O.T. - Connection Problem:

Mark Twain wrote:
I tried running undelete360 on
the WD external HD and this is
what it gave me:

http://i63.tinypic.com/rssjg8.jpg

Obviously it doesn't have anything
there I recognize,, none of my doumentation

Robert

I haven't used that program, so don't
know the options at all.

I see a "filter" option, and you want that
to be wide open. Or at least to allow your
MRIMG or other file types to be detected.

Obviously, "Search" is the first step. Followed
by "Recover" after you'd ticked the box to the
left of each file name you want to recover.

And that "Filter" option may be preventing
more interesting things from being seen.

As long as you're not writing to the volume
with the deleted files (which is F: in your
picture), you can spend all the time you want
thinking about it.

Windows 7 normally has System Restore disabled
on all volumes except C: , so System Restore should
not be doing any destructive writes to F: . Don't
even delete any files from F: , until you're happy with
the recovery effort and you got as many as were on offer.

Paul

I found this:

http://www.undelete360.com/gstarted.html

and this:

https://www.youtube.com/watch?v=fUVnr_-epPs

seems the second link some have tried this
and lost all their files as result.

I tried it again but no luck,...
I tried using the filter to search for a
folder but no luck and folder option is
only for the paid version.

http://i68.tinypic.com/16ap1cj.jpg

http://i67.tinypic.com/fdyjnp.jpg

http://i65.tinypic.com/2usu7ew.jpg

This doesn't seem to work or the files
are truly gone because I can't seem to
find them using this.

Robert

Mark Twain wrote:
I found this:

http://www.undelete360.com/gstarted.html

and this:

https://www.youtube.com/watch?v=fUVnr_-epPs

seems the second link some have tried this
and lost all their files as result.

I tried it again but no luck,...
I tried using the filter to search for a
folder but no luck and folder option is
only for the paid version.

http://i68.tinypic.com/16ap1cj.jpg

http://i67.tinypic.com/fdyjnp.jpg

http://i65.tinypic.com/2usu7ew.jpg

This doesn't seem to work or the files
are truly gone because I can't seem to
find them using this.

Robert

OK, give Recuva Free a try. Of the two, Recuva
mentioned "deleted files", so perhaps it will
try the undelete method first. Photorec on the
other hand, scans every sector and is a signature
based scanner (as near as I can determine). The
best chance at recovery for a file as big as an
MRIMG, is a "deleted files" method.

http://www.piriform.com/recuva

http://www.cgsecurity.org/wiki/PhotoRec

Paul

I tried Recuva with the same results:

http://i65.tinypic.com/2yki8ev.jpg

http://i66.tinypic.com/2d8qqt2.jpg

http://i65.tinypic.com/33e3ndw.jpg

http://i65.tinypic.com/33e3ndw.jpg

http://i64.tinypic.com/2ugkyvk.jpg

http://i66.tinypic.com/s59qps.jpg

http://i64.tinypic.com/2vsqnno.jpg

http://i66.tinypic.com/k9f8ci.jpg

http://i68.tinypic.com/dq5gme.jpg

seems its lost

Robert

This is a massive amount of work I've lost,...
the only thing I can think of is to go to the
next Mrimg 8-25-16 and see if I can retrieve
some of it.

Please give me detailed step by step instructions
on how to do this so I don't screw things up again.

As already shown the undelete360 deleted all those other
peoples files and they lost everything like me. So
I would appreciate your assistance in trying to recover
what I can. These programs aren't working.

Thanks,
Robert

Mark Twain wrote:
This is a massive amount of work I've lost,...
the only thing I can think of is to go to the
next Mrimg 8-25-16 and see if I can retrieve
some of it.

If you mean mounting the MRIMG and copying some files
from it, you only need to do one additional thing.

Create a separate empty folder, away from your other
stuff. And copy and paste the MRIMG files into
that empty folder. That should prevent any kind
of "merging calamity". *Don't* copy and paste
from MyDocuments to MyDocuments. Copy from MyDocuments
into a separate WorkingFolder. Then move the files, one
at a time, from WorkingFolder to where they belong.


Please give me detailed step by step instructions
on how to do this so I don't screw things up again.

As already shown the undelete360 deleted all those other
peoples files and they lost everything like me. So
I would appreciate your assistance in trying to recover
what I can. These programs aren't working.

Thanks,
Robert

Well, we don't have any evidence exactly what
happened to your files. They can be unrecoverable,
if enough additional writes are done to the
destination partition. And that might account
for the inability to find anything. Or maybe
undelete360 doesn't really work. I don't know what
to tell you, in that regard.

I've done an undelete operation, under carefully
controlled conditions, and got the file back. So
you can make it work. But a lot of things can
also go wrong. That's why the odds aren't always
in your favor on things like this.

As another example, when I made a typing mistake
while using Robocopy, I managed to delete around
a gigabyte of files. I didn't even try "undelete".
Why ? Because I knew that enough writes to the disk
happened after the accident, that recovery would
be impossible. That's life as they say. If you
can stop writes to the volume instantly after
an accident, it improves the odds of getting
the stuff back. If you don't notice and the
mischief goes on for some time, then your odds
are reduced a lot of getting anything back.

You can try the Photorec link if you want. The
second link of the two I gave. But it doesn't
necessarily use all that good a method, or rather,
the method is sensitive to disk fragmentation, and
you're more likely to get half a file than a full
file.

*******

Also, have you tried this one as a means to do UnDelete ?

http://www.cgsecurity.org/wiki/TestD...e_file_for_FAT

Download TestDisk to the 780, and run it on the partition
in question. And see what it shows for items that have the
flag set.

You highlight the partition you want UnDelete information
about, and it shows the things that can be recovered
in red.

http://www.cgsecurity.org/mw/images/...t_undelete.png

http://www.cgsecurity.org/mw/images/...elect_file.png

Then, with a red file selected, you press the letter "c" to copy,
then specify a different disk as a place to copy the file.

Paul

I tried TestDisk but can't seem to
extract the file or don't know how.

Here are where my Mrimg files are located

http://i63.tinypic.com/dooyus.jpg

Here are the Mrimgs

http://i64.tinypic.com/2637low.jpg

do you still wish me to move them?

Robert

One thing,, I'm not suppose to be using
the 8500? To even turn it on ?

I had been using it since it happened,.
since I didn't know but haven't saved
anything except on a key so am I screwed?

Robert

Yes, I was talking about mounting an Mrimg
ring and extracting the files I need.

You say there's only one thing I need to do
but I royally screwed this up with no directions
and I don't want to repeat what I did.

This isn't as easy as you make it sound and I'm
not a technical person. I've lost 10 years worth
of research and documentation because of this.

So I would appreciate some guidance.

Robert

Mark Twain wrote:
I tried TestDisk but can't seem to
extract the file or don't know how.

Here are where my Mrimg files are located

http://i63.tinypic.com/dooyus.jpg

Here are the Mrimgs

http://i64.tinypic.com/2637low.jpg

do you still wish me to move them?

Robert

The degree of safety, of any data move you
might try, is a function of what kind of
accident you plan on having :-)

It wouldn't cost you any file transfer
time to move

F:\users\Rpbert\8500 Backup(Mrimg) Files

to

F:\8500 Backup(Mrimg) Files

by just dropping that folder right under F:
itself. But that only protects you, if you
plan on copying "Rpbert" over top of "Rpbert"
again. Even if you were to create an empty
folder in

F:\users\Rpbert\EmptyFolder

and dropping the Macrium-recovered content
into EmptyFolder, that would protect your
other home directory contents.

*******

You can format practically any partition by accident.
You can delete the MBR partition table with a
little bit of effort (disk part, "clean" command).
So there are lots of ways to lose data that
are independent of folder choices. Trickery
won't help in those cases.

And this is why I have absolutely no good
options to offer for Ransomware. Disconnecting
disks with valuable data on them, that's the only
absolute protection you have against data loss.
You cannot format a drive which is disconnected.
If data is sitting at rest, on a running drive,
just about anything could happen to it.

So the idea of moving the MRIMG files, is one of
putting them in an "obscure corner" where you
won't trample on them by accident. And it's only
a slight improvement from a safety perspective.

If the OS had a working "immutable" bit, like Linux
has, we wouldn't need to worry so much. On Linux,
you can mark a file as undeleteable, on purpose,
to prevent **** from happening to it. So this is
what the Linux users have as an option. You use the
chattr command, to turn off "i" later so the file
or files can be deleted. It's a permission
bit that says "please please don't delete this file" :-)

https://en.wikipedia.org/wiki/Chattr

"A file with the i attribute cannot be modified.

It cannot be deleted or renamed, no link can be created
to this file and no data can be written to the file.

When set, prevents, even the superuser, from erasing
or changing the contents of the file."

You can emulate that behavior in Windows, but then all
it takes is a clever program (Macrium) to undo it. If
there was an explicit immutable bit, chances of survival
might be a bit better. (The idea being, any utility that
"sees" the immutable bit, should know better than to
remove it using chattr behind the scenes. Every utility
must use the correct logic, for the file to remain
protected.)

Paul

Mark Twain wrote:
One thing,, I'm not suppose to be using
the 8500? To even turn it on ?

I had been using it since it happened,.
since I didn't know but haven't saved
anything except on a key so am I screwed?

Robert


If you have a "delete accident" on a particular
partition, you want to stop any further write
operations to that partition. Until you can undelete
the lost file(s).

If the partition was C: that lost files, then
to stop using C: you'd move C: to another computer
and over there, use it as a "data drive" only. Then,
carry out the TestDisk $MFT search for deleted files.

If you have *another* boot drive to use in the 8500,
of course you can use the 8500 with that. And if the data loss
occurred on a partition other than C: , you could
control writes to that well enough, to not need any
special handling procedures until the undelete is done.

So the objective is, to stop writing to the affected
partition. The OS is constantly fiddling around with
the C: partition, so small writes will be done by the
Search Indexer, by System Restore, various logs,
the Event Viewer, and so on. And the way the file system
works, is it enjoys chowing down on parts of the disk
that were just freed up. By making the drive not be
the OS drive (using it as a data drive on another
computer), that reduces the risk of doing writes.
System Restore can do writes, but on Windows 7, the
default policy is disks newly added to a system have
System Restore turned off. WinXP on the other hand,
was a bitch for this sort of stuff, because System
Restore operation was enabled on everything, and you
can't possibly race over to the interface for that
fast enough on WinXP, to turn it off. Whereas Win7
has a bit more reasonable policy.

I'm just surprised the file names are not showing
up in an undelete search. The possible outcomes a

1) File name visible for "undelete" and no clusters
have been overwritten. This is an excellent candidate
for recovery.

2) A more likely scenario is, the file name is visible for
"undelete" (because the table entry in the $MFT has not
been reused yet). But if the clusters have been overwritten
by other write operations, then the file recovery
status is "poor". You get half a file, or a file with
holes punched in it. Since MRIMG files have integrity
checks, if you run a Macrium "verify" on an MRIMG file,
you can easily tell the backup is damaged.

3) If the File Name isn't visible (with "deleted" flag set),
that only happens if the disk has been used for a substantial
period of time, and all the old freed-up MFT table entries have
been put to usage. Reusing table entries isn't "aggressive"
enough to make the File Names disappear before TestDisk
can spot them. Only a Secure Delete kind of software, is
aggressive enough to remove everything. The file system
does lazy reuse of facilities, with the clusters of data
being the "most unlucky" part, whereas table entries in
the $MFT, in my estimation, last a bit longer. You can
easily be teased with a (2) status, of finding the file
name, flipping the single byte flag that undeletes it,
but because the data clusters overlap with another file,
the file contents are already damaged. And that's what
happens if you don't stop cluster writes to the drive
immediately. The more data you write, the more valuable
clusters get overwritten. Losing all evidence of the
old file names, that takes a while for it to disappear
on its own.

If no utility is able to show the file names of the
recently deleted items, then chances are poor that
a Photorec type scavenger scan, will cough up
a perfectly complete file.

*******

When doing forensic data recovery, you work in a
room filled with "spare disks". And there is no
limit to how many copies you can make of the
source disk, to prevent accidents. I did not
recommend any backup procedure in this case,
because "undelete360", "recuva", "testdisk",
"photorec" should not go trampling on the
disk without user input. They all should be
able to scan without hurting anything. A proper
procedure in a police lab, would be to make a
"dd.exe" copy of the disk immediately, as it
comes into the lab. And never work without
"exact" backup copies.

Your Macrium tool, makes copies of the "living"
data, but not copies of the "dead" data. To copy
both living and dead data, that's a job for
a sector-by-sector "dd.exe" copy. Macrium Reflect
doesn't care about your recently-deleted files,
so is *not* a good choice for forensic copying.
When you want to preserve all the evidence,
every last stinking sector, that's a job for "dd".
And "dd" is available for Linux and Windows.

*******

You can use the 8500 with *any other* bootable
hard drive if you want. It's the disk that had
files deleted on it, you don't boot the C: with
the missing files, until you've given up all hope
of recovering them. If there are no file names
to be seen, using any of the tools, then the
files are effectively "gone". I don't consider
using scavenger tools to be all that practical
(the ones that work without consulting the $MFT),
because any large files are unlikely to be
un-fragmented and available as one continuous
read operation. I don't think a scavenger has
any way of joining together pieces of files.
Photorec is a kind of scavenger, but it doesn't
have a pattern for matching MRIMG files. It's good
for JPG files though.

Paul

Mark Twain wrote:
Yes, I was talking about mounting an Mrimg
ring and extracting the files I need.

You say there's only one thing I need to do
but I royally screwed this up with no directions
and I don't want to repeat what I did.

This isn't as easy as you make it sound and I'm
not a technical person. I've lost 10 years worth
of research and documentation because of this.

So I would appreciate some guidance.

Robert

Just make sure you copy the files into an *empty*
folder. Don't try to copy over top of an
existing structure.

*******

Maybe I'm going to have to simulate what
you've done ?

I'm finding it hard to believe that undelete is not working.

*******

And you haven't lost 10 years worth, if you still have
your Aug.25, 2016 backup. You've lost a months worth.

Paul

That's allot of technical information !@!

Until I get them back,.. I've lost 10 years
and right now I'm not confident we will because
nothing is working.

So do you suggest I do a macrium verify on the Mrimg
in question? So I should shut down the 8500 now and
not use it?

I'm going to put in the spare HD on the 8500

but still am at a loss of what to do now to recover?

Robert

I put in the spare HD which we already
booted for the first time previously.
However it's not working (like everything
else).

This is what it say:

Windows Boot Manager

Windows failed to start. A recent hardware
or software change might be the cause. To fix
the problem:

1. insert your Windows installation disc and
restart your computer
2. choose your language settings and then click next
3. click 'repair your computer'

If you do not have this disk, contact your system
administrator or computer manufacturer for assistance.

Status 0xc000000e

Info: The boot selection failed because a required device
is inaccessible.

Great I set all this up and bought all these HD's
and it doesn't work when needed. A

Robert

So how do I verify a Mrimg? I
went onto Macriuum and all
I see is clone and image.

Robert