Correction: Of course, the file does still exist, however is no longer has the protection it has by having its address held in the FAT (reserved space), it is not in a "no-mans-land" of potentially free space to be overwritten.
should read: Of course, the file does still exist, however it no longer has the protection it had by having its address held in the FAT (reserved space), it is now in a "no-mans-land" of potentially free space to be overwritten.

2009/12/20 Richard Forth <richard.fo...@gmail.com>

> Well there are a few forensics experts on here who could tell you better
> than I could, and will probably put me right, but as I understand the
> process, the "data" should still be there "somewhere" on the disk, the
> problem is finding it again and hoping nothing has been overwritten, you
> see, although you used a live cd, you ran fdisk which is a utility that
> creates and deletes filesystems on physical disks and that is what you have
> done, it doesn't really matter that you used a live cd.
>
> When you ran:
>
> 'mkfs.ext3 /dev/sda2' instead of 'mkfs.ext3 /dev/sdb2' and accidentally
> wiped her NTFS Windows partition (boot/documents etc.)
>
> You replaced NTFS with EXT3 on the disk /dev/sda2 - thus wiping off all of
> the data.
>
> To explain roughly how this works - and a couple of dodgy attempts at
> analogies:
>
> Basically there is a File Allocation Table (yes even though this stands for
> FAT, an NTFS partition will also have a File Allocation Table of sorts, it
> probably has a specific name but to simplify, I'll use the term FAT) in
> which the physical address of each file on the disk is stored, when you
> access a file, the FAT is checked, and then the spindle arm head looks in
> the sector specified, and badabing, you get your document on screen.
>
> When a file is deleted, it remains on the disk, but the physical address /
> reference to it on the FAT is deleted, thus, the computer thinks that that
> part of the disk is available as "free space".
>
> Thus it is possible for forensics tools to recover "deleted" files, (think
> Gary Glitter case and you'd be on the money).
>
> When a volume is formatted, unless it is a very low-level whole disk
> format, it basically wipes the FAT and replaces it with a fresh one, it's
> like taking away your phone book and giving you a brand new (empty) one.
>
> How do you know where any of your contacts are anymore? And unlike the
> phonebook scenario I mentioned, it's not simply a case of "remembering the
> numbers", because the numbers don't exist any more, it's like the very act of
> removing the old phonebook and replacing it with a clean one somehow told
> the exchange or phone company all these numbers are free to be re-issued.
> (The physical people (i.e. data) will still be there, but the addresses
> (numbers) have been put into a pool to be re-issued.).
>
> Now suppose we take this scenario one extreme step further and say ok let's
> say your best mate's number got re-issued to someone else, the way this
> works in the computer world is the number still points to the old house
> (your mate's house) BUT the twist is that the new people get to move into
> your mate's house and kill everyone who already exists in the house.
>
> In this way, you could still have physically gone round to your mate's house
> to speak to him even though his number had been re-issued however in the
> re-issuing process, his house (physical address) is now being occupied by
> new people (data).
>
> The trick in computer forensics is NOT to allow the numbers to be re-issued.
>
> The point I was making is once the FAT is EMPTY it is *impossible* to
> query it to get the old files back because, according to the FAT, the disk
> space is free and available for new files.
>
> Of course, the file does still exist, however is no longer has the
> protection it has by having its address held in the FAT (reserved space), it
> is not in a "no-mans-land" of potentially free space to be overwritten.
>
> Once a new file has been written to the disk, post file erasure / new FAT,
> there is a chance it could have overwritten your "deleted" files (the File
> Allocation Table has no record of that area of the disk being "in use").
>
> Another way of thinking about it is imagine you are building a town with
> robots, and all of the robots know where all of the existing houses are
> because they each have an exact copy of the town plan which is updated
> regularly when new houses are built.
>
> They cannot "see" anything, they just know which bits they are allowed to
> build on and which parts they aren't. Suppose some freak accident happened
> and the master plan got erased and all the robots suddenly lost their copy
> of the town plan, the robots think that the whole town is one big flat field
> again and can build anywhere. It is possible at this point for a real human
> to step in, shut down all the robots and rebuild the town plan by physically
> driving around the town and checking for houses that are already built and /
> or occupied. You can think of this town plan like the File Allocation
> Table (the houses are files).
>
> It would then be possible to "recover" the lost data and turn the robots
> back on and give them the rebuilt town plan data and they could carry on and
> the existing houses would be unaffected.
>
> Now suppose no humans ever intervened, the robots would suddenly start
> knocking down houses and clearing the occupied sites ready for construction
> even though the houses are occupied - remember the robots don't "see" the
> houses and recognise them as being occupied as they are working to a town
> plan that got wiped so they just see all the land as being "available"
> again.
>
> This is basically how a disk works, the FAT is the town plan, the spindle
> and read/write head is the robots, and the data is the houses.
>
> (I hope this makes sense)
>
> So ultimately, when things like that happen, you need to prevent the OS
> from writing any more data to the disk, and you may need to run some
> forensic scanners on the disc to check every cluster on the media for any
> files that can be recovered and recover them, a good one for windows files
> is "Restoration.exe" which is freeware but very good. You can get it by
> doing a google search for it.
>
> Although Restoration does not recognise EXT3 filesystems!!!
>
> I don't know any forensic tools for linux I am afraid.
>
> Your scenario is slightly more complex because you have overwritten NTFS
> with ext3 so this adds further complication, but as you can see from my
> attempt at analogy, it's complicated recovering deleted files from a disk
> that has been formatted. If not impossible.
>
> Actually, no it is possible but at a cost of thousands if you use a
> commercial data recovery company. But even then you may not get all of your
> data back (as per above)
>
> Regards
> Richard
>
> 2009/12/19 Stewart Robertson <stewar...@aliencamel.com>
>
>> I got a new toy (plugcomputer) that can boot from SD cards. My wife's
>> laptop has got an SD card reader built in so I borrowed it and booted
>> from an Ubuntu LiveCD reassuring her nothing could possibly go wrong.
>>
>> Anyway, to cut a long story short I used fdisk and ran 'mkfs.ext3
>> /dev/sda2' instead of 'mkfs.ext3 /dev/sdb2' and accidentally wiped her
>> NTFS Windows partition (boot/documents etc.). She has no backup and I'm
>> so not getting any Christmas presents if I don't get it sorted.
>>
>> I've had a good read on forums but am looking for specific information
>> about my personal situation. I was using a LiveCD, I didn't install
>> anything on the formatted partition because I realised straight after
>> and on reboot the machine says Operating System Not Found so in theory
>> other than damage caused by the formatting process everything should
>> still be there.
>>
>> What would be the best thing for me to do in this situation? Is it
>> possible to restore the partition to NTFS and continue as if nothing has
>> happened? What exactly does fdisk do when you format to ext3?
>>
>> Any advice gratefully received.
>>
>> Stewart
>>
>> _______________________________________________
>> Peterboro mailing list
>> Peterboro@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/peterboro
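Added example, not part of the original thread: a toy model of the "wiped index, data still on disk" situation described in the message above, with a scanner that checks every cluster for known file signatures. The disk layout, cluster size, file names and file contents are constructed for illustration and are not real NTFS or ext3 structures; files are assumed to be stored contiguously.

```python
CLUSTER = 512
SIGS = {"jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),           # real header/footer signatures
        "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82")}

def make_disk(files, clusters=16):
    """Cluster 0 holds a toy index of 'name:cluster;' entries; data starts at cluster 1."""
    disk = bytearray(CLUSTER * clusters)
    index, cur = b"", 1
    for name, data in files.items():
        disk[cur * CLUSTER: cur * CLUSTER + len(data)] = data
        index += b"%s:%d;" % (name.encode(), cur)
        cur += -(-len(data) // CLUSTER)  # ceiling division: clusters used
    disk[:len(index)] = index
    return disk

def lookup(disk, name):
    """What the OS does: ask the index where a file lives."""
    for entry in bytes(disk[:CLUSTER]).rstrip(b"\0").split(b";"):
        if entry.startswith(name.encode() + b":"):
            return int(entry.split(b":")[1])
    return None

def quick_format(disk):
    """Replace the index with an empty one; data clusters are untouched."""
    disk[:CLUSTER] = bytes(CLUSTER)

def carve(disk):
    """What a recovery scanner does: ignore the index, check every cluster."""
    found = []
    for off in range(CLUSTER, len(disk), CLUSTER):
        for kind, (head, foot) in SIGS.items():
            if disk.startswith(head, off):
                end = disk.find(foot, off)
                if end != -1:  # footer missing means the tail was overwritten
                    found.append((kind, off // CLUSTER, bytes(disk[off:end + len(foot)])))
    return found

def demo():
    jpeg = SIGS["jpeg"][0] + b"J" * 700 + SIGS["jpeg"][1]  # constructed, spans 2 clusters
    png = SIGS["png"][0] + b"P" * 100 + SIGS["png"][1]     # constructed, 1 cluster
    disk = make_disk({"photo.jpg": jpeg, "scan.png": png})
    quick_format(disk)
    after_format = [kind for kind, _, _ in carve(disk)]
    disk[2 * CLUSTER: 3 * CLUSTER] = b"N" * CLUSTER  # new data lands on "free" cluster 2
    after_write = [kind for kind, _, _ in carve(disk)]
    return lookup(disk, "photo.jpg"), after_format, after_write

print(demo())
```

Both files are found by the scan straight after the format even though the index lookup returns nothing; once a later write reuses cluster 2, the JPEG's tail is gone and only the PNG is still recoverable.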