Friday, October 2, 2009

Actual physical evidence!

I have a hard drive that needs data extracted off of it. Here's the situation, there was a folder on this hard disk that somehow was deleted. My job, if I choose to accept it, is to get that data back. (Note: I chose to accept it.)

Going into the situation I expected a hard drive containing a Windows XP directory structure, one user, missing a folder on the desktop. That guess wasn't very close. The drive was NTFS formatted, but that was the extent of my correct assumptions. The drive was possibly a second disk in a workstation being used as a backup drive. There were 2 folders on the drive. A third folder was deleted and needed to be restored along with all recoverable contents.

Since I was working off of a copy of the original disk, I simply popped the drive in the external enclosure and began perusing. The two applications I used are Recuva and Restoration. Both applications work very well, but each has its own nuisances. For instance, Recuva can only restore files to the original location on the disk. There was no option to restore files in a different location. So, I decided to try Restoration, which had that functionality. If there were a competition between the two applications, the score would be Restoration 1 and Recuva 0. However, Restoration has a more cumbersome restoration process. Recuva allows a user to select multiple files to restore, whereas Restoration does not. So, restoring a large number of files is not ideal with Restoration. The score is now Restoration 1 and Recuva 1.

One thing I found very interesting is the inability of either application to find the actual name of the folder I am attempting to restore. I am able to recover data from the disk with both applications. Yet, since the originating folder was deleted, and possibly overwritten, both applications cannot pick up the originating folder name. When Recuva finds a file it displays the location to which it will be restored. Since the folder no longer exists, there is a '?' in its place. What I assumed was that everything on the disk that would be restored to the '?' location was data that needed to be restored. There was close to 5 Gig total on the disk that could have been restored. Only 2 Gig was located in the indicated folder.

This was a great learning experience. In the process I found a fantastic article on file carving with a hex editor. I was hoping to use some file carving techniques on this project. Yet, the file types were unknown, leaving me to do some further investigating before restoring any data.

A couple items I would like to continue to explore:

- Whether or not the Folder Name can be discovered off of the disk's inodes.
- How to search for data when someone is really trying to hide it. (Guess that means I have to learn how the hiding process works first.)
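The '?' Recuva showed above, and the question of whether the folder name survives in the disk's "inodes" (NTFS MFT records), both come down to the parent-directory reference stored in each record's $FILE_NAME attribute. The following is an added example, not code from this post or from either tool: it builds a few constructed, minimal MFT records in memory and walks the parent references the way a recovery tool would. The record layout fields are real NTFS offsets, but the volume, record numbers, names and sequence numbers are made up for the demonstration.

```python
import struct
# Constructed minimal NTFS MFT records (header + one resident $FILE_NAME; fixups and other attributes omitted).
ROOT, AT_FILE_NAME = 5, 0x30   # record 5 is the root directory; 0x30 is $FILE_NAME

def build_record(seq, in_use, is_dir, parent, parent_seq, name):
    fn = struct.pack("<Q", parent | (parent_seq << 48))  # parent directory reference
    fn += b"\x00" * 56 + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")
    alen = (24 + len(fn) + 7) & ~7                       # attributes are 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", AT_FILE_NAME, alen, 0, 0, 0, 0, 0, len(fn), 24, 0, 0)
    attr = (attr + fn).ljust(alen, b"\x00") + struct.pack("<I", 0xFFFFFFFF)  # end marker
    flags = (1 if in_use else 0) | (2 if is_dir else 0)  # 0x01 in use, 0x02 directory
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 0, 0, seq, 1, 48, flags, 48 + len(attr), 1024, 0, 0, 0, 0)
    return (hdr + attr).ljust(1024, b"\x00")

def parse_file_name(rec):
    seq, _, aoff, flags = struct.unpack_from("<HHHH", rec, 16)  # seq, links, attr off, flags
    while True:
        atype, alen = struct.unpack_from("<II", rec, aoff)
        if atype == 0xFFFFFFFF:
            return None                      # end of attribute list, no $FILE_NAME
        if atype == AT_FILE_NAME:
            vlen, voff = struct.unpack_from("<IH", rec, aoff + 16)
            fn = rec[aoff + voff:aoff + voff + vlen]
            ref = struct.unpack_from("<Q", fn)[0]  # low 48 bits: record, high 16: seq
            return {"seq": seq, "in_use": bool(flags & 1), "parent": ref & 0xFFFFFFFFFFFF,
                    "parent_seq": ref >> 48, "name": fn[66:66 + 2 * fn[64]].decode("utf-16-le")}
        aoff += alen

def resolve_path(mft, recno):
    # Walk parent references the way a recovery tool does. A parent whose record is
    # missing or reused (sequence number mismatch) can no longer be named: it becomes '?'.
    parts = []
    while recno != ROOT:
        info = parse_file_name(mft[recno])
        parts.append(info["name"])
        parent = parse_file_name(mft[info["parent"]]) if info["parent"] in mft else None
        if parent is None or parent["seq"] != info["parent_seq"]:
            parts.append("?")
            break
        recno = info["parent"]
    return "\\".join(reversed(parts))

# Constructed volume: a deleted folder whose MFT record is still intact ("Old") and a
# deleted folder whose record was reused (sequence 3 -> 4) by a new directory "tmp".
MFT = {ROOT: build_record(5, True, True, ROOT, 5, "."),
       65: build_record(2, False, True, ROOT, 5, "Old"),
       66: build_record(4, True, True, ROOT, 5, "tmp"),
       71: build_record(1, False, False, 65, 2, "report.doc"),
       72: build_record(1, False, False, 66, 3, "notes.txt")}
```

`resolve_path(MFT, 71)` still yields `Old\report.doc` because the deleted folder's record is intact, while `resolve_path(MFT, 72)` yields `?\notes.txt` because the parent record was reused; that reuse is what leaves the folder name unrecoverable from the MFT alone.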
