Jump to content

Recovering Deleted Files


Recommended Posts

Yesterday I have accidentally formatted my hard drive and I lost some files that I really wish to recover. (This also contains KernelEx + Unofficial SP5 for Windows XP, so be quick before the files get corrupted!)

 

My cousin was playing Sims 2 on that PC and he really, really, REALLY want's them back. After browsing the net for a data recovery program I have found one, but after the searching ended the programs found 14,000,000 (12 TB) of deleted data and I found the folder there ("The Sims 2 save backup"), but the problem is that the when I opened the recovered folder there was just two files, but the original one had around 15 files in it.

 

That's how the original one should look like:

 

uei0UAO.png

 

But the recovered one has only 2 non sense named files in the both Sims 2 save backup & KernelEx.

 

What should I do? Are the files lost for ever? or there's another way to recover them?

 

All kinds of help will be greatly appreciated! (That includes: Software Recommendation, Tips, Tricks and etc.)

Edited by Opticork
Link to comment
Share on other sites


... so be quick before the files get corrupted!.

You mean that you are still using that hard disk accidentally formatted volume? :w00t:

The first thing to do in this cases is to STOP fiddling with the device immediately, make a forensic sound image of it, and only later think about attempting to recover files.

Which OS? XP?

Which filesystem, NTFS?

How big is the formatted volume in size?

How EXACTLY was the format initiated?

As a rule of thumb if that is XP you were lucky that the format command is not entirely destructive on XP (on Vista and later, unless it was a "quick" format it would be completely destructive), an in-place format on XP instead might leave enough data to perform some (partially) file system level recovery and some file recovery.

The tool of choice in these cases would be:

1) DMDE that should be able to recover some data at file system level http://dmde.com/

2) PHOTOREC that should be able to recover a large part of the files at file level:

http://www.cgsecurity.org/wiki/PhotoRec

The difference between file system level recovery and "plain" file recovery is that usually the first - for the data that i can find - can recover file metadata (i.e. name and extension) besides having the capability (again for the partial data found) to recover fragmented files, the second can at the most recover contiguous files, often losing the original name and extension.

Recovering data from a formatted volume is a time-taking, difficult/complex and often not successful :( activity, tools like Photorec that attempt to recover files are exceptionally good, but the output needs to be verified single file by single file, as each resulting file is more than a recovered file, something that the program perceives as a file, each single file format (.bmp, .jpg, .doc, etc.) may have some internal metadata that may increase the probabilities of a valid recovery but there are no certainties.

The biggest enemy of file based recovery is disk fragmentation, usually on a perfectly and completely defragmented volume formatted "on place" everything (or nearly everything) can be recovered, but on a fragmented volume it is nearly impossible to recover anythign of value or the amount of time needed for the recovery is so big that it simply isn't worth it.

DMDE (or other filesystem oriented data recovery program) on the other hand may be able in this case to recover only a small amount of files, but those fewer files are usually in good condition.

You will need some (a lot of) patience to perform a filesystem based data recovery and you will need to get familiar with some filesystem innards and to the way the program works.

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

you have made me sad :no: :no: :no:

It's not as bad as it seems, as you (Dibya) made me even sadder. :w00t:

 

The site of the (Commercial) tool you recommended contains some notable pearls of wisdom:

 

As this tool when Installing software in addition to the operating system may overwrite shared system files such as dynamic link libraries (.dll files) and executable files (.exe files)", for MS Windows.

If Windows is unable to run applications due to a .dll error, this .dll may be missing or you may have registry error. Such errors can heavily influence the performance of your PC.

Use Diskgetor data recovery software recover your format dll files fast and easily!

Recover formatted files data , Iphone data , Music data , Video data , Flash data from format files , IPhone, hard drive, partition sa card

You can preview the scanned files. The picture , Word , Excel files can be preview data before recovering.

 

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

 

... so be quick before the files get corrupted!.

You mean that you are still using that hard disk accidentally formatted volume? :w00t:

The first thing to do in this cases is to STOP fiddling with the device immediately, make a forensic sound image of it, and only later think about attempting to recover files.

Which OS? XP?

Which filesystem, NTFS?

How big is the formatted volume in size?

How EXACTLY was the format initiated?

As a rule of thumb if that is XP you were lucky that the format command is not entirely destructive on XP (on Vista and later, unless it was a "quick" format it would be completely destructive), an in-place format on XP instead might leave enough data to perform some (partially) file system level recovery and some file recovery.

The tool of choice in these cases would be:

1) DMDE that should be able to recover some data at file system level http://dmde.com/

2) PHOTOREC that should be able to recover a large part of the files at file level:

http://www.cgsecurity.org/wiki/PhotoRec

The difference between file system level recovery and "plain" file recovery is that usually the first - for the data that i can find - can recover file metadata (i.e. name and extension) besides having the capability (again for the partial data found) to recover fragmented files, the second can at the most recover contiguous files, often losing the original name and extension.

Recovering data from a formatted volume is a time-taking, difficult/complex and often not successful :( activity, tools like Photorec that attempt to recover files are exceptionally good, but the output needs to be verified single file by single file, as each resulting file is more than a recovered file, something that the program perceives as a file, each single file format (.bmp, .jpg, .doc, etc.) may have some internal metadata that may increase the probabilities of a valid recovery but there are no certainties.

The biggest enemy of file based recovery is disk fragmentation, usually on a perfectly and completely defragmented volume formatted "on place" everything (or nearly everything) can be recovered, but on a fragmented volume it is nearly impossible to recover anythign of value or the amount of time needed for the recovery is so big that it simply isn't worth it.

DMDE (or other filesystem oriented data recovery program) on the other hand may be able in this case to recover only a small amount of files, but those fewer files are usually in good condition.

You will need some (a lot of) patience to perform a filesystem based data recovery and you will need to get familiar with some filesystem innards and to the way the program works.

jaclaz

 

 

1. Windows XP SP2 64-bit

2. NTFS

3. 1 TB

4. I don't really know...

 

But the bigger problem is that the KernelEx for Windows XP and the SP5 for Windows XP are stored in that cemetery and I should be extra careful with doing such a scans, because that hard drive is already 6 years old and I may not survive even one more scan. If the hard drive dies, those project die with it.

 

I have already performed 2 scans with two different programs and none of them showed "The Sims 2 save backup", "KernelEx" or "USP5", but it did show some folders from the time when the computer was bought...

 

What should I do? Should I try other softwares or try collecting every single peace of the puzzle (the files that are not in folders) ?

Link to comment
Share on other sites

Buy a 1 TB+ external drive and perform a sector-by-sector clone of the HDD to the external drive.

You must analyse the external drive then.

There are advanced solutions for forensic analysis but I'm not ready to give more info ATM.

Search for tools suitable for forensic analysis not merely 'recovery'.

 

I was surprised to learn you haven't kept any backups. But we could help you bring back the project alive, if you share the methods used to build it. The project should be archived online (Cloud) so that it's not lost/accidentally modified.

Link to comment
Share on other sites

Buy a 1 TB+ external drive and perform a sector-by-sector clone of the HDD to the external drive.

You must analyse the external drive then.

There are advanced solutions for forensic analysis but I'm not ready to give more info ATM.

Search for tools suitable for forensic analysis not merely 'recovery'.

 

I was surprised to learn you haven't kept any backups. But we could help you bring back the project alive, if you share the methods used to build it. The project should be archived online (Cloud) so that it's not lost/accidentally modified.

 

I actually had backups, until they also broke...  :}

Link to comment
Share on other sites

https://mh-nexus.de/en/hxd/

 

HxD is a carefully designed and fast hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size..

 

When you're done creating the clone with tools you will find online, you can use this to search for parts you'd like.

When all automated solutions fail, it's time for manual work.

Link to comment
Share on other sites

Yep, the idea is that making a "forensic sound" image there is only one "copy pass" from the original device, then the "scans" are performed on the clone.

Usually TWO such images are created, so that one can be (if needed) modified in order to attempt recovering the data, and the "original" is never touched (and can hopefully be re-imaged).

From what you wrote there is no reason to believe that the actual device (hardware) is failing, but the "forensic image" will allow to preserve the data while allowing (if needed) to modify parts of the image.

The #4 question about "how exactly" the format was initiated is more relevant for later than XP OS's (where if a "quick" format was not specified the data would be wiped and thus become totally unrecoverable by *any* means), still it would be interesting because while the Windows XP built-in format command has some "fixed" addresses for very relevant filesystem structures, if the format was performed from another OS or by a Third Party tool, same structures may have been written at different addresses (thus not overwriting previous ones) whilst if the volume was originally formatted by the XP format.com and later re-formatted with the same tool previous structures woudl be cleanly overwritten, with no possibility to recover, if not - maybe - partially.

 

jaclaz

Link to comment
Share on other sites

Then, is there any way that I can restore my system to the way it was before the format?

 

Or maybe, restore only one already existing folder in the new version of Windows to the folder versions of the old Windows before the format?

 

Or maybe a free software that will again recover deleted files, that won't take long and will 90% surely find my files?

 

I really need that folders out of the File's Cemetery. Please, anything. I accept all kinds of ways, it doesn't matter how hard it would be anymore, I just need it to work!

Edited by Opticork
Link to comment
Share on other sites

Then, is there any way that I can restore my system to the way it was before the format?

 

Or maybe, restore only one already existing folder in the new version of Windows to the folder versions of the old Windows before the format?

 

Or maybe a free software that will again recover deleted files, that won't take long and will 90% surely find my files?

 

I really need that folders out of the File's Cemetery. Please, anything. I accept all kinds of ways, it doesn't matter how hard it would be anymore, I just need it to work!

There is NO WAY on earth that anyone (not just you) can restore the system to the way it was before the format  :no:

Maybe it will be possible to recover some files, and there is NO WAY to know in advance how many or which of the files that were on the volume can be recovered.

 

Try re-reading, this time slowly, what was posted earlier.

As a numbered list:

1) make a dd-like, "forensic sound", or "sector-by-sector" image of your disk (please confirm that you have a suitable device to contain this image and that you know how, and which tools to use to make such an image).

2) better if you can afford to make two such clone images (one clone from the original and then a second copy of the first image)

3) Get dmde (link given above) and try accessing the image, after having read very carefully the documentation.

4) IF (hopefully) some traces of the previous filesystem can be found, then the files that will be listed will most probably be recoverable with their name and extension and will be valid.

5) Then, once you will have recovered through dmde all recoverable files, and after having verified that the recovered files are valid, you may want to try Photorec (link also given above) that will likely manage to recover a large number of files, with no guarantee whatsoever to have them with the right path/name and extension, and not even with any guarantee of the actual files to be valid (you will need to check them one by one).

6) another, even more troublesome/complex step, if the results of the above will be not satisfactorily enough, would be to do a further pass of both dmde and photorec, after having mapped everything you already recovered on the image and zeroing the corresponding space.

7) a further step will be to reanalyze the image manually.

 

If you need assistance for items #1 up to #3 just ask.

For steps #4 and #5 you will probably need some assistance, and as well we can assist you, once you will have get the hang of the use of those programs.

For item #6 I can as well give you some instructions/hints, but it starts to be something for which you will need hours, possibly days of practice.

Item #7 is well beyond the common knowledge of even advanced users, you will likely need weeks, possibly months of training and practice.

 

If there is the need to go past step #5 it is usually not worth it, while you can repeat steps #4 and #5 many times, using different programs from the ones I suggested, though you will then need to procure the licenses for some Commercial programs.

 

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

 

Then, is there any way that I can restore my system to the way it was before the format?

 

Or maybe, restore only one already existing folder in the new version of Windows to the folder versions of the old Windows before the format?

 

Or maybe a free software that will again recover deleted files, that won't take long and will 90% surely find my files?

 

I really need that folders out of the File's Cemetery. Please, anything. I accept all kinds of ways, it doesn't matter how hard it would be anymore, I just need it to work!

There is NO WAY on earth that anyone (not just you) can restore the system to the way it was before the format  :no:

Maybe it will be possible to recover some files, and there is NO WAY to know in advance how many or which of the files that were on the volume can be recovered.

 

Try re-reading, this time slowly, what was posted earlier.

As a numbered list:

1) make a dd-like, "forensic sound", or "sector-by-sector" image of your disk (please confirm that you have a suitable device to contain this image and that you know how, and which tools to use to make such an image).

2) better if you can afford to make two such clone images (one clone from the original and then a second copy of the first image)

3) Get dmde (link given above) and try accessing the image, after having read very carefully the documentation.

4) IF (hopefully) some traces of the previous filesystem can be found, then the files that will be listed will most probably be recoverable with their name and extension and will be valid.

5) Then, once you will have recovered through dmde all recoverable files, and after having verified that the recovered files are valid, you may want to try Photorec (link also given above) that will likely manage to recover a large number of files, with no guarantee whatsoever to have them with the right path/name and extension, and not even with any guarantee of the actual files to be valid (you will need to check them one by one).

6) another, even more troublesome/complex step, if the results of the above will be not satisfactorily enough, would be to do a further pass of both dmde and photorec, after having mapped everything you already recovered on the image and zeroing the corresponding space.

7) a further step will be to reanalyze the image manually.

 

If you need assistance for items #1 up to #3 just ask.

For steps #4 and #5 you will probably need some assistance, and as well we can assist you, once you will have get the hang of the use of those programs.

For item #6 I can as well give you some instructions/hints, but it starts to be something for which you will need hours, possibly days of practice.

Item #7 is well beyond the common knowledge of even advanced users, you will likely need weeks, possibly months of training and practice.

 

If there is the need to go past step #5 it is usually not worth it, while you can repeat steps #4 and #5 many times, using different programs from the ones I suggested, though you will then need to procure the licenses for some Commercial programs.

 

jaclaz

 

 

 

1) I really don't know how to do that... Can you suggest a software for it?

 

2) Same as 1)

 

3) Before doing it, I wanna try few other softwares.

 

4)  :wacko:

 

5) I have already tried Photorec, but it does only found files that are currently in my Hard Drive (non deleted ones). Any help?

Link to comment
Share on other sites

I guess we are at a standstill. :(

You said you formatted a volume.

There are NO deleted files in this case, and there are NO new files on the formatted volume unless you after having formatted it also copied to it files.

The correct procedure has been given to you, whatever steps diverging from said procedure, particularly doing *anything* before step #1 is very likely to reduce (dramatically) any chance to recover any file.

 

To make a clone image you can use dd booting from a Linux or something similar from Windows, like dsfo/dsfi or clonedisk or even the mentioned dmde has a provision for this, but you need to have handy a device (hard disk big enough) to host the image (or to make a direct clone of the whole harddisk)

 

Some of these tools are mentioned here:

http://reboot.pro/topic/19730-dmde-basic-disk-imaging-test-and-results/

http://www.msfn.org/board/topic/100299-disk-imaging-software/

 

All in all I would suggest you to use:

http://www.partition-saving.com/

because it is very well documented and can be used from different OS's.

 

jaclaz

Link to comment
Share on other sites

I guess we are at a standstill. :(

You said you formatted a volume.

There are NO deleted files in this case, and there are NO new files on the formatted volume unless you after having formatted it also copied to it files.

The correct procedure has been given to you, whatever steps diverging from said procedure, particularly doing *anything* before step #1 is very likely to reduce (dramatically) any chance to recover any file.

 

To make a clone image you can use dd booting from a Linux or something similar from Windows, like dsfo/dsfi or clonedisk or even the mentioned dmde has a provision for this, but you need to have handy a device (hard disk big enough) to host the image (or to make a direct clone of the whole harddisk)

 

Some of these tools are mentioned here:

http://reboot.pro/topic/19730-dmde-basic-disk-imaging-test-and-results/

http://www.msfn.org/board/topic/100299-disk-imaging-software/

 

All in all I would suggest you to use:

http://www.partition-saving.com/

because it is very well documented and can be used from different OS's.

 

jaclaz

 

Do you mean a image of the sectors status? As I already did one and around 90% of all sectors were fine.

 

Sorry for this stupid questions, but I don't have a clue about "Data Recovering".

Edited by Opticork
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...