Hey everyone,
So this is the case: A good friend of mine had some problems with his laptop because he wasn't able to boot Windows anymore. He told me that he tried everything to get it to work. In the end he said that he restored Windows, but all his files were gone.
So I decided to take a look at his laptop and I saw that he set the laptop back to its factory settings.
I wonder if there's any way to get his valuable files back. Because in theory all files on the drive are overwritten, right?
Thanks very much.
The files probably still exist.
Going back to factory setting just reloads the system files, and clears down the main MFT. Fortunately, the reloading will overwrite the files in the original location, and so not much data will be overwritten.
The biggest danger is when users start restoring files and old applications, as these can overwrite data.
To recover the files, I normally scan the drive for all old MFT entries. i.e., the whole disk is scanned for any 1024 byte FILE0 (or FILE*) entry that is then tested to see if it is a valid MFT. Files can then be recovered. If files are still missing, it is a case of a Raw scan and carving based on file signatures.
I would expect to get between 50 and 95% of the user files back.
For a FAT disk (unusual these days) a similar procedure can be used, but recovery rate is lower due to any file fragmentation details being lost.
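The FILE-record scan described in the reply above, as an added example that is not code from this thread or from any of the tools named in it: it walks a raw image sector by sector, validates every 'FILE' hit through the NTFS update-sequence fixup (which is what separates a real record from four matching bytes in random data), and pulls the name out of the $FILE_NAME attribute. The build_record helper and SAMPLE_IMAGE are constructed here for the demonstration.

```python
import struct
MFT_RECORD_SIZE, SECTOR = 1024, 512

def apply_fixup(rec):
    """Verify/undo the update-sequence fixup; None means this is not a real MFT record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count != MFT_RECORD_SIZE // SECTOR + 1 or usa_off + 2 * usa_count > SECTOR:
        return None
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):            # last 2 bytes of each sector must hold the USN
        if out[i * SECTOR - 2:i * SECTOR] != usn:
            return None                      # torn write, or just 'FILE' inside random data
        out[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def file_name_attr(rec):
    """Return the name from the first resident $FILE_NAME (0x30) attribute, or None."""
    off = struct.unpack_from("<H", rec, 20)[0]
    while off + 8 <= MFT_RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            return None
        if atype == 0x30 and rec[off + 8] == 0:          # resident attribute
            body = off + struct.unpack_from("<H", rec, off + 20)[0]
            return rec[body + 66:body + 66 + 2 * rec[body + 64]].decode("utf-16-le")
        off += alen
    return None

def scan_for_mft_records(image, step=SECTOR):
    """Return (offset, in_use, name) for every sector-aligned record that passes the fixup test."""
    hits = []
    for off in range(0, len(image) - MFT_RECORD_SIZE + 1, step):
        if image[off:off + 4] == b"FILE":
            rec = apply_fixup(image[off:off + MFT_RECORD_SIZE])
            if rec is not None:              # flags bit 0 = record in use
                hits.append((off, bool(rec[22] & 1), file_name_attr(rec)))
    return hits

def build_record(name, in_use=True):
    """Build a minimal MFT record for the constructed sample image (not from a real disk)."""
    body = bytes(64) + bytes([len(name), 1]) + name.encode("utf-16-le")   # refs/times/sizes zeroed
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHBB", 0x30, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    rec = bytearray(MFT_RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, int(in_use), 64 + len(attr), 1024)
    rec[56:60 + len(attr)] = attr + b"\xff\xff\xff\xff"                   # end-of-attributes marker
    rec[48:50], rec[50:52], rec[52:54] = b"\x07\x00", rec[510:512], rec[1022:1024]   # USN + saved bytes
    rec[510:512] = rec[1022:1024] = b"\x07\x00"
    return bytes(rec)

# Constructed sample "disk": two orphaned records plus a bare 'FILE' string the fixup check must reject.
SAMPLE_IMAGE = (bytes(2048) + build_record("Thesis.docx") + bytes(1536)
                + build_record("holiday.jpg", in_use=False) + bytes(512) + b"FILE" + bytes(1020))
```

On a real image the same scan is run over the whole device, and a record that validates but whose offset lies outside the current $MFT's runs is exactly the "no longer part of the file system" entry the reply refers to.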
First of all, thanks for the quick reply, really appreciate it.
To be really honest with you, I'm a starter and student in the 'forensic world'. So I bet I'm about to ask some questions from a real low level. If so, I'm sorry about that.
You mentioned performing a scan; can this be performed with a hex editor like WinHex? Also, what happens if I load the image of the hdd with open-source tools like Sleuthkit or Foremost? Will they be able to recognize/recover some of the files?
To be really honest with you, I'm a starter and student in the 'forensic world'.
This has very little to do with "pure forensics" and much more with "Data recovery" (which allows for a far "wider" choice of tools).
Something that you may want to try:
Freebie
ScroungeNTFS ( I presume the drive partition is/was NTFS formatted)
http//
Commercial
File Scavenger
http//
And then, of course, "pure RAW" data recovery, PHOTOREC:
http//
General advice (if needed):
http//
http//
jaclaz
The less you "look" at the hard drive by booting it in Windows, the more files you may be able to recover. You should remove the drive from the laptop and slave it using a USB-type connection to another machine running an operating system. This will cause minimal damage to the drive.
This is not a "forensic" task, but more of a data recovery task.
As Jaclaz suggested - search for software that will UNDELETE files or find deleted files - preferably one that will let you save the recovered file to another hard drive (and not the drive you are trying to recover data from) and try your luck that way.
Good Luck, dude!
-=ART=-
The files are not deleted, just not part of the file system. i.e., they will be in an MFT that is not part of the $MFT file.
NEVER try and recover files to the 'problem' drive. You can overwrite valuable data and lose it forever.
Just a quick update, guys: I removed the disk from the laptop and attached it with a writeblocker to my computer.
I ran ScroungeNTFS with the following command: scrounge-ntfs -l /dev/sdb.
This way I can check if the old MFT still exists; unfortunately it only recognizes 1 MFT, and that's the one the disk's currently using.
Output:
Start Sector End Sector Cluster Size MFT Offset
==================================================================
Drive: /dev/sdb
2048 24901632 8 6291456
24903680 308996096 8 6291456
333899776 154494976 8 6291456
As you can see, 3 partitions are still intact. The first one is the recovery partition, the second partition is the overwritten C drive. The third partition is a data partition that didn't get touched by the reset to factory settings. (At least, this is what I think, because there are 3 partitions currently on the disk.)
Anyone got a clue what to do?
Thanks very much.
EDIT
This is what FDISK outputs:
Disk /dev/sdb: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xaf26c261
Device Boot Start End Blocks Id System
/dev/sdb1 1 1551 12450816 27 Unknown
/dev/sdb2 * 1551 20785 154498048 7 HPFS/NTFS
/dev/sdb3 20785 30402 77247488 7 HPFS/NTFS
What you are showing is what is visible on the disk.
The MFTs I mentioned are no longer part of the file system and so have to be searched for with a recovery program.
The chances are that the partitions will be in the same location as the original disk, but this is not a 100% guarantee.
MAN page
http//
Sure, the -l is just to have an idea of which parameter to give to the -m, -c and start/end.
BUT you don't want to give the -m parameter in your case and use "RAW" search instead.
Under Windows it would be something like:
scrounge-ntfs.exe -d 1 -o D:\Somewhere\ 24903680 308996096
You don't need the -c 8, as a cluster of 8 sectors is the default.
jaclaz
ForensicIT_Dude,
If your friend has reformatted the drive, then it is likely that Windows has created a new $MFT over the top of the old one, which will wipe a number of the old records (though some may be recoverable if the $MFT expanded under the old NTFS schema). Without an in-depth analysis these records are beyond the reach of standard tools.
The data from the original files is probably still on disk but it is unlikely that there are any structures still pointing to them. In effect they are in unallocated space.
This being the case, scrounge-ntfs is unlikely to work, as it requires an active $MFT to work from and, as I have pointed out, the current one is unlikely to contain any legacy information. I think you would be much better served using file carving tools like scalpel, foremost or photorec.
Paul
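A signature-based carve of the kind scalpel, foremost and photorec perform over unallocated space, as an added example that is not code from this thread or from those tools. PNG hits are validated by walking the chunk chain and checking each CRC, so a stale or truncated hit is rejected rather than carved as garbage; JPEG uses the plain header-to-footer carve. GOOD_PNG, TRUNCATED_PNG, JPEG and SAMPLE_IMAGE are constructed inline for the demonstration.

```python
import struct, zlib

def carve_png(image, pos):
    """Walk PNG chunks from a signature hit; return the file, or None when the chunk chain is
    broken (bad CRC, no IEND), which is how a carver rejects a stale or partial hit."""
    off = pos + 8
    while off + 12 <= len(image):
        length, ctype = struct.unpack_from(">I4s", image, off)
        data_end = off + 8 + length
        if data_end + 4 > len(image):
            return None
        if zlib.crc32(image[off + 4:data_end]) != struct.unpack_from(">I", image, data_end)[0]:
            return None                      # CRC covers chunk type + data
        off = data_end + 4
        if ctype == b"IEND":
            return image[pos:off]
    return None

def carve_jpeg(image, pos, max_size=16 << 20):
    """Plain header-to-footer carve: SOI marker to the next EOI marker within max_size."""
    end = image.find(b"\xff\xd9", pos + 2, pos + max_size)
    return None if end == -1 else image[pos:end + 2]

CARVERS = {b"\x89PNG\r\n\x1a\n": ("png", carve_png), b"\xff\xd8\xff": ("jpg", carve_jpeg)}

def carve(image):
    """Return (type, offset, size) for each signature hit that carves to a complete file."""
    out = []
    for sig, (kind, fn) in CARVERS.items():
        pos = image.find(sig)
        while pos != -1:
            data = fn(image, pos)
            if data:
                out.append((kind, pos, len(data)))
            pos = image.find(sig, pos + (len(data) if data else 1))   # skip past a carved file
    return sorted(out, key=lambda h: h[1])

def png_chunk(ctype, data):
    """Helper for the constructed sample: length + type + data + CRC."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample of "unallocated space": a valid 1x1 PNG, the same PNG cut off before IEND, a JPEG.
GOOD_PNG = (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
TRUNCATED_PNG = GOOD_PNG[:-12]
JPEG = b"\xff\xd8\xff\xe0" + bytes(40) + b"\xff\xd9"
SAMPLE_IMAGE = bytes(512) + GOOD_PNG + bytes(100) + TRUNCATED_PNG + bytes(300) + JPEG + bytes(512)
```

The JPEG path shows the classic carver weakness too: a file with an embedded thumbnail contains a second SOI/EOI pair, so a footer search stops at the inner EOI unless the carver parses the marker segments the way the PNG path parses chunks.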