
recovering data from a lost partition using encase

5 Posts
3 Users
0 Reactions
3,103 Views
(@sagi1233)
New Member
Joined: 15 years ago
Posts: 3
Topic starter  

Hello,
I have a drive where someone accidentally wrote on its partition table and its first partition. EnCase automatically read the partitions and defined them.

The second partition is OK and I can see all the files,
but the file tree of the first partition is empty (there are no folders or files in it).
I ran the recover folder function and when it finished it said that 26000 had been recovered, but it didn't add the recovered folder under the partition.

Does someone have any idea what I should do to see those files?


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

FAT partitions will have a backup of the Volume Boot Record (VBR) stored in the reserved sectors at the beginning of the volume.

NTFS partitions store their backup VBR in the last sector of the volume. If any of these are intact, you can right-click on the sector in EnCase whilst in disk view and select add partition using the appropriate attributes: NTFS/FAT, volume etc. With any luck you should restore the backup VBR and EnCase will display the folders & files.

It's not clear from your post if the first partition is being mounted OK by EnCase or you are seeing unallocated areas. If the partition table is intact for the first partition, it is likely that your backup will have nothing new in it for you and you may have to look at restoring either the FAT2 table or the backup $mft.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

but the file tree of the first partition is empty (there are no folders or files in it).
I ran the recover folder function and when it finished it said that 26000 had been recovered, but it didn't add the recovered folder under the partition.

Does someone have any idea what I should do to see those files?

Is 26000 anywhere near the figure you are looking for? (I get 140000 hits from a working and completely unerased boot volume.)

They are there, under 'Recovered Folders' under the volume, aren't they? (Or did you 'Cancel' out from the dialog box when the search was over? If you did, you discarded the lot, and there won't be a 'Recovered folders' folder … If so, nothing else to do but do it again. Guidance seem to like to do that kind of thing now and then to keep their users on their toes …)

After a successful search, you find 'Recovered Folders' in the volume tree. That's from where you have to work – EnCase will not allow you to move recovered folders and files anywhere inside the case.

But EnCase isn't a data recovery tool – it doesn't allow you to modify or manipulate a disk image; only to investigate it. (I'm assuming you're not entirely unfamiliar with EnCase, so I don't need to explain the remaining details.)

(Did you ask the same question in the EnCase forum? The answer posted there is correct. If you 'Cancel'-ed the job, though, I can understand your confusion.)


   
(@sagi1233)
New Member
Joined: 15 years ago
Posts: 3
Topic starter  

Thanks for your replies.
neddy,
the first partition is being mounted OK and I am seeing only unallocated area. I tried the backup VBR and it's the same as you said. How do I try and restore the backup $mft?


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

The MFT mirror can be used to restore the $mft in EnCase by selecting the USE MFT2 option when adding a user defined partition.
I have not had to do this myself as of yet, so let me know if it works!
Do some Googling for MFT Mirror/backup etc.; there are some videos out there that explain it, I think.
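
Added example, not part of any post in this thread and not EnCase code: a Python script that does by hand what neddy's two replies describe, finding a surviving NTFS backup VBR in a raw image, inferring where the volume starts from it, and checking whether the first record of $MFT or of the MFT mirror is still readable. It assumes 512-byte sectors and the usual NTFS layout in which the backup boot sector sits directly after the sectors counted in the boot sector's total; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def parse_ntfs_vbr(sec):
    """Return the NTFS boot-sector fields, or None if sec is not an NTFS VBR."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)           # bytes/sector, sectors/cluster
    total, mft, mirr = struct.unpack_from("<QQQ", sec, 0x28)  # total sectors, $MFT LCN, $MFTMirr LCN
    if bps != SECTOR or spc == 0 or spc > 128 or total == 0:
        return None
    return {"spc": spc, "total": total, "mft_lcn": mft, "mirr_lcn": mirr}

def locate_volumes(image):
    """Scan each sector for an NTFS VBR and work out which volume it describes."""
    nsec, found = len(image) // SECTOR, []
    sector = lambda n: image[n * SECTOR:(n + 1) * SECTOR]
    for s in range(nsec):
        vbr = parse_ntfs_vbr(sector(s))
        if vbr is None:
            continue
        # The stored total excludes the backup sector that follows the volume: a primary
        # at s has its copy at s + total; a backup at s means the volume starts at s - total.
        twin = s + vbr["total"]
        if twin < nsec and parse_ntfs_vbr(sector(twin)) == vbr:
            role, start = "primary", s
        elif s >= vbr["total"]:
            role, start = "backup", s - vbr["total"]
        else:
            role, start = "unconfirmed", s
        def is_rec(lcn):  # MFT records begin with the ASCII signature "FILE"
            off = (start + lcn * vbr["spc"]) * SECTOR
            return image[off:off + 4] == b"FILE"
        found.append({"role": role, "vbr_sector": s, "start_sector": start,
                      "mft_intact": is_rec(vbr["mft_lcn"]), "mirr_intact": is_rec(vbr["mirr_lcn"])})
    return found

def build_sample():
    """Constructed 64-sector image: volume at sector 8, primary VBR and $MFT wiped."""
    img, vbr = bytearray(64 * SECTOR), bytearray(SECTOR)
    vbr[3:11], vbr[510:512] = b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<HB", vbr, 0x0B, SECTOR, 1)
    struct.pack_into("<QQQ", vbr, 0x28, 55, 4, 27)          # total sectors, $MFT LCN, $MFTMirr LCN
    img[63 * SECTOR:64 * SECTOR] = vbr                      # backup VBR at sector 8 + 55
    img[(8 + 27) * SECTOR:(8 + 27) * SECTOR + 4] = b"FILE"  # surviving $MFTMirr record
    return bytes(img)

print(locate_volumes(build_sample()))
```

Run it against a working copy of the image, never the original evidence; a hit with role "backup", `mft_intact` false and `mirr_intact` true is the situation where adding the partition manually with the MFT mirror option is worth trying.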


   