Hi friends,
yesterday i was trying to recover deleted data from a laptop, and it's not the first time i do this kind of operation.
But something goes wrong this time.. many recovered file are unreadable… for example in many office file (.doc or .xls) i saw pieces of API call or process list…
I've found in windows\prefetch that some day ago a disk defragmentation was performed… ok, maybe that operation could be scheduled by the OS…
Well, i desire to better understand the impact of disk defragmentation (in this case NTFS partition) on data recovery or forensics activity, can you help me?
http//
tell us "The defragmenter finds a contiguous area on each volume large enough to hold all the listed files and directories that reside on that volume and then moves them in their entirety into that area so that they are stored one after the other."
Ok..however..this movement update MFT, isn't it?
How this operation affect an operation of data recovery?
Thanks
—
Pierluca
defragging a drive can cause a huge problem with data recovery. The disk layout can be dramatically modified as a result of the defragmenting process. It will overwrite unallocated clusters when it moves files around to create a better disk layout and yes, the MFT entries will be modified - cluster numbers will change.