I have a CruiserMini 512MB that might or might not have had a file overwritten (I haven't been able to check yet.) I just want to know if it is at all possible to retrieve that data or not.
I have successfully recovered deleted files from flash drives. I use both open source tools, (Helix, Sleuth Kit, etc.), and ILook Investigator. I used three different flash drives to test various methods of imaging w/ dd, using information from Barry Grundy's document, "A Beginner's Guide to Linux for LE and Forensic Exmainers" from the Helix CD.
http//
I have also recoverd deleted data from suspect flash drives as well. The process will be the same as a standard HDD.
You can also do it by using EnCase, but you have to make the acquisition in DOS mode.
the free ftk imager can recognize deleted files on flash/thumb drives as well
http//
You don't necessarily need to make the acquisition in DOS. The Windows XP SP2 registry hack works well. I’ve tried and tested it and never managed to write to any USB removable media using it.
You can invest in a Tableu USB hardware write blocker if you like, that also works quite well.
The Sandisk CruiserMini 512MB will have a FAT32 file system, so just like any device with this file system, deleted files are often recoverable (depending on the amount of use its had since deletion).
Andy
The Sandisk CruiserMini 512MB will have a FAT32 file system, so just like any device with this file system, deleted files are often recoverable (depending on the amount of use its had since deletion).
Andy
Actually mine is reading at a FAT16. I am running a scan on it at work today. *Ive been busy and lost my drive in my car for a week so I haven't been able to check it out* I will update when i get it all sorted out. I am using Access Data FTW 1.61 Trial version.
Whether the file system on a particular thumb drive is FAT32 or FAT16 is pretty much irrelevant. Image the device with FTK Imager, dd, ProDiscover/IR, whatever…you'll be able to see the deleted files.
H
I know its irrelevant -p
I ran the FTK and I can see what I want to extract but it is saying there is no data in it (. Will the imager help that?
UPDATE!!!
Sadly I was unable to retrieve the data. From what it looks like the file just got overwritten when I lost the data.
So sadly the data I fear is unrecoverable.
Lain,
Any chance the computer you used when creating (or editing) that lost document might still contain parts or much of the document in the swapfile or in a temp file? Or is that overkill? I got the impression from your post the document was pretty valuable and might be worth the time, if you have the PC and it was pretty recent.
Steve