If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Recovering lost JPEGs cont.
Refer to previous thread for background.
I manually searched for the headers in a hex editor on the disk and I FINALLY found some of the pics I have lost. Doing this by hand will take forever since I have NO metadata so have no idea what the size is. All this is in unallocated space so there is no MFT record or anything. Actually, I have MFT records of the lost folder and pics in my VM of the resized partition but it's all greek to me. I have no idea what to make out of the records, but any metadata would be useful, especially the physical sector/location of the file so I could instead search for the RARs my girlfriend sent them in, which I cannot do as easily as just search the disk manually. Anyway, why Photorec failed is beyond me. It can't be because it didn't recognize this particular EXIF of these JPEGs taken by her particular camera, no siree bob. It recovered pics that were taken with the same camera, only ones that I had backups of and briefly viewed. How convenient. It's like this piece of **** program is laughing at me. Is there any way to input a specific sector range for it to search on? I have the exact offset on my disk where one of the lost pics are located and I would love to see if any recovery program can do this automatically so I won't have to with my bare hands. Anyone suggest such a program? |
Ads |
#2
|
|||
|
|||
Recovering lost JPEGs cont.
Industrial One wrote:
Refer to previous thread for background. I manually searched for the headers in a hex editor on the disk and I FINALLY found some of the pics I have lost. Doing this by hand will take forever since I have NO metadata so have no idea what the size is. All this is in unallocated space so there is no MFT record or anything. Actually, I have MFT records of the lost folder and pics in my VM of the resized partition but it's all greek to me. I have no idea what to make out of the records, but any metadata would be useful, especially the physical sector/location of the file so I could instead search for the RARs my girlfriend sent them in, which I cannot do as easily as just search the disk manually. Anyway, why Photorec failed is beyond me. It can't be because it didn't recognize this particular EXIF of these JPEGs taken by her particular camera, no siree bob. It recovered pics that were taken with the same camera, only ones that I had backups of and briefly viewed. How convenient. It's like this piece of **** program is laughing at me. Is there any way to input a specific sector range for it to search on? I have the exact offset on my disk where one of the lost pics are located and I would love to see if any recovery program can do this automatically so I won't have to with my bare hands. Anyone suggest such a program? It's just possible, that a scrounger program, cannot deal with fragmented files. If the file is contiguous, and the scrounger recognizes the header, it tries grabbing as many clusters in a row as make sense. Does JPEG have enough consistency info, to determine it's all present ? Maybe Photorec rejects files that don't have the right length or something. Here is another program you can try. This one probably isn't as clever as Photorec, because it doesn't focus on image files. Perhaps, with your knowledge of metadata, when this program finds 100,000 files, all with fake names, you'll be able to locate the ones that are real, or ones you want. http://web.archive.org/web/201009161...rescue19d.html While it says support for NTFS is "incomplete", one poster in this group tried it out on his busted NTFS partition, and the recovery worked (substantial recovery). Give it a try. The program was originally given away for free, then a commercial company bought the source, and the author of the program closed up shop. But the free version still makes the rounds. I have no idea what commercial company bought it, or what name it eventually got. Maybe they bought the source, just to get rid of a freebee :-) Paul |
#3
|
|||
|
|||
Recovering lost JPEGs cont.
I haven't been following this thread, but want to ask you if you ever tried
one of the better (non-free) file recovery programs, like Easeus Data Recovery Wizard? I've used it before to recover some hard to recover files. If it works it would be infinitely easier than using a hex editor to do this. (you'd probably want to install in on another partition, or run a portable version if available) Industrial One wrote: Refer to previous thread for background. I manually searched for the headers in a hex editor on the disk and I FINALLY found some of the pics I have lost. Doing this by hand will take forever since I have NO metadata so have no idea what the size is. All this is in unallocated space so there is no MFT record or anything. Actually, I have MFT records of the lost folder and pics in my VM of the resized partition but it's all greek to me. I have no idea what to make out of the records, but any metadata would be useful, especially the physical sector/location of the file so I could instead search for the RARs my girlfriend sent them in, which I cannot do as easily as just search the disk manually. Anyway, why Photorec failed is beyond me. It can't be because it didn't recognize this particular EXIF of these JPEGs taken by her particular camera, no siree bob. It recovered pics that were taken with the same camera, only ones that I had backups of and briefly viewed. How convenient. It's like this piece of **** program is laughing at me. Is there any way to input a specific sector range for it to search on? I have the exact offset on my disk where one of the lost pics are located and I would love to see if any recovery program can do this automatically so I won't have to with my bare hands. Anyone suggest such a program? |
#4
|
|||
|
|||
Recovering lost JPEGs cont.
On Tuesday, September 11, 2012 2:48:27 AM UTC, Paul wrote:
a row as make sense. Does JPEG have enough consistency info, to determine it's all present ? Maybe Photorec rejects files that don't have the right length or something. The files are contiguous and the first dozen in a row that I recovered by hand (I selected 2MB after the JFIF header since I dont know the size) were perfect quality without anything missing, so I'll assume the length is correct. It's really aweosome photorec recovered everything except what I needed. Someone's screwing with me out there, I have trojans as we speak and my network monitor showed unsolicited upstream and downstream activity, someone's using me to send spam or DDOS sites. I've removed the culprit temporarily so please don't derail the thread about THAT issue. Bill in Co, EaseUS made some great products, but I tried the file recovery wizard right now and it doesn't give me the option to search unallocated space, only partitions, to search the whole disk says would take 16 hours, which is how long I had to wait for iolo and photorec to both do which proved a waste of time, so I don't feel like trying now. Is there any tool that will let me input a sector range so I can stop wasting ridiculous amounts of time like this searching an entire 2TB disk for nothing? Here is another program you can try. This one probably isn't as clever as Photorec, because it doesn't focus on image files. Perhaps, with your knowledge of metadata, when this program finds 100,000 files, all with fake names, you'll be able to locate the ones that are real, or ones you want. http://web.archive.org/web/201009161...rescue19d.html While it says support for NTFS is "incomplete", one poster in this group tried it out on his busted NTFS partition, and the recovery worked (substantial recovery). Give it a try. The program was originally given away for free, then a commercial company bought the source, and the author of the program closed up shop. But the free version still makes the rounds. I have no idea what commercial company bought it, or what name it eventually got. Maybe they bought the source, just to get rid of a freebee :-) Paul |
#5
|
|||
|
|||
Recovering lost JPEGs cont.
Industrial One wrote:
Is there any tool that will let me input a sector range so I can stop wasting ridiculous amounts of time like this searching an entire 2TB disk for nothing? You want "Keep corrupted files". Details here. http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step The reason for that would be... http://www.cgsecurity.org/wiki/Photo...PhotoRec_works "If, however, the recovered file ends up being smaller than its header specifies, it is discarded." Perhaps "Keep corrupted files" will snag more of them. ******* The source for the program is available as well, if the instructions aren't enough. http://www.cgsecurity.org/testdisk-6.13.tar.bz2 You can open the file with 7-ZIP. Navigate into the src directory. Photorec.c will "read correctly" in Wordpad. If you immediately save the file from Wordpad, it will correct the line endings, and then Notepad can read it properly as well. testdisk-6.13.tar.bz2\testdisk-6.13.tar\testdisk-6.13\src\photorec.c In 7-ZIP, you use the "open inside", when you get to the "tar" level. I don't think you'll need to read source, but it's readily available. Paul |
#6
|
|||
|
|||
Recovering lost JPEGs cont.
I finally recovered the folder with EaseUS data wizard, by selecting that second option to recover files from deleted partitions. It said it would take 16 hours but it only took about 5.
All the filenames and other metadata are intact and since it was only a 200MB folder, the operation was a freebie. Sweet! Now that it's recovered and I've made backups, I wanna put this folder on a very short leash. Whatever caused it to disappear without a trace (I was lucky to still have even the deleted unallocated partition copy which contained remnants of the files) I wanna set a trap for. Is there such a monitoring program? At the least, I want to be informed the next time it disappears so I can take a system snapshot of all running processes. For now I'm marking the folder read-only. Oh and Paul, I did have "keep corrupted files" enabled, I didnt have brute force enabled for searching though. No idea whats wrong with photorec but EaseUS totally put iolo to shame. I remember how awesome iolo Search & Recover was, it felt good spending $70 on something that was actually worth the money, and now it fails miserably... as if JPEG, a compression format as old as I am is some alien format it suddenly doesnt recognize. Shameful. Thanks Bill in Co, you really have saved my ass. Those photos have unbelievable sentimental value that I wouldnt have predicted they would've had in 3 years time. Thank you. And to whoever's botnet I ended up on, turn on your keylogging: drink bleach and die ****tard. I admire how your worm pings a bandwidth test and only uses half your victim's bandwidth to carry out your puerile spam attacks against all your Facebook girlfriends that dumped your dorky ass. You arent clever enough to get this former botmaster to play your faggy little game, kid. I will find you. |
#7
|
|||
|
|||
Recovering lost JPEGs cont.
Industrial One wrote:
I finally recovered the folder with EaseUS data wizard, by selecting that second option to recover files from deleted partitions. It said it would take 16 hours but it only took about 5. All the filenames and other metadata are intact and since it was only a 200MB folder, the operation was a freebie. Sweet! Now that it's recovered and I've made backups, I wanna put this folder on a very short leash. Whatever caused it to disappear without a trace (I was lucky to still have even the deleted unallocated partition copy which contained remnants of the files) I wanna set a trap for. Is there such a monitoring program? At the least, I want to be informed the next time it disappears so I can take a system snapshot of all running processes. For now I'm marking the folder read-only. Oh and Paul, I did have "keep corrupted files" enabled, I didnt have brute force enabled for searching though. No idea whats wrong with photorec but EaseUS totally put iolo to shame. I remember how awesome iolo Search & Recover was, it felt good spending $70 on something that was actually worth the money, and now it fails miserably... as if JPEG, a compression format as old as I am is some alien format it suddenly doesnt recognize. Shameful. Thanks Bill in Co, you really have saved my ass. Those photos have unbelievable sentimental value that I wouldnt have predicted they would've had in 3 years time. Thank you. And to whoever's botnet I ended up on, turn on your keylogging: drink bleach and die ****tard. I admire how your worm pings a bandwidth test and only uses half your victim's bandwidth to carry out your puerile spam attacks against all your Facebook girlfriends that dumped your dorky ass. You arent clever enough to get this former botmaster to play your faggy little game, kid. I will find you. Could you keep the JPG files on a "virtual CD" ? I looked for USB flash drives with a write protect switch, which would be one way to provide a layer of protection against vandalism. When it comes to protection against malware alteration, one approach is to checksum files. That retroactively tells a person, that a file has been changed. But wouldn't react when you want it to (right away). The Sysinternals Process Monitor program, can detect file read and write operations. I don't know if deleting or unlinking is in the set of commands it would log. And then, it has no interface for alerting you that shenanigans are afoot. But at least that program demonstrates the same kinds of hooks, as AV software use. (Hook the file system, to tell when scanning of a file might be needed.) So the best I can suggest, is a read-only or pseudo-read-only (obscure) storage method. If you made an ISO9660 of the JPEG folder, and mounted the resulting .iso file with virtual CD software, that might be a way to provide a measure of protection. The malware would think the files were truly read only (hardware restricted). As long as the miscreant doesn't read this message and figure it out :-) SCSI drives have honest-to-goodness hardware write protect jumpers on them, and you can fit a switch with two wires and a connector on the end, to the jumper position. Write protecting C: isn't a good idea, but if you put your personal data on a SCSI drive (separate partition), you could flip that switch to prevent *anything* from modifying the files. I stopped using SCSI years ago (last drives I bought were 9GB), but some of those jumper options on the drive, really come in handy. IDE or SATA, don't have nearly as many options. You need a SCSI controller card to use such a drive. Prices range from $50 to $300 or more for a simple card, with the $50 cards showing up when one of the SCSI controller card companies is in distress. I think I got a 2906 based card for $50 once. I don't have any really good cards (highest transfer rate). The best one I've got, might be 40MB/sec or 80MB/sec. And I think my SCSI hard drives, don't go over 40MB/sec anyway. The worst kind of SCSI, is async SCSI, and the transfer rate there, is on the order of 5MB/sec. That's the kind of interface my scanner uses (an old SCSI-based scanner). That's one of the reasons I still keep a SCSI controller card within reach. And that's what the 2906 is good for. It would be much cheaper to get a USB flash with a write protect switch, but what are the odds you can still buy one of those. USB flash, at least the ones I can buy locally, are pathetic. Many of them, only write at around 4MB/sec. They're not even worth using as "door stops". Using re-writable optical disks would be a way to host the files, but then, a miscreant could write to the disc if they were clever. A hardware device with a real write protect switch, is a better solution. You detect shenanigans, when the non-write-protected drives are damaged, while your read-only drive stays safe. So a trashed "C:", is how you detect your friend is back... And the files stay safe on the read-only SCSI. Paul |
#8
|
|||
|
|||
Recovering lost JPEGs cont.
On Fri, 14 Sep 2012 23:18:03 -0400, Paul wrote:
Industrial One wrote: I finally recovered the folder with EaseUS data wizard, by selecting that second option to recover files from deleted partitions. It said it would take 16 hours but it only took about 5. All the filenames and other metadata are intact and since it was only a 200MB folder, the operation was a freebie. Sweet! Now that it's recovered and I've made backups, I wanna put this folder on a very short leash. Whatever caused it to disappear without a trace (I was lucky to still have even the deleted unallocated partition copy which contained remnants of the files) I wanna set a trap for. Is there such a monitoring program? At the least, I want to be informed the next time it disappears so I can take a system snapshot of all running processes. For now I'm marking the folder read-only. Oh and Paul, I did have "keep corrupted files" enabled, I didnt have brute force enabled for searching though. No idea whats wrong with photorec but EaseUS totally put iolo to shame. I remember how awesome iolo Search & Recover was, it felt good spending $70 on something that was actually worth the money, and now it fails miserably... as if JPEG, a compression format as old as I am is some alien format it suddenly doesnt recognize. Shameful. Thanks Bill in Co, you really have saved my ass. Those photos have unbelievable sentimental value that I wouldnt have predicted they would've had in 3 years time. Thank you. Could you keep the JPG files on a "virtual CD" ? When it comes to protection against malware alteration, one approach is to checksum files. That retroactively tells a person, that a file has been changed. But wouldn't react when you want it to (right away). So the best I can suggest, is a read-only or pseudo-read-only (obscure) storage method. If you made an ISO9660 of the JPEG folder, and mounted the resulting .iso file with virtual CD software, that might be a way to provide a measure of protection. The malware would think the files were truly read only (hardware restricted). As long as the miscreant doesn't read this message and figure it out :-) If the malware is specifically targeting jpg files, you might put them into a zip or rar archive, optionally password-protected. Create enough parity files (QuickPar) so that you can repair or restore damaged or missing archive parts. Required tools: 7Zip or Winrar QuickPar http://www.quickpar.org.uk/ |
Thread Tools | |
Display Modes | |
|
|