| Author | Message | ||
     Pok Ng Username: pok Registered: N/A |
I am trying to recover 22 outlook pst files which were deleted along with the 4 level of directories above them. To make the problem complicate, these 22 pst files got 0 byte sized before they were deleted(suspect problem with outlook). I was able to use WinHex to find all the starting sectors of these 22 files(singature is !BDN). The challenage is how can I make these 22 files to point to their 1st sector using WinHex on the drive? | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
For that you would need to understand the data structures of the file system (either FAT or NTFS). Especially for NTFS it's likely not worth the effort in this situation. Once you have found the start sectors, you could rather use WinHex to carve the files manually (select the data as a block in the sectors, hope the files were not fragmented, and use Edit | Copy into new file). | ||
| Pok Ng Username: pok Registered: N/A |
The pst files are huge. I am sure they are all over the place. The file system is NTFS. Any suggestion where I can get some reading material on the data structures of NTFS. | ||
| Jimmy Weg Username: jw Registered: 7-2006 |
If you have the time, I suggest you consider Stefan's File Systems Ravealed training course. Using XWF while exploring the file systems provides an insight that is left behind in typical classroom settings or PowerPoint programs, and I've sat through my share. For example, the hands on approach to breaking down an MFT record using XWF, complete with color coding, makes the strucures jump out, moreso than text book depictions, even in the best of references, e.g., Brian Carrier's superb work. Granted, this may not be an option in your case, and even the training may not help you recover the PSTs. Your challenge is rather daunting. However, as you asked about resources, I thought I'd share my experience, having recently attended the program. | ||
| Terry Greenwood Username: greenwood Registered: 3-2006 |
As you suggest, with several large pst files, fragmentation is likely to be quite bad. In this situation, carving out chunks will only ever result in partial recovery. I would suggest you look for some recovery software which attempts to recover the cluster chain information from the Master File Table or its mirror version in the logical centre of the disk. To give you an idea of what to look for, have a look at www.ntfs.com where there is some useful information on NTFS structures. Good Luck | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
> I would suggest you look for some recovery software which > attempts to recover the cluster chain information from > the Master File Table WinHex does exactly this, so I wouldn't suggest to look elsewhere. > or its mirror version The MFT table mirror does not contain copies of the FILE records of ordinary files, so looking there is a waste of time. Anyway, since the files have been truncated at 0 bytes, that means the data runs have most likely been discarded from the FILE records already. They may still be visible in the slack portion of the FILE records. Or you may be able to find earlier states of these FILE records with data runs in the log file. I have removed the posting that advertised the Indian PST file recovery software. | ||
| hyfyin Username: hyfyin Registered: N/A |
I am trying to recover 4 outlook pst files which were deleted along with the 3 level of directories above them. To make the problem complicate, these 4 pst files got 0 byte sized before they were deleted(suspect problem with outlook as it was trying to recover and outlook was hangup). i have tried many utilities to recover but the pst files are with .tmp extension and some with 0kb. please help, if someone has recovered data from this situation. thanks hyfyin | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
In WinHex/X-Ways Forensics I would try Tools | Disk Tools | File Recovery by Type or Specialist | Refine Volume Snapshot | [x] File header signature search and select the Outlook PST file type. | ||
| Paul Nader Username: naderp Registered: N/A |
I am trying to recover 1 outlook pst file which I accidentally deleted from an NTFS HDD containing data only. No writes were done on the drive since the accident. Winhex finds the file but it is 0 bytes long and says it is deleted and the icon is marked with a red cross. When I select the file a popup says: Possibly unable to determine the location of the file or directory "Outlook.pst" on the volume. Possibly unable to determine the location of the file or directory "the file defined in sector 6327764" on the volume. The file was over 4GB when it was deleted. I searched the drive for the outlook .pst file header signature (2142444E3F3F3F3F534D where 3F is the wildcard) and found it in only one location on the 144GB HDD in question. The data seems to be the start of the deleted file because it starts at a sector boundary (18EF070000). I was wondering if someone could help me figure out how I could recover the file. Can I modify the MFT record to have it point to the data block I found and then try and recover it to another disk/partition? Is that possible? Any help greatly appreciated... |