It sounds like you might be working on a live disk - if you are then you should stop and research taking an image copy - everything you do to a live disk reduces your chance of recovering your data.
Back at my desk rather than viewing on a phone - no need to send the .bin file.
This used to be easy in the days of floppies and my job when I started at Dr Solomons was recovering a load of fragmented supercalc files from a formatted floppy - 100% success - but floppies are small…..
edited to add - if the file is very fragmented and there were multiple MFT entries to hold the data attributes then a scan of the MFT looking for non base MFT entries which point back to the original may (long shot) find allocation information for the file.
update I have tried DMDE's Cluster Map function, but I don't understand the symbolism of the Cluster Map (sort of =====[]<>====).
Well, when you move (with the cursor arrows) on a cluster map, it tells you to which file it belongs to, if there is some "leftover" in the $MFT, you might find that a same cluster is indexed twice (and gets different file if approached "from left" or "from right").
Something like this
[====] or [] means a file that has a beginning and an end, when you click on it it will be highlighted in it's entirety, A | means a "small file", etc.
You have to play a bit with it (possibly on a small "test image") to get the hang of it.
Also you can parse the whole $MFT with the nice little tool by joakim, here
http//www.forensicfocus.com/Forums/viewtopic/t=8010/
jaclaz
okay, here it is the bin file with the MFT entry
http//
update I have tried DMDE's Cluster Map function, but I don't understand the symbolism of the Cluster Map (sort of =====[]<>====).
Well, when you move (with the cursor arrows) on a cluster map, it tells you to which file it belongs to, if there is some "leftover" in the $MFT, you might find that a same cluster is indexed twice (and gets different file if approached "from left" or "from right").
Something like this
[====] or [] means a file that has a beginning and an end, when you click on it it will be highlighted in it's entirety, A | means a "small file", etc.
You have to play a bit with it (possibly on a small "test image") to get the hang of it.Also you can parse the whole $MFT with the nice little tool by joakim, here
http//www.forensicfocus.com/Forums/viewtopic/t=8010/jaclaz
wow, DMDE's Cluster Mapping is cool.
I am looking now at a couple of clusters that I carved out, and these are marked as dots (..)
and there is no filename for them. They are truly orphan ).
Back at my desk rather than viewing on a phone - no need to send the .bin file.
This used to be easy in the days of floppies and my job when I started at Dr Solomons was recovering a load of fragmented supercalc files from a formatted floppy - 100% success - but floppies are small…..
edited to add - if the file is very fragmented and there were multiple MFT entries to hold the data attributes then a scan of the MFT looking for non base MFT entries which point back to the original may (long shot) find allocation information for the file.
sorry, I am a newbie. Do you mean "extended MFT entries" that correspond to the original MFT entry ? How can I find these extended entries?
Have you looked at the base entry? Is there any pointer?
Urgh, yes, I am using the "live drive". Can I create an image of the whole drive with DMDE?
yes you can
okay, I am creating a .bin image now. cool.
regarding joakim's software, I know that this software exists, but maybe it is too much for me, to dump the entire MTF.
Urgh, yes, I am using the "live drive". Can I create an image of the whole drive with DMDE?
Yes you can, but most probably a simpler tool like dsfo (part of the dsfok toolkit)
http//
Or a GUI tool like DatarescueDD
http//
will be more handy.
okay, I am creating a .bin image now. cool.
regarding joakim's software, I know that this software exists, but maybe it is too much for me, to dump the entire MTF.
Well, maybe, or maybe it could provide you with some "hints", since it costs nothing to try it …
jaclaz
thanks for the suggestions jaclaz. I will download these programs for my collection, although DMDE has imaged perfectly my disk. I had previously imaged the disk with EASEUS, with the byte by byte option, but it is not a perfect image. In fact, the non-indexed space on the original, is not included in the image file. Also, the image file contains additional info inserted by Easeus. At least on my Easeus version.
I am going to create a second image, and on this one, I am going to delete all the indexed files, as you have suggested before, jaclaz. this will reduce the search a lot. Also, I will discard those orphan fragments that don't begin in a cluster frontier, because most probably these are clusters from old edits, and that were overwritten partially by newer files.