A friend's front office computer went out in his dental office, so I offered to try to recover his dental images.
I ddrescue'd the drive, and after a few days, was able to create a big dd image.
I then mounted that dd image and then xxcopy'd all the jpg file over to a different folder, but unfortunately, the only ones I could find were all in the recycle bin.
I then ran Photorec against that dd image, but all the files have weird names. I'm now looking for a tool that helps me piece together the original file name, as their patient records heavily depend on having these original file names.
Any suggestions? Photorec is making folders "recov.1", "recov.2", etc folders and putting in everything there with names like fxyz1234.jpg. These are pictures of teeth (so they're obviously good), but now there is now way to match them with original file names.
Any suggestions would be greatly appreciated.
Roger@DIYdriverecovery.com
You are trying to get photorec to do something it wasn't designed for.
If you want original file names and paths, the only way to do so is to analyze the metadata structures (such as the MFT).
What tools do you have access too? Pretty much any forensic tool worth it's salt will read the metadata structures and give you a file system structure, which you can then export to your hearts content.
There are also some data recovery tools that only look at the metadata structures and carve out files based on that. I do not know of any open source/free ones.
That is, of course, assuming you got a good image of the disk, and all the metadata structures are present.
Otherwise, more details are needed. Such as what was wrong with the computer? Why did you need to use ddrescue, and so on.
You are doing data carving which finds files based on signature. It works without a file system, so for very corrupted, damaged disks it is a great tool.
For data recovery you want to make use of what there is left of the file system (probably NTFS or FAT32). It is the file system that saves the file names, and directory names. Data carving can only 'guess' at file names, but most packages only give a sequential name for the file.
It is improbable that the whole $MFT has gone.
You could try with DMDE
http//softdm.com/
to see if it can find (and access) what is left of it. (I am assuming NTFS).
Found files are found "with their names".
Usually you can then use the "cluster map" feature, which can sometimes help to recover more files.
The issue is of course that of fragmented files.
But talking of .jpg, it is a "rich" format and - like it is the case with images coming from digital cameras, they may contain useful info, in this case post-processing the output of Photorec is often useful, see
http//
jaclaz
There are many non-forensic tools for recovering pictures. E.g. http//
Oh boy - all of the above replies aside, the images you found were in the recycle bin.
You don't need to carve or anything like that, you need to understand recycle bin forensics. This will tell you where the JPG images were originally located.
I presume this is critical since the images are only associated with people by a folder name or original file name? And nothing in the image itself identifies who the patient is that the picture belongs to?
Oh boy - all of the above replies aside, the images you found were in the recycle bin.
The photos he found were in the recycle bin. He does not say if this was the complete set of photos, or just a few.
I suspect that the majority of photos were initially 'lost', hence trying a carving program.
Taking a disk image was correct - but after that it is data recovery rather than carving that is required.
Oh boy - all of the above replies aside, the images you found were in the recycle bin.
You don't need to carve or anything like that, you need to understand recycle bin forensics. This will tell you where the JPG images were originally located.
I presume this is critical since the images are only associated with people by a folder name or original file name? And nothing in the image itself identifies who the patient is that the picture belongs to?
OP stated
I then mounted that dd image and then xxcopy'd all the jpg file over to a different folder, but unfortunately, the only ones I could find were all in the recycle bin.
I then ran Photorec against that dd image, but all the files have weird names. I'm now looking for a tool that helps me piece together the original file name, as their patient records heavily depend on having these original file names.
As I read the above, "direct find" on the mounted image ONLY produced some images that were in Recycle Bin (and this was NOT the expected result).
Then "direct access"/"carving" through Photorec provided more images but (obviously) with "queer names".
Hence the suggestion of attempting a more "proper" data recovery process and/or check if there is any metadata in the already recovered by "carving" images.
jaclaz