#361
O.T. - Connection Problem:
Mark Twain wrote:
> I tried running undelete360 on the WD external HD and this is what it gave me:
> http://i63.tinypic.com/rssjg8.jpg
> Obviously it doesn't have anything there I recognize, none of my documentation
>
> Robert

I haven't used that program, so don't know the options at all.

I see a "filter" option, and you want that to be wide open. Or at least to allow your MRIMG or other file types to be detected.

Obviously, "Search" is the first step. Followed by "Recover" after you'd ticked the box to the left of each file name you want to recover. And that "Filter" option may be preventing more interesting things from being seen.

As long as you're not writing to the volume with the deleted files (which is F: in your picture), you can spend all the time you want thinking about it. Windows 7 normally has System Restore disabled on all volumes except C:, so System Restore should not be doing any destructive writes to F:. Don't even delete any files from F:, until you're happy with the recovery effort and you got as many as were on offer.

Paul
#362
O.T. - Connection Problem:
I found this:
http://www.undelete360.com/gstarted.html
and this:
https://www.youtube.com/watch?v=fUVnr_-epPs
Seems from the second link some have tried this and lost all their files as a result.

I tried it again but no luck... I tried using the filter to search for a folder but no luck, and the folder option is only for the paid version.
http://i68.tinypic.com/16ap1cj.jpg
http://i67.tinypic.com/fdyjnp.jpg
http://i65.tinypic.com/2usu7ew.jpg

This doesn't seem to work or the files are truly gone because I can't seem to find them using this.

Robert
#363
O.T. - Connection Problem:
Mark Twain wrote:
> I found this:
> http://www.undelete360.com/gstarted.html
> and this:
> https://www.youtube.com/watch?v=fUVnr_-epPs
> Seems from the second link some have tried this and lost all their files as a result.
>
> I tried it again but no luck... I tried using the filter to search for a folder but no luck, and the folder option is only for the paid version.
> http://i68.tinypic.com/16ap1cj.jpg
> http://i67.tinypic.com/fdyjnp.jpg
> http://i65.tinypic.com/2usu7ew.jpg
>
> This doesn't seem to work or the files are truly gone because I can't seem to find them using this.
>
> Robert

OK, give Recuva Free a try.

Of the two, Recuva mentioned "deleted files", so perhaps it will try the undelete method first. Photorec on the other hand, scans every sector and is a signature based scanner (as near as I can determine). The best chance at recovery for a file as big as an MRIMG, is a "deleted files" method.

http://www.piriform.com/recuva
http://www.cgsecurity.org/wiki/PhotoRec

Paul
#364
O.T. - Connection Problem:
I tried Recuva with the same results:
http://i65.tinypic.com/2yki8ev.jpg
http://i66.tinypic.com/2d8qqt2.jpg
http://i65.tinypic.com/33e3ndw.jpg
http://i65.tinypic.com/33e3ndw.jpg
http://i64.tinypic.com/2ugkyvk.jpg
http://i66.tinypic.com/s59qps.jpg
http://i64.tinypic.com/2vsqnno.jpg
http://i66.tinypic.com/k9f8ci.jpg
http://i68.tinypic.com/dq5gme.jpg

Seems it's lost.

Robert
#365
O.T. - Connection Problem:
This is a massive amount of work I've lost... the only thing I can think of is to go to the next Mrimg 8-25-16 and see if I can retrieve some of it.

Please give me detailed step by step instructions on how to do this so I don't screw things up again. As already shown the undelete360 deleted all those other people's files and they lost everything like me.

So I would appreciate your assistance in trying to recover what I can. These programs aren't working.

Thanks,
Robert
#366
O.T. - Connection Problem:
Mark Twain wrote:
> This is a massive amount of work I've lost... the only thing I can think of is to go to the next Mrimg 8-25-16 and see if I can retrieve some of it.

If you mean mounting the MRIMG and copying some files from it, you only need to do one additional thing. Create a separate empty folder, away from your other stuff. And copy and paste the MRIMG files into that empty folder. That should prevent any kind of "merging calamity".

*Don't* copy and paste from MyDocuments to MyDocuments. Copy from MyDocuments into a separate WorkingFolder. Then move the files, one at a time, from WorkingFolder to where they belong.

> Please give me detailed step by step instructions on how to do this so I don't screw things up again. As already shown the undelete360 deleted all those other people's files and they lost everything like me.
>
> So I would appreciate your assistance in trying to recover what I can. These programs aren't working.
>
> Thanks,
> Robert

Well, we don't have any evidence exactly what happened to your files.

They can be unrecoverable, if enough additional writes are done to the destination partition. And that might account for the inability to find anything.

Or maybe undelete360 doesn't really work. I don't know what to tell you, in that regard.

I've done an undelete operation, under carefully controlled conditions, and got the file back. So you can make it work. But a lot of things can also go wrong. That's why the odds aren't always in your favor on things like this.

As another example, when I made a typing mistake while using Robocopy, I managed to delete around a gigabyte of files. I didn't even try "undelete". Why? Because I knew that enough writes to the disk happened after the accident, that recovery would be impossible. That's life as they say.

If you can stop writes to the volume instantly after an accident, it improves the odds of getting the stuff back. If you don't notice and the mischief goes on for some time, then your odds are reduced a lot of getting anything back.

You can try the Photorec link if you want. The second link of the two I gave. But it doesn't necessarily use all that good a method, or rather, the method is sensitive to disk fragmentation, and you're more likely to get half a file than a full file.

*******

Also, have you tried this one as a means to do UnDelete?

http://www.cgsecurity.org/wiki/TestD...e_file_for_FAT

Download TestDisk to the 780, and run it on the partition in question. And see what it shows for items that have the flag set.

You highlight the partition you want UnDelete information about, and it shows the things that can be recovered in red.

http://www.cgsecurity.org/mw/images/...t_undelete.png
http://www.cgsecurity.org/mw/images/...elect_file.png

Then, with a red file selected, you press the letter "c" to copy, then specify a different disk as a place to copy the file.

Paul
#367
O.T. - Connection Problem:
I tried TestDisk but can't seem to extract the file or don't know how.

Here is where my Mrimg files are located:
http://i63.tinypic.com/dooyus.jpg

Here are the Mrimgs:
http://i64.tinypic.com/2637low.jpg

Do you still wish me to move them?

Robert
#368
O.T. - Connection Problem:
One thing, I'm not supposed to be using the 8500? To even turn it on? I had been using it since it happened, since I didn't know, but haven't saved anything except on a key, so am I screwed?

Robert
#369
O.T. - Connection Problem:
Yes, I was talking about mounting an Mrimg ring and extracting the files I need. You say there's only one thing I need to do but I royally screwed this up with no directions and I don't want to repeat what I did.

This isn't as easy as you make it sound and I'm not a technical person. I've lost 10 years' worth of research and documentation because of this. So I would appreciate some guidance.

Robert
#370
O.T. - Connection Problem:
Mark Twain wrote:
> I tried TestDisk but can't seem to extract the file or don't know how.
>
> Here is where my Mrimg files are located:
> http://i63.tinypic.com/dooyus.jpg
>
> Here are the Mrimgs:
> http://i64.tinypic.com/2637low.jpg
>
> Do you still wish me to move them?
>
> Robert

The degree of safety, of any data move you might try, is a function of what kind of accident you plan on having :-)

It wouldn't cost you any file transfer time to move

F:\users\Rpbert\8500 Backup(Mrimg) Files

to

F:\8500 Backup(Mrimg) Files

by just dropping that folder right under F: itself.

But that only protects you, if you plan on copying "Rpbert" over top of "Rpbert" again.

Even if you were to create an empty folder in

F:\users\Rpbert\EmptyFolder

and drop the Macrium-recovered content into EmptyFolder, that would protect your other home directory contents.

*******

You can format practically any partition by accident. You can delete the MBR partition table with a little bit of effort (diskpart, "clean" command). So there are lots of ways to lose data that are independent of folder choices. Trickery won't help in those cases. And this is why I have absolutely no good options to offer for Ransomware. Disconnecting disks with valuable data on them, that's the only absolute protection you have against data loss. You cannot format a drive which is disconnected. If data is sitting at rest, on a running drive, just about anything could happen to it.

So the idea of moving the MRIMG files, is one of putting them in an "obscure corner" where you won't trample on them by accident. And it's only a slight improvement from a safety perspective.

If the OS had a working "immutable" bit, like Linux has, we wouldn't need to worry so much. On Linux, you can mark a file as undeletable, on purpose, to prevent **** from happening to it.

So this is what the Linux users have as an option. You use the chattr command, to turn off "i" later so the file or files can be deleted. It's a permission bit that says "please please don't delete this file" :-)

https://en.wikipedia.org/wiki/Chattr

"A file with the i attribute cannot be modified. It cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. When set, prevents, even the superuser, from erasing or changing the contents of the file."

You can emulate that behavior in Windows, but then all it takes is a clever program (Macrium) to undo it. If there was an explicit immutable bit, chances of survival might be a bit better. (The idea being, any utility that "sees" the immutable bit, should know better than to remove it using chattr behind the scenes. Every utility must use the correct logic, for the file to remain protected.)

Paul
#371
O.T. - Connection Problem:
Mark Twain wrote:
> One thing, I'm not supposed to be using the 8500? To even turn it on? I had been using it since it happened, since I didn't know, but haven't saved anything except on a key, so am I screwed?
>
> Robert

If you have a "delete accident" on a particular partition, you want to stop any further write operations to that partition. Until you can undelete the lost file(s).

If the partition was C: that lost files, then to stop using C: you'd move C: to another computer and over there, use it as a "data drive" only. Then, carry out the TestDisk $MFT search for deleted files.

If you have *another* boot drive to use in the 8500, of course you can use the 8500 with that.

And if the data loss occurred on a partition other than C:, you could control writes to that well enough, to not need any special handling procedures until the undelete is done.

So the objective is, to stop writing to the affected partition.

The OS is constantly fiddling around with the C: partition, so small writes will be done by the Search Indexer, by System Restore, various logs, the Event Viewer, and so on. And the way the file system works, is it enjoys chowing down on parts of the disk that were just freed up.

By making the drive not be the OS drive (using it as a data drive on another computer), that reduces the risk of doing writes. System Restore can do writes, but on Windows 7, the default policy is disks newly added to a system have System Restore turned off. WinXP on the other hand, was a bitch for this sort of stuff, because System Restore operation was enabled on everything, and you can't possibly race over to the interface for that fast enough on WinXP, to turn it off. Whereas Win7 has a bit more reasonable policy.

I'm just surprised the file names are not showing up in an undelete search.

The possible outcomes are:

1) File name visible for "undelete" and no clusters have been overwritten. This is an excellent candidate for recovery.

2) A more likely scenario is, the file name is visible for "undelete" (because the table entry in the $MFT has not been reused yet). But if the clusters have been overwritten by other write operations, then the file recovery status is "poor". You get half a file, or a file with holes punched in it. Since MRIMG files have integrity checks, if you run a Macrium "verify" on an MRIMG file, you can easily tell the backup is damaged.

3) If the File Name isn't visible (with "deleted" flag set), that only happens if the disk has been used for a substantial period of time, and all the old freed-up MFT table entries have been put to usage. Reusing table entries isn't "aggressive" enough to make the File Names disappear before TestDisk can spot them. Only a Secure Delete kind of software, is aggressive enough to remove everything. The file system does lazy reuse of facilities, with the clusters of data being the "most unlucky" part, whereas table entries in the $MFT, in my estimation, last a bit longer.

You can easily be teased with a (2) status, of finding the file name, flipping the single byte flag that undeletes it, but because the data clusters overlap with another file, the file contents are already damaged. And that's what happens if you don't stop cluster writes to the drive immediately. The more data you write, the more valuable clusters get overwritten. Losing all evidence of the old file names, that takes a while for it to disappear on its own.

If no utility is able to show the file names of the recently deleted items, then chances are poor that a Photorec type scavenger scan, will cough up a perfectly complete file.

*******

When doing forensic data recovery, you work in a room filled with "spare disks". And there is no limit to how many copies you can make of the source disk, to prevent accidents. I did not recommend any backup procedure in this case, because "undelete360", "recuva", "testdisk", "photorec" should not go trampling on the disk without user input. They all should be able to scan without hurting anything.

A proper procedure in a police lab, would be to make a "dd.exe" copy of the disk immediately, as it comes into the lab. And never work without "exact" backup copies.

Your Macrium tool, makes copies of the "living" data, but not copies of the "dead" data. To copy both living and dead data, that's a job for a sector-by-sector "dd.exe" copy. Macrium Reflect doesn't care about your recently-deleted files, so is *not* a good choice for forensic copying. When you want to preserve all the evidence, every last stinking sector, that's a job for "dd". And "dd" is available for Linux and Windows.

*******

You can use the 8500 with *any other* bootable hard drive if you want. It's the disk that had files deleted on it, you don't boot the C: with the missing files, until you've given up all hope of recovering them. If there are no file names to be seen, using any of the tools, then the files are effectively "gone".

I don't consider using scavenger tools to be all that practical (the ones that work without consulting the $MFT), because any large files are unlikely to be un-fragmented and available as one continuous read operation. I don't think a scavenger has any way of joining together pieces of files. Photorec is a kind of scavenger, but it doesn't have a pattern for matching MRIMG files. It's good for JPG files though.

Paul
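Added example, not part of the thread and not TestDisk's own code: a Python reader for the $MFT check described in post #371, which looks at each FILE record's in-use flag and $FILE_NAME attribute to list deleted entries whose names are still visible. The sample records and file names are constructed; 1024-byte records are assumed and update-sequence fixups are not applied.

```python
import struct

REC_SIZE = 1024                    # common NTFS FILE record size (assumed)
IN_USE, IS_DIR = 0x0001, 0x0002    # bits in the flags word at offset 0x16
FILE_NAME, END = 0x30, 0xFFFFFFFF  # attribute type codes

def make_record(name, flags):
    """Constructed sample data: a FILE record with one resident $FILE_NAME."""
    content = struct.pack("<7Q2I2B", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 1)
    content += name.encode("utf-16-le")
    padded = content + b"\0" * (-len(content) % 8)
    attr = struct.pack("<IIBBHHHIHH", FILE_NAME, 24 + len(padded), 0, 0, 0, 0, 0,
                       len(content), 24, 0) + padded
    head = struct.pack("<4sHHQHHHHIIQH", b"FILE", 48, 3, 0, 1, 1, 56, flags,
                       0, REC_SIZE, 0, 1)
    rec = head.ljust(56, b"\0") + attr + struct.pack("<I", END)
    return rec.ljust(REC_SIZE, b"\0")

def parse_record(rec):
    """Return name and flag state of one record, or None for an empty slot."""
    if rec[:4] != b"FILE":
        return None
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    name, off = None, attr_off
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if atype == FILE_NAME and rec[off + 8] == 0:   # resident attribute
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nchars = rec[body + 0x40]                  # length in UTF-16 units
            raw = rec[body + 0x42: body + 0x42 + 2 * nchars]
            name = raw.decode("utf-16-le", "replace")
        off += alen
    return {"name": name, "in_use": bool(flags & IN_USE),
            "is_dir": bool(flags & IS_DIR)}

def deleted_names(mft):
    """Names of file entries whose in-use bit is clear but whose name survives."""
    found = []
    for pos in range(0, len(mft) - REC_SIZE + 1, REC_SIZE):
        info = parse_record(mft[pos:pos + REC_SIZE])
        if info and not info["in_use"] and not info["is_dir"] and info["name"]:
            found.append(info["name"])
    return found

# Constructed four-slot $MFT: live file, deleted file, empty slot, live folder.
SAMPLE_MFT = (make_record("notes.txt", IN_USE) + make_record("backup.mrimg", 0)
              + bytes(REC_SIZE) + make_record("Documents", IN_USE | IS_DIR))

if __name__ == "__main__":
    print(deleted_names(SAMPLE_MFT))
```

A name that shows up here only means the table entry has not been reused; whether the file's clusters are still intact is a separate check.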
#372
O.T. - Connection Problem:
Mark Twain wrote:
> Yes, I was talking about mounting an Mrimg ring and extracting the files I need. You say there's only one thing I need to do but I royally screwed this up with no directions and I don't want to repeat what I did.
>
> This isn't as easy as you make it sound and I'm not a technical person. I've lost 10 years' worth of research and documentation because of this. So I would appreciate some guidance.
>
> Robert

Just make sure you copy the files into an *empty* folder. Don't try to copy over top of an existing structure.

*******

Maybe I'm going to have to simulate what you've done? I'm finding it hard to believe that undelete is not working.

*******

And you haven't lost 10 years' worth, if you still have your Aug.25, 2016 backup. You've lost a month's worth.

Paul
#373
O.T. - Connection Problem:
That's a lot of technical information !@!

Until I get them back, I've lost 10 years and right now I'm not confident we will because nothing is working.

So do you suggest I do a Macrium verify on the Mrimg in question?

So I should shut down the 8500 now and not use it?

I'm going to put in the spare HD on the 8500 but still am at a loss of what to do now to recover?

Robert
#374
O.T. - Connection Problem:
I put in the spare HD which we already booted for the first time previously. However it's not working (like everything else). This is what it says:

Windows Boot Manager

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem:

1. insert your Windows installation disc and restart your computer
2. choose your language settings and then click next
3. click 'repair your computer'

If you do not have this disk, contact your system administrator or computer manufacturer for assistance.

Status 0xc000000e

Info: The boot selection failed because a required device is inaccessible.

Great, I set all this up and bought all these HDs and it doesn't work when needed. A

Robert
#375
O.T. - Connection Problem:
So how do I verify a Mrimg? I went onto Macrium and all I see is clone and image.

Robert