#1 STUNNA

One of my clients decided to upgrade to Windows 10 and started getting a "black screen" when booting they then went into the system recovery partition and tried a format and reinstall back to Windows 7. Somehow something went wrong and it didn't work so now they get an Operating System not Found error.

So I pulled the drive and ran some disk diagnostic tools on it the only thing I've found so far is Crystal Disk Info says the SMART count for reallocated sectors is a little high so I'm replacing the drive because it's a 4 years old.

Last night I ran a Recuva deep scan on their drive to recover any documents I could. I got up this morning and saw it had found 300+ "Excellent Condition" documents which means none of the data has been overwritten. I copied those to my drive and tried to open them however a lot of the "excellent quality" files won't open because they're corrupt. Many display an error saying the file is corrupt and the ones that will still open after acknowledging the problem show up with gibberish characters.

Some have names like $R4KCZ7F, $IGRHDDJ, and then there's ones labeled [000001], [000002], [000003], etc, then some have normal legible names but still won't open due to corruption.

Now some files do open without problem and that's great but I'm wondering what caused these files to get named like this (aren't files with '$' in them temp files?) and is there something I can do like editing the header or what not to get them working again? They mostly have normal file sizes they're not all 1KB, and the have various modified dates. Is this caused by bad sectors?

Am I supposed to just ignore these weirdly named files?

Help me Stogie, you're my only hope...

stogie1020

$R (and their companion $I) files are entries in the Recycle Bin. The Recycler renames the files this way. The entry MAY remain as recoverable info long after the actual file is gone, although for recently deleted items, they are often intact.

If you are trying to recover this data yourself, take a look at Photorec:

PhotoRec - Digital Picture and File Recovery

It's command line driven and a little complicated, but you should be able to figure it out.

stogie1020

Here is a quick write up on the Recycle Bin:

Recycle Bin Forensics in Windows 7 and Vista

stogie1020

At the end of the day, run PhotoRec (it is a header/footer based file carving tool with tons of file types) and if you can't recover what you need, find a recent backup... You made a backup before the upgrade, riiiiiight?

#1 STUNNA

Thanks. I'm using Recuva from Piriform I'll take a look at Photorec. The clients fully expected to lose all their data so if I can get any back they'd be grateful but they're not expecting it.

Any clue on why files get named [000123] and the like? I've seen that a few times when using getdatabackNTFS as well.

Do you think that if I used Photorec instead of Recuva the files that it restored wouldn't be corrupt like some of the files I got back using Recuva were?

OH and no they didn't back up when doing the restore to 7 they said they got some error message that they didn't have enough space. IDK, sounds like they did something wrong but who knows I wasn't there I just got the text after it all happened.

stogie1020

I believe the sequentially named files are named as such by the Recuva tool as it recovers when it cannot locate an actual file name.

Recuva is "nice" and if you delete something from a memory card and immediately use Recuva, it will probably work, but many pros and forensics people use PhotoRec for carving. I.E. "all the cool kids are doing it"...

stogie1020

Give me a call if you need more info, I think you have my cell... If not PM me.

#1 STUNNA

Thanks! I may give you a call but I'm doing a scan now with photorec. I picked all the file formats I wanted and told it to scan the whole drive. We'll see how it goes.

I was just given two other drives by another client to see if I can recover data from them too, but they're not critical either. So another chance to try out this software.

stogie1020

Cool, good luck. There are a few website that explain all the command line switches and options...

Whiskers

Is this an official thread?

stogie1020

thoiboi

File recovery is one of the most asked for services by my clients.. I didn't have good software before . Good info in here! I've used getDataBack before and got the same weird file names.. Thanks for the recommendation gents!

#1 STUNNA

Ok so this program is finding tons of shit (I shouldn't have selected PNGs) but all files have a fXXXXXXXX or tXXXXXXXX where the Xs are random numbers. No actual names. Is that because I chose to scan the whole drive instead of choosing a partition? And I'm still getting corrupt files

stogie1020

What do you do for a living?

stogie1020

Stunna, you are going to get THOUSANDS of results and many of them will not be openable. The software is looking for the header of a file type (why the hell would you pick PNG???) and then carving either (a) until it finds the footer or (b) a set number of bytes. What is in between is purely chance...

If your success rate is 10%, I would be surprised. Welcome to data recovery.

thoiboi

IT Consulting currently but as a side gig, I've been doing repair for friends/family for years now. Data recovery, installations, networking, etc. etc..

stogie1020

< -- Forensics/e-discovery guy

stogie1020

What was your outcome? Good? Bad? Ugly?

thoiboi

Ahhh one of these...


jk..

#1 STUNNA

I cancelled the process after a few hours, none of the files I tried to open were usable except the pngs. It wasn't mission critical or for a court case so I'm sticking with what Recuva found, since it actually found file name for the files.

Again they weren't expecting to get anything back and they weren't going to for all the labor to comb through a bunch of gibberish files.

stogie1020

What I generally do with PhotoRec is open one of the recovery folders and sort by file type. I first open any file that the OS recognizes. Then, and only of needed, do I start looking inside the carved files...

Also, be aware that with the newer MSOffice file types (.***x), the content is stored in a compressed format (like winzip files) and so even opening the recovered carved data for a docx, xlsx, pptx file, you will not probably be able to read the plain text content of the document like you could with the old doc, xls, ppt files...

stogie1020

Thoiboi!

#1 STUNNA

Ok now I've got another one. Our client decided to fire an employee BEFORE he gave back his work laptop. So of course the files were deleted.

I pulled the drive and ran Recuva. It found 189 "excellent condition" files and due to issues accessing my work PC from home (that's another story) I can't really tell how well they are but the one "excellent condition" pdf file I opened was corrupted, and I expect most of the others to be as well.

Now this is our most important client and I'm pretty sure they want their data back, my boss wanted an update tonight on the scans progress so he can tell them first thing in the morning.

I'll try a Photorec scan tomorrow.

I was under the impression if none of the files sectors have been overwritten and the drive wasn't bad that it should be simple to recover the files and they'd all work. Why are so many corrupted, what causes it if everything should be in good shape, what's going wrong?

If we took this drive to a data recovery specialist and paid them $500 what would they do to get the data back and get it working that I'm not? I guess I'm under the impression that they can do that, can they?

Stogie you mentioned low recovery rates for files, is that normal if none of the sectors have been overwritten?

I may call you tomorrow, if that's ok

#1 STUNNA

Update: Of the 189 files, 122 were 1kb hidden Office temp files that have the ~$ at the beginning of the file. Of the 67 left over, 53 were readable and 14 were not due to a variety of reasons.

So much better than I expected. We told them to check the guys email as well since he probably sent or received these files from/to someone and would be there as attachments.

I'll see if they want those 14 documents or not.

stogie1020

Daniel,

1. if this is for your most valued client, most data recovery places charge a $75-100 evaluation fee (non refundable) and if they can get the files back, they charge whatever, but of they can't they only charge the eval fee.

2. You should REALLY look into using FTKImager (free) to make a Physical image of the drive (allocated and unallocated) before attempting anything. You can mount the image and photoRec or Recuva on it later, but the image is encapsulated and you are not working on the live drive, so if you need to send to data recovery, or of the owner decides to take the "deleter" to court, evidence has been preserved. PLEASE consider this, as I have seen many good legal cases go down the tubes due to well intentioned IT folks who "just took a look".

nfnsquared

Stogie, what software do you think the FBI is using to recover data off of Clinton's email server?

stogie1020

X-Ways, FTK, EnCase, etc...

At least that's what has been the software of choice in the FBI CART labs I have been in...

Bread and butter forensic software, commercially available.

Now, if they have some proprietary stuff to sense the magnetic shadows of the ferrous substrate of wiped drives, that would be pretty cool...

When the magnetic "bits" get turned on or off, it really is like turning a tiny magnet. The magnet exists in a magnetic substrate layer, which, if the bit sits in either position (on/off) for a long time, can show remnants of the position for a period of time after the bit has been changed (ie through wiping, overwriting). Previously, one could use an electron microscope to view the substrate shadows and TRY to extrapolate data. This was ten years ago, so I am sure there are new technologies I don't know about that have advanced this. My TS clearance expired a loooooong time ago.

stogie1020

Also, anyone inteested can download a free, basic forensic toolkit called Autopsy:

The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools.

You will need to have some way to create a dd/raw/E01 image of a drive, but you can use FTK imager (free) or download a boot CD like Helix or Paladin and boot the suspect machine into that OS and image form there to other media. Then bring that image into Autopsy for exam.

doopstr

There is no way that they are going to get the data off of that cloth. That dust is totally scrambled.

#1 STUNNA

Stogie, what do you recommend to recover data from a failing hard drive?

I've been using getdatabackNTFS and Recuva...

stogie1020

Anything that works...

Recuva, PhotoRec, etc...

Generally, if it's failing and not recognized by Windows, I send it out for recovery. I cannot be the one to spin the drive up and have the heads park on the platter. Not going to do it.

nfnsquared

Curious, is FTK any better than using Acronis or EaseUS (I have both) to make an image?

stogie1020

FTK can make an image of the physical device, so you will be able to copy the unallocated, boot-sector (will still have to set as active on a restore), HPA, recovery partitions, etc. In a logical image, all you get are allocated files. If that's all you need, use anything you prefer. If, however, you need access to unallocated for any reason, you need a physical image that maintains the integrity of the drive data.

Additionally, FTKImager will MD5/SHA1 each file upon ingestion and then verify the duplicated file against the collected hash for verification of an exact and true copy(one of the key reasons tools like it are used in the legal realm instead of Acronis et al).

Also, and I am not terribly familiar with Acronis or EaseUS, FTKimager will allow for custom images with variables including path, extension, size, etc. SO, if all you needed to copy were ALL .doc and .docx files from anywhere on the drive, you could point FTKImager at the root of the logical drive and apply the filter and it will make an image of all files that match your criteria.

Being able to do a physical device image is huge for me (although I generally use Encase or some hardware duplicator) to make my full disk images. FTK is the go to tool for network data shares, etc...

nfnsquared

OK, thanks. I'll have to double-check, but pretty sure Acronis does all of that. Not sure about EaseUS.

stogie1020

Last I checked (years ago) Acronis did not copy file slack (end of file data to end of allocated sector/cluster) or unallocated space.

nfnsquared

Yeah, good point. I know it doesn't copy unallocated and pretty sure it doesn't copy slack. Indeed, a physical image is different than logical image...

stogie1020

Additionally, check to see if it is using CRC (Cyclical Redundancy Check) to verify each file or MD5/SHA1. CRC is fine for a general copy/paste operation like RoboCopy or TeraCopy (I heart teracopy) but for absolute assurance the files is an exact copy, you would want MD5 or SHA1 hash matching (or volume hash matching).

nfnsquared

Wow, this disturbs me. Guess I wasted money upgrading to Acronis 2015:

https://forum.acronis.com/forum/65498

Using True Image 2015? Check your images asap!

stogie1020

Yikes!

I use (both) DriveimageXML for full drive backups and Cobian for full/diffs.

#1 STUNNA

Can DriveimageXML be used to clone drives? If so why should I use that over Norton Ghost?

I use a hiren's usb drive that has both and I use ghost when a drive is failing to clone to the new drive.