Jump to content

Data recovery - do I have any chance?


Recommended Posts

With all due respect, the problem is Murphy's Law!

All your tests will always work OK, ever: they should, since they're not mission-critical and you have nothing to loose.

Now, this does *not* mean it's safe to use unattended procedures with unbacked-up precious content present in the machine, because then things become mission-critical and you've got *a lot* to loose, and this means things will go wrong at this point: that is what Murphy's Law is all about. Sorry!

You should have at least opened the box and physically disconnected the HDD where you had unbacked-up precious data, before proceeding unattended. Or created a pair of full, known-good, off-line backups, which would be the best course to take. Sorry, my intention is not at all to lecture on you, just to get the matter in the right light (or focus, or whatever such metaphor you like most).

Link to comment
Share on other sites


The data disk was repartitioned by the setup, which is obviously enough to kiss anything on it good bye

NO, it isn't. :realmad:

Heck!! I am trying to reduce the chance of misunderstandings.

  1. Re-partitioning a disk changes (at the most) 4*16=48 bytes in the MBR and, if Extended Partition volumes are used a bunch of other sectors. <- in practice EVERYTHING CAN be recovered if only primaries are created and ALMOST EVERYHING if also logical volumes were created
  2. Re-formatting a pre-existing partition (with the same filesystem it was there before) under MS OS up to XP (or in later OS with the /Q switch or "quick" mode) overwrites the filesystems structure <- EVERYTHING that was not fragmeneted CAN be recovered - possibly losing the original filename
  3. Re-formatting a pre-existing partition (with a different filesystem) under MS OS up to XP (or in later OS with the /Q switch or "quick" mode) overwrites OTHER parts of the filesystem structure <- in most cases almost EVERYTHING can be recovered, often including fragmented files and their names
  4. Formatting a new partition made at different addresses than the pre-existing one under MS OS up to XP (or in later OS with the /Q switch or "quick" mode) overwrites other areas <- results will differ on a case per case basis, but in many cases a large number of files can be recovered
  5. If a disk has been wiped, NOTHING can be recovered.
  6. If a partition or volume (newly made or pre-existing) has been formatted on Vista :ph34r: or later OS without the /q switch, the area occupied by the partition of volume will be wiped and NOTHING can be recovered from it

Fully Unattended is (of course IMHO) overall a "foolish" approach (because of Murphy's Law) in each and every case, EXCEPTION made for "bare metal" deployment.

Please note how OP never explicitly stated WHICH windows OS was used, though in his profile there is "Windows 7 x64".

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Well, then explain why I couldn't recover jack sh... even though only like first 10 GB were overwritten (the bloody system WAS installed on wrong disk like I said before), I couldn't even see a single trace of any of the huge movie files.

Fully unattended setup is great... as long as you have only one physical disk in the PC :P

Link to comment
Share on other sites

Well, then explain why I couldn't recover jack sh... even though only like first 10 GB were overwritten (the bloody system WAS installed on wrong disk like I said before), I couldn't even see a single trace of any of the huge movie files.

If you ONLY repartitioned, you didn't write "only" 10 Gb.

If the subsequent format and/or install overwrote 10 Gb then you have lost the first 10 Gb, including, most likely the $MFT (I presume it was a NTFS partition).

ANY non fragmented file residing physically beyond the overwritten area can be recovered, often losing it's original filename.

The fact that you were not able to recover anything means NOT that anything wasn't recoverable, it simply means that you were not able to recover anything.

And without any meaningful detail (the ones you completely failed to provide) and EXACT sequence of the steps you performed, even if I wanted to find an explanation, I would not be able to.

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Which meaningful details I completely failed to provide, pretty please?

If you don't want to find an explanation (I am not even asking anyone to do so anyway) why do you bother posting here?

You know, you are kind of ridiculing me here for not being exactly precise with describing stuff, but you didn't even pay attention to what I wrote in the first place. I might had not said 10 (20, 500, 2323)GB were owerwritten, but I specifically mentioned different (wrong) disk was used for the installation.

Anyway, when a mod comes around, this could be locked down because nothing meaningful could be added to the subject. Thanks.

Link to comment
Share on other sites

Try not to be too offended. Most of those types of statements from jaclaz are usually meant to either get you thinking of what important details you might have forgotten, or as an example to other readers of the type of questions and info that are required to get the best answer the quickest. It might help if you were to provide the exact statements in your unattended that have anything to do with partitioning, formatting and installing the OS so that we can get a even better idea where to go from here, if anywhere. Also I think jaclaz mentioned being curious which OS exactly was installed - Win7 x64 we assume? What all have you tried to recover the data off the disc? I think you said you were not able to find anything, right? Are you using the newly installed OS on the disc, or did you go ahead and install onto the "right" disc and you're using that?

Cheers and Regards

Link to comment
Share on other sites

Allright, I am fairly short-tempered and I just didn't like his tone, it reminded me too much of lots of people on the internets who like to outsmart others and make them look like idiots. That doesn't necessarily make it true though, does it...

90% of the disk was filled with 5-20GB movie files of which I could not find a single trace. There was also some music there, but I could find traces of those files, although reported sizes were only in kB.

Yes system is Win7 x64 as stated in my "profile".

What actually happened was wrong disk was chosen by the setup, OS installed on it, but after that the correct one was used for boot (at least in the very final stage). Basically after I booted into Windows and realized what happened, nothing was written onto it (by me at least, not sure how much does OS write in the background, but probably very little if anything)

I use (and been using for years) File Scavenger for recovery purposes, long scan, both ran on the partitions and disk as a whole.

            <DiskConfiguration>
<Disk wcm:action="add">
<DiskID>0</DiskID>
<WillWipeDisk>true</WillWipeDisk>
<CreatePartitions>
<CreatePartition wcm:action="add">
<Order>1</Order>
<Type>Primary</Type>
<Size>100</Size>
</CreatePartition>
<CreatePartition wcm:action="add">
<Order>2</Order>
<Type>Primary</Type>
<Size>51200</Size>
</CreatePartition>
<CreatePartition wcm:action="add">
<Order>3</Order>
<Type>Primary</Type>
<Extend>true</Extend>
</CreatePartition>
</CreatePartitions>
<ModifyPartitions>
<ModifyPartition wcm:action="add">
<Order>1</Order>
<PartitionID>1</PartitionID>
<Active>true</Active>
<Format>NTFS</Format>
<Label>Boot</Label>
</ModifyPartition>
<ModifyPartition wcm:action="add">
<Order>2</Order>
<PartitionID>2</PartitionID>
<Format>NTFS</Format>
<Letter>C</Letter>
<Label>SYSTEM</Label>
</ModifyPartition>
<ModifyPartition wcm:action="add">
<Order>3</Order>
<PartitionID>3</PartitionID>
<Format>NTFS</Format>
<Letter>F</Letter>
<Label>PROGRAMY</Label>
</ModifyPartition>
</ModifyPartitions>
</Disk>
</DiskConfiguration>
<ImageInstall>
<OSImage>
<InstallFrom>
<MetaData wcm:action="add">
<Key>/IMAGE/INDEX</Key>
<Value>1</Value>
</MetaData>
</InstallFrom>
<InstallTo>
<DiskID>0</DiskID>
<PartitionID>2</PartitionID>
</InstallTo>
</OSImage>
</ImageInstall>

Link to comment
Share on other sites

I'll try to expand. :)

I know that you know what you did and what happened, but you failed to describe it with enough accuracy/details, and/or provided conflicting reports.

Initially you talked of having wiped the disk. (the disk is "the whole thing" from sector LBA 0 up to the last sector accessible on the media).

Then you talked of re-partitioning (and implicitly formatting the new partition(s)) and "installing".

Then of having lost 1TB of data. (which possibly means that the drive was actually a 1 Tb in size one and was filled "up to the brim").

Still you did not provide EXACT details on how it was partitioned before and after the accident.

If you actually wiped the disk, NOTHING can be recovered. <- each and every sector of the disk is filled with zeroes

If you actually repartitioned the disk and formatted each partition/volume without the /q switch under the (presumed) Windows7 OS, NOTHING can be recovered. <- each and every sector of each partition/volume is filled with zeroes (the ones that are not are filled with the filesystem structure data)

Then you talked of having written 10 Gb (which obviously only overwrites 10 Gb or a little more than that).

IF the "format" command in your unattended setup behaves like the "full format" you have lost EVERYTHING.

IF as I suspect, it does instead a "quick" one, there may be chances.

To completely wipe (or "format full") a 1 Tb hard disk takes A LOT of time (hours), if it took you minutes to do the install it is not possible that you have wiped the whole 1 Tb.

NON FRAGMENTED files that have NOT been overwritten may still be recoverable.

It is UNcommon that very large files like the one you described are non-fragmented, though :(.

File Scavenger is an exceptionally good tool :thumbup , but it is not the only one and not necessarily the "right" one to attempt recovering those files.

As an example, if I had that accident happen to me :w00t: I would try defraser:

http://sourceforge.net/projects/defraser/

http://computer-forensics.sans.org/blog/2009/05/13/automated-recovery-of-multimedia-from-unallocated-space/

jaclaz

Link to comment
Share on other sites

myself, it used wrong disk, but partitioning went as it should.

jac, I defragmented the disk just couple days before. So in theory you are absolutely right. But reality check had different opinion :P

At least I have lots of free space on the data disk now, lol.

Link to comment
Share on other sites

myself, it used wrong disk, but partitioning went as it should.

Which again tells nothing.

I won' t insist on asking exact details :no: since you are evidently not in the right mood to provide them, after all it's you that have lost the files and posted here for help, literally:

Data recovery - do I have any chance?

On the record it is now noted how I did try to provide some help :yes: .

Too bad I lost my time, admittedly not very precious, but still.... :(

demotivational-posters-disappointed-eagle.jpg

bye.gif

jaclaz

Link to comment
Share on other sites

myself, it used wrong disk, but partitioning went as it should.

Which again tells nothing.

It might help to occasionally describe the specific info you would like to get, rather than just point out the general failures of info you didn't get. :) Some people learn better from examples rather than trying to guess what you are looking for. Just sayin'...

Cheers and Regards

Edited by bphlpt
Link to comment
Share on other sites

I'll try to expand. :)

I know that you know what you did and what happened, but you failed to describe it with enough accuracy/details, and/or provided conflicting reports.

Initially you talked of having wiped the disk. (the disk is "the whole thing" from sector LBA 0 up to the last sector accessible on the media).

Then you talked of re-partitioning (and implicitly formatting the new partition(s)) and "installing".

Then of having lost 1TB of data. (which possibly means that the drive was actually a 1 Tb in size one and was filled "up to the brim").

Still you did not provide EXACT details on how it was partitioned before and after the accident.

If you actually wiped the disk, NOTHING can be recovered. <- each and every sector of the disk is filled with zeroes

If you actually repartitioned the disk and formatted each partition/volume without the /q switch under the (presumed) Windows7 OS, NOTHING can be recovered. <- each and every sector of each partition/volume is filled with zeroes (the ones that are not are filled with the filesystem structure data)

Then you talked of having written 10 Gb (which obviously only overwrites 10 Gb or a little more than that).

IF the "format" command in your unattended setup behaves like the "full format" you have lost EVERYTHING.

IF as I suspect, it does instead a "quick" one, there may be chances.

To completely wipe (or "format full") a 1 Tb hard disk takes A LOT of time (hours), if it took you minutes to do the install it is not possible that you have wiped the whole 1 Tb.

NON FRAGMENTED files that have NOT been overwritten may still be recoverable.

It is UNcommon that very large files like the one you described are non-fragmented, though :(.

File Scavenger is an exceptionally good tool :thumbup , but it is not the only one and not necessarily the "right" one to attempt recovering those files.

As an example, if I had that accident happen to me :w00t: I would try defraser:

http://sourceforge.net/projects/defraser/

http://computer-forensics.sans.org/blog/2009/05/13/automated-recovery-of-multimedia-from-unallocated-space/

jaclaz

The only point that I got out of that post that the OP had not addressed in his previous post to this (#23) was the implied question of the exact size of the disk and how it had been previously partitioned prior to the mishap. Did I miss something?

I agree with jaclaz that even though the unattended file specifies that "<WillWipeDisk>true</WillWipeDisk>", and I didn't see a /q option specified for any of the partition format statements, if the OP was able to find any info at all during his recovery efforts, then there must not have been a "wipe" executed and the format must have been a quick one:

[...] as I suspect, it does instead a "quick" one, [...]

So there might be a small chance to recover more of the OP's data.

Cheers and Regards

Edited by bphlpt
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...