Hi all, I have just done a recovery job on an Intellex machine running Windows 2000 containing video footage. The hard drives had been wiped by an individual who is suspected of a few things. Had no bother getting back and restoring the data; however, the owner of the business asked me to try and identify when the drive was formatted and the time. I would appreciate any help with this or advice on some handy program that may help me with this.
Thanks in anticipation
David
however the owner of the business asked me to try and identify when the drive was formatted and the time.
Has the disk been re-partitioned after having been wiped? 😯
Or, if you prefer, do you have a "drive" (in the sense of whatever gets a drive letter in Windows) at all? (or partition or volume)
Which filesystem?
Has the Volume a label?
Which OS are you running?
If a Windows NT based system, a tool like DMDE
http://softdm.com/
or NTFSwalker/FATWalker
http//
would give you the date and time the label was made (FAT) or the date the main metadata files, typically the $MFT and $MFTMirr, have been created.
jaclaz
Thanks for your reply, Jaclaz. The Intellex software resides on a Win 2000 install. The drive was FAT32 and appeared to have been reformatted as same, no label or partition created. Thanks again, I will check out your suggestions, have to be easier than multiplying hex Dec and other such mind-bending solutions! David.
Well, if the volume was actually wiped and during the Format no label was assigned to the Volume, and the volume is FAT32, then you have nothing to read.
I guess you should better define "wipe", however, under 2K a format won't actually wipe the data, which is then normally recoverable.
I am not at all familiar with Intellex, but FAT32 would be a very UNcommon filesystem to store video data 😯 , and these tools tend to actually assign a label to a volume they use.
jaclaz
I have recovered the files; they show up as AVI and are 20 MB in size, all these were then placed in directories as they would have been before the incident. They will now replay using Intellex player. This part of the job gives us footage of interest and even shows the individual interfering with equipment. However, the business owner wanted the date and time of the 'format' so as to add additional weight to his confrontation. I feel that the employee just did the simple act of right click and format on the drives in question. They both showed up as clean new drives with no visible data on them when I saw them first. I was mistaken earlier when I said no vol label, there is of course a 4 or 5 digit number! My forays into the world of data recovery are usually confined to home users losing their data; this job was for me a much more serious business. I enjoy this kind of work, but this job for a number of reasons has convinced me that it's a good idea to get some in-depth training when at this level. Thanks again for taking the time to reply. David.
I was mistaken earlier when I said no vol label, there is of course a 4 or 5 digit number!
Good.
A volume label on FAT 12/16/32 occupies an entry in the (root) directory and since it is re-created when formatting it may indicate (if the label was given at the same time as the formatting) the exact date/time the formatting took place.
At least, if the label was not given within the format command, it marks a date/time when the label command was given, necessarily after the formatting took place.
If you simply right click and choose "format", the previous label is kept (I mean the value/string) but the entry in the filesystem is re-created, giving a "useful" date/time.
jaclaz
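
The check described in the last reply, as an added example (not part of the thread and not code from DMDE or FATWalker): it scans raw FAT root-directory bytes for the volume-label entry (attribute 0x08) and decodes its last-write date/time. It assumes the root directory has already been extracted from a forensic image; the function names and the sample bytes are constructed for illustration, and FAT timestamps are the local clock time of the machine that wrote them, with 2-second resolution.

```python
import struct
from datetime import datetime

ATTR_VOLUME_ID = 0x08
ATTR_LONG_NAME = 0x0F  # LFN entries also carry bit 0x08 and must be skipped

def fat_datetime(date_word, time_word):
    """Decode FAT date/time words: local time, 2-second resolution."""
    try:
        return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F,
                        date_word & 0x1F, time_word >> 11,
                        (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)
    except ValueError:  # zeroed or corrupt field
        return None

def find_volume_label(root_dir):
    """Return (label, write_time) from raw root-directory bytes, or None."""
    for off in range(0, len(root_dir) - 31, 32):
        entry = root_dir[off:off + 32]
        if entry[0] == 0x00:  # end-of-directory marker
            break
        attr = entry[11]
        if entry[0] == 0xE5 or attr & 0x3F == ATTR_LONG_NAME:
            continue  # deleted entry or long-file-name fragment
        if attr & ATTR_VOLUME_ID:
            wtime, wdate = struct.unpack_from("<HH", entry, 22)
            label = entry[:11].decode("ascii", "replace").rstrip()
            return label, fat_datetime(wdate, wtime)
    return None

def build_entry(name, attr, when):
    """Build a 32-byte directory entry (used only for the constructed sample)."""
    d = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    t = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    return (name.ljust(11).encode("ascii") + bytes([attr]) + bytes(10)
            + struct.pack("<HHHI", t, d, 0, 0))

# Constructed sample: LFN fragment, label entry, then end-of-directory.
SAMPLE = (b"\x41" + bytes(10) + bytes([ATTR_LONG_NAME]) + bytes(20)
          + build_entry("12345", ATTR_VOLUME_ID, datetime(2009, 3, 14, 17, 42, 36))
          + bytes(32))

if __name__ == "__main__":
    print(find_volume_label(SAMPLE))
```

Run it against a copy of the image, never the original drive, and compare the decoded time with the system clock setting of the machine in question.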