Dear team, my neighbor asked me to look at their drive to see if I can recover any data.
Apparently, he accidentally formatted the drive (external Seagate) but on top, he downloaded a software called "iskysoft data recovery" and let it run for 30 minutes before turning off the PC.
So now when I plug the drive in FTK I don't see anything under the root folder but I see many same size data under the unallocated space. See the attached screenshot.
Can anyone maybe enlighten me and provide some ideas on how to restore the data?
FTK Imager is NOT a data recovery program.
You should use a data recovery program, instead.
Since the volume was formatted there are two possibilities (assuming the OS is Windows post-XP)
1) the format was initiated as "full format". i.e. WITHOUT the /q switch (or checking the "Quick" checkbox in the GUI)
2) the format was initiated as "quick format"
IF #1 (and the format process took some time, i.e. more than ten minutes) there is NO data to be recovered, as the volume has been wiped.
IF #2 (and the format was almost instantaneous or anyway only a few minutes), the data is still there BUT filesystem structures have been overwritten and as such you can most probably only recover files by carving (you will be able to recover most "common format" files, only if they were contiguous on filesystem, losing path and filenames).
IF #2, try checking the volume in DMDE
https://dmde.com/
and/or running on it Photorec
https://
jaclaz
Hi Jaclaz, yes I understand FTK is not to recover (I am an EnCE) but just to look at the source. I think he did a quick format.
Did you look at the snapshot I uploaded? You can see the same size files, which to me looks like the job of this software he ran.
I might give it a go and try the same software before carving the data.
Any other suggestions anyone might have?
It seems to me the best way to test your hypothesis that
iSkysoft is to blame and to see if it creates the artefacts you have spotted would be to test it on another drive…
With all due respect to both, it seems to me like the scope (final goal) is to try and recover (if possible) any file, it doesn't really matter what the iSkysoft program did (or did not do), for all we know the "pseudo-files" that FTK sees could well be an artifact of FTK itself or *whatever else*, the whole point is if anything can be recovered.
If the volume has been (hopefully "quick") formatted, surely you won't see anything in root (independently from what the iSkysoft software may (or may not) have done).
jaclaz
As a first step I would certainly run testdisk on a binary image of this drive.
testdisk won't do anything in this case, the partition/volume is just fine.
Quick reminder
testdisk is useful for partitions, it deals with (and can often correct) partition tables and bootsectors, i.e. it is aimed at volume or filesystem recovery
photorec is useful for file based recovery
Here we have a perfectly fine partition/volume that has been (hopefully "quick") formatted.
jaclaz
[quote="jaclaz"]
If the volume has been (hopefully "quick") formatted, surely you won't see anything in root (independently from what the iSkysoft software may (or may not) have done).
jaclaz
[/quote]
Thanks for the advice, for sure it was a quick format. Not sure if you have seen the snapshot I uploaded but everything seems to be now resting in the unallocated space.
Do you have any suggestions for
1. Partition recovery, I know how to do this using EnCase but I don't have a dongle at home. Is there an alternative open source I could use?
2. Open source carving software?
Thanks in advance!
The "quick" formatting overwrites most (if not all) filesystem indexing structures, the partition doesn't change at all, and there is no "partition recovery" possible as the partition (and volume "inside" it) are still there, exactly where they were before, BUT with their "indexing structures" overwritten.
I already suggested two possible programs to you, Photorec is Open Source, DMDE is Commercial but a "Free" edition (with some minor limitations) is available, and the cost for a license is small enough.
Again, what you see in FTK as a number of possible files in "unallocated space" is likely to be an artifact of FTK, on a freshly formatted volume (even if only "quick" formatted) the WHOLE volume contents belong to unallocated space, simply because the "allocation tables" (they are called so in FAT filesystem, actually on NTFS the filesystem structures are different and more complex, but the basic idea is the same) have been overwritten.
My suggestion is to try first DMDE (it may find - maybe - some remnants of the filesystem structures) but very likely you will only have available "file recovery by carving" (which basically means that only contiguous files will be recovered "properly", losing their paths/filenames).
Then, run anyway Photorec, since the algorithms to identify files by carving them are different, it is entirely possible that it can recover something that DMDE missed.
jaclaz
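To illustrate the point made above about carving (contiguous files come back intact, fragmented ones do not, and names and paths are lost), here is an added example that is not part of the original thread: a simplified header/footer carver run over a constructed raw volume. It is not PhotoRec's or DMDE's algorithm; the sample files, the 512-byte cluster size and all function names are assumptions made for the demonstration.

```python
import hashlib

CLUSTER = 512
# Real magic numbers: (header, footer) per file type.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 1 << 20):
    """Return sorted (offset, ext, data) for each header..footer run in a raw image."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                      # no footer in range: skip this header
                pos = image.find(header, pos + 1)
                continue
            stop = end + len(footer)
            found.append((pos, ext, image[pos:stop]))
            pos = image.find(header, stop)
    return sorted(found)

def pad(data: bytes) -> bytes:
    """Pad to a whole number of clusters, as file data sits on disk."""
    return data + b"\x00" * (-len(data) % CLUSTER)

def build_demo_volume():
    """Constructed sample: one contiguous JPEG-like file, one fragmented PNG-like file."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 1000 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 1000 + b"IEND\xaeB`\x82"
    foreign = b"X" * CLUSTER                   # another file's cluster between the PNG's fragments
    volume = b"\x00" * CLUSTER + pad(jpeg) + png[:CLUSTER] + foreign + pad(png[CLUSTER:])
    return volume, {"jpg": jpeg, "png": png}

def verify(volume: bytes, originals: dict):
    """Compare each carved file with its original by SHA-256; names come from offsets only."""
    report = []
    for offset, ext, data in carve(volume):
        intact = hashlib.sha256(data).digest() == hashlib.sha256(originals[ext]).digest()
        report.append((f"carved_{offset:08d}.{ext}", len(data), intact))
    return report

if __name__ == "__main__":
    for name, size, intact in verify(*build_demo_volume()):
        print(name, size, "intact" if intact else "corrupt (fragmented)")
```

The fragmented file is still "found", but the carved bytes include the foreign cluster, so the result is larger than the original and fails the hash comparison.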