±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36775
New Yesterday: 0 Visitors: 125

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

HELP NEEDED and certainly appreciated

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3  Next 
  

tlucz-huba
Newbie
 

HELP NEEDED and certainly appreciated

Post Posted: Jan 08, 05 08:56

Hello,

I am new to this forum and also to a computer forensic problematic .

I am asking for help anyone. I have created a problem to myself. I have 2 harddrives. 80GB each.

HDD #1
----------
2 partitions:
C: --> Windows XP pro SP2 installed (around 25 GB)
E: --> (Software, Movies, Pictures etc., around 50 GB of data)

HDD #2:
----------
Slave, D: , around 75GB


I used PowerQuest Partition Magic 8.0 to resize C: (from 25 to 10GB)
Then I resized E: from 50 to 65 GB

Before I did that I have CLEANED and DEFRAGMENTED all drives

Now that didn`t seem to be "good enough", So I have decided I will transfer all data from E: to my new D: drive

I have noticed that even after I transfered all data, there was still like 6GB of used space on the E: drive.

I went to FOLDER OPTIONS and set the view for "show hidden files and folders". I still haven`t see anything on the drive - no folders, no files, nothing...

So I FORMATED the E: drive to "free up" that space.

I thing that`s where I screwed up. Now I have a dificulty with some data that i have transfered to D:

Some video, MP3 and jpeg files are "corrupted". i don`t care about movies and songs, but pictures are very important to me. Even though i have backed up most of it, I still have around 50-60 VERY important pictures I HAVE to recover or My girlfriend is gonna kill me. The pics are very special to her.

It seems that the pics have exactly the same size as they had on E: drive. But I can`t see them. Whenever I do, it opens the picture, but there is message "no preview available" in the middle of the blank screen.

I thing that somehow I have corrupted or destroyed the indexes that file system was using for these pics. But I can be wrong of course. I am almost certain that it had something to do with FORMATING of that 6GB "useless" space on E: drive after I transfered all data from there.

Can anyone HELP how to recover those pics PLEASE? If so, can you please provide an "idiot proof" tutorial, link to a book or tool, As I am a beginner.

I will appreciate any kind of help.

I know that some of you will probably say I should read a bunch of books, but I am afraid I don`t have that much time, even though I am finding computer forensic interesting.  
 
  

gmarshall139
Senior Member
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 08, 05 14:29

private message sent
_________________
Greg Marshall, EnCE 
 
  

GeVeZe
Newbie
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 17, 05 00:44

i have the same problem

scandisk of windows deleted some files they are like index files

have same no preview error
and no preview also movies which i have in archive...  
 
  

gmarshall139
Senior Member
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 17, 05 14:40

Sounds like the $mft entry was deleted, the data is still there. You need an application that will let you search for the data in the unallocated clusters. Try Winhex.
_________________
Greg Marshall, EnCE 
 
  

GeVeZe
Newbie
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 17, 05 20:32

at Access menu
there is a menu lik $MFT(101MB) ----> recover

when i choose another partition its saved on that partiton

can you explain how should i recover? and where will i put that recovered file?

this $mft consist of only one file?  
 
  

gmarshall139
Senior Member
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 17, 05 20:43

The $mft is one file, it is the table of contents so to speak for an NTFS file system. I wouldn't advise that you mess with it unless you are working off an image. That's not where the data is anyway, that's just where the file name and data location is stored. The data is in your unallocated clusters. You need an application that will allow you to search for and carve out the data in the unallocated space. Try norton utilities, it may allow you to do it a little easier. Otherwise you'll need to look at the drive with a hex editor, determine the header for the data you are looking for, and try to carve it out. That is unless you have a forensic application you can use, or know someone that does.
_________________
Greg Marshall, EnCE 
 
  

GeVeZe
Newbie
 

Re: HELP NEEDED and certainly appreciated

Post Posted: Jan 17, 05 21:04

i used active undelete for data recovery
but the pictures and movies are still cannot open

recovered files also cannot open

after i recover from winhex this $MFT
then i put it using a tool like active undelete?  
 

Page 1 of 3
Page 1, 2, 3  Next