Someone asked me if I could retrieve a folder which suddenly seemed gone. It contains pictures which have a certain value to him and hasn't made any backup of it.

As i'm studying in this field he thought I would maybe able to retrieve them. Though I don't know the right tool (open source/free preffered) to find the data. I used some free recover tools (undelete and a demo of getdataback etc.) but didn't find anything.

He says the folder used to be in the folder documents and dissapeared from one day to another. I assume that if the data isn't overwrited there should be a few photo's that could be saved.

Try using TESTDISK (or in your case the PHOTOREC app coming with it):
www.cgsecurity.org/wiki/TestDisk
www.cgsecurity.org/wiki/PhotoRec

jaclaz

thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered.

Sjors wrote:

thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered.

Well, what do you want from a freebie? BLOOD?

Of course if you recover images bypassing filesystem and reading RAW data, as photorec does, you lose any info about filenames they had and folders where they were stored.

It seems to me that you do not appreciate enough that you actually recovered SOME photos.

If the image have EXIF data, they can be re-indexed/re-named:
www.cgsecurity.org/wik...g_PhotoRec

Otherwise you can try using some CBIR "colour based" app, this one is Freeware:
Imagesorter
mmk1.f4.fhtw-berlin.de...ageSorter/

It all depends on the "certain value" attributed to the images.....
...if I had lost in a HD crash the only copy of a picture I love of my parents or gradmother/grandfather, I would search for it in hundreds of thousands of recovered photos, definitely better pastime than most current TV shows...

jaclaz

jaclaz wrote:

Sjors wrote: thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered. Well, what do you want from a freebie? BLOOD? Of course if you recover images bypassing filesystem and reading RAW data, as photorec does, you lose any info about filenames they had and folders where they were stored. It seems to me that you do not appreciate enough that you actually recovered SOME photos. If the image have EXIF data, they can be re-indexed/re-named: www.cgsecurity.org/wik...g_PhotoRec Otherwise you can try using some CBIR "colour based" app, this one is Freeware: Imagesorter mmk1.f4.fhtw-berlin.de...ageSorter/ It all depends on the "certain value" attributed to the images..... ...if I had lost in a HD crash the only copy of a picture I love of my parents or gradmother/grandfather, I would search for it in hundreds of thousands of recovered photos, definitely better pastime than most current TV shows... jaclaz

I do appreciate it very much, but what I meant to tell is I don't know if I actually recovered any of the missing images.

The harddrive is intact and can be used as primary or secundary drive and by that means contains alot of images which weren't lost and accessable.

But now I ripped all the images and can't say if any of them are the missing as I don't know where they were recovered from and maybe were the images from other folders. And because I don't know which images were lost it doesn't help if I look at them one by one (as I can't tell if those are the missing ones).

I hope you understand what I mean and once more I'm gratefully for your assistance and help. And I will try your other two options

Edit: Thanks for Photerec sorter is makes it alot easier to go through the images now

Sjors

If you are OK with Linux you could try the Sleuthkit and Autopsy from
Sleuthkit. Without having your hard disk it is hard to know what happened. If the relevant folder was accidentally deleted, depending on file system and usage of the PC after deletion, the record relating to the deleted folder and contents may still be in the file system structure.

Personally I would try booting the machine with a forensic boot disk e.g Caine from CAINE and fire up autopsy. Go to the parent folder of the deleted folder and see if sleuthkit has found the parent folder and content records in the filesystem (such records are highlighted in red). You could then try manually copying those directories/files out or using the fundl script to try and recover them.

You to first of all read the disk to discover locations of all existing known files. Then scan the unallocated space. This will pick up otherwise unknown files. A dedup will then elimate the same file twice.

If the misisng directory was deleted, then check for deleted files

If this disk has been corrupted, then scan the disk for old directory entries, either NTFS , MFT entries or FAT directory stubs.

If the disk hasn't been used since the problem, then files will
be found, but with any Raw read, you may have to cope with fragmented files.

You can also use FTK Imager (It is free) to look at the drive.

LarryDaniel wrote:

You can also use FTK Imager (It is free) to look at the drive.

I used it but it didn't show me the missing folder

@ Stumpy thanks for the info I will try with linux