Recovering deleted folders

(@cart34)
Posts: 11
Active Member
Topic starter
 

I have a 160GB hard drive that contained one 50GB NTFS partition. The partition was deleted and then re-imaged with the same type and size as the original partition (50GB NTFS). The hard drive contained a folder with important documents. What are the chances of recovery? I imaged the hard drive with FTK Imager, creating a dd image. I am currently processing the image in FTK AD LAB version 4.1. I am data carving for Word documents, JPEGs, .pst and .pdf files.

Any suggestions would be great

Thanks

 
Posted : 19/09/2014 7:37 am
(@mscotgrove)
Posts: 938
Prominent Member
 

There are many data recovery programs that will help you (some good, some less good).

I would scan the disk to find all existing MFT entries. If you are lucky, the disk will have the same base locations for the file system. If you are not lucky you will have to determine the original volume start, and base recoveries on that value. You will then need to determine which files are from the new installation and those from the old. If you find your files this way, you will have the correct file names, dates etc.

If the above fails, you will require data carving, but this will not give the original file names, (my program tries to generate some file names, and dates, based on meta data, but this is an educated guess).

It is possible that the files you require have been overwritten. You may find MFT entries for the files you want, but then discover that they have been overwritten.

Carving for PST files will probably fail because the files are large, and so often fragmented.

 
Posted : 19/09/2014 1:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have a 160gb hard drive that contained one 50Gb NTFS partition. The hard partition was deleted and then re imaged with the same type and size of the original partition(50gb NTFS)

It depends on the specific tool that was used to take the image before and how exactly it was re-applied.
If you used a "dd-like" imaging tool the chances are 0 (zero) as every single sector will have been rewritten.

If you used a file oriented tool you have some chances, depending on a number of factors these chances can be very small or very high.

As an example, if the image was taken a lot of time ago when the partition had (say) 40% free space and the one you deleted had only 10% free space, there are good chances to find *something*, but if the image was already "nearly full" your chances get smaller and smaller.

jaclaz

 
Posted : 19/09/2014 3:30 pm
hvisti
(@hvisti)
Posts: 10
Active Member
 

Hi,

It depends. Not a very helpful start.

If you have done a "soft" format to the drive, all data should be there as it only creates file system structures.

File carving might be ok if the files are easily recognised, but it generally produces a lot of rubbish and distinguishing the real thing might be difficult.

Your data is with a strong certainty there. The question is whether the MFT entries are. They should be, as a format only overwrites the initial MFT entry set. If you can locate those, you have pointers to the file data structures.

As a self-appointed NTFS guru having done quite a lot of programming on NTFS structures, I would try finding the relevant MFT entries by hand if your FTK method fails. Explaining what to do would be too complex a thing for a forum post. However, you could analyse whether this method has a chance of success by looking at the file system image with a hex editor. All MFT entries are 1024 bytes long and start with the string FILE. They also always start at a sector boundary.

In that 1024-byte block there are several attributes. One of them is $FILE_NAME and another is $DATA. The key attribute at this stage is $FILE_NAME, which contains the file name in Unicode. Start browsing through all MFT entries you can find. There are many system files and irrelevant items, but if you can locate the entries for your missing files, you can then use their $DATA to find the file contents and reassemble them. Just keep in mind the names are in Unicode, so an ASCII string search would not reveal them in your hex editor, as they show as ".f.i.l.e.n.a.m.e" due to the encoding.

If you need to resort to this and you can locate the MFT entries, contact me and I can give you some pointers and information from my lectures on how to do this.

Hannu

 
Posted : 19/09/2014 3:42 pm
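Both mscotgrove's suggestion to scan the disk for surviving MFT entries and Hannu's description of what to look for (1024-byte records starting with FILE at a sector boundary, a $FILE_NAME attribute holding the UTF-16 name, a $DATA attribute pointing at the content) can be automated. The script below is an added example and is not code from either poster or from any tool they mention. It walks a raw dd image sector by sector, validates each FILE record through its update-sequence fixup (so a torn or half-overwritten record is rejected rather than mis-parsed), decodes $FILE_NAME and the unnamed $DATA stream's runlist, and reports the in-use flag, which is what lets you separate records belonging to the re-imaged volume from stale ones. The image it scans is constructed inside the script, as are the record-builder helpers; field offsets follow the published NTFS on-disk record layout, and the 4096-byte cluster size used in the builder is an assumption for the sample only.

```python
# Added example: scan a raw image for NTFS MFT records and pull out $FILE_NAME and
# the unnamed $DATA. Offsets follow the public NTFS on-disk layout; all sample bytes
# below are constructed test data, not from a real disk.
import struct

RECORD_SIZE, SECTOR = 1024, 512
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixup(rec):
    """Undo the update-sequence fixup; None means a torn or garbled record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt != RECORD_SIZE // SECTOR + 1 or usa_off + 2 * usa_cnt > SECTOR:
        return None
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):  # the last 2 bytes of every sector must equal the USN
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            return None
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_runlist(rl):
    """Decode a runlist into absolute (lcn, clusters); lcn None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(rl) and rl[pos]:
        len_sz, off_sz = rl[pos] & 0x0F, rl[pos] >> 4
        count = int.from_bytes(rl[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:  # offset is signed and relative to the previous run's LCN
            lcn += int.from_bytes(rl[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((lcn if off_sz else None, count))
    return runs

def parse_record(raw):
    """Return record number, in-use flag, file names and where the content lives."""
    rec = apply_fixup(raw) if raw[:4] == b"FILE" else None
    if rec is None:
        return None
    pos, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "names": [], "data_runs": [], "resident_data": None, "size": None}
    while pos + 16 <= RECORD_SIZE:
        atype, alen, nonres, name_len = struct.unpack_from("<IIBB", rec, pos)
        if atype == ATTR_END or alen < 16 or pos + alen > RECORD_SIZE:
            break
        if atype == ATTR_FILE_NAME and not nonres:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + clen]
            info["names"].append(body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"))
        elif atype == ATTR_DATA and name_len == 0:  # the unnamed stream is the file body
            if nonres:
                rl_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
                info["size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
                info["data_runs"] = parse_runlist(rec[pos + rl_off:pos + alen])
            else:
                clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
                info["resident_data"], info["size"] = rec[pos + coff:pos + coff + clen], clen
        pos += alen
    return info

def scan_image(image):
    """Try every sector boundary; a 'FILE' string mid-sector is not a record."""
    hits = []
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        info = parse_record(image[off:off + RECORD_SIZE]) if image[off:off + 4] == b"FILE" else None
        if info:
            hits.append(dict(info, offset=off))
    return hits

# Builders for the constructed sample image (test data only, not a real volume).
def resident_attr(atype, body):
    alen = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return (hdr + body).ljust(alen, b"\0")

def nonresident_data_attr(runlist, size, clusters):
    alen = (0x40 + len(runlist) + 7) & ~7
    hdr = struct.pack("<IIBBHHH", ATTR_DATA, alen, 1, 0, 0x40, 0, 0)
    hdr += struct.pack("<QQHHIQQQ", 0, clusters - 1, 0x40, 0, 0, clusters * 4096, size, size)
    return (hdr + runlist).ljust(alen, b"\0")

def build_record(name, data_attr, number):
    fn = bytearray(0x42) + name.encode("utf-16-le")
    fn[0x40], fn[0x41] = len(name), 1  # name length in UTF-16 units, Win32 namespace
    attrs = resident_attr(ATTR_FILE_NAME, bytes(fn)) + data_attr + struct.pack("<II", ATTR_END, 0)
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(attrs), RECORD_SIZE)
    struct.pack_into("<I", rec, 0x2C, number)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x07\x00"  # fixup: stash each sector's real tail in the USA, put the USN there
    rec[0x30:0x36] = usn + bytes(rec[510:512]) + bytes(rec[1022:1024])
    rec[510:512] = rec[1022:1024] = usn
    return bytes(rec)

def build_sample_image():
    """Two good records, a torn copy (USN mismatch) and a stray mid-sector 'FILE'."""
    doc = build_record("report.docx", nonresident_data_attr(b"\x21\x04\x34\x12\x00", 16000, 4), 40)
    txt = build_record("notes.txt", resident_attr(ATTR_DATA, b"hello"), 41)
    torn, filler = bytearray(doc), bytearray(SECTOR)
    torn[1022:1024], filler[100:104] = b"\x99\x99", b"FILE"
    return bytes(SECTOR * 2) + doc + bytes(filler) + bytes(SECTOR) + txt + bytes(torn)
```

On a real image you would feed `parse_record` 1024-byte slices read from the file at each sector offset instead of building the image in memory. The data runs it returns are logical cluster numbers, so turning them into image offsets requires the volume's start sector and cluster size, which, as mscotgrove points out, you have to establish first if the new volume did not land at the same base as the old one.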
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If you have done a "soft" format to the drive, all data should be there as it only creates file system structures.

Not really-really, it depends on the OS used and on the format command used (if any).

As an example, up to XP, yes.
From Vista onwards, unless the "quick format" option was chosen or the /q switch specified on command line, the volume will have been wiped.

And of course no matter the above if what was later written to the volume was a "dd-like" image, the chances remain 0.

Your data is with a strong certainty there.

Maybe yes, maybe no, there is no way to say without EXACT, DETAILED information.

The OP, BTW, never talked of formatting or re-formatting the partition.

jaclaz

 
Posted : 19/09/2014 5:04 pm