A recent job involved a corrupted MP3 player. On plugging it into the PC it displayed as an music player, rather than as a hard drive. A bit of reading the manual showed there were multiple modes for the USB interface to work, and once set in the appropiate mode, I could see the device as a storage device. As expected it was a FAT32, but 6.5GB of it's 8GB capacity was in the FOUND.000 subdirectory, as the result of a chkdsk type command.
The files to be recovered were ones the customer had recorded which were no longer visible. The first recovery attempt was a data carve of the disk and this showed a number of files, of the type required, but no file names or directories. The second attempt was a logical read, but this only showed what was seen directly on the PC. The third attempt was a scan of the disk for FAT directory stubs using CnW recovery software. Interestingly this scan came up trumps. All the files that had been lost (and captured on the chkdsk) were found with valid names and valid subdirectories. When recovered the complete MP3 player was much as originally configured.
Friday, October 29, 2010
Sunday, October 17, 2010
Overwritten MAC disk
Friday, October 1, 2010
AVI data carving
Most data files are written sequentially which means that data carving can have a good guess that the data will typically be sequential. However, recently some AVI files have been found that do not seem to follow this pattern.
The file in question was written using a video camera and it appears that the first section was the data - a series of tagged chunks ofthe starting "00dc" or "00wb". An AVI file contains an index and in this version, the index was added to the first block after the main header information. Thus to carve the files it is necessary to read the header, and then in effect go back to find the blocks used. To make the job possible, the index does conatin the offset and length of each tag. It is therefore possinle to search the raw disk for a cluster that contains a '00xx' tag at a certain location within a block, with a defined length.
Recent developments with CnW Recovery software have added the automatic feature so that a trailier can be created if missing. This means that even a partial fragment can be viewed.
The file in question was written using a video camera and it appears that the first section was the data - a series of tagged chunks ofthe starting "00dc" or "00wb". An AVI file contains an index and in this version, the index was added to the first block after the main header information. Thus to carve the files it is necessary to read the header, and then in effect go back to find the blocks used. To make the job possible, the index does conatin the offset and length of each tag. It is therefore possinle to search the raw disk for a cluster that contains a '00xx' tag at a certain location within a block, with a defined length.
Recent developments with CnW Recovery software have added the automatic feature so that a trailier can be created if missing. This means that even a partial fragment can be viewed.
Sunday, September 19, 2010
xD Memory cards
Photo recovery from most camera memory chips is fairly straight forward. If deleted, then file can be recovered, largely with original names. Failing that, data carving can be used to extract the photos. The only remaining issue is recovering fragmented photos, something that CnW Recovery software can do with a moderate success rate.
For some xD memory chips, they can be formatted rather than deleted and the end result is every sector (after a blank directory) is full of 0xFF. ie there is absolutely no information left to recover photos from.
There are theories that if you examine each bit on the memory chip you may discover that it is only at 99% the standard level which means it was previously a different level. This would require the complete resources of the FBI, and probably only have a 25% success rate on each chip. It would be far cheaper, and more successful to pay for the holiday again.
The moral as ever is to make sure that when ever photos are taken, they should be transfered to a new source (ideally multiple locations) and verfied before deleting the camera memory. The other advice is not to delete individual photos as there can be two problems. A single mistake can delete all the photos, and also new photos can be fragmeted making future data recovery harder.
For some xD memory chips, they can be formatted rather than deleted and the end result is every sector (after a blank directory) is full of 0xFF. ie there is absolutely no information left to recover photos from.
There are theories that if you examine each bit on the memory chip you may discover that it is only at 99% the standard level which means it was previously a different level. This would require the complete resources of the FBI, and probably only have a 25% success rate on each chip. It would be far cheaper, and more successful to pay for the holiday again.
The moral as ever is to make sure that when ever photos are taken, they should be transfered to a new source (ideally multiple locations) and verfied before deleting the camera memory. The other advice is not to delete individual photos as there can be two problems. A single mistake can delete all the photos, and also new photos can be fragmeted making future data recovery harder.
Monday, September 13, 2010
Disk drives fails on certain sectors
I received a disk drive today that often worked, but when it hit a few sectors it would fail, so the the only way forward was a power reset. My normal approach would be to do an incremental image, and restart after every failure. This disk was 1TB so an incremental image would take several hours which I did not have. By doing a partial image of the directory area, I couild determine that the required data, from a single subdirectory was stored over the complete disk.
My approach to save time was to do a selective restore of the required directory but at the same time, when a failed sector was found, change the program so that it would be skipped. The hope was that the requested data would not hit too many failed sectors, each requiring a program change and recover restart.
It will actually be a very useful feature to add to the software so that a hardware reset could be done, and recovery then continue.
My approach to save time was to do a selective restore of the required directory but at the same time, when a failed sector was found, change the program so that it would be skipped. The hope was that the requested data would not hit too many failed sectors, each requiring a program change and recover restart.
It will actually be a very useful feature to add to the software so that a hardware reset could be done, and recovery then continue.
Monday, September 6, 2010
Success with XFS deleted files
After a lot of hard work (and head scratching) it is now possible to recover deleted files from the problem XFS disk. This is a new development within the CnW data recovery software which will recover the file without doing any data carving. In other words, the files are recovered with correct names, original dates, and very largely, correct directory structure.
The process, by necessity is rather slow. It starts with a complete scan of the drive (or in this case, the RAID-0) to locate all existing iNode entries on the disk. These are then analysed, and regenerated to provide a list of possible directory entries. Once the disk structure is know, files can be recovered, including all files that have been deleted.
With all deleted files, there is always a danger that a new file written to the disk after the file was deleted, could overwrite critical data. However, if the recover process is started as soon as the error, or corruption is know, recovery levels will be good.
The process, by necessity is rather slow. It starts with a complete scan of the drive (or in this case, the RAID-0) to locate all existing iNode entries on the disk. These are then analysed, and regenerated to provide a list of possible directory entries. Once the disk structure is know, files can be recovered, including all files that have been deleted.
With all deleted files, there is always a danger that a new file written to the disk after the file was deleted, could overwrite critical data. However, if the recover process is started as soon as the error, or corruption is know, recovery levels will be good.
Wednesday, September 1, 2010
Another RAID problem
I rececently received three disks from an Apple RAID. One disk had hardware issues and the RAID was RAID 0, ie all the disks are striped so that 32K of data is written to one disk, then the next 32K to the second disk.
Within the Apple, some files could be recovered, and gthen the while system would hang.
The problem disk had a hardware issue so then when making an image of it, the drive would hang, and the only recovery path was a power cycle reset. By using incremental imaging it was possible to build up an adequate image of the drive. A few sectors had to be skipped, but probably 99.9% were imaged.
To receover the data it was necessary to emulate the Apple RAID. As is typical, the first section, actually a FAT partition was identical on all three disks, but the data section was spread over the three disks, starting at location sector 0x64028. It was necessary to work out both the stripe size and disk order. The stripe size was worked out by fortunately finding a sequential file that had line numbers marked in the text, It was therefore possible to see when there was a jump, in this case after 32K of data, and also the sequence of the disks. The sequence was slightly curious as the disks were marked 1,2,3 but the data in sector 0x6402A was on disk 2, and not disk 1. Thus the order of 2,3,1 was tried and the file system was the readable.
The result was that the CnW incremental imaging, and the RAID option recovered a very large amount of valuable data.
Within the Apple, some files could be recovered, and gthen the while system would hang.
The problem disk had a hardware issue so then when making an image of it, the drive would hang, and the only recovery path was a power cycle reset. By using incremental imaging it was possible to build up an adequate image of the drive. A few sectors had to be skipped, but probably 99.9% were imaged.
To receover the data it was necessary to emulate the Apple RAID. As is typical, the first section, actually a FAT partition was identical on all three disks, but the data section was spread over the three disks, starting at location sector 0x64028. It was necessary to work out both the stripe size and disk order. The stripe size was worked out by fortunately finding a sequential file that had line numbers marked in the text, It was therefore possible to see when there was a jump, in this case after 32K of data, and also the sequence of the disks. The sequence was slightly curious as the disks were marked 1,2,3 but the data in sector 0x6402A was on disk 2, and not disk 1. Thus the order of 2,3,1 was tried and the file system was the readable.
The result was that the CnW incremental imaging, and the RAID option recovered a very large amount of valuable data.
Thursday, August 26, 2010
Multi-core processors
Hardware keeps developing very quickly, and Moore's law which states that the number of transistors in a processor will double every two years is still valid. The speed of operation though has hit a kind of ceiling and 3GHz processors has been fast for about 6 years now. The method of adding more punch to a processor has been with multi processors, and hyperthreading. The problem is that software has not always kept up.
With a lot of data recovery, many processes are sequential. ie read the problem disk, analyse the data, and then write the data somewhere. With multiple processors, probably the best we can manage is 3 parallel tasks. At each end is a bottle neck of a disk drive. The fastest way to read a disk drive is as a sequential stream. If you try and recover from two parts of a disk at the same time, then the drive will spend a lot of time 'thrashing', just moving the head to the new area, and then back to the original area. Overall, the process will be slower. Multiple processors may assist and enable two recoveries at the same time on the PC, but there are always dangers that the USB interface or similar may then end up saturated.
Very few recovery processes naturally make use of parallel processing so normally on a nice 8 core processor, 7 cores remain rather sleepy. CnW are looking at ways to wake a few of the cores up to help with the ever increasing size of disks, but ultimately, the big bottleneck is the speed of reading a disk. eSATA and USB-3 are all helpful parts of the equation, but at the moment, USB-2 just churns along.
With a lot of data recovery, many processes are sequential. ie read the problem disk, analyse the data, and then write the data somewhere. With multiple processors, probably the best we can manage is 3 parallel tasks. At each end is a bottle neck of a disk drive. The fastest way to read a disk drive is as a sequential stream. If you try and recover from two parts of a disk at the same time, then the drive will spend a lot of time 'thrashing', just moving the head to the new area, and then back to the original area. Overall, the process will be slower. Multiple processors may assist and enable two recoveries at the same time on the PC, but there are always dangers that the USB interface or similar may then end up saturated.
Very few recovery processes naturally make use of parallel processing so normally on a nice 8 core processor, 7 cores remain rather sleepy. CnW are looking at ways to wake a few of the cores up to help with the ever increasing size of disks, but ultimately, the big bottleneck is the speed of reading a disk. eSATA and USB-3 are all helpful parts of the equation, but at the moment, USB-2 just churns along.
Monday, August 23, 2010
Deleted XFS files
XFS is a popular file structure for NAS devices, both single disk and RAID. A RAID device may be resilient against disk failure (with the exception of RAID 0), but there is nothing to prevent operator error deleting files. With a NTFS disk, a deleted file is marked as deleted, and much of the meta data remains, although the area of the disk that the file used, could be reused.
XFS is less friendly in that the main data within the critical iNode is blanked. Thus flags indicating if it is a directory or file are blanked, along with the file length. Also, the table that stores the locations of all iNodes is also blanked, or filled with irrelevant values. Recovery is therefore deemed as all but impossible.
My challenge this week is to try and disprove this. iNodes still exist, as do cluster runs and resident data within the iNode. Watch this space to see if progress is made. I doubt a solution will be perfect, and there will always be the danger of producng files with a corrupted file structure, but I am curre ntly convinced that something will be possible.
XFS is less friendly in that the main data within the critical iNode is blanked. Thus flags indicating if it is a directory or file are blanked, along with the file length. Also, the table that stores the locations of all iNodes is also blanked, or filled with irrelevant values. Recovery is therefore deemed as all but impossible.
My challenge this week is to try and disprove this. iNodes still exist, as do cluster runs and resident data within the iNode. Watch this space to see if progress is made. I doubt a solution will be perfect, and there will always be the danger of producng files with a corrupted file structure, but I am curre ntly convinced that something will be possible.
Tuesday, August 17, 2010
Multiple Partitions on a drive
To most users the hard disk has a single partition, or just the C: drive. When it comes to recovery, it is very common to see three partitions. A typical pattern is
- FAT16 (hidden)
- NTFS
- FAT32 (hidden)
The FAT partitions are actually hidden and are configured for system recovery purposes. ie, they will often keep a copy of the operating system and so allow a complete reload of the drive in the event of failure. This saves the manufacturer about 50 cents on not providing a boot DVD with the system and assumes that a disk will fail, but these partitions will remain. Users are actually asked to make their own recovery DVDs.
As far as recovering user data, the only partition to be concerned about is the big NTFS partition. This is where holiday photos, wedding photos and MP3 music will be found.
Forensically though, it is possible to store data in these hidden partitions. Suspicions would be raised if the partitions are bigger than expected. On standard example I have looked at the FAT16 partition is about 60MB, and the FAT32 is about 3GB. The disk was a 250GB. A significantly larger FAT32, or a hidden NTFS must raise questions, and so these partitions would need careful investigation for possible hidden files.
On NAS (Network attached storage) systems, there are often multiple partitions (sometimes more than 4). They are normally all Linux and most of the partitions are Ext2/3. The final partition is the location that data is stored in. This final partition could be XFS, ReiserFS or Ext2/3. In this type of configuration one would expect the final partition to be large, and the rest fairly small. The warning sign would be a second large partition.
Saturday, August 14, 2010
Seagate 7200.11 drives
There was a firmware bug a few years ago with Seagate 7200.11 drives. It typically affected 500GB drives and the symptoms were that the drive span, by could not be detected by the BIOS. It only affects a certain firmware, and is generally known as 'bricking' the drive.
Fortunately CnW Recovery do have a fix for this problem, and has had a high success rate, with complete data recovery. Contact CnW for more details if you think your drive has been affected.
The above problem is not be confused with another common Seagate failure of bearing seizure. The disks spin at 7200 rpm (ie fast) and sometimes the bearing sieze. The solution is a skilled replacement of the platters into a different drive case, only to be undertaken in a clean room with qualified operators. A drive has several platters and the radial alignment between the platters has zero tolerance. ie if the platter moves a micro degree out, all the data will be lost. CnW does not have a solution for this problem, but can recommend companies who can help.
Fortunately CnW Recovery do have a fix for this problem, and has had a high success rate, with complete data recovery. Contact CnW for more details if you think your drive has been affected.
The above problem is not be confused with another common Seagate failure of bearing seizure. The disks spin at 7200 rpm (ie fast) and sometimes the bearing sieze. The solution is a skilled replacement of the platters into a different drive case, only to be undertaken in a clean room with qualified operators. A drive has several platters and the radial alignment between the platters has zero tolerance. ie if the platter moves a micro degree out, all the data will be lost. CnW does not have a solution for this problem, but can recommend companies who can help.
Friday, August 13, 2010
Windows 7 64 bit
64 bit operating systems have been about for several years now and the hardware probably even longer. In the 1980s, it was a very slow move from 8 bit to 16 bit, and then from 16 bit to 32 bit. At last, with Windows 7, 64 bit operating systems are now becoming common, even on laptops, and the key selling point is that the once enourmous 4GB memory limit is now lifted. At a 1980 Intel seminar, it was suggested that 1MB of RAM was all one would ever need! In the course of my programming I now sometimes request 200MB buffers to help with sorting.
Although the operating system is 64 bit, the majority of applications are still 32 bit. The biggest nightmare has been critical support for drivers and other base level drive type programs. I have have been using Windows 7-64 since November 2009 and it is still a pain that the 64 bit Windows Explorer is not supported by Adobe Flash. I also have a nice standard HP printer that does not have a 64 bit driver, and has be used with a fiddle to make it look like a different PCL printer. For CnW Recovery software, support for the hardware dongle has only just been launched.
I like Windows 7, partly because it is on a fast Quad core PC, with 6GB or RAM, and much better than Vista. Whether the 64 bit apsect is worth anything, I am not sure, but I am convinced that this is the way forward., I just wish device drivers for old hardware kept pace.
For recovery purposes, I am looking forward to exploring the multi-tasking features that Visual Studio 2010 has. Disks are getting bigger and bigger, speed is becoming more critical.
A fun tip, you may not be aware of on Windows 7 is the 'Window Key and Tab'. Try it, it is more fun that Alt Tab.
Although the operating system is 64 bit, the majority of applications are still 32 bit. The biggest nightmare has been critical support for drivers and other base level drive type programs. I have have been using Windows 7-64 since November 2009 and it is still a pain that the 64 bit Windows Explorer is not supported by Adobe Flash. I also have a nice standard HP printer that does not have a 64 bit driver, and has be used with a fiddle to make it look like a different PCL printer. For CnW Recovery software, support for the hardware dongle has only just been launched.
I like Windows 7, partly because it is on a fast Quad core PC, with 6GB or RAM, and much better than Vista. Whether the 64 bit apsect is worth anything, I am not sure, but I am convinced that this is the way forward., I just wish device drivers for old hardware kept pace.
For recovery purposes, I am looking forward to exploring the multi-tasking features that Visual Studio 2010 has. Disks are getting bigger and bigger, speed is becoming more critical.
A fun tip, you may not be aware of on Windows 7 is the 'Window Key and Tab'. Try it, it is more fun that Alt Tab.
Thursday, August 12, 2010
Apple Drives
I am often asked which make of drive is good and which is bad. The answer is like trying to recommend which type of car to buy, but there are two drives which should be replaced today if you have one.
The two problem Apple drives are both Segate Momentus (2.5"). The models are
The two problem Apple drives are both Segate Momentus (2.5"). The models are
- Momentus 5400.2 Firmware 7.01
- Momentus 5400.3 Firmware 3.CAE
If you have either of these two drives, then backup up all data today, and have the drive replaced. If the drive dies (this afternoon) physical recovery is all but impossible.
All makes and models of drive fail, but these are currently possibly the worst.
Wednesday, August 11, 2010
Video thumbnails on recovery
When evaluating a demo recovery program it is often very difficult to know if the data you require will be recovered by the licenced copy. Recovering DVDs has an added complication as many DVDs fail in a way that they can not be read by standard DVD readers.
The latest version of CnW Recovery has a wizard to recover Mini DVDs from video cameras. The wizard will first examine the disk to see if readable, and then will extract the video chapters, as MPEGs. For commercial reasons, the demo will not save these files to the hard drive, but will display th first few seconds of each chapter to give confidence that data will be recoverable. The licenced version will continue with a routine to recreate all the IFO files and merge the chapters into a standard VOB all within the stanard VIDEO_TS directory structure.
The latest version of CnW Recovery has a wizard to recover Mini DVDs from video cameras. The wizard will first examine the disk to see if readable, and then will extract the video chapters, as MPEGs. For commercial reasons, the demo will not save these files to the hard drive, but will display th first few seconds of each chapter to give confidence that data will be recoverable. The licenced version will continue with a routine to recreate all the IFO files and merge the chapters into a standard VOB all within the stanard VIDEO_TS directory structure.
Monday, August 9, 2010
Decimal or Hex
I have a personal pet hate of people who use decimal numbers when Hex number make far more sense. On an NTFS disk, the first MFT sector is very often 6,291,519. I cannot remember this number, but 0x60003F is actually very easy. It is made up of a disk partition starting sector of 0x3F, and a cluster size of 8 times the starting cluster of 0xc0000.
When analysing a disk many times sector number make far more sense in Hex than in decimal. Another example can be to determine the cluster size based on file start locations. with a series of start locations such as 512, 640, 1824, 2368 there is no clear patter, but the same numbers in hex are 0x200, 0x280, 0x720, 0x940 it will be a good guess that clusters are probably 0x20 sectors in length.
CnW Recovery software allows for both decinmal and hex to be used, and many menus have an option box to switch between the two. Although it may be easy at first, it is well worth getting used to thinking in Hex when working on disk contents and this helps even more when a complex number is actually made up of several sections. An example maybe a date which has 5 bits for seconds, 6 bits for minutes etc. A decimal number is pretty meaningless, but a hex number is much clearer - though ultimately it is best viewed as a binary number.
Think Hex. Many numbers make far more sense in hex when investigating a disk and computer data. Windows comes with a nice calculator that will flip between decimal and hex when required.
Old joke - There are only 10 types of people in the world, those who understand binary, and those who don't.
When analysing a disk many times sector number make far more sense in Hex than in decimal. Another example can be to determine the cluster size based on file start locations. with a series of start locations such as 512, 640, 1824, 2368 there is no clear patter, but the same numbers in hex are 0x200, 0x280, 0x720, 0x940 it will be a good guess that clusters are probably 0x20 sectors in length.
CnW Recovery software allows for both decinmal and hex to be used, and many menus have an option box to switch between the two. Although it may be easy at first, it is well worth getting used to thinking in Hex when working on disk contents and this helps even more when a complex number is actually made up of several sections. An example maybe a date which has 5 bits for seconds, 6 bits for minutes etc. A decimal number is pretty meaningless, but a hex number is much clearer - though ultimately it is best viewed as a binary number.
Think Hex. Many numbers make far more sense in hex when investigating a disk and computer data. Windows comes with a nice calculator that will flip between decimal and hex when required.
Old joke - There are only 10 types of people in the world, those who understand binary, and those who don't.
Sunday, August 8, 2010
Slack space in NTFS
Slack space on a file system is data that is within allocated clusters, but not actually used. When a file is allocated space on NTFS is normally allocates a number of clusters, and a cluster is often 16 sectors in length. Thus, if a file is say 5K long, then there will be 3K of the cluster which is allocated, but does not contain file information. Also, no user will ever see the contents of this 3K of slack space.
Forensically, slack can be useful as it may contain data from previously deleted files. The data will not be complete but it could conatin between 1 and 8191 bytes of useful (for an 8K cluster). CnW actually has an option to collect these fragments and storfe then in a big file with a header for each length of slack data from each incomplete cluster. It should be noted that slack space will only be found in the final cluster of a file. Thus for a 31K file, there will be 3 complete clusters, and the final cluster will have 1K of slack.
For NTFS, slack space does not stop here. To optimise disk usage, small files are stored after the MFT entry in the 1024 MFT block. The maximum size of file maybe about in the region of 5-600 bytes. Thus when analysing a disk for data in the slack area it is essential to examine each MFT for possible data after the MFT, maybe from previous uses of the block. Again, CnW Recovery has a feature so that all MFTs can store the slack in a specific file, again separating each entry with a header. For more details www.cnwrecovery.com/html/ntfs_forensic.html
Forensically, slack can be useful as it may contain data from previously deleted files. The data will not be complete but it could conatin between 1 and 8191 bytes of useful (for an 8K cluster). CnW actually has an option to collect these fragments and storfe then in a big file with a header for each length of slack data from each incomplete cluster. It should be noted that slack space will only be found in the final cluster of a file. Thus for a 31K file, there will be 3 complete clusters, and the final cluster will have 1K of slack.
For NTFS, slack space does not stop here. To optimise disk usage, small files are stored after the MFT entry in the 1024 MFT block. The maximum size of file maybe about in the region of 5-600 bytes. Thus when analysing a disk for data in the slack area it is essential to examine each MFT for possible data after the MFT, maybe from previous uses of the block. Again, CnW Recovery has a feature so that all MFTs can store the slack in a specific file, again separating each entry with a header. For more details www.cnwrecovery.com/html/ntfs_forensic.html
Saturday, August 7, 2010
Reiser FS
Linux is still a niche operating systems but has many very keen fans. With Windows, there are two file systems that may be used, NTFS and FAT, but with Linux (and Ubuntu) it is possible to install several file systems and so there have been many developments each trying to be better, or faster. The most common file systems as Ext2/3, XFS and ReiserFS (version 3).
The most significant feature of ReiserFS is the way it stores the data on the disk. With FAT, each file always takes at least a cluster (maybe 16K). With NTFS each file over about 500 bytes always takes a cluster, while small files may be stored with the directory entry in the MFT block of 1024 bytes. ReiserFS will use blocks to full capacity. Thus with a 4K block, it may actually contain 5 to 20 files, or the start of a long file. This can mean that the disk can be used with virtually no slack or wasted space.
From the recovery view point this makes data carving a nightmare. For most file systems, data carving always examines just the first bytes of a sector to determine if the sector contains a file start. For the same to be true with ReiserFS, it may have to check every byte, or if the data is 64 bit aligned, every eigth byte in order to detect all possible file starts. Fortunately though, long files normally start on block starts, so normal carving will work, but in order to find all short files, a lot more care has to be taken.
The most significant feature of ReiserFS is the way it stores the data on the disk. With FAT, each file always takes at least a cluster (maybe 16K). With NTFS each file over about 500 bytes always takes a cluster, while small files may be stored with the directory entry in the MFT block of 1024 bytes. ReiserFS will use blocks to full capacity. Thus with a 4K block, it may actually contain 5 to 20 files, or the start of a long file. This can mean that the disk can be used with virtually no slack or wasted space.
From the recovery view point this makes data carving a nightmare. For most file systems, data carving always examines just the first bytes of a sector to determine if the sector contains a file start. For the same to be true with ReiserFS, it may have to check every byte, or if the data is 64 bit aligned, every eigth byte in order to detect all possible file starts. Fortunately though, long files normally start on block starts, so normal carving will work, but in order to find all short files, a lot more care has to be taken.
Friday, August 6, 2010
MFTs and NTFS
Probably the most import element of the NTFS file system is the Master File Table (MFT) structure. This is the block of data that stores information on every file. It contains the file name, dates, size and location on the disk. An MFT entry is normally 1024 bytes long, which means that at times, the file data for a short file (maybe less than 500 bytes) can be stored in this dirctory element, so avoiding having to allocate a 4K area of disk for a small file.
The MFT is made up of several elements, and the most important for receovery purpose are the file allocation locations, file name and the date metadata. On an NTFS disk, the file allocation informtion gives a starting location, and then the number of clusters in the data run. For fragmented files, there are extra staring locations (actually relative locations to the previous start). Occasionally, all the file information can not be fitted into a single 1024 block, so there is a system for chaining multiple MFT blocks.
Analysing the MFT by hand is not easy, so CnW Recovery have added a feature into the software so that an MFT sector is viewed, then moving the mouse over the data will display the decoded information. For more details, click here www.cnwrecovery.com/html/mft_parse.html.
The MFT is made up of several elements, and the most important for receovery purpose are the file allocation locations, file name and the date metadata. On an NTFS disk, the file allocation informtion gives a starting location, and then the number of clusters in the data run. For fragmented files, there are extra staring locations (actually relative locations to the previous start). Occasionally, all the file information can not be fitted into a single 1024 block, so there is a system for chaining multiple MFT blocks.
Analysing the MFT by hand is not easy, so CnW Recovery have added a feature into the software so that an MFT sector is viewed, then moving the mouse over the data will display the decoded information. For more details, click here www.cnwrecovery.com/html/mft_parse.html.
Thursday, August 5, 2010
Hard disk partitions
A physical hard disk is a sequential series of sectors, typically 512 bytes long, though new disks with sectors of 4096 bytes are starting to appear. Logically, the disk can be split into multiple areas, or partitions. Each partition looks to the operator like a separate file. There are several reasons for multiple partitions such as below
- House keeping - to keep disk sizes small
- To prevent a logical drive getting bigger than 2TB
- To separate data and programs
- To have multiple boot mode with different operating systems
- Hidden partitions for system recovery
Most drives still use a partition table in sector 0 to define upto 4 partitions, with the option of an extended partition that in effects chains to a new 'boot' sector and allows for an unlimited number of partitions. The maximum sensible number is probably less than 10.
A very common disk failure is for the boot sector to fail, or be corrupted / overwritten. In order to recover the disk data it is necessary to reconstruct the information that was stored in the partition table, and the critical values are the start sector, sector count in partition (the partition length) and the type of file system, eg NTFS, ReiserFS. Fortunately, thsi information can be discovered by scanning the disk and detecting certain elements such as a Bios Parameter Block, or a series of MFT entries. Thisa feature that CnW Recovery software performs as part of it's Partition function.
Wednesday, August 4, 2010
Which file is a sector in?
Many forensic investigations will scan a complete hard disk for possible interesting strings. The result will be that the string is found in several sectors, but then there is the problem of discovering which files these sectors relate to.
CnW recovery software has a feature within the log to provide an answer to this question. As CnW retains all locations of file fragments, the sme information can be used to discover if a sector is used within any files. This with thelog, the user can search for a specific sector and it will indicate if it is part of a file, or even files. A sector can be marked as part of several files if one has been overwritten by a later file.
If the sector is not part of a file, then it indicates that the data has been found in unallocated space - whch can of course be carved to obtain possibly useful files
CnW recovery software has a feature within the log to provide an answer to this question. As CnW retains all locations of file fragments, the sme information can be used to discover if a sector is used within any files. This with thelog, the user can search for a specific sector and it will indicate if it is part of a file, or even files. A sector can be marked as part of several files if one has been overwritten by a later file.
If the sector is not part of a file, then it indicates that the data has been found in unallocated space - whch can of course be carved to obtain possibly useful files
Tuesday, August 3, 2010
Locating file fragments
When doing a forensic recovery one very important aspect is to log all actions so that they can be repeated. Recovering a file is reading a sequence of sectors, and many times they are in sequence, but not always. For the files that are out of sequence it is necessary to track each fragment / cluster.
The CnW log has a data column that records the number of fragments in a file. If this number in the log is clicked, each fragment (up to a maximum of 80) will be displayed as the starting sector, an sector run length. Abyone can then examine the original disk and establish how the file has been reconstructed.
The CnW log has a data column that records the number of fragments in a file. If this number in the log is clicked, each fragment (up to a maximum of 80) will be displayed as the starting sector, an sector run length. Abyone can then examine the original disk and establish how the file has been reconstructed.
Monday, August 2, 2010
Recovering deleted MAC files
If a file on MAC has been deleted and removed from the trash bin, recovery is difficult. On may operating systems and file systems, a deleted file remains in the directory, but is marked as deleted. With a MAC, the catalog entry is cleared entirely and then the catalog sector is rewritten with no residual information on the file remaining.
The only way to recover MAC deleted files is with data carving. This is a process where the disk is scanned and the start of each sector is examined for known file signatures. For instance, a JPEG file will always start with the bytes 0xFF 0xD8 0xFF then normally a 0xE0 or 0xE1. A clever carving program will then go a few stages further and analyse the data. CnW will try and reconstruct a file name based on metadata within a file, so most JPEGs will be recovered with an original date.
The problem with data carving is that directory structure is retained.
When the file is deleted, so is all the information of where different setions of the file have been saved. Fortunately, most MAC files are sequential so a high recovery rathe can be expected.
The only way to recover MAC deleted files is with data carving. This is a process where the disk is scanned and the start of each sector is examined for known file signatures. For instance, a JPEG file will always start with the bytes 0xFF 0xD8 0xFF then normally a 0xE0 or 0xE1. A clever carving program will then go a few stages further and analyse the data. CnW will try and reconstruct a file name based on metadata within a file, so most JPEGs will be recovered with an original date.
The problem with data carving is that directory structure is retained.
When the file is deleted, so is all the information of where different setions of the file have been saved. Fortunately, most MAC files are sequential so a high recovery rathe can be expected.
Sunday, August 1, 2010
Lost file or directory on NTFS
Occasionally a file, or complete subdirectory may go missing on an NTFS disk. The most common reason actually is operator error, maybe by accidently dragging adirectory into another directory. The way to recover from this situation is to search the disk for a known file, and then work out what has been moved where.
The same problem can also occur when a critical sector fails or is corrupted. This can leave the directory tree with a logical break, and so leave files with no correct location. CnW recovery software has a good solution to this problem. as part of the recovery options, it allows for recovery from file entries. It will either scan the known $MFT (NTFS directory file) for individual MFT entries, or it can scan the complete disk. When an MFT is found it is tested to see if the Master File Table entry is for a file or a directory. If for a file it is recovered, and the directory path then reconstructed as much s possible. For the files that have been lost, a dummy direvctory entry will be created, eg lostdir123, and all files related to the lost directory will be placed together. To find your lost file, either the recovered filoes can be searched, or the log examined to determine the new location
The same problem can also occur when a critical sector fails or is corrupted. This can leave the directory tree with a logical break, and so leave files with no correct location. CnW recovery software has a good solution to this problem. as part of the recovery options, it allows for recovery from file entries. It will either scan the known $MFT (NTFS directory file) for individual MFT entries, or it can scan the complete disk. When an MFT is found it is tested to see if the Master File Table entry is for a file or a directory. If for a file it is recovered, and the directory path then reconstructed as much s possible. For the files that have been lost, a dummy direvctory entry will be created, eg lostdir123, and all files related to the lost directory will be placed together. To find your lost file, either the recovered filoes can be searched, or the log examined to determine the new location
Saturday, July 31, 2010
Clicking disk drives
Often customers for disk recovery say that the computer just stopped. It then often turns out that the computer has been going very slow, or making clicking noises.
Hard disk drives will click when the head cannot locate a track. It will try and recalibrate itself by moving the head as far out as possible, and the clicking is when it hits the end stop. When it does this every second or so, it indicates there is a major problem with the drive. Sometimes the sector will be read, and the clicking will stop, but other times, it will continue and the drive will be dead.
If clicking noises are heard from the drive then this indicates there are problems. The drive may continue for months, or could die a few minutes later. The only safe thing to do is to copy off any files that have not been backed up, followed by a full backup. The next stage is to replace the drive. A new physical drive these days is not expensive, and much cheaper than data recovery.
If the drive does die with clicking noises the most likely reason is that the heads have failed. In maybe 80% of cases they can be replaced, but the cost could be 5 to 20 times that of a new drive. Thus take any clicking seriously with a full backup, and most likely a new hard drive.
CnW Recovery does not work on head replacement, but can recommend companies to assist.
Hard disk drives will click when the head cannot locate a track. It will try and recalibrate itself by moving the head as far out as possible, and the clicking is when it hits the end stop. When it does this every second or so, it indicates there is a major problem with the drive. Sometimes the sector will be read, and the clicking will stop, but other times, it will continue and the drive will be dead.
If clicking noises are heard from the drive then this indicates there are problems. The drive may continue for months, or could die a few minutes later. The only safe thing to do is to copy off any files that have not been backed up, followed by a full backup. The next stage is to replace the drive. A new physical drive these days is not expensive, and much cheaper than data recovery.
If the drive does die with clicking noises the most likely reason is that the heads have failed. In maybe 80% of cases they can be replaced, but the cost could be 5 to 20 times that of a new drive. Thus take any clicking seriously with a full backup, and most likely a new hard drive.
CnW Recovery does not work on head replacement, but can recommend companies to assist.
Friday, July 30, 2010
NAS RAID drives
For a small business, or even home user, the thought of secure data storage is very attractive. Network Attached Storage (NAS) systems are becoming very popular as they may be shared on a network by several PCs, some even purely by wireless interface. The idea of a RAID is that if one drive should fail, the other one will still have the information, so no data should be lost.
Recently, at CnW Recovery I have seen several RAID systems where it is the RAID controller, rather than the drive which has failed. This ends up with multiple, physically working drives, but no way to access the data. Most RAID controllers actually use some kind of Unix file system and recently we have seen XFS, ReiserFS and Ext2 as the data storage. The drives do also typically contain a few Unix partitions to power the Linux based controller system.
To recover the data it is necessary to remove the drives and then logically read the data partition of the drive. CnW software is being developed to make this as easy as possible, and new variations of drive layout are being added on a regular basis.
The main warning of this blog is that a RAID is not quite as secure as the manufacturers might imply, but at the same time, help is on hand to recover the data.
Recently, at CnW Recovery I have seen several RAID systems where it is the RAID controller, rather than the drive which has failed. This ends up with multiple, physically working drives, but no way to access the data. Most RAID controllers actually use some kind of Unix file system and recently we have seen XFS, ReiserFS and Ext2 as the data storage. The drives do also typically contain a few Unix partitions to power the Linux based controller system.
To recover the data it is necessary to remove the drives and then logically read the data partition of the drive. CnW software is being developed to make this as easy as possible, and new variations of drive layout are being added on a regular basis.
The main warning of this blog is that a RAID is not quite as secure as the manufacturers might imply, but at the same time, help is on hand to recover the data.
Thursday, July 29, 2010
How to avoid data recovery
This may be an odd item to write about in a data recovery blog, but actually the best kind of data recovery is not to require it. The critical word is 'Backup'. However, I get many customers who say that they were about to do a backup, or where going to do a backup when they had finished their project, university work etc, and then all of a sudden everything is lost.
For a safe backup there are a few critical points
For a safe backup there are a few critical points
- Must be done automatically, or on a regular basis
- A backup must be stored on another piece of media
- A backup must be stored in a different location
- A backup must be tested with the occasional restore
For many users and small businesses a very easy type of backup is an online system that automatically backs files up when they are added to the system, or edited. There are many available, but the one I use is Carbonite as it is automatic, and has unlimited capacity. It ticks all four boxes above.
The different media is essential as if just a different partition is used, this could fail at the same time as the key data partition.
The different location will cover events such as fire and theft. For non sensitive data, then placing a backup drive in the office or home is a good start, or with friends are neighbours.
Another point on backup is the ability to recreate a complete system disk from scratch in the event of a complete failure. For this one requires disk image of the system disk and Acronis is a popular solution, but not one I have tried.
Always think that if any thing is not backed up, it could be lost - so BACKUP now.
Wednesday, July 28, 2010
Reconstructing video disk from MPEGs
Recovery programs are very good at recovering MPEGs but these are not typically viewable with a DVD player. To view the files it is necessary to create a VIDEO_TS directory with .IFO and .VOB files. To convert MPEGS into such a structure it is normally necessary to a 3rd part product such as IFOEDIT. IFOEDIT is a very good (free) program, but it is maybe a bit too complex for many users. CnW Recovery software has a built in tool to recreate a video disk from MPEGS, and for many users this is a straight forward simple function. There is also a nice feature in that it is included as part of the free demo of CnW Recovery software.
Tuesday, July 27, 2010
Recovery from a formatted disk
I occasionally receive disks that are perfectly valid, with intact files and file system. However, the history of them is that they have been reformatted,and the original files lost. To make things slightly worse, the file system may have been changed. Thus an original FAT32 disk couldnow be a NTFS or the other way around.
To help detect this, CnW Recovery software has a function on the partition scan that will count the number of MFTs (for NTFS) or directory clusters for FAT disks. It will often be clear at the end of the scan if there was a different file system on the disk at a previous time. It is then possible, using the partition manager to force the disk to act as a certain format, eg FAT32 or NTFS before recovering the files.
Often in instances where the file system has been changed, most of the critical file information will have been overwritten, but fortunately all file systems tend to use different areas of the disk so it possible that a complete MFT (NTFS directory sectors) may still be intact as may be many FAT32 directories. By analysing this remaining fragmenst, it is possible to determine the critical parameters before attempting a recovery.
Often a very complete recovery will be possible, as long as the disk has not been used too much after reformatting.
To help detect this, CnW Recovery software has a function on the partition scan that will count the number of MFTs (for NTFS) or directory clusters for FAT disks. It will often be clear at the end of the scan if there was a different file system on the disk at a previous time. It is then possible, using the partition manager to force the disk to act as a certain format, eg FAT32 or NTFS before recovering the files.
Often in instances where the file system has been changed, most of the critical file information will have been overwritten, but fortunately all file systems tend to use different areas of the disk so it possible that a complete MFT (NTFS directory sectors) may still be intact as may be many FAT32 directories. By analysing this remaining fragmenst, it is possible to determine the critical parameters before attempting a recovery.
Often a very complete recovery will be possible, as long as the disk has not been used too much after reformatting.
Monday, July 26, 2010
Hashing in forensic recovery
With any forensic investigation, the term hashing will appear somewhere. But what is hashing, and how important is it?
Hashing is a digital signature, and therefore is unique for each file or document. The most common standard is MD5 which is a 16 byte number, normally displayed as a string of 32 hex text characters. It is secure because any single bit change, anywhere in the file will produce a completely different hash value. It is also secure because there is no way of working out from the result, what the original data string was.
When a file is recovered, or imaged, the whole file is scanned, and a hash value is produced. In future, if the same file has it's hash value calculated, as long as it is the same, then the file is identical. It would be impossible to tamper with the file without changing the hash value. Thus forensically, the reason for hashing is as part of the chain of custody. If is file is read, then it can be distributed as evidence and as long as the hash remains the same, the file is the same. For this reason, the CnW Recovery software always includes a file hash value in the log for forensic applications.
There are possible dangers with hashing. It can be taken because there is hash value, then the file is true, but it must always be considered that a file could have been tampered with before the original recovery or investigation was made.
The second concern is that the MD5 hashing routine has been broken in forensic terms. ie a file has been modified, and kept the same hash value. To do this takes a lot of skill, and a lot of computing power to discover which 16 byte number has to be inserted at which location in the file to produce an unchanged hash value. The solution to this concern is to use longer hash values, such as SHA-1, SHA-256.
My personal view though is that for 99.999999% of applications, MD5 is adequate, and will always detect accidental and transmission errors. With increasing computer power, it true that the length of the hash will have to increase, and each extra byte will improve the strength by 256 times. However in March 2011, SHA-256 has been added to the forensic log
Hashing is a digital signature, and therefore is unique for each file or document. The most common standard is MD5 which is a 16 byte number, normally displayed as a string of 32 hex text characters. It is secure because any single bit change, anywhere in the file will produce a completely different hash value. It is also secure because there is no way of working out from the result, what the original data string was.
When a file is recovered, or imaged, the whole file is scanned, and a hash value is produced. In future, if the same file has it's hash value calculated, as long as it is the same, then the file is identical. It would be impossible to tamper with the file without changing the hash value. Thus forensically, the reason for hashing is as part of the chain of custody. If is file is read, then it can be distributed as evidence and as long as the hash remains the same, the file is the same. For this reason, the CnW Recovery software always includes a file hash value in the log for forensic applications.
There are possible dangers with hashing. It can be taken because there is hash value, then the file is true, but it must always be considered that a file could have been tampered with before the original recovery or investigation was made.
The second concern is that the MD5 hashing routine has been broken in forensic terms. ie a file has been modified, and kept the same hash value. To do this takes a lot of skill, and a lot of computing power to discover which 16 byte number has to be inserted at which location in the file to produce an unchanged hash value. The solution to this concern is to use longer hash values, such as SHA-1, SHA-256.
My personal view though is that for 99.999999% of applications, MD5 is adequate, and will always detect accidental and transmission errors. With increasing computer power, it true that the length of the hash will have to increase, and each extra byte will improve the strength by 256 times. However in March 2011, SHA-256 has been added to the forensic log
Sunday, July 25, 2010
Why photo recovery sometimes has corrupted photos
Digital cameras are great, and so are memory chips, but sometimes failures happen and photos are lost. The typical reason is that part of thye chip is corrupted when taking it out of the camera, or plugging into the PC. Data recovery is fairly straight forward, and many recovery programs will produce good results. The problem comes when some of the photos will not open or are otherwise corrupted.
When a memory chip is corrupted, it is very common for the file allocation table (FAT) to be destroyed which means that the normal recovery program can only assume that the photo was stored sequentially, and again many times this is the case. If you are a photographer that has deleted some photo in the camera, either because they were bad, or to save space then new photos will be fragmentd when stored. This means that different parts of the photo will be stored in different areas of the memory chip. The location of each sector (or cluster) used is stored in the FAT, and this is the critical element which may be missing. Hence photos are not recovered correctly.
The solution is a feature rarely found in recovery software that will examine all the memory chip and reconstruct photos even when the fragments have been scattered over the memory chip. Although it may not be possible to be 100% reliable, extra photos will be recovered that otherwise would be lost. For more details see www.cnwrecovery.com/html/jpeg_frags.html
When a memory chip is corrupted, it is very common for the file allocation table (FAT) to be destroyed which means that the normal recovery program can only assume that the photo was stored sequentially, and again many times this is the case. If you are a photographer that has deleted some photo in the camera, either because they were bad, or to save space then new photos will be fragmentd when stored. This means that different parts of the photo will be stored in different areas of the memory chip. The location of each sector (or cluster) used is stored in the FAT, and this is the critical element which may be missing. Hence photos are not recovered correctly.
The solution is a feature rarely found in recovery software that will examine all the memory chip and reconstruct photos even when the fragments have been scattered over the memory chip. Although it may not be possible to be 100% reliable, extra photos will be recovered that otherwise would be lost. For more details see www.cnwrecovery.com/html/jpeg_frags.html
Erased DVD-RW video disks
Mini video DVD-RW often get either accidently erased, or fail due to camera or operator error. The reason is not too important, but the result can be a video disk that can not be read, and all PCs just state that the disk is blank.
Very few data recovery companies can handle this type of error, but CnW Recovery have developed special hardware to allow such disks to be recovered. As long as the erase was a quick erase, that nomrally takes less than 2 minutes, then the recovery success rate is extremely high. There is a fixed fee of just £40, and no fix, no fee. www.cnwrecovery.co.uk/html/dvd_recovery.html for more details.
Very few data recovery companies can handle this type of error, but CnW Recovery have developed special hardware to allow such disks to be recovered. As long as the erase was a quick erase, that nomrally takes less than 2 minutes, then the recovery success rate is extremely high. There is a fixed fee of just £40, and no fix, no fee. www.cnwrecovery.co.uk/html/dvd_recovery.html for more details.
Saturday, July 24, 2010
Undelete software
We all make mistakes, and deleted files, or directories is a common one. There are lots of software packages that claim to help, but some can actually make things worse, and all, if not used carefully can add to misery by permanately overwriting file that could have been recovered.
When a file is deleted the process is that either the directory entry is marked as deleted, or in the case of Macintosh systems, and some Unix file systems, the file name and details are also deleted. On most common systems (unless special scrubbing software is included) the data remains unchanged on the disk, but the area the data occupies is redesignated as unallocated. This means that any new file can use the space that was previously assigned to the deleted files. Unless you have the budget of the CIA and FBI combined, it is safe to say that an overwritten sector is just that, an previous data is lost for ever. The danger of downloading a data recovery, or undelete program onto the computer where files have been deleted, is very significant. There is no way to stop the program being copied to areas where the deleted files were, and so data will be lost for ever.
Any use of the computer, or even just leaving it one can cause files in unallocated space to be overwritten. For instance, virus checkers ar always having updates, and does Microsoft. Any web browsing generates many temporary files. Shut down must be as soon as possible. The only safe solution is to turn the computer off and remove the drive entirely. Any other approach, or delay increases the chance of permanant loss. Even shutting down the computer writes files. For many forensic investigations it is often suggested the best way is to literally pull the plug, and not try an organised shut down.
The safe solution is to remove the drive and set it up as a slave drive on a different computer running the undelete, or data recovery software. For critical application, or forensic investigation a write blocker should be used to ensure that no data is written to the slave drive.
When it comes to undelete software, gain it is very dangerous to atually try and undelete rather than recover the deleted files to a different drive. With a FAT device, the locations that the original file are stored in is delted when the file is marked as deleted. Undeleting will therefore just assume that the file is sequential - a good starting point, but not always true. Also, for FAT32 files, the starting point of the file is only partitally known, and very few recovery programs actually determine the correct location. Fortunately CnW Recovery does work out the correct location for files of a known type. See www.cnwrecovery.com/html/fat32.html for more details.
When a file is deleted the process is that either the directory entry is marked as deleted, or in the case of Macintosh systems, and some Unix file systems, the file name and details are also deleted. On most common systems (unless special scrubbing software is included) the data remains unchanged on the disk, but the area the data occupies is redesignated as unallocated. This means that any new file can use the space that was previously assigned to the deleted files. Unless you have the budget of the CIA and FBI combined, it is safe to say that an overwritten sector is just that, an previous data is lost for ever. The danger of downloading a data recovery, or undelete program onto the computer where files have been deleted, is very significant. There is no way to stop the program being copied to areas where the deleted files were, and so data will be lost for ever.
Any use of the computer, or even just leaving it one can cause files in unallocated space to be overwritten. For instance, virus checkers ar always having updates, and does Microsoft. Any web browsing generates many temporary files. Shut down must be as soon as possible. The only safe solution is to turn the computer off and remove the drive entirely. Any other approach, or delay increases the chance of permanant loss. Even shutting down the computer writes files. For many forensic investigations it is often suggested the best way is to literally pull the plug, and not try an organised shut down.
The safe solution is to remove the drive and set it up as a slave drive on a different computer running the undelete, or data recovery software. For critical application, or forensic investigation a write blocker should be used to ensure that no data is written to the slave drive.
When it comes to undelete software, gain it is very dangerous to atually try and undelete rather than recover the deleted files to a different drive. With a FAT device, the locations that the original file are stored in is delted when the file is marked as deleted. Undeleting will therefore just assume that the file is sequential - a good starting point, but not always true. Also, for FAT32 files, the starting point of the file is only partitally known, and very few recovery programs actually determine the correct location. Fortunately CnW Recovery does work out the correct location for files of a known type. See www.cnwrecovery.com/html/fat32.html for more details.
Friday, July 23, 2010
Recovery from a Western Digital 250GB disk
I received a WD 250 GB disk that span, and was even recognised by the BIOS. However, every sector read failed. When putting it on the PC3000 UDMA system (Russian hard drive recovery product) it indicated that part of the service area of the disk was corrupted. The next stage was a complete backup of all the readable firmware, and service area before the failed translation module was regenerated. It worked, and the drive was then imaged before running the data recovery process of the slightly corrupted NTFS drive.
HP Media vault
Received a pair of disks recently that were unreadable with with the original HP Media vault. The disks were 300GB and 750GB giving a capacity of just over 1TB. The first disk started with the string "Broadcom NAS Version 1.1 MBR Tag" and did not have a standard boot sector. The second disk had a standard boot sector, but a header suggesting a FAT32 disk.
Both disks actually had Reiser FS as their data structure. After investigation, it was determined that the data was in three stripes, and the locations are stored in sector 1 (ie second on the disk) of each disk. A few enhancements to the CnW Recovery software (http://www.cnwrecovery.com/) and all the data was read and recovered. It was read using the JBOD feature in the RAID option
Both disks actually had Reiser FS as their data structure. After investigation, it was determined that the data was in three stripes, and the locations are stored in sector 1 (ie second on the disk) of each disk. A few enhancements to the CnW Recovery software (http://www.cnwrecovery.com/) and all the data was read and recovered. It was read using the JBOD feature in the RAID option
Subscribe to:
Posts (Atom)