"......corrupted.......she never de-fragments....."

There are 3 points to remember:

1) If you are reading the disc bit for bit and starting at one sector/cluster,
then indeed as you moved from one cluster to the next you would find part of
one file, then part of another, and perhaps another part of the first file,
then part of a 3rd and so on, but that is not corruption.

2) I don't know much about NTFS; I believe that the files are stored as linked
lists, so that the end of one part of one file points to the beginning of the
other, and so if the software you are using to recover the files is following
the files instead of the clusters then any ".....corruption....." you see is
more likely down to the formatting process than "not de-fragmenting".

3) Also file formats: many files are stored in a format that is not easy to
read, and often stuff that looks like "......corruption....." is part of the
data formatting.


However you are trying to recover data, the most important thing to learn is
the file structure of the data files you are trying to recover.

This sort of thing was much easier to do in the days of DOS using a program
like PCTOOLS (I loved that program and have not come across anything quite the
same).


As for what you include at the bottom of this e-mail, it's a byte for byte
reading of part of the partition with not much human readable info.  If indeed
you were looking for any given piece of information you could pipe this through
"strings" or "grep", but it's a very labour-intensive task. The other way one
could use is to note the addresses where human readable text appears and read
them into a text file, e.g.:

In the block of data at the bottom of this e-mail you have readable data from
00001ae to 00001f2. If you read these bytes into a text file you would get
"Remove disks or other media     Disk error press any key to restart"  (This
is obviously part of MSDOS 5 (yes, Windows still relies on DOS) and is part of
the DOS system.)
But if you would carry on reading the disc like this you would find more of
the data you have lost.

Sorry but I don't know the commands to use, but "dd" seems like the thing to
use.   Pseudo code for the above:

sudo dd if=/dev/sda   (start byte - number of bytes) > text.file

Hopefully someone can confirm this and convert it from pseudo code to real code.


I hope this helps

Steve 


On 23 Dec 2009, at 17:05, Stewart Robertson wrote:

>> Once you have the image. it would be useful if at some stage you 
>> could install "sleuthkit":
>> 
>> sudo apt-get install sleuthkit
>> 
>> and then post the results of running:
>> 
>> mmls image.raw
> 
> ubu...@ubuntu:~$ sudo mmls /dev/sda
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
> 
>      Slot    Start        End          Length       Description
> 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000001   0000000062   0000000062   Unallocated
> 02:  00:00   0000000063   0008193149   0008193087   Win95 FAT32 Hidden (0x1B)
> 03:  00:01   0008193150   0148842224   0140649075   Win95 FAT32 (0x0C)
> 04:  00:02   0148842225   0234436544   0085594320   Win95 Extended (0x0F)
> 05:  -----   0148842225   0148842225   0000000001   Extended Table (#1)
> 06:  -----   0148842226   0148842287   0000000062   Unallocated
> 07:  01:00   0148842288   0234436544   0085594257   Win95 FAT32 (0x0B)
> 08:  -----   0234436545   0488397167   0253960623   Unallocated
> 
> I'd love to be able to say that means something to me but 
> unfortunately I can't.
> 
> The partition I sacrificed was about 72GB if that helps.
> 
> I ran GetDataBack and recovered some documents but not loads compared 
> to what was on there.  There were a lot more files retrieved but were 
> corrupted - I'm assuming that's because she never de-fragments her 
> drive.
> 
> I've imaged the drive and sacrificed my custom Arch install on a 
> 'play' machine by using the image to recreate the whole laptop drive 
> on to it (before I had just created separate partitions).
> 
> I've also run:
> 
> dd if=/dev/sda bs=512 skip=63 count=1 | xxd
> 
> I saw a lot of random stuff with the occasional recognised word (I've 
> put a copy at the bottom in case anyone else is interested).  While 
> looking around the drive I noticed that some of the outputs were all 
> zeros (except the numbers down the side) so I assume that means that's 
> an empty part of the drive.
> 
> It was mentioned that I should 'pipe a few sectors through strings'.
> I've had a quick search but am not particularly sure what that means 
> - can you give any further clues?
> 
> Finally, can you point me in the right direction for 'carving out a 
> file in a readable format'.
> 
> Cheers,
> 
> Stewart
> 
> 
> 
> ubu...@ubuntu:~$ sudo dd if=/dev/sda bs=512 skip=63 count=1 | xxd
> 1+0 records in
> 1+0 records out
> 512 bytes (512 B) copied, 0.000237401 s, 2.2 MB/s
> 0000000: eb58 904d 5344 4f53 352e 3000 0208 2400  .X.MSDOS5.0...$.
> 0000010: 0200 0000 00f8 0000 3f00 ff00 3f00 0000  ........?...?...
> 0000020: 3804 7d00 321f 0000 0000 0000 0200 0000  8.}.2...........
> 0000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
> 0000040: 8000 2962 6881 444e 4f20 4e41 4d45 2020  ..)bh.DNO NAME
> 0000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
> 0000060: 7b8e c18e d9bd 007c 884e 028a 5640 b408  {......|.n...@..
> 0000070: cd13 7305 b9ff ff8a f166 0fb6 c640 660f  ..s......f...@f.
> 0000080: b6d1 80e2 3ff7 e286 cdc0 ed06 4166 0fb7  ....?.......Af..
> 0000090: c966 f7e1 6689 46f8 837e 1600 7538 837e  .f..f.F..~..u8.~
> 00000a0: 2a00 7732 668b 461c 6683 c00c bb00 80b9  *.w2f.F.f.......
> 00000b0: 0100 e82b 00e9 4803 a0fa 7db4 7d8b f0ac  ...+..H...}.}...
> 00000c0: 84c0 7417 3cff 7409 b40e bb07 00cd 10eb  ..t.<.t.........
> 00000d0: eea0 fb7d ebe5 a0f9 7deb e098 cd16 cd19  ...}....}.......
> 00000e0: 6660 663b 46f8 0f82 4a00 666a 0066 5006  f`f;F...J.fj.fP.
> 00000f0: 5366 6810 0001 0080 7e02 000f 8520 00b4  Sfh.....~.... ..
> 0000100: 41bb aa55 8a56 40cd 130f 821c 0081 fb55  a.....@........u
> 0000110: aa0f 8514 00f6 c101 0f84 0d00 fe46 02b4  .............F..
> 0000120: 428a 5640 8bf4 cd13 b0f9 6658 6658 6658  b...@......fxfxfx
> 0000130: 6658 eb2a 6633 d266 0fb7 4e18 66f7 f1fe  fX.*f3.f..N.f...
> 0000140: c28a ca66 8bd0 66c1 ea10 f776 1a86 d68a  ...f..f....v....
> 0000150: 5640 8ae8 c0e4 060a ccb8 0102 cd13 6661  v...@............fa
> 0000160: 0f82 54ff 81c3 0002 6640 490f 8571 ffc3  ..t......@i..q..
> 0000170: 4e54 4c44 5220 2020 2020 2000 0000 0000  NTLDR      .....
> 0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
> 00001a0: 0000 0000 0000 0000 0000 0000 0d0a 5265  ..............Re
> 00001b0: 6d6f 7665 2064 6973 6b73 206f 7220 6f74  move disks or ot
> 00001c0: 6865 7220 6d65 6469 612e ff0d 0a44 6973  her media....Dis
> 00001d0: 6b20 6572 726f 72ff 0d0a 5072 6573 7320  k error...Press
> 00001e0: 616e 7920 6b65 7920 746f 2072 6573 7461  any key to resta
> 00001f0: 7274 0d0a 0000 0000 00ac cbd8 0000 55aa  rt............U.
> 
> _______________________________________________
> Peterboro mailing list
> Peterboro@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/peterboro
> 
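
The byte-range read sketched in pseudocode in the reply above, as an added example that is not part of the original e-mails: dd's `bs=1 skip=<start> count=<length>` selects the bytes, and `tr` blanks anything that is not printable. The function names and the constructed sample image are assumptions made so that the example runs offline; the offsets are the ones visible in the quoted xxd dump of sector 63.

```shell
#!/bin/sh
# Added example. The image is constructed for the demo; it is not the real disk.
SECTOR=512

# make_sample_image FILE
# Build a 64-sector image of zeros and write the boot message into sector 63
# at offset 0x1ac, the position it has in the xxd dump quoted in the e-mail.
make_sample_image() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=64 2>/dev/null
    printf '\r\nRemove disks or other media.\377\r\nDisk error\377\r\nPress any key to restart\r\n' |
        dd of="$1" bs=1 seek=$((63 * $SECTOR + 0x1ac)) conv=notrunc 2>/dev/null
}

# read_range IMAGE SECTOR START END
# Print bytes START..END (inclusive offsets inside SECTOR). dd counts from the
# start of the image, so the absolute offset is SECTOR * 512 + START. Bytes
# that are not printable ASCII (0xff, CR, LF, ...) are printed as spaces.
read_range() {
    rr_skip=$(($2 * $SECTOR + $3))
    rr_count=$(($4 - $3 + 1))
    dd if="$1" bs=1 skip="$rr_skip" count="$rr_count" 2>/dev/null |
        LC_ALL=C tr -c '[:print:]' ' '
}

# Demo on the constructed image: the range named in the reply, 0x1ae to 0x1f2.
img=$(mktemp)
make_sample_image "$img"
read_range "$img" 63 0x1ae 0x1f2
echo
rm -f "$img"

# On real data, point read_range at the image file taken of the drive
# (image.raw here is a placeholder name) rather than at /dev/sda, and
# redirect the output to a text file:
#   read_range image.raw 63 0x1ae 0x1f2 > text.file
# bs=1 copies one byte per read, which is fine for short ranges like this
# but slow for large ones.
```
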

