Hey guys,
I have a HD that has a few hundred MB of data on it. The partition table has been wiped. The disk doesnt have to be imaged forensically sound, just want to try and retrieve the data from it.
When I plug it into Win XP it shows up as having no space. When I use encase to view it I can see the hex values of the data.
I know the data is there I just cant get at it.
Any ideas?
P.S. The restore options dont have to be forensically safe
I'd rehearse this on a non-critical drive first if you know what wiped the partition table in the first place. If you have a reasonable idea of what the partition table looked like before the wipe, yu might be able to recover the data by simply running fdisk and rebuilding the partition table. This assumes 1) the bulk of the volume was devoted to the same file system; 2) you can reasonably guess what that file system was; 3) there have been no formats, etc of the drive.
Are you confident it was just the partition table? How was it wiped?
Before running anything else, try
Cheers DD,
Its just a drive that a mate had and something happened to it, I've no idea - he came to me to try and recover his photos and some other data.
Its the My Book 320GB with integrated firewire.
No idea how it was wiped but presume it was FAT 32 formatted.
I tried using fdisk under Helix and cfdisk as well, and it now recognises the drive in Windows (previously it wanted to formatted the drive) so thats a start.
As I say, its not a forensically sound experiment, even thou I am using forensic tools.
AW, I'll check that out and see how we go, thanks for the tip!
If you can image it and open the image in EnCase (I guess this could also work in preview mode), locate the Volume Boot Record (usually absolute sector 63) in Disk mode in the Table Pane. Right click on this sector and choose "Create Partition" (or something like this, I can't remember the exact wording at the moment). EnCase will do the rest. If successful, the partition will appear along with all the directories and files. If you do this in preview mode, it will be lost when you shut down.
Ronan
Following AWTLPI's great suggestion of using the Testdisk package, it can be a bit daunting for some. So if its only photo's or files you're after, maybe use the companion software Photorec. It recovers files by finding header and footer info, and is excellent for data carving. "Photo" is a bit of a misnomer, as it has a list of many dozens of files it can carve, but its specialty is photo's and image type media.
checkout
(
(
Kern
Kern,
Cheers for that … gonna play with both of these and see what comes up. Great tip about PhotoRec, really does have a vast number of recoverable file types.
Ronan
You might also give R-Studio a shot http//
This package work great for general data recovery. Not really a forensic tool as it does not concern itself with robust auditing or recovery of meta data (file times, associated FS info, etc.). But for just "finding files" on a borked FS, it's actually very good.
There's a demo that will let you see how much you can recover before you purchase, and the price is pretty reasonable (IMHO). I have a licensed copy that I use for non-forensic recovery at home.
Turns out that test disk is the business.
I used the photo recovery tool and it found all the files on the HD, defo recommend it.
Ronan
One thought, before jumping to carving through the entire drive to dump files, try to rebuild the partition table first.
Make a copy of the drive in question. Work on this copy.
Use a partition rebuilder tool, such as gpart or rescuept. See if either of these can build a usable partition table.
If they cannot, and you know nothing about the drive, look at the first bit of the drive in a raw data viewer. Move beyond the first 512 bytes, and look for file system signatures. Once you've identified the correct FS TYPE, you can pull the size of the file system from the meta data, and then identify if there was just this one file system for the physical disk, or if there is another or others.
BTW, this process shouldn't take long. If you know FS meta data and what to look for, you'd spend maybe 10-15 minutes here. Then you'd either have a working partition table or you'd start carving.
Just a thought.
farmerdude