Determining timestamp of filesystem change  

tom.vargas
(@tom-vargas)
New Member

Hi,
We had a machine that originally had Windows 7 and Ubuntu as dual boot, which we had provided to external users/consultants.

Sometime later,
(i) the Windows 7 partition was formatted and changed to Ubuntu (ext4 file system) (a later version than the existing Ubuntu on the dual boot)
(ii) after some time/work done on that partition, the Ubuntu was formatted and CentOS (ext4 file system) put on it.

So, right now, it has CentOS and Ubuntu in a dual boot setup.

(1) Can we determine the exact date on which Windows 7 was changed to Ubuntu?
(2) Would any data recovery be possible from the original windows 7 setup at this point?
I mean, a good amount of work / files being generated has been done in both Ubuntu and CentOS over the past several months.

Answer to question 1 would help us limit the amount of data we seek to recover, so from our additional operational notes, we would be more certain as to what exact data we want to recover.

Thanks

Posted : 01/03/2019 7:46 am
pbobby
(@pbobby)
Active Member

1. Determine the date of install of Ubuntu - at least based on your scenario.

2. It depends - recommend your best bet is to carve for MFT records. For each intact record you can parse out the data runs for the file therein. (You will have to adjust for start of volume). Do all this on the raw partition that contains Ubuntu. It's a lotta work.

Posted : 06/03/2019 2:41 pm
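As an added illustration of the workflow pbobby describes (this is example code written for this thread, not pbobby's own tooling), the Python below does the per-record part in one place: it scans a raw image for the `FILE` signature at sector boundaries, verifies the update-sequence fixups so that torn or partly overwritten records are discarded rather than trusted (the "intact record" test), pulls the name and creation time out of `$FILE_NAME`, decodes the data runs of the unnamed `$DATA` attribute, and converts those runs to byte offsets on the whole disk. Everything that would come from the case is assumed here: the partition start LBA (2048), the cluster size (4096 bytes, the Windows 7 default for volumes under 16 TB, which has to be assumed because the NTFS boot sector that recorded it no longer exists) and the sample record, which is constructed inline rather than taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch (100 ns ticks)

def apply_fixups(raw):
    """Undo the update-sequence fixups. NTFS stamps the USN over the last two bytes of every
    512-byte sector and keeps the real bytes in the USA; a mismatch means a torn record."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record not intact")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_data_runs(buf):
    """Run list -> [(LCN, clusters)]. Header byte: low nibble = length field size, high nibble =
    offset field size. Offsets are signed, relative to the previous run; size 0 = sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
        runs.append((lcn if off_sz else None, length))
    return runs

def parse_record(raw):
    """Fixup-verify one record; return flags, $FILE_NAME (name, created) and unnamed $DATA runs."""
    rec = apply_fixups(raw)
    attr_off, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
            "names": [], "data_runs": [], "data_size": None}
    pos = attr_off
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and not rec[pos + 8]:               # resident $FILE_NAME
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            created = struct.unpack_from("<Q", rec, body + 0x08)[0]
            name = rec[body + 0x42:body + 0x42 + 2 * rec[body + 0x40]].decode("utf-16-le")
            info["names"].append((name, EPOCH_1601 + timedelta(microseconds=created // 10)))
        elif atype == ATTR_DATA and rec[pos + 8] and rec[pos + 9] == 0:  # non-resident, unnamed
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            info["data_size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
            info["data_runs"] = decode_data_runs(rec[pos + run_off:pos + alen])
        pos += alen
    return info

def carve_records(image, step=SECTOR):
    """Yield (offset, record) for each FILE record at a sector boundary whose fixups verify."""
    for off in range(0, len(image) - RECORD_SIZE + 1, step):
        if image[off:off + 4] == b"FILE":
            try:
                yield off, parse_record(image[off:off + RECORD_SIZE])
            except ValueError:
                pass

def run_disk_offsets(runs, partition_start_lba, cluster_size):
    """(LCN, clusters) -> absolute (byte offset, length) on the whole disk: the 'adjust for start
    of volume' step. cluster_size is assumed (4096 = Windows 7 default); the boot sector is gone."""
    return [(partition_start_lba * SECTOR + lcn * cluster_size, n * cluster_size)
            for lcn, n in runs if lcn is not None]

def build_sample_record():
    """Constructed sample, not from a real disk: in-use record for 'budget.xlsx' with two runs."""
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)                # USA at 0x30: USN + 2 entries
    struct.pack_into("<HHIIQHHI", rec, 0x14, 0x38, 1, 0, RECORD_SIZE, 0, 3, 0, 4711)  # in-use, rec# 4711
    name = "budget.xlsx".encode("utf-16-le")
    ft = int((datetime(2018, 6, 15, 12, tzinfo=timezone.utc) - EPOCH_1601).total_seconds())
    body = struct.pack("<QQQQQQQII", 5, *[ft * 10_000_000] * 4, 0, 0, 0x20, 0)
    body += bytes([len(name) // 2, 1]) + name                           # name length, namespace, name
    pos, fn_len = 0x38, 0x18 + len(body)
    struct.pack_into("<IIBBHHHIHBB", rec, pos, ATTR_FILE_NAME, fn_len, 0, 0, 0x18, 0, 0,
                     len(body), 0x18, 1, 0)
    rec[pos + 0x18:pos + fn_len] = body
    runs = bytes([0x21, 0x10, 0x34, 0x12, 0x11, 0x04, 0xF0, 0x00])     # 16 cl @ 0x1234, 4 cl @ -0x10
    pos, da_len = pos + fn_len, 0x40 + len(runs)
    struct.pack_into("<IIBBHHHQQHHIQQQ", rec, pos, ATTR_DATA, da_len, 1, 0, 0x40, 0, 1,
                     0, 19, 0x40, 0, 0, 20 * 4096, 81820, 81820)
    rec[pos + 0x40:pos + da_len] = runs
    struct.pack_into("<I", rec, pos + da_len, ATTR_END)
    struct.pack_into("<I", rec, 0x18, pos + da_len + 8)                 # bytes used in record
    rec[0x30:0x32] = usn = b"\x07\x00"
    for i in (1, 2):                                                    # save real tails, stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

On a real case you would read the raw partition (or the whole-disk image) into `carve_records`, keep the hits whose `data_runs` are non-empty, and then read each `run_disk_offsets` range from the disk image, trimming the last run to `data_size`; whether those clusters still hold the Windows 7 file, rather than ext4 metadata or months of newer files, has to be checked per file.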
tom.vargas
(@tom-vargas)
New Member

Hi,
Sorry that I didn't totally understand what you mentioned.
The point you mentioned in your (2), "MFT records etc.", is it to determine the date of ubuntu install you refer to in your (1)?
Or is it to do data recovery?

Thanks

Posted : 11/03/2019 4:18 am
jaclaz
(@jaclaz)
Community Legend

Hi,
Sorry that I didn't totally understand what you mentioned.
The point you mentioned in your (2), "MFT records etc.", is it to determine the date of ubuntu install you refer to in your (1)?
Or is it to do data recovery?

Thanks

I don't know.

The idea #2 by pbobby (which IMHO is making a lot of optimistic assumptions) is that IF
1) the NTFS volume where Windows 7 was installed was only "quick" formatted
2) that the (presumably ext3/4) filesystem used by the Ubuntu install did not entirely overwrite the $MFT
3) that the several months activity of the Ubuntu did not entirely overwrite the $MFT
4) that when the partition was re-formatted it was again a non-wipe format
5) that the (presumably ext3/4) filesystem used by the CentOS install did not entirely overwrite the $MFT
6) that the later activity of the Ubuntu and CentOS dual boot did not entirely overwrite the $MFT

then, maybe, you will be able to carve some $MFT records and from them, maybe, you will be able to gather the actual position of *some* files, then, IF the file was not (entirely or partially) overwritten/wiped by any of the later activity, then you will have some files to recover from the original Windows 7 setup.

So, yes, it is only about the possibility of recovering something.

About point #1, if it is ext2/3/4, dumpe2fs should do (file system creation time), but if the volume was re-formatted at the time CentOS was installed[1], it is likely that the file system creation time will reflect that time.
http://landoflinux.com/linux_dumpe2fs_command.html

jaclaz

[1] This is not clear in your initial report: if we are talking of the same (only) partition/volume, it was re-formatted from NTFS to ext2/3/4 at the time of the Ubuntu install, but then why should it have been re-formatted at the time CentOS was installed, and if it was actually re-formatted, then the Ubuntu must have been re-installed just before or soon after CentOS was installed …

Posted : 11/03/2019 11:37 am