±Your Account
Membership:
New Today: 0
New Yesterday: 4
Overall: 24360
Visitors: 53
±Latest Articles
· Catching the ghost: how to discover ephemeral evidence with Live RAM analysis
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
· Geo-tagging & Photo Tracking On iOS
· KS – an open source bash script for indexing data
· Mobile Device Geotags & Armed Forces
· Categorization of embedded system forensic collection methodologies
· Interpretation of NTFS Timestamps
· What are ‘gdocs’? Google Drive Data – part 2
· What are ‘gdocs’? Google Drive Data
· Bad Sector Recovery
· Forensic Artifact: Malware Analysis in Windows 8
±Follow Us
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
Go to page Previous 1, 2
Sure, after a "new quick" format (or "old normal") you can usually recover 100% or nearly 100% of data (you may have issues with fragmented files).
Basically a new format (with the same filesystem, such as FAT32 on FAT32) overwrites only some parts of the bootsector and the FAT tables, the actual data is still entirely there.
No.
Sometimes - no offence intended
- I wonder if before operating (at a "certain level") a PC/OS, the proper instructions have been given and understood.
If you open a disk with a hex editor, go to the MBR and write *anything* over the last two bytes, the disk will become "needing to be initialized".
If you open a disk with a hex editor, go to the MBR and write *anything* over the partition table entry, the volume will become "RAW".
If you open a volume with a hex editor, go to the PBR and write *anything* to the last two bytes or in several other places connected with the BPB, the volume will become "RAW".
Of course apart the very little modifications made, at the most two sectors, all the other sectors are exactly as they were before.
If anything is changed in the MBR or the PBR, you can normally use a "partition level" recovery, the volume (and all it's contents is practically unmodified and it can be recovered 100%.
If anything is changed in the MBR or the PBR AND in the FAT tables or the $MFT you can try "filesystem level" recovery, with somewhat (depending on the extension of the changes) lower percentage of success.
If also the FAT tables or $MFT have been overwritten/wiped extensively or totally, your only chance is "file level" recovery with an expected result of 100% or nearly 100% for contiguous files and a much lower rate for heavily fragmented files.
With sticks, however, I have seen more than one case where the "becoming RAW" was an issue within the controller (or the actual flash/whatever) and after having become "RAW", independently from whether data recovery was successfull or not (in hwole or part) a simple re-format was not enough to have the stick working, and the use of the Manufacturer Tool was needed.
In some of these cases the only "way out" to recover the data is to by-pass the controller and read data directly from the flash, through "specialized" hardware and software.
Same happens with conventional disks, but un these cases usually there are other issues (like the disk being "busy" or not detected at all.
The rule of the thumb is - if you find that a volume becomes RAW and you value the data on it - to power down/disconnect the device as soon as you can and ask for help/support BEFORE doing ANYTHING to it.
You might like this thread:
www.forensicfocus.com/...pic/t=5150
@Adam10541
Well, you are not the first one to fall in this nicely laid trap, been there, done that
, JFYI:
www.msfn.org/board/top...-question/
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
Data recovery software for formatted USB stick
Re: Data recovery software for formatted USB stick
Posted: Thu Jul 05, 2012 2:38 am
Jaclaz you've just shown me how far I've let my basic knowledge slip to not be aware of that!!!
Just tested and confirmed on a Win7 machine, I never thought I'd see the day that Windows would implement something thorough like that
Just tested and confirmed on a Win7 machine, I never thought I'd see the day that Windows would implement something thorough like that
-
Adam10541 - Senior Member
Re: Data recovery software for formatted USB stick
Posted: Thu Jul 05, 2012 5:10 am
- XCell
It was done under Win 7.
If the format hadn't taken place, and the memory stick was still RAW, would there have been any chance of data recovery?
Sure, after a "new quick" format (or "old normal") you can usually recover 100% or nearly 100% of data (you may have issues with fragmented files).
Basically a new format (with the same filesystem, such as FAT32 on FAT32) overwrites only some parts of the bootsector and the FAT tables, the actual data is still entirely there.
- XCell
Again, the hex data showed nothing was saved on the stick, but could that be because the software couldn't find it due to the RAW system?
No.
Sometimes - no offence intended
- I wonder if before operating (at a "certain level") a PC/OS, the proper instructions have been given and understood.If you open a disk with a hex editor, go to the MBR and write *anything* over the last two bytes, the disk will become "needing to be initialized".
If you open a disk with a hex editor, go to the MBR and write *anything* over the partition table entry, the volume will become "RAW".
If you open a volume with a hex editor, go to the PBR and write *anything* to the last two bytes or in several other places connected with the BPB, the volume will become "RAW".
Of course apart the very little modifications made, at the most two sectors, all the other sectors are exactly as they were before.
If anything is changed in the MBR or the PBR, you can normally use a "partition level" recovery, the volume (and all it's contents is practically unmodified and it can be recovered 100%.
If anything is changed in the MBR or the PBR AND in the FAT tables or the $MFT you can try "filesystem level" recovery, with somewhat (depending on the extension of the changes) lower percentage of success.
If also the FAT tables or $MFT have been overwritten/wiped extensively or totally, your only chance is "file level" recovery with an expected result of 100% or nearly 100% for contiguous files and a much lower rate for heavily fragmented files.
With sticks, however, I have seen more than one case where the "becoming RAW" was an issue within the controller (or the actual flash/whatever) and after having become "RAW", independently from whether data recovery was successfull or not (in hwole or part) a simple re-format was not enough to have the stick working, and the use of the Manufacturer Tool was needed.
In some of these cases the only "way out" to recover the data is to by-pass the controller and read data directly from the flash, through "specialized" hardware and software.
Same happens with conventional disks, but un these cases usually there are other issues (like the disk being "busy" or not detected at all.
The rule of the thumb is - if you find that a volume becomes RAW and you value the data on it - to power down/disconnect the device as soon as you can and ask for help/support BEFORE doing ANYTHING to it.
You might like this thread:
www.forensicfocus.com/...pic/t=5150
@Adam10541
Well, you are not the first one to fall in this nicely laid trap, been there, done that
, JFYI:www.msfn.org/board/top...-question/
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
jaclaz - Senior Member