Recovery of a text file with damaged MFT (zero sized file)

jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
 

Note: the EASEUS file is 5% smaller than the .bin image created by DMDE. So either the EASEUS file is compressed, or the non-allocated space has been left out. If it is compressed, then it might contain all the original bytes after all.

Yes, both are likely possibilities, though normally a compressed image would have a higher compression rate, and the 5% should mean (in the case of a skipped-unallocated) that the disk was at the time almost full to the brim.
It is also possible that it is a "skipped-unallocated" with some form of header/metadata.
But in any of the three cases restoring the image is the most sensible thing to do (when you have suitable media available).

jaclaz



   
(@damaged_mft)
Eminent Member
Joined: 13 years ago
Posts: 30
Topic starter  

Okay, here they are, my first incursions :)

I have run LogFileParser.exe, but it has asked me for the $LogFile, which I didn't have.
(I thought that maybe, LogFileParser would accept the image file directly as parameter, and would get the $LogFile automatically, but that is not so).

So, I have run Joakim's "NTFS File extractor" in order to extract the $LogFile.
I also took the opportunity, and extracted the $MFT at the same time.
This was easy, as explained in Joakim's wikis (all I have to do is to tell NTFSExtractor the index numbers of these two files in the MFT. Specifically, 0, and 2.).

Now the result:
The $LogFile is 64 MB in size.
The $MFT is 373 MB.

(Note: the log file of the NTFSFileExtractor (don't confuse it with the $LogFile) reports several records "with bad signature". I hope this is not serious.)

Then I have gone back to LogFileParser.exe, BUT after selecting the $LogFile, it asks me for the $UsnJrnl file.

So, I assume I have to extract the $UsnJrnl file in the same manner as the $LogFile, using "NTFS File extractor"?
But the problem is that I don't know the index number of this $UsnJrnl file in the MFT!

Any help?

Okay, update: when LogFileParser asked me for the $UsnJrnl file, I hit the "Cancel" button, but the process started anyway, and all was going fine, with the completion percentage increasing, but at the end an error message appeared:
>>>
"AutoIt Error"
Line 16661
Error Subscript used with non-Array variable.
<<<

Anyway, the output files were generated.
LogFile.csv is 12.1 MB
LogFile_DataRuns.csv is 55KB.
LogFile_DataRunsResolved.csv is 1KB
LogFile_INDX.csv is 5KB
MFTrecords.bin is 13KB
ntfs.db is 13MB

I can open the LogFile.csv with Excel, but it gives me an error "File not loaded completely".
Anyway, I can see 65536 records in the spreadsheet.

Was the $UsnJrnl file necessary?

going to bed now



   
(@cults14)
Reputable Member
Joined: 18 years ago
Posts: 367
 

I can open the LogFile.csv with Excel, but it gives me an error "File not loaded completely".
anyway, I can see 65536 records in the spreadsheet.

Generally this discussion is over my head, but if you use a newer version of Excel you'll get 1 million rows - but this might still not be enough. You might have to open the CSV in something like TextPad and split it up into multiple CSVs so that each one is <1 million rows.

Just been there, done that, with ntfswalk64

HTH



   
joakims
(@joakims)
Estimable Member
Joined: 16 years ago
Posts: 224
 

First off, it is assumed that $LogFile is extracted beforehand.

Can't say if the records with bad signatures are serious, without knowing more.

$UsnJrnl is optional, and you can click cancel and continue without using it. Actually, the only reason why you would use it is for mapping more file names into logfile records. It is large and may take a really long time to process, so maybe best just skipping it. Since the journal is optional it does not have a fixed ref, so it is necessary to inspect the $MFT in order to find its ref.

From your description, it is apparent that something went wrong somewhere in the parsing. The 1 Kb file probably only contains the header. The 12.1 Mb and 55 Kb csv's are still a bit small I think. Did you even get at stage 4? I would be interested in having a look at the logfile, in order to see what causes the program to crash, and also hopefully identifying if there's anything relevant to find in it for the task.

Regarding Excel, I could easily import over 407.000 rows, so maybe it's because the program crashed and produced a badly formatted csv?



   
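The lookup joakims describes above (inspecting the $MFT to find the ref of $UsnJrnl), as an added Python example that is not part of the thread or of any tool named in it. It scans an extracted $MFT for the record whose $FILE_NAME attribute is `$UsnJrnl` and also lists record slots that fail signature or fixup validation; the 1024-byte record size and all function names are assumptions, `sample_record` builds constructed test data, and whether this validation matches what the extractor's log calls "bad signature" is also an assumption.

```python
import struct
REC = 1024  # assumed record size; 1024 bytes is the usual NTFS default

def apply_fixups(rec):
    """Restore the sector-tail bytes swapped out by the update sequence array."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt < 2 or usa_off + 2 * usa_cnt > len(rec):
        return None
    rec = bytearray(rec)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = i * 512
        if end > len(rec) or rec[end - 2:end] != usn:
            return None  # torn write or corruption
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def file_names(rec):
    """Yield the names held in the record's resident $FILE_NAME (0x30) attributes."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 24 or off + alen > len(rec):
            break
        body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
        if atype == 0x30 and rec[off + 8] == 0 and body + 0x42 <= off + alen:
            end = body + 0x42 + 2 * rec[body + 0x40]  # name length is in UTF-16 units
            yield rec[body + 0x42:end].decode("utf-16-le", "replace")
        off += alen

def scan_mft(data, wanted="$UsnJrnl"):
    """Return (indexes of records named `wanted`, indexes of records failing validation)."""
    hits, bad = [], []
    for idx in range(len(data) // REC):
        raw = data[idx * REC:(idx + 1) * REC]
        rec = apply_fixups(raw) if raw[:4] == b"FILE" else None
        if rec is None and any(raw[:4]):
            bad.append(idx)  # non-empty slot with bad signature or bad fixups
        elif rec and wanted in file_names(rec):
            hits.append(idx)
    return hits, bad

def sample_record(name):  # constructed test input: FILE record with one $FILE_NAME
    body = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body += bytes(-len(body) % 8)
    attr = struct.pack("<IIBBHHHIHH", 0x30, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0) + body
    head = struct.pack("<4sHH12xH", b"FILE", 0x30, 3, 0x38).ljust(0x38, b"\0")
    rec = bytearray((head + attr + b"\xff" * 4).ljust(REC, b"\0"))
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"
    return bytes(rec)
```

The index returned for `$UsnJrnl` is its position in the $MFT, the same kind of value as the 0 and 2 used earlier in the thread for $MFT and $LogFile.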
(@damaged_mft)
Eminent Member
Joined: 13 years ago
Posts: 30
Topic starter  

Hi there
My Excel version is old, from 2002.
I have repeated the process, and again, the progress bar climbs nicely up to 100%, then, it disappears for a while, and finally the error message appears (AutoIt Error).

Joakim, what do you mean by "stage 4"? After the error message, nothing else appears.

I would prefer not to give you the logfile, as this one will probably contain personal information. I hope you understand.

When I open the logfile.csv, with Excel, the data on the screen is a total mess.
There is a total mess with the column labels.
And the records are not formatted (columns are not separated).

Okay, now I have just tried another spreadsheet software, CSVed, and the result is much better.
There are 90102 records and 43 columns.

Now what do I do?



   
joakims
(@joakims)
Estimable Member
Joined: 16 years ago
Posts: 224
 

I understand that sensitivity of data may be an issue. No problem.

It just makes it hard for me to figure out a bug in the program when I can't reproduce it. And for you, the bug causes no datarun reconstruction result to be generated.

I think chances of any luck with this is low. Still I think we can help each other out :). I'll send you a pm.



   
(@damaged_mft)
Eminent Member
Joined: 13 years ago
Posts: 30
Topic starter  

Hi joakim
I have replied to your pm.



   
(@damaged_mft)
Eminent Member
Joined: 13 years ago
Posts: 30
Topic starter  

I can open the LogFile.csv with Excel, but it gives me an error "File not loaded completely".
anyway, I can see 65536 records in the spreadsheet.

Generally this discussion is over my head, but if you use a newer version of Excel you'll get 1 million rows - but this might still not be enough. You might have to open the CSV in something like TextPad and split it up into multiple CSVs so that each one is <1 million rows.

Just been there, done that, with ntfswalk64

HTH

But my $logfile is 64MB. And the decoded version, LogFile.csv file is 12.1 MB.
How big are yours? Maybe yours are bigger and that is why you get 1 million rows.



   
(@damaged_mft)
Eminent Member
Joined: 13 years ago
Posts: 30
Topic starter  

I have tried mft2csv and it has generated a MFTdump.csv file which is 359 MB in size.
There were no errors reported.
If I try to open it with Excel, it can only load 65536 rows. It says "File not loaded completely".
So, the same thing happens as before with the LogFile.csv. It seems to be a limitation of my Excel version.

If I try to open the MFTdump.csv with the program CSVed, it won't be loaded at all.

So it seems that these problems are caused simply by the big size of the files. Probably, nothing else.



   
(@cults14)
Reputable Member
Joined: 18 years ago
Posts: 367
 

If I try to open it with Excel, it can only load 65536 rows. It says "File not loaded completely".
So, it happens the same as before with the logFile.csv. It seems a limitation of my Excel version.

Same thinking applies, your CSV has too many rows for Excel to cope with. Open it in Textpad or similar which has row numbers, and split it into chunks that Excel can handle. It's purely a function of how many rows you have in your CSV versus the number of rows that the version of Excel (2000 or 2003 - not 2002) you're running can cope with.

Or maybe OpenOffice can cope with more rows? I don't know about this one but it might be worth a look.

HTH



   
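The splitting cults14 suggests above, done programmatically instead of by hand in a text editor; this is an added Python example, not part of the thread or of LogFileParser/mft2csv. The delimiter and encoding of the tools' CSV output are assumptions exposed as parameters, the function names are hypothetical, and the sample under `__main__` is constructed.

```python
import csv
from pathlib import Path

XLS_MAX_ROWS = 65536  # sheet limit behind the 65536 records reported in the thread

def split_csv(src, out_dir, max_rows=XLS_MAX_ROWS, delimiter=",", encoding="utf-8"):
    """Split src into parts of at most max_rows rows each, header repeated in every part.

    Rows are parsed with the csv module, so a quoted field containing a line
    break stays one row. Returns [(part_path, data_rows), ...].
    """
    src, out_dir = Path(src), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    parts, out, writer = [], None, None
    with open(src, newline="", encoding=encoding, errors="replace") as fh:
        reader = csv.reader(fh, delimiter=delimiter)
        header = next(reader, None)
        try:
            for row in reader:
                if writer is None or parts[-1][1] + 1 >= max_rows:
                    if out:
                        out.close()
                    path = out_dir / f"{src.stem}_part{len(parts) + 1:03d}.csv"
                    out = open(path, "w", newline="", encoding=encoding)
                    writer = csv.writer(out, delimiter=delimiter)
                    writer.writerow(header)
                    parts.append([path, 0])
                writer.writerow(row)
                parts[-1][1] += 1
        finally:
            if out:
                out.close()
    return [tuple(p) for p in parts]

def total_rows(parts):
    """Data rows across all parts, for comparison with the count another viewer shows."""
    return sum(n for _, n in parts)

if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    # Constructed sample (not real LogFileParser output): 5 pipe-delimited rows.
    text = "Offset|Name\n" + "".join(f"{i}|file{i}\n" for i in range(5))
    (tmp / "sample.csv").write_text(text, encoding="utf-8")
    print(split_csv(tmp / "sample.csv", tmp / "parts", max_rows=3, delimiter="|"))
```

Comparing `total_rows` with the record count another viewer reports is a quick check that no rows were lost in the split.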