
Nothing on hard disk to recover?

4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

OK, this could be nothing at all or something interesting…

Was given a disk to recover what I can from it as it got a Windows corrupt error, which meant the disk was perfectly fine, but Windows would not boot, so as a precaution I said I would take everything off it they wanted, just in case something went wrong when repairing or replacing Windows (bit of a nasty Windows hive error).

Anyway…

I got the disk, got the pics off it as I just popped it into the USB reader and I was away, however I was told there is a Masters on there and they didn't want to lose all the work that was put into it. However I could not find ANY Word docs, anywhere, so I tried FTK and nothing seems to have ever been deleted from it. It's an old enough PC (only 60GB disk) so there must be a few things. I also ran PhotoRec and it just kept coming up with Error Reading Sector for the whole disk?

Could it be as simple as there was nothing ever deleted on it (and maybe the Word doc was never there? - Apparently stored on C:\ root) or could I be missing something obvious?

As a side note, here is the error they got

'STOP C0000218(REGISTRY FAILURE) THE REGISTRY CANNOT LOAD THE HIVE FILE'

Any ideas, please send 'em this way, I'm a little stumped!

Thanks.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> I got the disk, got the pics off it as I just popped it into the USB reader and I was away, however I was told there is a Masters on there and they didn't want to lose all the work that was put into it. However I could not find ANY Word docs, anywhere, so I tried FTK and nothing seems to have ever been deleted from it. It's an old enough PC (only 60GB disk) so there must be a few things. I also ran PhotoRec and it just kept coming up with Error Reading Sector for the whole disk?

What OS are you talking about?

Are you looking at a single drive or at a whole computer system? Assuming you are looking at the system drive, you should be able to see if there were any other disks in the system … unless, of course, those are in the missing hive. But if there were several drives, perhaps that's where the .doc file is.

What does chkdsk say (without /F)? The hive problem could be an indication that something more basic crashed, and took the hivefile along with it. Do you have any system event logs to check for info?


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

Hi,

It's XP (on NTFS).

It's a single drive I was given (straight out of a Dell laptop).

I've not run chkdsk. I have no logs or anything, I will check later to see.

I've just been told there is a folder called research under s users profile. If the user has their own profile with a password would this information be hidden from me from a basic view? I should be able to get deeper into it to see this folder and its contents, but it doesn't appear to be there from single explorer viewing of it!

I think I will check the logs and see if it says anything interesting.


   
ehuber
(@ehuber)
Trusted Member
Joined: 17 years ago
Posts: 91
 

> It's an old enough PC (only 60GB disk) so there must be a few things.

It's time to stop, drop and roll so to speak. What you are describing suggests the possibility that you have a disk that is starting to go bad. Your well-meaning software-based recovery attempts could very well make things worse.

If the data is valuable, the best course of action is to discontinue your recovery work until you can consult with a proper data recovery outfit.


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

Have you tried doing a raw search for files, i.e. a signature search for 0xD0CF1LE?

And I feel dirty for suggesting this but have you tried "recover my files"?

The STOP message is a corrupt registry and most of the time doesn't mean anything other than that an actual registry file is corrupt.

But this would suggest that the file system is on the whole correct, it's managed to a lot of the OS after all.

Although…

A long time ago in a data recovery company long gone, a colleague worked on a disk from a father who had brought in a floppy disk.

This disk contained the student's final year report/thesis.
Well that's what the student claimed.

The disk was in a poor state and mostly unreadable, after some work it turned out that what could be read of the disk was blank.

So he opened the flap on the disk to see if any scratches were present on the disk.

The disk had been scribbled on in biro.

My colleague had an awkward conversation with the father.


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

I agree you could be right, it's old enough to be about to bite the bullet, but it seems to run fine. It's not lagging or making any untoward noises when spinning.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> I've just been told there is a folder called research under s users profile. If the user has their own profile with a password would this information be hidden from me from a basic view?

Why not? NTFS has the mechanism for hiding information – so it's not technically impossible. That's why you always have to take ownership of the drive if you are working on it 'live', and not with the credentials of the system administrator of the drive. But as you should be doing this on a sector copy (I really think), with some kind of forensic or recovery toolkit, then that shouldn't be a problem.

> I should be able to get deeper into it to see this folder and its contents, but it doesn't appear to be there from single explorer viewing of it!

Explorer viewing … ok.

What do those messages from PhotoRec about 'Error Reading Sector' mean? Is it an indication that the disk is going marginal? Or is it an indication of some trivial configuration error? Or perhaps a bug in the program? How well do you know the program? Used it successfully before?

I'm not sure I would continue without knowing what they mean. (And as it sounds as if you have the drive hooked up to another system, be sure to check your own system logs for indications of problems with that particular drive, for example from the time you ran PhotoRec.)


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

OK. Two really helpful replies! I'll try and answer your questions best possible!

Firstly PhotoRec. Yes I have used this successfully before, so I'm pretty confident it's not a problem with me (will prob eat words for saying that!) or the s/w.

I've not tried a raw file search, but defo try that later (not had the disk very long to try the many various different options available to me).

I am working on it 'Live' and thinking about it now, that could be a major reason I am not seeing anything, I might take an image of it and work on it from there, I'd put money on it I'll see a lot more!!! I might just even try Helix and Autopsy, that's a lot more powerful than PhotoRec.

I've not tried "Recover My Files", might try that before I try all the advanced stuff, at least then I can say I've tried FTK, PhotoRec and R.M.F and that's a good basis of tools.

Thanks for all the replies. I'll be trying it later, so will keep you posted on my findings! (or lack of, if that's the case!)


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

If you try a RAW image, then allow for the fact that the NTFS disk may have compression. Typically JPEGs don't get compressed, but DOCs will. The signature of a compressed DOC will not be 0xD0 0xCF etc.
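
The signature search suggested by angrybadger, with mscotgrove's compression caveat noted in the code, as an added example that is not part of any poster's reply. It assumes a sector copy of the drive has already been saved to a file, uses the standard OLE2 compound-file magic `D0 CF 11 E0 A1 B1 1A E1`, and all function names and the sample image are illustrative.

```python
import io
import struct
import sys

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # first 8 bytes of an uncompressed .doc
SECTOR = 512

def looks_like_ole2_header(sector):
    """Check the magic plus fixed header fields to weed out chance matches."""
    if len(sector) < 32 or not sector.startswith(OLE2_MAGIC):
        return False
    major, byte_order, sector_shift = struct.unpack_from("<HHH", sector, 26)
    # Version 3 files use 512-byte sectors (shift 9), version 4 uses 4096 (shift 12).
    return byte_order == 0xFFFE and (major, sector_shift) in {(3, 9), (4, 12)}

def find_ole2_headers(image, sector_size=SECTOR, chunk_sectors=2048):
    """Return byte offsets of sector-aligned OLE2 headers in a raw image stream.

    Non-resident NTFS file data starts on a cluster boundary, so only the
    start of each sector is tested. NTFS-compressed files are stored
    transformed on disk and will not match.
    """
    hits, offset = [], 0
    while True:
        chunk = image.read(sector_size * chunk_sectors)
        if not chunk:
            return hits
        for pos in range(0, len(chunk), sector_size):
            if looks_like_ole2_header(chunk[pos:pos + sector_size]):
                hits.append(offset + pos)
        offset += len(chunk)

def build_sample_image():
    """Constructed 8-sector image for demonstration, not data from the thread."""
    header = OLE2_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[2] = header.ljust(SECTOR, b"\0")                      # valid header
    sectors[4] = (bytes(100) + OLE2_MAGIC).ljust(SECTOR, b"\0")   # mid-sector: ignored
    sectors[6] = OLE2_MAGIC.ljust(SECTOR, b"\0")                  # bad fields: rejected
    return io.BytesIO(b"".join(sectors))

if __name__ == "__main__":
    # Pass the path of an image file (assumed to be a sector copy made beforehand).
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample_image()
    for hit in find_ole2_headers(source):
        print(f"OLE2 header at byte {hit} (sector {hit // SECTOR})")
```

A hit only marks where a compound file begins; it may be a spreadsheet or presentation rather than a Word document, and a fragmented file will not be contiguous from that offset.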


   
4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
Topic starter  

OK, update!

Spent most of last night and this morning trying to image the drive to no avail!

It's starting to squeak (ehuber, I think you hit the nail on the head).

I firstly tried Recover My Files, and nothing new (No Masters Thesis!)

I then threw in the Helix Live CD (which coincidentally would not work on my Acer, Vista desktop machine) but did work on the Dell lappy! Anyway, I tried viewing the drive through that, nothing hidden, so old data… starting to think there is no thesis on.
I then tried to image it, since it could be on its way out (doesn't squeak all the time, so do it before it starts again). But it kept failing. Tried FTK Imager, took a while to get started, then failed 30 mins in and error was just APPCRASH (I think, was about 1am!!!)

Tried again this morning with a Linux terminal and AIR and still kept failing.

I'm going to try again after this and see if I can get anything, but I really think that the Thesis is not on there.
Also, did a little Google of HDD squeaking and somebody mentioned it could be very badly fragmented, which would make sense because it's an old 60GB drive and probably never been cleaned, fragged, formatted, anything, just constantly used for years, upon years!


   