
Recovering Deleted Files



I have no idea what is "sector status" or why in it 90% of sectors are fine. 

What is needed is a clone or a "forensic sound" image of ALL the sectors involved, a sector level copy.

 

You need to understand some of the basics of cloning/imaging, and in order to do so you need to be informed on some basic disk/filesystem structures.

 

A disk (a new disk device, from factory) contains sectors, i.e. groups of bytes, usually 512, which are indexed in an addressing structure called LBA (Large Block Address) that numbers them starting from 0 to the last sector.

When you access or retrieve sector 0 you are getting the first absolute sector of the whole device which usually holds the MBR (Master Boot Record)

The procedure of initializing a disk (under Windows NT systems) will write the MBR to first absolute sector or sector LBA0.

The MBR contains some bootable code and some space for a partition table.

The procedure of partitioning creates one or more entries in the partition table, basically where (at which LBA sector) the partition (or volume) begins and how big it is (these are the partition or volume extents).

The procedure of formatting creates a filesystem in the space allocated in the partition table.

A filesystem, generally speaking, consists in an addressing structure that lists the addresses where any given file or folder resides and where there is unused space where a new file can be written to.

When you write a file to a volume the filesystem structures are updated so that they reflect the metadata of the file or folder (name, extension, dates/times, etc.) the address (using a different unit of measure, the cluster, which represents one or more sectors) of the file and how big (how many clusters it occupies) it is (these are the file extents, in a perfectly defragmented volume every file occupies a number of contiguous clusters and each file has a single extent, when the volume becomes fragmented during use a file may be stored on several, even hundreds of extents).

When you initially format a volume this "index" is "blanked" i.e. all the space on the volume becomes marked as "unused" (allowing to write to that space new files).

The same happens if you re-format an existing volume, but the actual clusters (groups of sectors) are not touched (under XP and earlier).

So, files are still there exactly as before but you have lost (forever) their "address" (more correctly their file extents data).

There are a few cases (particularly on large volumes with many files) when a re-format only blanks the initial part of the "index" and as well some cases where a new blank index is created in a different position than the previous one.

In these cases, parts of this "index" can be recovered (this is what dmde can do) and consequently any file that is listed in the recovered parts of this index can usually be recovered, even if fragmented, with its filename and extension.

If the re-format has completely blanked the "previous index" this is not possible, and you need to attempt file based recovery (what Photorec can do).

Most files do have "patterns" (usually in the first few bytes or "header" or in the last few bytes or "footer") that allow to identify them as a given filetype and some file types also contain other metadata, that may include their filename and their size.

What Photorec (and similar software) do is to attempt to recognize a file type and then use the metadata it can find in it to recover the file.

For a contiguous file that contains this info it can succeed.

For a contiguous file that does not contain this info it may also succeed (losing filename and giving a "tentative" extension).

For a non-contiguous file the software needs to make a number of guesses, and very rarely a fragmented file can be recovered at all, most of the times you get only some fragments of it.

 

The first step is to make an EXACT copy of the original (that is a "forensic sound" image or clone).

Usually an image of the whole disk is made, but in the case of a re-formatted volume (provided that in the "accident" the size of the partition has not been changed) making an image or clone of just the volume is OK.

Such an image is the 1:1, byte by byte, sector by sector copy of the partition/volume extents (see above).

As an example if the partition began on sector LBA 63 and was (say, for the sake of the example, you cannot make such a small partition/volume) 37 sectors in size, the image of that partition would be made out of sectors 63-99 and be 37x512=18944 bytes in size.

The copy is performed by a software tool that can get direct disk access such as the mentioned ones.

A few (like dd and similar) need to be given the exact start sector address and size, some are "smart enough" to get the extent from the partition table (such as the mentioned DMDE or PartitionSaving).

In your case, given that the partition/volume that was accidentally re-formatted was around 1 Tb in size, the resulting image will be also 1 Tb in size, and you need a device with enough capacity to host it which means, if you are going to make an image, a disk bigger than the size of the image to allow for the (NTFS) filesystem structure of the volume where you will write the image or an identical (or bigger) hard disk if you are going to clone the whole hard disk (from sector 0 up to the last sector of the disk).

Example #1, in case of an image, if your partition was 1 Tb in size, you will need at least a 1.5 Tb disk on which you will create a partition that, once formatted, will have more than 1 Tb of free space.

Example #2, in case of a clone, if the disk hosting the partition is 2 Tb in size you will need a 2 Tb disk as target (or a bigger one)

 

I hope now this is a bit more clear.

 

jaclaz
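
The partition-extent arithmetic from the post above (start LBA 63, 37 sectors, 18944 bytes), as an added example that is not part of the original thread: it reads the partition table from a constructed MBR sector, copies exactly those sectors and hashes them so the image can be verified later. The in-memory disk, the function names and the SHA-256 check are assumptions made for illustration.

```python
import hashlib
import io
import struct

SECTOR = 512  # bytes per sector, as in the post
# One 16-byte MBR partition entry:
# status, CHS start, type, CHS end, start LBA, sector count
ENTRY = struct.Struct("<B3sB3sII")

def build_sample_disk(total=128, start=63, count=37):
    """Constructed 64 KiB 'disk': MBR in LBA 0 with one partition entry."""
    disk = bytearray(total * SECTOR)
    disk[446:462] = ENTRY.pack(0x80, b"\0" * 3, 0x07, b"\0" * 3, start, count)
    disk[510:512] = b"\x55\xaa"  # MBR boot signature
    for lba in range(start, start + count):  # recognisable per-sector content
        disk[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba]) * SECTOR
    return bytes(disk)

def parse_partition_table(sector0):
    """Return the used entries of the four-slot partition table in LBA 0."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 does not carry an MBR signature")
    parts = []
    for slot in range(4):
        fields = ENTRY.unpack_from(sector0, 446 + 16 * slot)
        ptype, start, count = fields[2], fields[4], fields[5]
        if ptype and count:  # type 0 or zero length means an empty slot
            parts.append({"slot": slot, "type": ptype, "start_lba": start,
                          "sectors": count, "last_lba": start + count - 1})
    return parts

def image_extent(src, start_lba, sectors, dst, chunk_sectors=8):
    """Copy sectors start_lba..start_lba+sectors-1 to dst, sector by sector.

    Returns the SHA-256 of the bytes read; a short read aborts the copy
    instead of silently producing a truncated image.
    """
    digest = hashlib.sha256()
    src.seek(start_lba * SECTOR)
    remaining = sectors
    while remaining:
        want = min(chunk_sectors, remaining) * SECTOR
        buf = src.read(want)
        if len(buf) != want:
            raise OSError("short read while imaging; source ends early")
        dst.write(buf)
        digest.update(buf)
        remaining -= want // SECTOR
    return digest.hexdigest()

def demo():
    src = io.BytesIO(build_sample_disk())
    part = parse_partition_table(src.read(SECTOR))[0]
    image = io.BytesIO()
    digest = image_extent(src, part["start_lba"], part["sectors"], image)
    return part, image.getvalue(), digest

if __name__ == "__main__":
    part, image, digest = demo()
    print(part, len(image), digest)
```

Re-hashing the image file later and comparing it with the digest recorded at acquisition time shows whether the copy is still the exact one that was taken.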



Actually I got a lot of files on the hard drive after I formatted it. Like 50 GB or so including the Windows XP on it. Will this decrease the chance of restoring the file and also, when I got files on that hard drive again, what should I do in this case now when the hard drive is not empty anymore?

Edited by Opticork

I cannot understand the "got", do you mean that you copied to the re-formatted volume 50 Gb worth of files and actually re-installed an XP on it? :w00t:

 

Each single byte that has been written to the volume after the formatting has overwritten (irrecoverably) the byte that was there before, would you think that this increases probability of recovery? :dubbio:

 

jaclaz


I mean that after formatting the hard drive, I've installed Windows on it, then the drivers and then some programs. Will this screw my deleted files up?

 

EDIT: Forgot to mention that the PC was actually formatted two times yesterday, not only once. I have firstly started accidentally the first one, which wasn't *quick*, but unfortunately the second one minutes after the first one was. Will this affect the deleted file?

 

I am asking because, if the first time wasn't quick and the PC formatted the files, they should be alright and there shouldn't be anything for the second format to delete. (the second format that was *quick*).

 

Is there any chance that the files are still somewhere, there in the hard drive or they got completely overwritten or corrupted?

Edited by Opticork

Is there any chance that the files are still somewhere, there, in the hard drive, or they got completely overwritten or corrupted?

Sure! However that chance, while not exactly equal to zero, is way smaller than the chance of your winning three different lotteries in the same day with the same numbers and, then, being fulminated by lightning, before cashing in any of those three prizes.


Rule#1 - "OMG! I started a Format! I SHALL NOW IMMEDIATELY TURN OFF POWER!"

Rule#2 - "Hmmm, must find a spare unused HDD and install OS with original disconnected disabling SysRestore/Indexing."

Rule#3 - "Okee-doke, now I can create some sort of Active PE, like Winbuilder."

Rule#4 - "Now I reconnect Original, boot to PE CD/DVD and recover as best I can, maybe copy files to spare."

 

You may (more than likely) be totes gorked on retrieving anything. :(


Let's talk of physics. :w00t:

 

Two different solids (or even liquids if not compressible) cannot be at the same time in the same place.

 

Same happens to bytes (and sectors), whatever you copied or installed to that volume has to go somewhere, and this somewhere is the same place where something else was before.

 

This is called to overwrite, i.e. to write a new value in the same place where a previous value was written, effectively making what was written before in that same place lost forever.

 

So, anything that was overwritten is lost forever and cannot be retrieved through any means.

 

The more you overwrite, the less amount of non-overwritten sectors you will have left and thus the less amount of data you can recover.

 

Now, 50 Gb surely lost on a (possibly full up to the brim :unsure:) 1 Tb volume represent anyway a rather small percentage, roughly 1/20 or 5%, but of course, if the volume contained 50 Gb of files, it was perfectly defragmented and you just wrote to it (after having formatted it twice :w00t:) 50 Gb of data it is more likely that the percentage of irrecoverable data is in the 90 to 99.99% range.


Sure! However that chance, while not exactly equal to zero, is way smaller than the chance of your winning three different lotteries in the same day with the same numbers and, then, being fulminated by lightning, before cashing in any of those three prizes.

 

... if you are a postilion by trade:

https://en.wikipedia.org/wiki/My_postillion_has_been_struck_by_lightning

probabilities of the latter do increase noticeably, JFYI.

 

jaclaz

Edited by jaclaz
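
The header/footer carving described earlier in the thread and the effect of overwriting described in the post above, as an added example that is not part of the original thread: a minimal carver run over a constructed volume holding one contiguous file, one fragmented file and one file whose first cluster was overwritten. The 512-byte cluster, the fake JPEG-like files and all names are assumptions; real carvers such as Photorec do far more than this.

```python
import hashlib

CLUSTER = 512               # assumed cluster size for the constructed volume
HEADER = b"\xff\xd8\xff"    # JPEG start-of-image plus next marker prefix
FOOTER = b"\xff\xd9"        # JPEG end-of-image

def fake_jpeg(fill, size):
    """Constructed stand-in for a JPEG: header, filler bytes, footer."""
    return HEADER + b"\xe0" + bytes([fill]) * (size - 6) + FOOTER

def to_clusters(data):
    """Split a file into clusters, zero-padding the slack of the last one."""
    padded = data + b"\0" * (-len(data) % CLUSTER)
    return [padded[i:i + CLUSTER] for i in range(0, len(padded), CLUSTER)]

def build_volume():
    files = {"a": fake_jpeg(0x41, 1200), "b": fake_jpeg(0x42, 1200),
             "c": fake_jpeg(0x43, 1200)}
    ca, cb, cc = (to_clusters(files[k]) for k in "abc")
    foreign = [b"\x11" * CLUSTER]   # a cluster belonging to some other file
    # A is contiguous, B has a foreign cluster between its extents, C follows.
    volume = bytearray(b"".join(ca + cb[:1] + foreign + cb[1:] + cc))
    # Data written after the format lands on C's first cluster.
    c_start = (len(ca) + len(cb) + len(foreign)) * CLUSTER
    volume[c_start:c_start + CLUSTER] = b"\x99" * CLUSTER
    return bytes(volume), files

def carve(volume):
    """Return every header..footer run that starts on a cluster boundary."""
    found, pos = [], 0
    while True:
        start = volume.find(HEADER, pos)
        if start == -1:
            break
        if start % CLUSTER:         # files begin at the start of a cluster
            pos = start + 1
            continue
        end = volume.find(FOOTER, start + len(HEADER))
        if end == -1:
            break
        found.append(volume[start:end + len(FOOTER)])
        pos = end + len(FOOTER)
    return found

def recovered_intact(volume, originals):
    """Map each original file name to whether a carved blob matches it exactly."""
    carved = {hashlib.sha256(blob).digest() for blob in carve(volume)}
    return {name: hashlib.sha256(data).digest() in carved
            for name, data in originals.items()}

if __name__ == "__main__":
    vol, originals = build_volume()
    print(recovered_intact(vol, originals))
```

The fragmented file is still "found", but the carved blob contains the foreign cluster, and the file with the overwritten first cluster is not found at all because its header no longer exists.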

Well, I have found the Sims 2 Saves folder, however in it there were just five completely randomized files, all with the same names. (random names, file types and etc.) Does that mean that the save files are somewhere out of this folder or completely wiped out? (By the way, that folder was on the desktop)

 

About the KernelEx and SP5, they were completely overwritten and there is not even a word left from its scripts.

 

As it's already obvious that the KernelEx & SP5 development will be on-hold for around a month, is there any way that at least the Sims 2 files are stored somewhere in the hard drive?


I don't think that you will ever be able to recover specifically the " Sims 2 Saves folder" what you report is exactly the effect of the overwriting I mentioned in the previous post :(.

 

The fact that you estimate that the KernelEx+ & SP5 project can be rewritten from scratch up to the level it was until yesterday in just one month (if I get this right :unsure:) represents however very good news :).

 

jaclaz


1) I mean that after formatting the hard drive, I've installed Windows on it, then the drivers and then some programs. Will this screw my deleted files up?

 

2) EDIT: Forgot to mention that the PC was actually formatted two times yesterday, not only once. I have firstly started accidentally the first one, which wasn't *quick*, but unfortunately the second one minutes after the first one was. Will this affect the deleted file?

 

3) Is there any chance that the files are still somewhere, there in the hard drive or they got completely overwritten or corrupted?

My Response: Wow!!!!!! No one can accidentally do this! Especially someone who is actually developing software ... you are actually developing software?!?!?!


Gh0st brings up a good question.

 

All in all this is a very bizarre situation.

 

We have a software developer that is working on XP KernelEx and XP SP5.  Those two tasks are way, way, way beyond what I would be able to do so this developer must be very, very smart.  The developer has an unfortunate situation occur which causes his HDD to format itself.  He has no idea how this happens, unless he is trying to not blame his cousin or something.  He also explains that this format was not a quick format, but how does he know that it wasn't a quick format?  Unless he was just referring to the amount of time the format seemed to take?  (I forget whether the quick format is the default one or not.)  Anyway, once that format completed, apparently he felt that didn't do enough damage so he formatted the HDD a second time, this time ensuring that it was a quick format, and has since then expressed concern that the quick format might have done the worst of the damage, even though jaclaz has explained that the quick format, on its own, would do the least amount of damage.  Then he installed XP onto the HDD, installed drivers, updates for XP, applications, 50 GB of miscellaneous files onto the drive, etc. and then started to try and recover the files that had been on the drive before this unfortunate situation occurred.  He has apparently downloaded various file recovery utilities and probably installed them onto that same HDD and maybe continued to use that drive to browse the internet etc.  Jaclaz, harkaz, and others have stressed that he needed to make a bit-for-bit copy, or clone, of his drive and try his recovery efforts on the copy and leave the original drive alone, but he says that he wants to try a few other software recovery methods first.  He had backups of his development work, but those backups also broke somehow.  Since much of the latest progress on KernelEX and SP5 seems to have happened over the last week or two, I'm not sure when these backups broke and how long he did development work without replacing his broken backups.  
How someone as smart as he is and so knowledgeable about the technical intricacies of computers didn't understand that almost everything he did after the mysterious initial format occurred was making his goal of recovering his files less and less possible seems improbable.

 

I don't know which recovery software he has tried and I have no idea how he managed to find even the remnants which he says he found as quickly as he said he found them if everything he says occurred actually occurred.  I have used recovery software in the past and the searching process took a great deal of time, and that was without two formats, installing an OS, etc on top of it.  That was several years ago with a much less powerful system than what I assume he has, but still.  I really do not want to disparage the reputation of Opticork in any way and I had very high hopes for his work on KernelEX and SP5 which seemed to be progressing surprisingly quickly, but this situation has me wondering.  I hope I am wrong and I have somehow misunderstood this situation.

 

Here's hoping for the best, a miracle recovery of his cousin's Sims 2 files, and a quick resumption of the KernelEX and SP5 projects. :)

 

Cheers and Regards

Edited by bphlpt

Fortunately I have great news. After letting the computer scan one more night, it found the KernelEx project, so only SP5 will be on hold, but the KernelEx project development will continue.

 

1PaNk3i.png

 

However, the beta versions of this project will be delayed to 07.03.2016 (March 07, 2016).

 

Anyways, there should always be something bad, as I wasn't able to recover Service Pack 5 or my cousin's saves, games and whatever god can think of, Service Pack 5 development will be canceled for now and will be continued in the near future.

 

 

 


 

 

Well, I kinda do as he's the one that did the first format and I know that it wasn't quick as I came to the room a little bit later and the second was from me, because Windows XP's setup didn't allow me to install it until I format it once again, so I can access data recovery program. It wasn't the smartest thing that anyone can do, but fortunately at least the KernelEx project was saved from the File's Cemetery...

 

The only thing we can hope now, is that the kernel32.dll isn't corrupted as it will take me much time to fix it.

 

EDIT: I've decided that I'll also start Recuva for one night if it eventually comes up with something good, but well the chances are very small.

Edited by Opticork

Can you post some images of the entire directory structure, so that we can assess the damage to the project?

I see the kernelex dir size is 0 KB(!) so I'd like to see exactly what has been recovered.
