I thought I would email a thank you and final update.
Here's a general summary of what I did:
* Borrowed wife's laptop to use the inbuilt card reader and typed one
  letter wrong with a formatting command that wiped her primary drive.
* Went out the next day and bought an extremely large backup drive and
  an expensive pair of hair straighteners.
* Used dd to image her whole drive then recreate it on a test machine
  (initially I played with single partitions but seeing as I had a test
  machine decided it was easier to work with).
* Experimented with TestDisk but was unable to 'fix' the problem which
  based on reading is probably something to do with how the process of
  formatting as ext3 sets the drive up.
* Used PhotoRec to recover all files but got a whole load of useless
  files as well (DLLs etc) and a lot of the documents were corrupted and
  I had quite a job sorting through everything.
* Used GetDataBack on Hiren's boot CD to recover some useful files.
  Initially tried using the NTFS version because that's what the drive
  was originally but it didn't find anything so used the FAT/EXT version.
* Did lots of washing up and cup of tea making.
* Learnt a lot, fast, about data recovery.
The place that she works at contract out IT support who said it will
cost £130 to rebuild the machine which seems a little steep considering
I could stick the install disks in myself.
I think she has forgiven me but she certainly won't be letting me go
anywhere near her computer ever again. However, the irony is that I
regularly back up all machines that I use and because I was never
allowed near it I left back up to her. I have now purchased a large
memory stick for her to keep a copy of important files on.
Ending on a slightly more positive note, her My Documents was
synchronised with her work server as part of the log in process so she
was able to access them from another machine. She couldn't find the
contents of her Desktop but they were the only files I was actually
able to recover intact (using GetDataBack).
Apart from the major inconvenience of having no work laptop for a while
(and possibly having to foot the bill for a rebuild) I seem to have
come through relatively unscathed.
Phew.
Stu - thank you in particular for your technical advice/insight - do
you run a business specialising in data recovery or is it just a hobby?
I had a play as per your suggestions below and have learnt a lot but my
wife started easing the heat off which meant such a labour intensive
approach no longer seemed as necessary.
I'm going to file the information ready for next time...
Cheers,
Stewart
Stuart Bird wrote:
Hi Stewart
The "mmls" output resolves as follows (if my math is correct):
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
    <-----------> Primary Partition Table
01: ----- 0000000001 0000000062 0000000062 Unallocated
    <------------------> Unallocated clusters (Very small - Probably empty)
02: 00:00 0000000063 0008193149 0008193087 Win95 FAT32 Hidden (0x1B)
    <----> Approx 4 GiB (Manufacturers Recovery Partition)
03: 00:01 0008193150 0148842224 0140649075 Win95 FAT32 (0x0C)
    <-----------> Approx 67 GiB Data Partition
04: 00:02 0148842225 0234436544 0085594320 Win95 Extended (0x0F)
    <--------> Approx 40 GiB Extended Partition
05: ----- 0148842225 0148842225 0000000001 Extended Table(#1)
    <-----------> Extended Partition Table
06: ----- 0148842226 0148842287 0000000062 Unallocated
    <------------------> Unallocated Clusters (Very small - Probably empty)
07: 01:00 0148842288 0234436544 0085594257 Win95 FAT32 (0x0B)
    <-----------> Approx 40 GiB Data Partition
08: ----- 0234436545 0488397167 0253960623 Unallocated
    <------------------> Approx 121 GiB Unallocated Clusters
I must say that I am a little confused by all the references to FAT32
as I understood that you started with an NTFS formatted drive and used
"fdisk" to format as ext3? Have I got this right? I've not got your
original posts so perhaps you can refresh my memory at some stage.
The output above shows what appears to be a standard manufacturer disk
configuration which contains an OEM recovery partition (02:), one
primary partition (03:) and an extended partition containing one
further data partition (07:). The relatively large "Unallocated
Clusters" area is not unusual.
The obvious place to start is to run some carving tools across the two
data partitions (03: and 07:). There are three popular ones which I
would suggest you read up on:
PhotoRec;
Foremost;
Scalpel.
For completeness I would suggest running all three tools across each of
the two data partitions and then sift the results. You can do this
either from your restored drive or from the forensic image (image.raw
I think we referred to it as). You can also split out the partitions
using "dcfldd" if you want to, using the byte counts from the "mmls"
output. Like so:

    dcfldd if=image.raw of=partition_03.raw bs=512 \
        skip=0008193150 count=0140649075 \
        conv=noerror,sync,notrunc

This command will start the copy from the starting sector of
partition 03: for a length of 0140649075 bytes (67 (ish) GiB). You can
then run your carving tools on the resulting image file, which has the
obvious benefit of being smaller than the whole drive. Just repeat with
the relative offsets for the other partition/s.
Dependent on your results, you can try the same procedure on the
"Unallocated Clusters" area as a mopping up operation.
When I mentioned "piping sectors through strings" I was really talking
in terms of using the method as a scoping tool in an attempt to see if
any human readable data still existed on the disk. It is often worth
calculating the offsets for say a GiB of data and then piping that
data through strings to see what appears. Documents such as "rtf, doc
and txt" will really stand out if they are present. As a last resort
you can write the output to a text file and then copy and paste the
plain text into a new document. As someone pointed out, very labour
intensive but then it depends on how important your documents are to
you!
I hope this gets you a bit further along.
Regards
Stu
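
Added example (not part of either message above): a Python sketch of the splitting and scoping steps described in the thread. It turns mmls rows into the skip/count values the dcfldd command takes and into byte sizes, then reads a sector window from an image and returns the printable runs, much as piping it through strings would. The sample rows are constructed from the listing above, and the function names are illustrative assumptions.

```python
import re

SECTOR = 512  # the mmls header says "Units are in 512-byte sectors"

# Constructed sample: three rows in the layout of the mmls listing above.
MMLS_SAMPLE = """\
02: 00:00 0000000063 0008193149 0008193087 Win95 FAT32 Hidden (0x1B)
03: 00:01 0008193150 0148842224 0140649075 Win95 FAT32 (0x0C)
08: ----- 0234436545 0488397167 0253960623 Unallocated
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return one dict per slot; start and length stay in sectors, as printed."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header lines, blank lines, hand-written annotations
        slot, _, start, end, length, desc = m.groups()
        start, end, length = int(start), int(end), int(length)
        if end - start + 1 != length:
            raise ValueError(f"slot {slot}: length does not match start/end")
        rows.append({"slot": slot, "start": start, "length": length,
                     "bytes": length * SECTOR, "desc": desc.strip()})
    return rows

def scope_strings(image_path, start_sector, sector_count, min_len=6):
    """Read a sector window and return its printable ASCII runs.
    Keep sector_count small enough for the window to fit in memory."""
    with open(image_path, "rb") as fh:
        fh.seek(start_sector * SECTOR)
        window = fh.read(sector_count * SECTOR)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, window)]

if __name__ == "__main__":
    for r in parse_mmls(MMLS_SAMPLE):
        print(f"slot {r['slot']}: skip={r['start']} count={r['length']} "
              f"({r['bytes'] / 2**30:.1f} GiB) {r['desc']}")
```

To scope an area of a real image, pass the image path with a slot's start sector and a modest sector count to scope_strings and review the returned strings.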
_______________________________________________
Peterboro mailing list
Peterboro@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/peterboro