about 15% as I could see that enough of the pics that I deleted that day were there (based on name and modified date).
6. I selected and pressed to recover the pics that were the right date onto an external hard drive.
7. Once restored, the pics would not open. I also took the external drive with restored pics to another laptop and tried to open them but still nothing.
8. They would not open even though they were the correct size and file extension.
9. I read online that renaming/ changing file extension occasionally works so tried that. Also tried opening them with VLC player which I've had success in opening weird file extension pics before, and repairing images with repair programs but nothing worked.
10. I went back to the laptop with deleted files and installed Panda Recovery. Software found all the pics deleted but claimed they were overwritten and no preview available. All other pics and files that were found from previous periods were intact and previewed fine. Recovering the correct pics, again they could not be open.
11. Then I installed a few other recovery software and had similar results. Only the pics I deleted that day were not open-able when recovered/previewed.
12. Last software I tried was photoRec. With it I gave up at about 30% scan of the drive as it was taking forever. It recovered 16,000 images but I could not find a single one from the recently deleted ones. I didn't check all the files as there were so many but I'm pretty sure it did not recover them.
Some info on the Laptop in which the files were deleted:
Windows 10
Sandisk 256GB SSD: Had 100GB left and has never been or close to being full
Questions:
1) How bad is downloading small files prior to recovering? I understand overwriting makes most retail software struggle, but surely 200kb and a few Mbs of temporary browsing data can't overwrite 10+GB of pics?
2) I assume the first recovery software may have done some damage, but I had stopped the scan when it had only found about 20-30% of all the pics deleted and only attempted to recover some of those. Therefore even if it corrupted those files, the other pics found later should have been fine if that was the issue?
3) Why was it possible to recover so many old pictures and not a single one had a problem opening except the pics that I intended to restore?
4) Is there any way to still attempt to recover these photos without professional help? Just for completeness of the test.
5) If this was a real data recovery, what software / method / steps would you have taken to increase chance of restoring the data?
Many thanks all in advance for any tips
Re: Data Recovery on SSD - Where did I go wrong?
March 29th, 2018, 20:43
1 - Its bad. You just need to corrupt a few bytes to make the archive unusable, so that 200kb could, in theory, be enough to corrupt a lot of files.
As it was a SSD, possibly it has TRIM enabled , or win10 ran it, so that would explain your results.
Also, even if you are using some strange recovery software, you should wait for them to complete their scannint. Stopping it in the middle won´t bring good results, because the software may wait for doing some organization of its lists after the end of the scanning.
As it was a SSD, possibly it has TRIM enabled , or win10 ran it, so that would explain your results.
Also, even if you are using some strange recovery software, you should wait for them to complete their scannint. Stopping it in the middle won´t bring good results, because the software may wait for doing some organization of its lists after the end of the scanning.
Re: Data Recovery on SSD - Where did I go wrong?
March 29th, 2018, 23:46
You just need to corrupt a few bytes to make the archive unusable, so that 200kb could, in theory, be enough to corrupt a lot of files.
In this case, if I understand it correctly, “dada55” attempted to recover folders containing individual files, not compressed archives.
Also, even if you are using some strange recovery software, you should wait for them to complete their scannint. Stopping it in the middle won´t bring good results, because the software may wait for doing some organization of its lists after the end of the scanning.
With Recuva in “quick scan” mode (and other softwares which have that option like GetDataBack) it only takes a few seconds, a minute at most, to scan the whole filesystem. In a case like this, where files were recently deleted, if the files are still recoverable, meaning, if they were not yet overwritten, the quick scan is enough in most situations. (Although I've discovered recently that large files could be unrecoverable that way.)
A software which I use sometimes when I just need to recover a file I just deleted on Windows is HandyRecovery (the 1.0 version which was completely free) : it lets you browse the file tree while it is still building it, you can stop it as soon as it displays the wanted file, it will be able to recover it completely (unless it's been overwritten but then nothing will), and for a large partition with many many files on it and a huge MFT it can be way quicker than to wait for Recuva to complete its quick scan. Also the .exe can be run with no install, even from an external device.
1) How bad is downloading small files prior to recovering? I understand overwriting makes most retail software struggle, but surely 200kb and a few Mbs of temporary browsing data can't overwrite 10+GB of pics?
3) Why was it possible to recover so many old pictures and not a single one had a problem opening except the pics that I intended to restore?
Could be explained by Murphy's Law, or indeed if it's a SSD the Trim command is designed to overwrite the deleted files as a background process.
2) I assume the first recovery software may have done some damage, but I had stopped the scan when it had only found about 20-30% of all the pics deleted and only attempted to recover some of those. Therefore even if it corrupted those files, the other pics found later should have been fine if that was the issue?
Any half decent recovery software should not write anything to the scanned drive – neither during the scan, nor after the completion when choosing the location where the files should be extracted, it shouldn't even let you attempt to write on it if you want to. But some of them are less than half decent...
Recently I tried to remotely help someone who had accidentally deleted an important Powerpoint file he was working on, which was stored only on a USB pen drive, 16GB capacity, about 8GB of free space which should be plenty ; he had tried a bunch of recovery softwares, to no avail. I made a quick scan with Recuva, which indicates if the deleted files have been overwritten and if so, by which file (it's not 100% reliable in my experience but most of the time it does provide accurate information) : the wanted file had been overwritten precisely by files extracted with one of those recovery softwares (which did not prevent him to do so), or, ironically, by files from a “FileHistory” directory, which is apparently related to an automatic recovery function in Windows 8+ (I'm still using Windows 7 so I didn't know about it). You'd think that it should have been unlikely, considering the large amount of free space, but it did happen. And even Recuva (which is otherwise an efficient tool) doesn't display a warning when the user attempts to recover a file on the same device and partition.
4) Is there any way to still attempt to recover these photos without professional help? Just for completeness of the test.
Again, Recuva should tell you by which files the files you want have been overwritten, if any. It can also display the header of each file, which is the begining of the file in hexadecimal : with some experience, you instantly recognize if a JPEG file has a valid JPEG header or not. If there's garbage instead, or just zeroes, then nothing can be done, even by a professional, the original file is gone.
Alternatively, you can open some of the files in an hexadecimal editor, like WinHex (commercial) or HxD (free), and see what they look like inside. If the file is supposed to be a JPEG picture, first open a few valid JPEG files, you'll see that they always begin with the characters “ÿØÿ”, or “FF D8 FF” in hexadecimal. If a recovered JPEG file starts with anything else, then nothing can “fix” it. If the header is correct but the second half has been overwritten, you typically can see half of the picture, the rest appears as random strips of colors – and again, nothing can fix this.
5) If this was a real data recovery, what software / method / steps would you have taken to increase chance of restoring the data?
Doing what you're doing right now is definitely a very good idea : test various methods when you don't need them, so that you know what to do and don't panic when you actually need to recover something and failure is not an option !
Otherwise, you should sort out the good softwares from the crappy ones, know their strenghts and weaknesses, which type of situation best fits each of them, and have them installed on your computer from then on, preventively. You can also run some of them in “portable” mode, if you need to scan your system partition, but if you absolutely need a file which was deleted on your system partition, the best course of action is to shut down the computer immediately, and then scan the drive as an external device from another computer (or better yet, perform a complete image of the relevant partition and scan this instead of the drive itself), because each second you run the drive, data could be written at the exact spot where that file is / used to be.
For instance, Recuva is usually less efficient than R-Studio to rebuild a file tree (which is an advanced commercial software, as opposed to a freeware), but it completes its quick scan in a matter of seconds, whereas R-Studio can take hours, so if you just want to recover one file which has just been deleted it might be overkill, and even counterproductive if the drive is a SSD with Trim enabled : each second the wanted data could be wiped, so the quicker the scan the better. Photorec is designed to recover files in “raw file carving” mode, meaning, it does not rely at all on the filesystem and the metadata, it just extracts files based on their “signature”, which is their header / footer patterns, specific to each file type (one caveat, beyond the fact that you lose the original name as well as the timestamps, is that it's unlikely to fully recover fragmented files). If the files you want have been found by a recovery software with their actual names and sizes and timestamps, it means that the MFT records containing the metadata for those files and their exact locations are still there, but if they have been overwritten then Photorec will not be able to detect them because they no longer have any characteristic header, they now appear as random data (or empty data).
Re: Data Recovery on SSD - Where did I go wrong?
March 29th, 2018, 23:47
You just need to corrupt a few bytes to make the archive unusable, so that 200kb could, in theory, be enough to corrupt a lot of files.
In this case, if I understand it correctly, “dada55” attempted to recover folders containing individual files, not compressed archives.
Also, even if you are using some strange recovery software, you should wait for them to complete their scannint. Stopping it in the middle won´t bring good results, because the software may wait for doing some organization of its lists after the end of the scanning.
With Recuva in “quick scan” mode (and other softwares which have that option like GetDataBack) it only takes a few seconds, a minute at most, to scan the whole filesystem. In a case like this, where files were recently deleted, if the files are still recoverable, meaning, if they were not yet overwritten, the quick scan is enough in most situations. (Although I've discovered recently that large files could be unrecoverable that way.)
A software which I use sometimes when I just need to recover a file I just deleted on Windows is HandyRecovery (the 1.0 version which was completely free) : it lets you browse the file tree while it is still building it, you can stop it as soon as it displays the wanted file, it will be able to recover it completely (unless it's been overwritten but then nothing will), and for a large partition with many many files on it and a huge MFT it can be way quicker than to wait for Recuva to complete its quick scan. Also the .exe can be run with no install, even from an external device.
1) How bad is downloading small files prior to recovering? I understand overwriting makes most retail software struggle, but surely 200kb and a few Mbs of temporary browsing data can't overwrite 10+GB of pics?
3) Why was it possible to recover so many old pictures and not a single one had a problem opening except the pics that I intended to restore?
Could be explained by Murphy's Law, or indeed if it's a SSD the Trim command is designed to overwrite the deleted files as a background process.
As to why you still can find old pictures, I couldn't say. Are you sure that they were actually deleted, that they weren't stored somewhere as (still allocated) temporary files ?
2) I assume the first recovery software may have done some damage, but I had stopped the scan when it had only found about 20-30% of all the pics deleted and only attempted to recover some of those. Therefore even if it corrupted those files, the other pics found later should have been fine if that was the issue?
Any half decent recovery software should not write anything to the scanned drive – neither during the scan, nor after the completion when choosing the location where the files should be extracted, it shouldn't even let you attempt to write on it if you want to. But some of them are less than half decent...
Recently I tried to remotely help someone who had accidentally deleted an important Powerpoint file he was working on, which was stored only on a USB pen drive, 16GB capacity, about 8GB of free space which should be plenty ; he had tried a bunch of recovery softwares, to no avail. I made a quick scan with Recuva, which indicates if the deleted files have been overwritten and if so, by which file (it's not 100% reliable in my experience but most of the time it does provide accurate information) : the wanted file had been overwritten precisely by files extracted with one of those recovery softwares (which did not prevent him to do so), or, ironically, by files from a “FileHistory” directory, which is apparently related to an automatic recovery function in Windows 8+ (I'm still using Windows 7 so I didn't know about it). You'd think that it should have been unlikely, considering the large amount of free space, but it did happen. And even Recuva (which is otherwise an efficient tool) doesn't display a warning when the user attempts to recover a file on the same device and partition.
4) Is there any way to still attempt to recover these photos without professional help? Just for completeness of the test.
Again, Recuva should tell you by which files the files you want have been overwritten, if any. It can also display the header of each file, which is the begining of the file in hexadecimal : with some experience, you instantly recognize if a JPEG file has a valid JPEG header or not. If there's garbage instead, or just zeroes, then nothing can be done, even by a professional, the original file is gone.
Alternatively, you can open some of the files in an hexadecimal editor, like WinHex (commercial) or HxD (free), and see what they look like inside. If the file is supposed to be a JPEG picture, first open a few valid JPEG files, you'll see that they always begin with the characters “ÿØÿ”, or “FF D8 FF” in hexadecimal. If a recovered JPEG file starts with anything else, then nothing can “fix” it. If the header is correct but the second half has been overwritten, you typically can see half of the picture, the rest appears as random strips of colors – and again, nothing can fix this.
5) If this was a real data recovery, what software / method / steps would you have taken to increase chance of restoring the data?
Doing what you're doing right now is definitely a very good idea : test various methods when you don't need them, so that you know what to do and don't panic when you actually need to recover something and failure is not an option !
Otherwise, you should sort out the good softwares from the crappy ones, know their strenghts and weaknesses, which type of situation best fits each of them, and have them installed on your computer from then on, preventively. You can also run some of them in “portable” mode, if you need to scan your system partition, but if you absolutely need a file which was deleted on your system partition, the best course of action is to shut down the computer immediately, and then scan the drive as an external device from another computer (or better yet, perform a complete image of the relevant partition and scan this instead of the drive itself), because each second you run the drive, data could be written at the exact spot where that file is / used to be.
For instance, Recuva is usually less efficient than R-Studio to rebuild a file tree (which is an advanced commercial software, as opposed to a freeware), but it completes its quick scan in a matter of seconds, whereas R-Studio can take hours, so if you just want to recover one file which has just been deleted it might be overkill, and even counterproductive if the drive is a SSD with Trim enabled : each second the wanted data could be wiped, so the quicker the scan the better. Photorec is designed to recover files in “raw file carving” mode, meaning, it does not rely at all on the filesystem and the metadata, it just extracts files based on their “signature”, which is their header / footer patterns, specific to each file type (one caveat, beyond the fact that you lose the original name as well as the timestamps, is that it's unlikely to fully recover fragmented files). If the files you want have been found by a recovery software with their actual names and sizes and timestamps, it means that the MFT records containing the metadata for those files and their exact locations are still there, but if they have been overwritten then Photorec will not be able to detect them because they no longer have any characteristic header, they now appear as random data (or empty data).
Re: Data Recovery on SSD - Where did I go wrong?
March 30th, 2018, 7:06
rogfanther wrote:1 - Its bad. You just need to corrupt a few bytes to make the archive unusable, so that 200kb could, in theory, be enough to corrupt a lot of files.
As it was a SSD, possibly it has TRIM enabled , or win10 ran it, so that would explain your results.
Also, even if you are using some strange recovery software, you should wait for them to complete their scannint. Stopping it in the middle won´t bring good results, because the software may wait for doing some organization of its lists after the end of the scanning.
The files weren't compressed, just 2 folders with separate files. I just checked and the laptop does have TRIM enabled.
It was getting very late at night and as this was just a test I was getting a bit tired of first software crashing. Probably should have done more research on which software to use first. Recuva sounds decent.
abolibibelot wrote:You just need to corrupt a few bytes to make the archive unusable, so that 200kb could, in theory, be enough to corrupt a lot of files.
In this case, if I understand it correctly, “dada55” attempted to recover folders containing individual files, not compressed archives.
That is correct.
With Recuva in “quick scan” mode (and other softwares which have that option like GetDataBack) it only takes a few seconds, a minute at most, to scan the whole filesystem. In a case like this, where files were recently deleted, if the files are still recoverable, meaning, if they were not yet overwritten, the quick scan is enough in most situations. (Although I've discovered recently that large files could be unrecoverable that way.)
A software which I use sometimes when I just need to recover a file I just deleted on Windows is HandyRecovery (the 1.0 version which was completely free) : it lets you browse the file tree while it is still building it, you can stop it as soon as it displays the wanted file, it will be able to recover it completely (unless it's been overwritten but then nothing will), and for a large partition with many many files on it and a huge MFT it can be way quicker than to wait for Recuva to complete its quick scan. Also the .exe can be run with no install, even from an external device.
Most of tools i tried did have the quick or deep scan and quick scan did find the files indeed. However as they were not open-able, I attempted deep scan a few times and stopped them after it had identified a number of the files in question. I understand this is not advised but I would have had no sleep if I waited for it to complete. The first tool seemed to only have deep scan though.
Could be explained by Murphy's Law, or indeed if it's a SSD the Trim command is designed to overwrite the deleted files as a background process.
As to why you still can find old pictures, I couldn't say. Are you sure that they were actually deleted, that they weren't stored somewhere as (still allocated) temporary files ?
i just checked and TRIM is enabled.
As for old pictures, you may actually be right that at least some of them are temporary files. Reason being is that there were a lot of emoticons and random icons that look like they were part of software etc recovered. There were definitely some old pictures recovered that were deleted, but those pictures were duplicates (When I backup pics, I have a 'best' and 'all' pics folder and then usually delete 'best' folder after) and hence I can't be sure if it recovered them or just found temporary versions of the pic still on the laptop?
Anything I can do to check whether they are actually deleted files?
Any half decent recovery software should not write anything to the scanned drive – neither during the scan, nor after the completion when choosing the location where the files should be extracted, it shouldn't even let you attempt to write on it if you want to. But some of them are less than half decent...
Recently I tried to remotely help someone who had accidentally deleted an important Powerpoint file he was working on, which was stored only on a USB pen drive, 16GB capacity, about 8GB of free space which should be plenty ; he had tried a bunch of recovery softwares, to no avail. I made a quick scan with Recuva, which indicates if the deleted files have been overwritten and if so, by which file (it's not 100% reliable in my experience but most of the time it does provide accurate information) : the wanted file had been overwritten precisely by files extracted with one of those recovery softwares (which did not prevent him to do so), or, ironically, by files from a “FileHistory” directory, which is apparently related to an automatic recovery function in Windows 8+ (I'm still using Windows 7 so I didn't know about it). You'd think that it should have been unlikely, considering the large amount of free space, but it did happen. And even Recuva (which is otherwise an efficient tool) doesn't display a warning when the user attempts to recover a file on the same device and partition.
It is a bit sneaky of most software to not give large warnings prior to use tbh. Knowing what I do now, I would probably take out the storage device straight to professional help if it had really important files.
The reason I even attempted this was I read a post by someone that apparently worked as a data recovery specialist who claimed that some files could be recovered even with multiple wipes and what not by using some statistical tools or something. I felt a bit silly that I couldn't even recover files in a 'controlled test' haha. Though I think he was talking about mechanical hard drives, not sure if TRIM on SSDs may affect his answer.
Again, Recuva should tell you by which files the files you want have been overwritten, if any. It can also display the header of each file, which is the begining of the file in hexadecimal : with some experience, you instantly recognize if a JPEG file has a valid JPEG header or not. If there's garbage instead, or just zeroes, then nothing can be done, even by a professional, the original file is gone.
Alternatively, you can open some of the files in an hexadecimal editor, like WinHex (commercial) or HxD (free), and see what they look like inside. If the file is supposed to be a JPEG picture, first open a few valid JPEG files, you'll see that they always begin with the characters “ÿØÿ”, or “FF D8 FF” in hexadecimal. If a recovered JPEG file starts with anything else, then nothing can “fix” it. If the header is correct but the second half has been overwritten, you typically can see half of the picture, the rest appears as random strips of colors – and again, nothing can fix this.
Doing what you're doing right now is definitely a very good idea : test various methods when you don't need them, so that you know what to do and don't panic when you actually need to recover something and failure is not an option !
Otherwise, you should sort out the good softwares from the crappy ones, know their strenghts and weaknesses, which type of situation best fits each of them, and have them installed on your computer from then on, preventively. You can also run some of them in “portable” mode, if you need to scan your system partition, but if you absolutely need a file which was deleted on your system partition, the best course of action is to shut down the computer immediately, and then scan the drive as an external device from another computer (or better yet, perform a complete image of the relevant partition and scan this instead of the drive itself), because each second you run the drive, data could be written at the exact spot where that file is / used to be.
For instance, Recuva is usually less efficient than R-Studio to rebuild a file tree (which is an advanced commercial software, as opposed to a freeware), but it completes its quick scan in a matter of seconds, whereas R-Studio can take hours, so if you just want to recover one file which has just been deleted it might be overkill, and even counterproductive if the drive is a SSD with Trim enabled : each second the wanted data could be wiped, so the quicker the scan the better. Photorec is designed to recover files in “raw file carving” mode, meaning, it does not rely at all on the filesystem and the metadata, it just extracts files based on their “signature”, which is their header / footer patterns, specific to each file type (one caveat, beyond the fact that you lose the original name as well as the timestamps, is that it's unlikely to fully recover fragmented files). If the files you want have been found by a recovery software with their actual names and sizes and timestamps, it means that the MFT records containing the metadata for those files and their exact locations are still there, but if they have been overwritten then Photorec will not be able to detect them because they no longer have any characteristic header, they now appear as random data (or empty data).
I'm pretty sure I saw only zeros in one of the software that allowed me to see the hex data and since TRIM is enabled, I'm gonna say I have no chance of recovering. Funny thing is that I think Recuva was the one software out of the ones I tried with that capability which said the files were not overwritten. However still not open-able when recovered.
I also read a bit about TRIM and why its good in regards to performance of SSDs but it does mean that essentially you have no margin for error when deleting files...
Apart from people that do want things to be unrecoverable, surely a better version of the TRIM function would be to setting a delay, i.e. The function starts after say 24 hours in the background.
I read a few other topics in this forum where people are recovering files off SSDs which have disabled TRIM . Do people disable it because they prefer the safety over the speed degradation?
Think I'm going to have to start backing stuff on cloud as well as external drives as both my laptops have only SSDs running.
Thanks for the detailed answer btw!
Re: Data Recovery on SSD - Where did I go wrong?
March 31st, 2018, 5:35
I'm pretty sure I saw only zeros in one of the software that allowed me to see the hex data and since TRIM is enabled, I'm gonna say I have no chance of recovering. Funny thing is that I think Recuva was the one software out of the ones I tried with that capability which said the files were not overwritten. However still not open-able when recovered.
Trim function, from what I understand, operates at a lower level than the NTFS filesystem, it must be triggered by the SSD's firmware and most likely leaves no trace of which sectors were wiped within the filesystem, so Recuva can't be aware that those sectors were wiped, since they have not been overwritten by another file, they haven't been re-allocated. It will probably not be aware either if you manually wipe a file with an hexadecimal editor (with WinHex for instance : right-click then “Wipe securely”).
Anything I can do to check whether they are actually deleted files?
If you don't know their exact location, and the software didn't make it explicit if they were deleted or not, I can't see how, now. But for instance, if you extract files with Photorec, you can choose to scan the “free space” only, and each extracted file is named after the number of its first sector (i.e. “f123456.jpg” > first sector of that file is nr. 123456), so even if files were extracted from the whole space, with WinHex you can open the volume, and go to that sector (Navigation > Go to sector) (if files were extracted from the whole device the sector number is “absolute” has to be corrected with the partition offset to obtain the sector number relative to a given partition), it will indicate if that sector belongs to an allocated file or is considered as “free space”.
In R-Studio, files found by signature search are located in a separate folder called “Extra found files” ; but in that folder there are files which have only be found as “raw” files (usually with a random number, or named after their characteristics, like their dimensions for picture files), and files which have also been identified as part of the regular folders, which appear with their native names and timestamps, with a blue arrow symbol, meaning that they are “hard-linked”, they are actually the same file appearing in both locations, if you right-click on such a file and left-click on “Links”, it displays the other location, and clicking on the name of the file directly leads to the other location. There's also a red cross symbol for files/folders which are recognized as having been deleted (they are no longer allocated but still have their metadata intact in the MFT).
The reason I even attempted this was I read a post by someone that apparently worked as a data recovery specialist who claimed that some files could be recovered even with multiple wipes and what not by using some statistical tools or something. I felt a bit silly that I couldn't even recover files in a 'controlled test' haha. Though I think he was talking about mechanical hard drives, not sure if TRIM on SSDs may affect his answer.
From what I know, that pretty much a urban legend (after a single wipe nothing can be recovered, at least with software means, and even with the most advanced technology available I doubt that it's actually feasable to recreate usable files out of those hypothetical faint magnetic traces), but I'd be curious to read that post.
I also read a bit about TRIM and why its good in regards to performance of SSDs but it does mean that essentially you have no margin for error when deleting files...
That's indeed a caveat with SSDs... It's a problem for forensics investigators as well.
Apart from people that do want things to be unrecoverable, surely a better version of the TRIM function would be to setting a delay, i.e. The function starts after say 24 hours in the background.
I don't know exactly how it operates, but it may not be possible if it's indeed at a lower level than the operating system. The operating system could be aware of how much time went by since a given file was deleted, but the firmware most likely can't access that kind of data, it just knows which sectors are allocated and which are not. It would probably make the firmware much more complex to have it deal with that sort of things, which are beyond the scope of strict hardware operation. Data recovery is definitely an afterthought for the designers of storage devices !
Knowing what I do now, I would probably take out the storage device straight to professional help if it had really important files.
Well, it's tricky, because bona fide data recovery experts might be overkill for a simple case of an accidentally deleted folder, and the price tag might be steep for 10GB worth of pictures as in your experiment, while general purpose computer repair technicians, while way cheaper, can be just as likely as the average user to screw things up. (Quick example : a few years ago, I had copied a selection of pictures and videos on my mother's computer. One day, she had a nasty virus, had to call a technician. The dude removed the virus, then he saw that the system partition was almost full – probably because of large restore points or something similar, which would have been easy to pinpoint with something like WinDirStat, and to clean in a matter of seconds. The 1TB HDD had two 500GB partitions, the other was almost empty, so at least he could have moved that large folder with the pics and vids to that partition with no fuss and no loss – using the native Robocopy command line tool even the timestamps are preserved ; but he asked her if he could delete it altogether... She didn't even know it was there for her, she was barely a beginner with the computer, she said there was nothing important in there... and he did delete it that damn dimwit ! O_o And he got paid about 80€ if I remember correctly... I didn't lose anything, but I had spent quite some time to make that selection so I was still quite pissed.)
Re: Data Recovery on SSD - Where did I go wrong?
March 31st, 2018, 9:22
abolibibelot wrote:Trim function, from what I understand, operates at a lower level than the NTFS filesystem, it must be triggered by the SSD's firmware and most likely leaves no trace of which sectors were wiped within the filesystem, so Recuva can't be aware that those sectors were wiped, since they have not been overwritten by another file, they haven't been re-allocated. It will probably not be aware either if you manually wipe a file with an hexadecimal editor (with WinHex for instance : right-click then “Wipe securely”).
Aha, that makes sense.
If you don't know their exact location, and the software didn't make it explicit if they were deleted or not, I can't see how, now. But for instance, if you extract files with Photorec, you can choose to scan the “free space” only, and each extracted file is named after the number of its first sector (i.e. “f123456.jpg” > first sector of that file is nr. 123456), so even if files were extracted from the whole space, with WinHex you can open the volume, and go to that sector (Navigation > Go to sector) (if files were extracted from the whole device the sector number is “absolute” has to be corrected with the partition offset to obtain the sector number relative to a given partition), it will indicate if that sector belongs to an allocated file or is considered as “free space”.
In R-Studio, files found by signature search are located in a separate folder called “Extra found files” ; but in that folder there are files which have only be found as “raw” files (usually with a random number, or named after their characteristics, like their dimensions for picture files), and files which have also been identified as part of the regular folders, which appear with their native names and timestamps, with a blue arrow symbol, meaning that they are “hard-linked”, they are actually the same file appearing in both locations, if you right-click on such a file and left-click on “Links”, it displays the other location, and clicking on the name of the file directly leads to the other location. There's also a red cross symbol for files/folders which are recognized as having been deleted (they are no longer allocated but still have their metadata intact in the MFT).
I don't know the locations but I'll try some of the suggestions to see if I can figure it out.
It was a post from a Quora question so not a good reference but the guy sounded pretty convincing:From what I know, that pretty much a urban legend (after a single wipe nothing can be recovered, at least with software means, and even with the most advanced technology available I doubt that it's actually feasable to recreate usable files out of those hypothetical faint magnetic traces), but I'd be curious to read that post.
https://www.quora.com/My-PC-broke-and-I ... hard-drive
The answer from Chris Bartle and some of the replies to comments on his post were interesting. Though he doesn't seem to give any evidence when asked for it so may not be all true.
That's indeed a caveat with SSDs... It's a problem for forensics investigators as well.
Interesting read and problem. Kind of makes it easier for even the 'dumbest' criminals to be able to fully destruct data.
I don't know exactly how it operates, but it may not be possible if it's indeed at a lower level than the operating system. The operating system could be aware of how much time went by since a given file was deleted, but the firmware most likely can't access that kind of data, it just knows which sectors are allocated and which are not. It would probably make the firmware much more complex to have it deal with that sort of things, which are beyond the scope of strict hardware operation. Data recovery is definitely an afterthought for the designers of storage devices !
I googled a bit more and seems like it is like you say, dependent on firmware of SSD. I may do another test but this time not leaving my laptop for around 2hrs prior to attempting to recover to see if there is any opportunity to recover files before being trimmed.
Well, it's tricky, because bona fide data recovery experts might be overkill for a simple case of an accidentally deleted folder, and the price tag might be steep for 10GB worth of pictures as in your experiment, while general purpose computer repair technicians, while way cheaper, can be just as likely as the average user to screw things up. (Quick example : a few years ago, I had copied a selection of pictures and videos on my mother's computer. One day, she had a nasty virus, had to call a technician. The dude removed the virus, then he saw that the system partition was almost full – probably because of large restore points or something similar, which would have been easy to pinpoint with something like WinDirStat, and to clean in a matter of seconds. The 1TB HDD had two 500GB partitions, the other was almost empty, so at least he could have moved that large folder with the pics and vids to that partition with no fuss and no loss – using the native Robocopy command line tool even the timestamps are preserved ; but he asked her if he could delete it altogether... She didn't even know it was there for her, she was barely a beginner with the computer, she said there was nothing important in there... and he did delete it that damn dimwit ! O_o And he got paid about 80€ if I remember correctly... I didn't lose anything, but I had spent quite some time to make that selection so I was still quite pissed.)
That is true I guess. Whenever it comes to solving pc problems, I usually just use trial and error based on googling the problems, but obviously that is not a good strategy for data recovery so I'm glad I did this with test data.
I've been lucky enough not to need a pc technician bar when my charger/laptop stopped charging. I was very nervous he would fuck something up given that he had to open it up to find out if it was a charger or laptop problem but luckily it was just the charger.
I need to set a good system for backing pictures tbh but every time I start, i get overwhelmed by the amount of duplicates and random locations I've saved stuff before. and as I'm the only one backing up everything for my whole family, it quickly gets complicated.
My current set up is to backup everything to an external drive and have bought 1TB of cloud storage for over 2 years without having uploaded anything yet lol. Waiting to "sort it all out" before uploading. Might bite me if 'knock on wood' somehow I lose access to both PCs/laptops and external drive.
Cheers for all the explanations and help btw
Re: Data Recovery on SSD - Where did I go wrong?
March 31st, 2018, 13:19
I'm too lazy to read all this first post, let alone all the replies, but I'll just answer the title question:
The instant this was done Windows 10 sent a T.R.I.M. command to the SSD notifying it that those sectors are now available and ready to be prepared for new data. This is because SSDs can only write ones, they can't write zeros without clearing a whole block. Without T.R.I.M. SSDs would quickly slow down with usage.
After the SSD received the T.RI.M. command it began clearing those blocks during any idle times. Since this is all done at a hardware level, it's quite fast.
In all likelihood the files were permanently gone within just a few minutes of when you deleted them. Neither professional recovery nor DIY would have any chance unless the SSD was powered off immediately when it happened.
Then I deleted them ("perma deleted" as they were too large to go on recycle bin).
The instant this was done Windows 10 sent a T.R.I.M. command to the SSD notifying it that those sectors are now available and ready to be prepared for new data. This is because SSDs can only write ones, they can't write zeros without clearing a whole block. Without T.R.I.M. SSDs would quickly slow down with usage.
After the SSD received the T.RI.M. command it began clearing those blocks during any idle times. Since this is all done at a hardware level, it's quite fast.
In all likelihood the files were permanently gone within just a few minutes of when you deleted them. Neither professional recovery nor DIY would have any chance unless the SSD was powered off immediately when it happened.
Re: Data Recovery on SSD - Where did I go wrong?
March 31st, 2018, 16:09
Also, further more, a professional with proper advanced equipment, as oppose to an amateur, would be able to put the SSD in tech mode, which would disable TRIM, therefore allowing to clone the SSD and work off the clone to see what can be recovered. Of course, as mentioned before, if the SSD was not powered on much after the deletion took place.
Re: Data Recovery on SSD - Where did I go wrong?
April 2nd, 2018, 18:18
And no mention was made of compressed files. Try changing some specific bytes in a jjpg or doc file and you will see it stops working.
Powered by phpBB © phpBB Group.