Anyone work in data forensics?

[DHR]

Age old story, mate, not backup etc. lost family pictures from a single USB disk yadda yadda *facepalm*

Effectively drop box has been syncing down and overwriting files, he's out of lucky from paying for professional recovery and I suspect the data has gone either way.

I've offered to at least take a bit for bit forensic copy of the drive and have a poke around on the copy?

Anyone done this recently either as an amateur or pro?

 

[pc-guy]

Is it solid state drive or mechanical drive?

I had used data recovery years before. It is paid by the amount of data. I lost my entire photo video archive to a raid failure. Managed to get back 80% of the data.

my drive was mechanical so it wasn’t very difficult I believed.

I think with solid state they may have to replace components on the board etc to get it read again.

 

[UnworthyBean]

If the drive is still working then it's a lot easier to at least give it a go. The likes of Recuva are usually pretty good at recovering stuff so you may as well give it a go. To be honest I think most companies can't offer much more as they normally specialise in hardware or actual failures of drives.

I think the main questions are:
- How big is the disk?
- How much data is there to recover?
- How long ago since it was overwritten?

 

[DHR]

Thanks both, it's a 1tb, unknown amount of data to recover ATM, overwritten a couple of days ago but not used since

 

[Rroff]

Solid state is generally well beyond amateur data recovery.

If mechanical and it hasn't been messed with too much you should be able to pull something - Recuva has usually worked for me.

 

[DHR]

Sorry missed the main question, it's a trad hdd

Solid state is generally well beyond amateur data recovery.

Out of interest and complete ignorance I assume it's down to the manner in which space is reused on ssds?

 

[pc-guy]

Sorry missed the main question, it's a trad hdd



Out of interest and complete ignorance I assume it's down to the manner in which space is reused on ssds?

Not quite. Data recovery software doesn’t work well with solid state data retrieval. The data on the solid state is unlikely to have been overwritten, just new data written to another sector.

where with HDD the data could have been overwrite. But the information can be very easily retrieved. As previously mentioned, try some data recovery softwares first.

 

[Confused Stu]

PhotoRec is a good free tool for recovering pictures and other files that are deleted but not overwritten.

https://www.cgsecurity.org/wiki/PhotoRec

 

[Donnie Fisher]

+1 for photorec ... takes a long time, but recovered an absolute ton of photos I had lost in a similar manner. IIRC it doesn't necessary recover the full filenames all the time, but it saved my bacon once (imagine realising youd lost a friends wedding photos type thing ! )

 

[Confused Stu]

+1 for photorec ... takes a long time, but recovered an absolute ton of photos I had lost in a similar manner. IIRC it doesn't necessary recover the full filenames all the time, but it saved my bacon once (imagine realising youd lost a friends wedding photos type thing ! )

You're right - it doesn't recover filenames or folder structure, but for carving files from unallocated it's very good.

 

[DHR]

Keep the suggestions coming, all possibilities.

 

[pc-guy]

Most free even some paid softwares will not be able to recover folder structures. I can’t remember the one I used for my own DIY recovery a few years ago, that software created folders but the folders weren’t named as per original naming m. They were some sort of hex code. Also on a HDD the same sector you can have multiple imprints of files written to that sector before. So that software created root director based on that and subsequent sub directors. Come to think of it, the folders were probably named as sector address.

but you should t be too concerned about folder structures as long as files are recovered. To a large extent if the software dumps all the files into a single directory, it is better that way so you can see all the files in one place and sort them out yourself.

with software recovery, you will never ever get your data back in the form that it was represented in the original drive. The file record of the drive is usually corrupted or damaged which is the reason why you can’t read the files in the first place.

 

[Donnie Fisher]

Another thing with photo rec is I found it best to use a completely separate sister drive to write the found files to. That way you don't overwrite anything in the source drive.

 

[APM]

I used one named BitRecover if I remember correctly,worked very well for a small cost.

 

[Paul_RD]

I have had good results with Ontrack EasyRecovery.
It's a bit old now but it may work for you.