Join Us!

HELP NEEDED and cer...
 
Notifications
Clear all

HELP NEEDED and certainly appreciated  

Page 1 / 2
  RSS
tlucz-huba
(@tlucz-huba)
New Member

Hello,

I am new to this forum and also to a computer forensic problematic .

I am asking for help anyone. I have created a problem to myself. I have 2 harddrives. 80GB each.

HDD #1
———-
2 partitions:
C: –> Windows XP pro SP2 installed (around 25 GB)
E: –> (Software, Movies, Pictures etc., around 50 GB of data)

HDD #2:
———-
Slave, D: , around 75GB

I used PowerQuest Partition Magic 8.0 to resize C: (from 25 to 10GB)
Then I resized E: from 50 to 65 GB

Before I did that I have CLEANED and DEFRAGMENTED all drives

Now that didn`t seem to be "good enough", So I have decided I will transfer all data from E: to my new D: drive

I have noticed that even after I transfered all data, there was still like 6GB of used space on the E: drive.

I went to FOLDER OPTIONS and set the view for "show hidden files and folders". I still haven`t see anything on the drive - no folders, no files, nothing…

So I FORMATED the E: drive to "free up" that space.

I thing that`s where I screwed up. Now I have a dificulty with some data that i have transfered to D:

Some video, MP3 and jpeg files are "corrupted". i don`t care about movies and songs, but pictures are very important to me. Even though i have backed up most of it, I still have around 50-60 VERY important pictures I HAVE to recover or My girlfriend is gonna kill me. The pics are very special to her.

It seems that the pics have exactly the same size as they had on E: drive. But I can`t see them. Whenever I do, it opens the picture, but there is message "no preview available" in the middle of the blank screen.

I thing that somehow I have corrupted or destroyed the indexes that file system was using for these pics. But I can be wrong of course. I am almost certain that it had something to do with FORMATING of that 6GB "useless" space on E: drive after I transfered all data from there.

Can anyone HELP how to recover those pics PLEASE? If so, can you please provide an "idiot proof" tutorial, link to a book or tool, As I am a beginner.

I will appreciate any kind of help.

I know that some of you will probably say I should read a bunch of books, but I am afraid I don`t have that much time, even though I am finding computer forensic interesting.

Quote
Posted : 08/01/2005 7:56 am
gmarshall139
(@gmarshall139)
Active Member

private message sent

ReplyQuote
Posted : 08/01/2005 1:29 pm
GeVeZe
(@geveze)
New Member

i have the same problem

scandisk of windows deleted some files they are like index files

have same no preview error
and no preview also movies which i have in archive…

ReplyQuote
Posted : 16/01/2005 11:44 pm
gmarshall139
(@gmarshall139)
Active Member

Sounds like the $mft entry was deleted, the data is still there. You need an application that will let you search for the data in the unallocated clusters. Try Winhex.

ReplyQuote
Posted : 17/01/2005 1:40 pm
GeVeZe
(@geveze)
New Member

at Access menu
there is a menu lik $MFT(101MB) —-> recover

when i choose another partition its saved on that partiton

can you explain how should i recover? and where will i put that recovered file?

this $mft consist of only one file?

ReplyQuote
Posted : 17/01/2005 7:32 pm
gmarshall139
(@gmarshall139)
Active Member

The $mft is one file, it is the table of contents so to speak for an NTFS file system. I wouldn't advise that you mess with it unless you are working off an image. That's not where the data is anyway, that's just where the file name and data location is stored. The data is in your unallocated clusters. You need an application that will allow you to search for and carve out the data in the unallocated space. Try norton utilities, it may allow you to do it a little easier. Otherwise you'll need to look at the drive with a hex editor, determine the header for the data you are looking for, and try to carve it out. That is unless you have a forensic application you can use, or know someone that does.

ReplyQuote
Posted : 17/01/2005 7:43 pm
GeVeZe
(@geveze)
New Member

i used active undelete for data recovery
but the pictures and movies are still cannot open

recovered files also cannot open

after i recover from winhex this $MFT
then i put it using a tool like active undelete?

ReplyQuote
Posted : 17/01/2005 8:04 pm
gmarshall139
(@gmarshall139)
Active Member

forget about the $mft, you don't need to do anything with it.

if you can recover the files copy them out to another folder and try to view them.

ReplyQuote
Posted : 17/01/2005 8:12 pm
GeVeZe
(@geveze)
New Member

manualy i can recover only 1percent of drive

i cannot understand one thing

i will recover the $MFt which is 101MB on my drive
this is ok

but then i will put on allocated drive of that drive

its is the same thing!!?

i am taking one file and putting same file to same place?!!!

ReplyQuote
Posted : 17/01/2005 8:21 pm
gmarshall139
(@gmarshall139)
Active Member

I'm not sure I completely understand your problem. Originally you stated that scan disk deleted a few files. Now it sounds as if you are saying that the entire partition is gone. There's more to rebuilding a partition than just recovering the $mft file. There are products out there that can help you recover partitions.

If the data is at all important I would suggest that you get someone who is qualified to do it for you. It is a very simple process to rebuild a partition if you have the proper tools and knowledge. The chances of you overwriting something and making the partition recovery impossible are fairly high, especially if you are working on the original.

ReplyQuote
Posted : 18/01/2005 2:22 am
GeVeZe
(@geveze)
New Member

no partition is ok

only 40 Gb of 186GB is deleted and i recovered them with a active undelete

but also aprox 100GB of data has cannot open. I see the data is there. It takes 700MB disk space but still cannot open.

i see MFT recored and i remember scandisk is deleted some numeric files like MFT records. I guess i understand problem well

forget about mpg and jpg files but some txt files MUST to open

as you said i download winhex and cracked it. then using -right click recover- taked a copy of $MFT to a healty partition.

after this?

ReplyQuote
Posted : 18/01/2005 5:30 am
gmarshall139
(@gmarshall139)
Active Member

If the partition is ok, and you have at least part of your data available, then you must have a functional $mft file. As I said before, you have apparently lost part of your $mft. What you are recovering is only part of the MFT. Putting it in another partition will not do any good. Your text files, if they are very small (under 1kb) would be resident data, they would exist entirely within the master file table.

I wouldn't advise you to try to put the recovered $mft back on the original partition. You may overwrite your healthy mft and loose everything. If you can make a copy then try it on that. I would suggest that you search for and try to recover the files that are important to you.

ReplyQuote
Posted : 18/01/2005 1:32 pm
GeVeZe
(@geveze)
New Member

there is no way to take a image of disk
because its 200GB

only 20GB of data accessible. so taked copy.

how can i merge deleted $mft files into $mft. 200GB has only one partiton.

i remember scandisk is deleted files like 786444,786445 ………

now i see some of my files deleted and moved to found.000 (files aprox 43GB).
meybe deleted $mft's is can there???

ReplyQuote
Posted : 18/01/2005 6:25 pm
gmarshall139
(@gmarshall139)
Active Member

Unless your very familiar with the mft I don't think you can merge them back together, I'm not aware of any product that will do that either. Even if you were it would be very difficult. As the $mft file grows it becomes fragmented. Embedded within the $MFT is the location on the disk of the continuing extents for the MFT file. It may well be this portion of the MFT file that was damaged, so now it doesn't know where to look for the remainder. You would have to get into the good portion of the MFT file with a hex editor and change or add the pointers to the sector that the recovered mft extent now resides on. It is way beyond what I can describe here. And understand I am only speaking about what is theoretically possible, I have never personally attempted it. You may try searching the microsoft knowledge base. It has probably come up before. Because of all this I restate my suggestion that you focus on recovering the files themselves that are important, rather than rebuilding the mft.

ReplyQuote
Posted : 18/01/2005 7:40 pm
collar
(@collar)
New Member

Hi,

I suppose you can trey really powerful data recovery tools to restore without corrupting data. Among them are [email protected] undelete and Uneraser (for DOS). These are awesome soft indeed, as i've ised it before, they never failed or corrupted restored data. That is your real chance, give it a try.

http//www.active-undelete.com/

http//www.uneraser.com/

ReplyQuote
Posted : 02/12/2005 4:15 am
Page 1 / 2
Share: