Hi,
I have a case where I need to recover documents and e-mails from a formatted drive.
The the drive in the machine in question was formatted, OS re-install and reassign to another user. How do recover from the drive documents or email that were created by the previous user?
Chanses are 50-50, try with R-studio
You will find somethnig for shure but
is that be enough…
Techniques for structure recovery are different depending on the File System, so you should provide us with more info. Anyway, if you know the specific file types you are interested on, I think it is a good idea to search directly for the headers of those file types in the unallocated clusters of the re-formated volume. Good luck!
For NTFS it is often possible to detect old MFT entries. These can point to old files.
It does depend on how much data has been written since reformatting. One hope, is that the new operating system is the same as the previous one, and so occupied the same space, ie not overwritting the data.
It is NTFS and I need to carve out Lotus Notes NSF files.
The hard drive was formatted and OS installed. I need to find the nsf files for the previous user prior to the reformat.
do you know if it was a quick or full format ?
Not sure, can i tell from an e01 image?
Full formats on disks are not very common (they take too long).
NSF files tend to be rather long, and so there is a high chance they may be fragmented. For this reason you require software that will scan for any old MFTs. With a following wind, you may be lucky and find the one for the original NSF file.
A bit more of the same following wind and it maybe the area has not been overwritten. The MFT entry will contain the cluster locations of the original file.
If the MFT has been reused, then it will be a matter of trying to find the old file by scanning / carving, a NSF file starts 0x1a 0x00 0x00 0x00 etc, but fragmentation may be a major problem.
Good luck
Any good software to recommend to scan for old mft?
How to locate the original file on the old mft?
Any software that I can use to carve the NSF using the header 0x1a 0x00 0x00 0x00?
0x1a 0x00 0x00 0x00, is this the correct header for NSF file?
I am sure there are several packages, but I would hope my own one, CnW Recovery will help you. The demo should indicate if it is possible.
Use the 'Recover from file entries' and 'Scan all MFT entries'
The e01 handling is new and still being tested. The software will also accept a straight DD type file if there are e01 problems.