±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 36212
New Yesterday: 4 Visitors: 196

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Corrupt/Missing folder how to trace?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

Sjors
Member
 

Corrupt/Missing folder how to trace?

Post Posted: Feb 11, 09 15:09

Someone asked me if I could retrieve a folder which suddenly seemed gone. It contains pictures which have a certain value to him and hasn't made any backup of it.

As i'm studying in this field he thought I would maybe able to retrieve them. Though I don't know the right tool (open source/free preffered) to find the data. I used some free recover tools (undelete and a demo of getdataback etc.) but didn't find anything.

He says the folder used to be in the folder documents and dissapeared from one day to another. I assume that if the data isn't overwrited there should be a few photo's that could be saved.  
 
  

jaclaz
Senior Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 11, 09 15:31

Try using TESTDISK (or in your case the PHOTOREC app coming with it):
www.cgsecurity.org/wiki/TestDisk
www.cgsecurity.org/wiki/PhotoRec

jaclaz  
 
  

Sjors
Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 12, 09 13:26

thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered.  
 
  

jaclaz
Senior Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 12, 09 14:21

- Sjors
thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered.

Well, what do you want from a freebie? BLOOD? Shocked

Of course if you recover images bypassing filesystem and reading RAW data, as photorec does, you lose any info about filenames they had and folders where they were stored.

It seems to me that you do not appreciate enough that you actually recovered SOME photos. Rolling Eyes

If the image have EXIF data, they can be re-indexed/re-named:
www.cgsecurity.org/wik...g_PhotoRec

Otherwise you can try using some CBIR "colour based" app, this one is Freeware:
Imagesorter
mmk1.f4.fhtw-berlin.de...ageSorter/

It all depends on the "certain value" attributed to the images.....
...if I had lost in a HD crash the only copy of a picture I love of my parents or gradmother/grandfather, I would search for it in hundreds of thousands of recovered photos, definitely better pastime than most current TV shows... Wink

jaclaz  
 
  

Sjors
Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 12, 09 14:46

- jaclaz
- Sjors
thanks, after all images are extracted they are just stored in maps without any information where (which path) they were recovered from. And a total of 56000 images were recovered and I have no idea which images where stored in the corrupt/missing folder so kinda impossible for me to see if the images I looked for were recovered.

Well, what do you want from a freebie? BLOOD? Shocked

Of course if you recover images bypassing filesystem and reading RAW data, as photorec does, you lose any info about filenames they had and folders where they were stored.

It seems to me that you do not appreciate enough that you actually recovered SOME photos. Rolling Eyes

If the image have EXIF data, they can be re-indexed/re-named:
www.cgsecurity.org/wik...g_PhotoRec

Otherwise you can try using some CBIR "colour based" app, this one is Freeware:
Imagesorter
mmk1.f4.fhtw-berlin.de...ageSorter/

It all depends on the "certain value" attributed to the images.....
...if I had lost in a HD crash the only copy of a picture I love of my parents or gradmother/grandfather, I would search for it in hundreds of thousands of recovered photos, definitely better pastime than most current TV shows... Wink

jaclaz


I do appreciate it very much, but what I meant to tell is I don't know if I actually recovered any of the missing images.

The harddrive is intact and can be used as primary or secundary drive and by that means contains alot of images which weren't lost and accessable.

But now I ripped all the images and can't say if any of them are the missing as I don't know where they were recovered from and maybe were the images from other folders. And because I don't know which images were lost it doesn't help if I look at them one by one (as I can't tell if those are the missing ones).

I hope you understand what I mean and once more I'm gratefully for your assistance and help. And I will try your other two options

Edit: Thanks for Photerec sorter is makes it alot easier to go through the images now Smile  
 
  

stumpy
Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 12, 09 16:12

Sjors

If you are OK with Linux you could try the Sleuthkit and Autopsy from
Sleuthkit. Without having your hard disk it is hard to know what happened. If the relevant folder was accidentally deleted, depending on file system and usage of the PC after deletion, the record relating to the deleted folder and contents may still be in the file system structure.

Personally I would try booting the machine with a forensic boot disk e.g Caine from CAINE and fire up autopsy. Go to the parent folder of the deleted folder and see if sleuthkit has found the parent folder and content records in the filesystem (such records are highlighted in red). You could then try manually copying those directories/files out or using the fundl script to try and recover them.  
 
  

mscotgrove
Senior Member
 

Re: Corrupt/Missing folder how to trace?

Post Posted: Feb 12, 09 16:23

You to first of all read the disk to discover locations of all existing known files. Then scan the unallocated space. This will pick up otherwise unknown files. A dedup will then elimate the same file twice.

If the misisng directory was deleted, then check for deleted files

If this disk has been corrupted, then scan the disk for old directory entries, either NTFS , MFT entries or FAT directory stubs.

If the disk hasn't been used since the problem, then files will
be found, but with any Raw read, you may have to cope with fragmented files.  
 

Page 1 of 2
Page 1, 2  Next