Looking for deleted (not destroyed) file recovery programs.

(@dubskies)
New Member
Joined: 14 years ago
Posts: 3
Topic starter  

Basically I've been going through various tools the past week trying to find a tool that can recover deleted files while keeping recursive file structures.

I work for a school district and a teacher had a student delete a massive amount of his organized paperwork folders. I can recover them but it's impossible to sort that many files. When I use Autopsy, the folder structures are intact but Autopsy only allows extracting single files at a time. I have used ~5 different ways and the closest I have gotten was to use DFF with the SANS Linux distribution, but it seems to get errors using the extract feature constantly and it stops the extract. Any ideas? THINK OF THE CHILDREN!!! haha jk lol


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

I think a lot of the tools will scan the disk sector by sector looking for file signatures. In this case there will be no directory structure available.


   
(@dubskies)
New Member
Joined: 14 years ago
Posts: 3
Topic starter  

> I think a lot of the tools will scan the disk sector by sector looking for file signatures. In this case there will be no directory structure available.

If that is the case, why are Autopsy and DFF coming up with folder structures?


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

The better tools look through both the master file table and the raw disk, using signatures (carving). Where the directory entries in the MFT haven't been overwritten, some, or all, of the directory structure can be reconstructed.

It was just an explanation of why _some_ of the tools might not deal with directories, and why some of the files you recover might have no known folder.

How big is the disk image and is any of the data confidential? We are always interested in looking at real life test cases. Be happy to have a play with a copy of the image if you can get one to us.


   
(@dubskies)
New Member
Joined: 14 years ago
Posts: 3
Topic starter  

Eeh, it's not my information so I am not going to give it out, sorry. But I appreciate the response. I guess my situation is kind of unique (much like any forensic situation). But I just know the files were not overwritten because this kid deleted a lot of system files to make the system unbootable. So we ripped a copy of his HD and reimaged the PC to get him back to work. Now I have deleted but completely intact directories of files, and I would love to extract only a couple of folders instead of a 50gig partition and go through everything.


   
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Have you tried something really simple like FTK Imager?


   
(@jlellis)
Active Member
Joined: 14 years ago
Posts: 16
 

> Have you tried something really simple like FTK Imager?

Thinking the same thing. Might not boot but still might mount.


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

'Biased answer'

My CnWRecovery software will optionally scan all MFT entries and recover any files found (there is an option to include deleted files). When a parent directory node is missing, a dummy directory entry is inserted, which can often generate a valid tree structure underneath it. As Passmark said, it is always a possibility that the required directory entry has been overwritten.

For selecting just the correct folders, there is a file filter option that allows files to be selected with many parameters including file type, date and directory location.

The software will also work in similar ways for FAT and MAC disks.

Another option to reduce file searching is to make use of NSRL hash tables to eliminate any standard files.

Data carving should always be considered the last option as file names, fragmentation etc are all lost.


   
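The approach described in the last reply (walk every MFT entry, follow parent references, and insert a dummy directory where the parent entry is gone) can be sketched as below. This is an added example, not code from the thread or from any tool named in it; the `Rec` tuple, the `$Orphan_` naming and the sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

ROOT = 5  # NTFS keeps the root directory in MFT record 5

# Simplified stand-in for a parsed MFT record (assumed shape, not an on-disk layout).
# rec/seq: record number and sequence number; parent/pseq: parent reference.
Rec = namedtuple("Rec", "rec seq parent pseq name is_dir in_use")

SAMPLE = [  # constructed records for illustration
    Rec(5, 5, 5, 5, ".", True, True),
    Rec(40, 1, 5, 5, "Teacher", True, False),
    Rec(41, 1, 40, 1, "Grades", True, False),
    Rec(42, 1, 41, 1, "term1.xls", False, False),
    Rec(43, 1, 90, 2, "lesson.doc", False, False),  # parent record 90 not found
    Rec(44, 1, 91, 1, "Plans", True, False),        # parent 91 reused: seq is now 2
    Rec(45, 1, 44, 1, "week1.doc", False, False),
    Rec(91, 2, 5, 5, "pagefile.tmp", False, True),
]

def rebuild_paths(records):
    """Map record number -> path, inserting a dummy directory for a lost parent."""
    by_rec = {r.rec: r for r in records}
    paths = {ROOT: ""}

    def path_of(r, seen):
        if r.rec in paths:
            return paths[r.rec]
        seen = seen | {r.rec}
        parent = by_rec.get(r.parent)
        # A parent is trusted only if it is a directory whose sequence number
        # still matches the child's reference; a loop also counts as lost.
        ok = (parent is not None and parent.is_dir
              and parent.seq == r.pseq and r.parent not in seen)
        base = path_of(parent, seen) if ok else f"/$Orphan_{r.parent}"
        paths[r.rec] = f"{base}/{r.name}"
        return paths[r.rec]

    for r in records:
        path_of(r, frozenset())
    return paths

def select(records, paths, folder, deleted_only=True):
    """Filter by directory location: files under folder, deleted ones by default."""
    return sorted(paths[r.rec] for r in records
                  if not r.is_dir and paths[r.rec].startswith(folder + "/")
                  and not (deleted_only and r.in_use))
```

Calling `select(SAMPLE, rebuild_paths(SAMPLE), "/Teacher")` returns only the deleted files under that folder, while the subtree whose parent was lost still comes back intact under its `$Orphan_` placeholder.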