Gentle Beings,
I am currently looking at a harddrive for a friend of a friend. It seems before it was given to me someone else had a go at recovering the data and by the looks of it naffed it up.
I'm viewing it in Encase V4 at the moment because it is the only version that will detect anything on the HDD! (which seems wrong to me). It seems there is a newly formatted partition for 78GB out of the possible 150GB. I found what is most likely the second partition and recovered a NTFS partition. But all I get is unallocated clusters, but there is definately information in the sectors.
When I attempt to run recover folders it says the boot block on the new partition I created is corrupt. Very Annoying, it works on the first partition however.
Is there anything that can be done in Encase or another forensic tool to solve this?. I have attempted to look for the backup boot sector but could not find it.
Any help on this matter is greatly appreciated,
Thanks and regards,
Kevin
Kevin,
are you trying to recover it to a bootable state or just grab files? If its the latter of the two, I'd suggest making another DD image and hitting it with scalpel or foremost in linux.
Ctendell,
Thanks for the speedy reply, it's actually just the original HDD. And you're right, it is the later, we literally just want to grab the files, well a specific collection of files, but we can weed that out later in the analysis.
Thanks for the tips, i'll take a look at those as soon as I can,
Appreciated,
KH
Find the backup VBR ( Last sector on volume )
In EnCase add the disk w/o reading file system and go to the backup VBR in disk view. Then select "Add Partition" in V6.13 there is the "Backup boot sector option" taht should work.
I've also had success with GetData back.
If you are doing Forensics, use Forensic Apps.
If you are doing Data Recovery, use Data Recovery apps.
wink
TESTDISK
http//
TestDisk can
Fix partition table, recover deleted partition
Recover FAT32 boot sector from its backup
Rebuild FAT12/FAT16/FAT32 boot sector
Fix FAT tables
Rebuild NTFS boot sector
Recover NTFS boot sector from its backup
Fix MFT using MFT mirror
Locate ext2/ext3 Backup SuperBlock
Undelete files from FAT, NTFS and ext2 filesystem
Copy files from deleted FAT, NTFS and ext2/ext3 partitions.
In case of failure, you can always try using PHOTOREC
http//
to salvage RAW data.
As a side note, if you recover a bunch of nameless photos/pictures, this app is very, very nice to find the ones you wnat/need
http//
jaclaz
You should check boot sequence. There is a problem in some boot files. Or you can boot it using booting cd available in market. Once you get booting cd, just boot your system using it and after that first step to do is run recovery option from window and recover your system to the date when your system was running good.