Thanks for the analogy, Richard.
Thankfully I was using a Live CD, so in theory no robots managed to get
to the town and start re-building while thinking it was available space,
which is why I have my fingers and toes crossed. I am, however,
beginning to accept that the phonebook is long gone.
I purchased a 1TB external HD and mounted it while using System Rescue
CD, but it would only mount read-only because it was formatted as NTFS.
I connected it up to Linux Mint and used GParted to format it as FAT32,
then remounted it on the laptop.
I want to create an image of the drive in case I cause further damage,
so have been using dd, but it keeps falling over at 4.3GB and reporting
'File too large'.
Various searches suggest that dd can be used to image whole drives, but
some places suggest there is a file size limit for FAT32. If I
reformat the external as ext3 it should handle the larger file size, but
can I then use it to store any files found by photorec before
transferring them back on to Windows (i.e. can Windows mount an
ext3-formatted drive and access files on it)?
Stewart
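The imaging step described above, as an added example that is not part of the original thread: dd's output is piped through split so that every piece stays under FAT32's per-file limit (4 GiB minus one byte, which is the "File too large" at 4.3 GB), and the pieces are checked against a hash of the very bytes dd produced. It assumes GNU coreutils (dd, split, tee, sha256sum); the function names, the piece naming and the 12 MiB random file that stands in for /dev/sda are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original thread: image a drive onto a FAT32
# destination by splitting dd's stream into pieces below FAT32's 4 GiB
# per-file limit, then verify the pieces against a hash of that stream.
# Assumes GNU coreutils (dd, split, tee, sha256sum). All names are my own.
set -e

# image_split SRC DEST_DIR PREFIX [CHUNK]
# e.g. image_split /dev/sda /mnt/external laptop 2G -> laptop.000, laptop.001, ...
image_split() {
  src=$1; dest=$2; prefix=$3; chunk=${4:-2G}
  mkdir -p "$dest"
  # A named pipe lets sha256sum hash exactly the bytes dd produced without
  # reading a possibly failing source twice. FAT32 cannot hold a fifo, so
  # it lives in a temporary directory, not on the destination.
  tmp=$(mktemp -d)
  mkfifo "$tmp/hashpipe"
  sha256sum < "$tmp/hashpipe" | cut -d' ' -f1 > "$dest/$prefix.sha256" &
  # conv=noerror,sync keeps reading past unreadable sectors and zero-fills
  # them, so a damaged drive still yields a full-length image; the final
  # partial block is padded to bs, so pick a bs that divides the device size.
  dd if="$src" bs=4M conv=noerror,sync status=none \
    | tee "$tmp/hashpipe" \
    | split -b "$chunk" -d -a 3 - "$dest/$prefix."
  wait
  rm -rf "$tmp"
}

# image_verify DEST_DIR PREFIX: reassemble the pieces in order and compare
# with the stored hash. Returns 0 on match, 1 on mismatch (e.g. a bad copy).
image_verify() {
  dest=$1; prefix=$2
  actual=$(cat "$dest/$prefix".[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
  expected=$(cat "$dest/$prefix.sha256")
  [ "$actual" = "$expected" ]
}

# image_pieces DEST_DIR PREFIX: how many pieces were written
image_pieces() {
  ls "$1"/"$2".[0-9][0-9][0-9] | wc -l | tr -d ' '
}

# Demonstration on a constructed 12 MiB "disk" of random bytes (not a real
# device): three pieces of 5, 5 and 2 MiB, then a verification pass.
demo() {
  work=$(mktemp -d)
  dd if=/dev/urandom of="$work/fake_disk.img" bs=1M count=12 status=none
  image_split "$work/fake_disk.img" "$work/out" img 5M
  echo "pieces: $(image_pieces "$work/out" img)"
  image_verify "$work/out" img && echo "image verified"
  rm -rf "$work"
}
demo
```

To get a single image file back on a filesystem without the limit, `cat laptop.[0-9][0-9][0-9] > laptop.img` reassembles the pieces in order, and a carver such as photorec can be pointed at that image instead of the original drive, which then never has to be touched again. Three-digit suffixes cover up to 1000 pieces, enough for a 1 TB drive in 2 GiB chunks.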
Richard Forth wrote:
Well, there are a few forensics experts on here who could
tell you better than I could, and will probably put me right, but as I
understand the process, the "data" should still be there "somewhere" on
the disk; the problem is finding it again and hoping nothing has been
overwritten. You see, although you used a live CD, you ran fdisk, which
is a utility that creates and deletes filesystems on physical disks, and
that is what you have done; it doesn't really matter that you used a
live CD.
When you ran 'mkfs.ext3 /dev/sda2' instead of 'mkfs.ext3 /dev/sdb2' and
accidentally wiped her NTFS Windows partition (boot/documents etc.),
you replaced NTFS with EXT3 on the disk /dev/sda2, thus wiping off all
of the data.
To explain roughly how this works - and a couple of dodgy attempts at
analogies:
Basically there is a File Allocation Table (yes, even though this stands
for FAT, an NTFS partition will also have a File Allocation Table of
sorts; it probably has a specific name, but to simplify I'll use the
term FAT) in which the physical address of each file on the disk is
stored. When you access a file, the FAT is checked, and then the
spindle arm head looks in the sector specified, and badabing, you get
your document on screen.
When a file is deleted, it remains on the disk, but the physical
address / reference to it on the FAT is deleted; thus the computer
thinks that that part of the disk is available as "free space".
Thus it is possible for forensics tools to recover "deleted" files
(think Gary Glitter case and you'd be on the money).
When a volume is formatted, unless it is a very low-level whole disk
format, it basically wipes the FAT and replaces it with a fresh one;
it's like taking away your phone book and giving you a brand new (empty)
one.
How do you know where any of your contacts are anymore? And unlike the
phonebook scenario I mentioned, it's not simply a case of "remembering
the numbers", because the numbers don't exist any more; it's like the
very act of removing the old phonebook and replacing it with a clean
one somehow told the exchange or phone company all these numbers are
free to be re-issued. (The physical people (i.e. data) will still be
there, but the addresses (numbers) have been put into a pool to be
re-issued.)
Now suppose we take this scenario one extreme step further and say OK,
let's say your best mate's number got re-issued to someone else. The way
this works in the computer world is the number still points to the old
house (your mate's house), BUT the twist is that the new people get to
move into your mate's house and kill everyone who already exists in the
house.
In this way, you could still have physically gone round to your mate's
house to speak to him even though his number had been re-issued; however,
in the re-issuing process, his house (physical address) is now being
occupied by new people (data).
The trick in computer forensics is NOT to allow the numbers to be
re-issued.
The point I was making is once the FAT is EMPTY it is impossible
to query it to get the old files back because, according to the FAT,
the disk space is free and available for new files.
Of course, the file does still exist; however, it no longer has the
protection it has by having its address held in the FAT (reserved
space), it is now in a "no-man's-land" of potentially free space to be
overwritten.
Once a new file has been written to the disk, post file erasure / new
FAT, there is a chance it could have overwritten your "deleted" files
(the File Allocation Table has no record of that area of the disk being
"in use").
Another way of thinking about it is imagine you are building a town
with robots, and all of the robots know where all of the existing
houses are because they each have an exact copy of the town plan which
is updated regularly when new houses are built.
They cannot "see" anything; they just know which bits they are allowed
to build on and which parts they aren't. Suppose some freak accident
happened and the master plan got erased and all the robots suddenly
lost their copy of the town plan; the robots think that the whole town
is one big flat field again and can build anywhere. It is possible at
this point for a real human to step in, shut down all the robots and
rebuild the town plan by physically driving around the town and
checking for houses that are already built and / or occupied. You can
think of this town plan like the File Allocation Table (the houses
are files).
It would then be possible to "recover" the lost data and turn the
robots back on and give them the rebuilt town plan data, and they could
carry on and the existing houses would be unaffected.
Now suppose no humans ever intervened; the robots would suddenly start
knocking down houses and clearing the occupied sites ready for
construction even though the houses are occupied - remember the robots
don't "see" the houses and recognise them as being occupied, as they are
working to a town plan that got wiped, so they just see all the land as
being "available" again.
This is basically how a disk works: the FAT is the town plan, the
spindle and read/write head are the robots, and the data is the houses.
(I hope this makes sense)
So ultimately, when things like that happen, you need to prevent the OS
from writing any more data to the disk, and you may need to run some
forensic scanners on the disk to check every cluster on the media for
any files that can be recovered and recover them. A good one for
Windows files is "Restoration.exe", which is freeware but very good. You
can get it by doing a Google search for it.
Although Restoration does not recognise EXT3 filesystems!!!
I don't know any forensic tools for Linux, I am afraid.
Your scenario is slightly more complex because you have overwritten NTFS
with ext3, so this adds further complication, but as you can see from my
attempt at analogy, it's complicated recovering deleted files from a
disk that has been formatted. If not impossible.
Actually, no, it is possible but at a cost of thousands if you use a
commercial data recovery company. But even then you may not get all of
your data back (as per above).
Regards
Richard
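The "check every cluster" scanning Richard describes, as an added example that is not part of the original thread and not photorec's own code: the file table is ignored completely and the raw image is searched for a file's own markers, here the PNG header and the fixed IEND trailer, with each hit cut out by dd. That is the human driving round the town looking for houses rather than consulting the wiped plan. It assumes GNU grep (the -P, -o and -b options) and coreutils; the function names, the 1x1 PNG payload and the random-filled "disk image" it is buried in are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: the "check every cluster"
# approach behind carvers such as photorec, reduced to one file type. The
# file table is ignored entirely; the raw image is scanned for the PNG
# header and the constant IEND trailer, and each hit is cut out with dd.
# Assumes GNU grep (-P -o -b) and coreutils; names are my own.
set -e
export LC_ALL=C   # scan bytes, not UTF-8 characters

# carve_png IMAGE OUT_DIR: writes OUT_DIR/carved_N.png, prints how many were found
carve_png() {
  img=$1; out=$2; n=0
  mkdir -p "$out"
  # Offsets of the first five signature bytes (\x89PNG\r). The full 8-byte
  # signature contains \n, which line-oriented grep cannot match across.
  for start in $(grep -obUaP '\x89PNG\r' "$img" | cut -d: -f1); do
    # From the header onward, find the IEND chunk type plus its constant CRC.
    rel=$(tail -c +"$((start + 1))" "$img" \
          | grep -obUaP 'IEND\xAE\x42\x60\x82' | head -n 1 | cut -d: -f1) || true
    [ -n "$rel" ] || continue        # header with no trailer: truncated, skip
    len=$((rel + 8))                 # up to and including the 4-byte CRC
    dd if="$img" of="$out/carved_$n.png" bs=1 skip="$start" count="$len" status=none
    n=$((n + 1))
  done
  echo "$n"
}

# Constructed payload: a 1x1 transparent PNG (67 bytes), embedded so the demo
# runs offline.
PNG_B64='iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=='

# make_sample_image OUT_IMG OUT_PNG: random filler, the PNG, more filler,
# i.e. a file whose location no table records any more.
make_sample_image() {
  printf '%s' "$PNG_B64" | base64 -d > "$2"
  { head -c 65536 /dev/urandom; cat "$2"; head -c 65536 /dev/urandom; } > "$1"
}

# same_bytes A B: 0 when the two files have identical contents
same_bytes() {
  [ "$(sha256sum < "$1")" = "$(sha256sum < "$2")" ]
}

demo() {
  work=$(mktemp -d)
  make_sample_image "$work/disk.img" "$work/original.png"
  echo "carved $(carve_png "$work/disk.img" "$work/out") file(s)"
  same_bytes "$work/original.png" "$work/out/carved_0.png" \
    && echo "carved_0.png matches the original"
  rm -rf "$work"
}
demo
```

Formats without a fixed trailer (JPEG's end marker can appear inside the data, a plain text file has none) need a size field or a length guess instead, which is why a carver sometimes returns files with junk appended; and because the scan has no idea which clusters the filesystem considered in use, it finds old, deleted copies just as readily as the latest one. Running it over the dd image rather than the drive means the original is never written to.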