±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 100

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

What to do when all file system is erased

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Flobo
Newbie
 

What to do when all file system is erased

Post Posted: Feb 16, 05 23:04

Hi guys! I am new here. I have a small data recovery software site ( www.floborecovery.com . And I am quite experienced in data recovery.

I am devoloping a new technology that the data recovery issue when all file system information is erased(overwritten). As you know common software for file recovery from a damaged partition are using file system information(FAT,NTFS,Ext2,etc). the some, undelete software, are using the some thing.

When a virus erase all file system information, the recovery of the files are a big problem. One sollution is trying so called "raw recovery" that tried to identify by header signature, the file and recover it. But, this fails when the file is fragmented. As we know most users have above 70% fragmentation level. So, is not a complete sollution.

So, I am developing a new techmology that is able to recover filesno matter the file system and the fragmentation. I know it sound impossible but I succeded for .dbf files at the moment.

What do you think about this? How many times you encountered file system totally erased? What are the most important files from your point of view?
_________________
Data recovery as art. 
 
  

gmarshall139
Senior Member
 

Re: What to do when all file system is erased

Post Posted: Feb 17, 05 14:55

Data recovery is indeed an art. The most important file is the $MFT (NTFS) or FAT. You can recover anything else with it, given enough time. Nothing is impossible, but I would love to know how you plan to locate a file's extents without the $MFT.

Good luck on your ambitious project.[/list]
_________________
Greg Marshall, EnCE 
 
  

gmarshall139
Senior Member
 

Re: What to do when all file system is erased

Post Posted: Feb 17, 05 15:00

I forgot to answer your other question, I very rarely encounter a system whose entire file system has been deleted.

But the scanpst.exe function that everyone gets with windows may work this way. It does a very good job of parsing .pst file fragments from unallocated space. Those files are very fragmented typically, and I've used to pull out a lot of .pst file information.
_________________
Greg Marshall, EnCE 
 

Page 1 of 1