Re: Digest for datarecoverycertification@googlegroups.com - 4 Messages in 1 Topic


Davies G D O (AT)

May 16, 2012, 1:07:52 PM
to datarecoverycertification@googlegroups.com
I am currently working out of the office until June 2nd - I will be replying to email periodically in this timeframe.

Thanks & Best Regards,

Gareth Davies


On 22 Apr 2012, at 15:13, <datarecovery...@googlegroups.com> wrote:

  Today's Topic Summary
Group: http://groups.google.com/group/datarecoverycertification/topics
        •       RStudio question [4 Updates]
 RStudio question
        •       Tim Farren <t...@farrentech.com> Apr 21 10:15AM -0400  
        •      
        •       Maybe I have a misunderstanding of what is actually happening.
        •        
        •       The drive is not physically damaged. All sectors are readable. However, when I plug the drive into my computer, win7 informs me that the drive isn't formatted. I ran CHKDSK on it, and after CHKDSK finished, there was basically an empty partition. Only 1 or 2 files on the entire drive. Ftk imager showed the same result.
        •        
        •       I had run CHKDSK on a copy, so I started over with another copy of the original. This time, no CHKDSK, but instead I inspected it with R-Studio. I couldn't see any files or directories until I performed a full scan of the HD. After it fully scanned the drive, then I was presented with the directory tree.
        •        
        •       Question - what do you suppose causes the set of symptoms described above?
        •        
        •       During recovery of the files, occasionally I would receive prompts to overwrite files that already exist on the destination, even though I'm sure the destination was blank. I just assumed that r-studio was doing this because of fragmentation, but I was just guessing. I don't understand why RStudio would find the same file more than once in the same directory and attempt to recover it multiple times. What causes that? I see it frequently during recoveries like this. It's definitely not uncommon.
        •        
        •       Thanks!
        •        
        •       Sent from my iPhone
        •        
        •       On Apr 21, 2012, at 8:06 AM, "Glynn LeBlanc" <glynn....@gmail.com> wrote:
        •        
        •       Tim
        •        
        •       Not sure what the "file Exists" error is in R-Studio, but.....fragmentation will not cause the file to be listed multiple times. Multiple listings of the file in different directories will cause that. If you obtain an MFT File record intact, then all the data runs will be included in the record and you will be able to obtain all the fragments of the file if it has not been deleted and the disk area where the file resided is not in use by another file. OR the disk area where the file resides is not damaged. OR the file has so many data runs (extremely fragmented) that the data runs exist as a non-resident attribute. Meaning the data runs are outside the MFT and you may not have them. In which case the file is not recoverable. This can happen on extremely large files that receive a lot of updates like a database.
        •        
        •       The MFT itself can become fragmented and live all over the drive if the drive has been operating for a long time and has lots of data. So you may not have the entire MFT. I am curious, what makes you think the MFT is damaged?
        •        
        •       To me the best way to determine if you have the file intact is to sample some of them.
        •        
        •       Hope this helps.
        •       Glynn LeBlanc, ACE, CFCE
        •       La Computer Forensic Services
        •       Gonzales LA
        •        
        •        
        •        
        •       On Fri, Apr 20, 2012 at 4:15 PM, Tim Farren <t...@farrentech.com> wrote:
        •       If the mft is damaged and I do a full scan of the drive to find all files, what happens to the resulting files? Are they complete? Does fragmentation cause the files to be listed multiple times? I'm noticing a lot of "the file exists" errors when recovering data after my mft was damaged. Can anyone shed some light on this?
        •        
        •       Sent from my iPhone
        •        
        •       --
        •       You received this message because you are subscribed to the Google Groups "DataRecoveryCertification" group.
        •       To post to this group, send email to datarecovery...@googlegroups.com.
        •       To unsubscribe from this group, send email to datarecoverycertif...@googlegroups.com.
        •       For more options, visit this group at http://groups.google.com/group/datarecoverycertification?hl=en.
        •        
        •       Glynn LeBlanc <glynn....@gmail.com> Apr 21 09:47AM -0500  
        •      
        •       I quit trying to explain how drives end up this way. I have seen a ton
        •       of them and who knows what causes it in each case. If I could answer that
        •       question each time and prevent it, I may be higher on the digital food
        •       chain. HA.
        •       Anyway, the question is why are we seeing multiple files being recovered
        •       from the same directory?
        •        
        •       One possible answer is the MFT itself was fragmented and as the disk was
        •       defragmented, it left duplicate remnants of the MFT records scattered all
        •       over the drive. In this case when there is no valid file tree, R-Studio
        •       looks for the record header FILE0 and then inspects the next 1024 bytes for
        •       the data related to a MFT Record. For a file that resides in a folder,
        •       when the record is recovered, the parent record number is part of that
        •       record, along with all the data runs, file name, dates and times, etc. If
        •       that parent record still exists, then R-Studio will link it to the parent
        •       folder and rebuild the directory tree. If more than one record exists, then
        •       you end up trying to recover the same file twice. But in that case, both
        •       records should point to the same data area of the drive and the file should
        •       be identical. UNLESS???
        •        
        •       There is a difference in the two records due to a change being made to the
        •       file after the disk was defragged.
        •        
        •       That's just one possible explanation and I guess there could be more.
        •       Without seeing the drive and the records, I couldn't hazard a guess as to
        •       the specifics.
        •        
        •       Glynn LeBlanc, ACE, CFCE
        •       La Computer Forensic Services
        •       Gonzales LA
        •        
        •       *Glynn LeBlanc*, CFCE, ACE, ACMI
        •       Senior Instructor
        •       Office: 801.377.5410 x644
        •       Mobile: 225-268-0096
        •        
        •       wayne horner <waynea...@gmail.com> Apr 21 07:14PM -0700  
        •      
        •       I have noticed that rstudio creates lots of multiple copies of files. I
        •       have spent a little time inspecting the various copies and they all point
        •       to the same real-estate. So they are the same contents.
        •       It might be that when you do a full scan that Rstudio finds multiple copies
        •       of the indexes. This creates multiple 'recovered' files with the same
        •       names. Rstudio should be smarter and eliminate the duplicates.
        •       I just tell it to skip files that exist.
        •        
        •        
        •       --
        •       Alandata Recovery
        •       "Data Recovery Specialist in VM, Raid, NAS, Linux, Tape and Hard Disk Data
        •       Recovery"
        •       www.ALANDATARECOVERY.com <http://www.alandatarecovery.com/>
        •        
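The carving and duplicate behaviour that Glynn LeBlanc and wayne horner describe above, as an added example that is not part of the thread and is not R-Studio's code: it finds FILE records on sector boundaries, reads each record's parent record number, name and data runs, and reports whether same-named copies map to the same clusters. The function names, the simplified record layout (no fixup array) and the sample image are assumptions constructed for illustration.

```python
import struct
REC = 1024  # MFT record size assumed: the 1024 bytes mentioned in the thread

def make_record(parent, name, runs):
    """Constructed test data: simplified FILE record (no fixup array, no padding)."""
    fn = struct.pack("<Q56xBB", parent, len(name), 1) + name.encode("utf-16-le")
    a30 = struct.pack("<IIQIH2x", 0x30, 24 + len(fn), 0, len(fn), 24) + fn
    a80 = struct.pack("<IIB23xH30x", 0x80, 65 + len(runs), 1, 64) + runs + b"\0"
    return (b"FILE" + struct.pack("<16xH34x", 0x38) + a30 + a80 + b"\xff" * 4).ljust(REC, b"\0")

def decode_runs(buf):
    """Turn a run list into absolute (start cluster, cluster count) extents."""
    runs, lcn, pos = [], 0, 0
    while pos < len(buf) and buf[pos]:
        ls, osz = buf[pos] & 0xF, buf[pos] >> 4  # sizes of length / offset fields
        length = int.from_bytes(buf[pos + 1:pos + 1 + ls], "little")
        lcn += int.from_bytes(buf[pos + 1 + ls:pos + 1 + ls + osz], "little", signed=True)
        runs.append((lcn, length))
        pos += 1 + ls + osz
    return tuple(runs)

def parse_record(rec):
    """Return (parent record number, file name, extents) of one FILE record."""
    off, parent, name, runs = struct.unpack_from("<H", rec, 0x14)[0], None, None, ()
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 24 or off + alen > len(rec):
            break
        if atype == 0x30:                     # $FILE_NAME, always resident
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            parent = struct.unpack_from("<Q", rec, c)[0] & 0xFFFFFFFFFFFF
            name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le", "replace")
        elif atype == 0x80 and rec[off + 8]:  # non-resident $DATA: decode its run list
            runs = decode_runs(rec[off + struct.unpack_from("<H", rec, off + 0x20)[0]:off + alen])
        off += alen
    return parent, name, runs

def scan(image):
    """Carve FILE records; per (parent, name) return (copies, distinct extent lists)."""
    seen = {}
    for off in range(0, len(image) - REC + 1, 512):  # records start on sector boundaries
        if image[off:off + 4] == b"FILE":
            parent, name, runs = parse_record(image[off:off + REC])
            seen.setdefault((parent, name), []).append(runs)
    return {k: (len(v), len(set(v))) for k, v in seen.items()}

# Constructed image: three live records, a gap, then two stale copies (one outdated).
A, B, C = (bytes.fromhex(h) for h in ("21081000", "210a2000110240", "21043000"))
IMAGE = (make_record(5, "report.doc", A) + make_record(5, "db.mdb", B) + make_record(5, "notes.txt", C)
         + bytes(4096) + make_record(5, "report.doc", A) + make_record(5, "db.mdb", B[:4]))
```

In the output of `scan(IMAGE)`, a result of (2, 1) is two records for one file that cover the same clusters, so skipping the existing file loses nothing; (2, 2) means the copies disagree and both are worth recovering and comparing.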
        •       Tim Farren <t...@farrentech.com> Apr 21 10:17PM -0400  
        •      
        •       Lots of good info. Thanks everyone. Can anyone tell me what the key difference is between a drive capable of showing a good directory of files and a drive that needs to be scanned to show the contents? Something happened to my drive while Windows was running, and on the next reboot is when it told me the drive was "raw". This happened to 2 drives simultaneously that were mirrored, so this wasn't physical damage.
        •        
        •       Sent from my iPhone