file-recovery

 

Chapter 8 – Recover Files

 

W tym rozdziale

Chapter 8 – Recover Files

8.1         Quick Start – Recover Files

8.2         When to use a Recover Files search

8.3         Before YOU BEGIN

8.4         Running a Recover Files search

8.4.1       Search for Deleted Files

8.4.2       Search for deleted files, then search for selected “Lost File” types

8.5         Recover Files Search Results

 

 


8.1      Quick Start – Recover Files

 


8.2      When to use a Recover Files search

A "Recover Files" search is best used when:

·         individual files have been deleted and emptied from the Windows Recycle Bin;

·         files have been deleted and bypassed the Windows Recycle Bin;

·         files have been deleted by a virus, Trojan or worm;

·         a file of the same name has saved over another important file;

·         Files have been lost by some other unknown cause.

8.3      Before YOU BEGIN

Minimize Drive Use

Deleted files will remain on a computer up until such time as they are overwritten by new data. For this reason you should minimize the use of the drive on which the files were lost until such time as you have had the opportunity finish your data recovery.

Recovering Data from a C: Drive

Your C: drive is the most vulnerable to new data simply because it is where Windows is running. If practical you may consider connecting the drive to another PC as a secondary and then using that computer to run the search. In critical situation, you may also consider taking a drive image (a sector by sector copy of the entire drive) and working on the image rather than the original drive. For more information see Chapter 15 – Drive Imaging.

Many users may not have the available resources to move the hard drive to another computer. Recover My Files is a relatively small program (less than 20mb), so whilst installing on the problem drive is not ideal, it is a limited risk.

Review your PC power settings

When running a Recover Files search it can be advantageous to boost your PC power settings so that problems are not encountered with drives powering down during the recovery or the save process. See Chapter 7 for more information.

8.4      Running a Recover Files search

To run a Recover Files search:

1.       Run Recover My Files. In the wizard, lick the "Recover Files" icon (if the Wizard screen is not open, click the Start icon in the toolbar) and click the Next button:

2.       In the drive selection window highlight the drive letter from which the files are missing and click Next.

Description: Description: alert, attention, compile, exclamation icon Drive not listed: See 11.1 - Troubleshooting drive selection.
Description: Description: alert, attention, compile, exclamation icon Working with image files: See 14.3 - Recovering data from an image file.

Figure 48, Drive selection screen

Description: C:\Users\GRAHAM~1.GRA\AppData\Local\Temp\SNAGHTML2b6161.PNG

The Device Selection window includes the following information:

Label: Physical drives are listed with their Windows device number.
Logical drives display the drive label (if no label is present then "{no label}" is used).

Size:    The size column contains the size of the physical or logical device. Note that the actual size of the drive is usually smaller than what the drive is labeled. Drive manufactures usually round up the drive capacity, so a 453.99 GB drive in this screen may be sold as 500GB.

FS:       The File-system on the drive, e.g. FAT, NTFS or HFS;

Type:      Describes the way in which the drive is connected to the computer.

 

3.       Select the File Recovery options:

Figure 49, Search for deleted files

Description: C:\Users\GRAHAM~1.GRA\AppData\Local\Temp\SNAGHTMLba58bd.PNG

8.4.1      Search for Deleted Files

Each file on a Windows computer has a record in the file-system index (e.g. the FAT or MFT). When a file is deleted, the record is updated with a deleted file marker. The clusters on the drive used to store the file data are now considered unallocated (i.e. available for new storage). However the file content remains in those clusters. A search for deleted files reads the entire file-system index, including records for deleted files, and displays the file content.

To search for deleted files:

1.       Select the “Search for deleted files.” option;

2.       Click the Start button.

Recover My Files will then commence to read the file-system. This search will take less than 20 minutes to complete. At the completion of the search review the search results as described in 8.5 below. If files are NOT found, try the option to “Search for deleted files, and then search for selected Lost File types”.

8.4.2      Search for deleted files, then search for selected “Lost File” types

As the name suggests “Search for deleted files, then search for selected “Lost File” types” runs the search for deleted files (described above),  then sequentially scans the remaining area of the drive for "Lost” files.

A lost file is a file that is located by file carving. File carving is a sequential search of the drive to find file headers for the specified file types. Learn more about lost files at the beginning of this manual - Data Recovery Fundamentals. This search should be run when:

·         The "Search for deleted files" option did NOT find the missing files;

·         When you wish to be certain that all possible data on the drive is located and recovered.

To search for deleted and lost files:

1.       Select the “Search for deleted files, then search for selected Lost File types” option and click the Next button (shown in Figure 49). The file type selection window will open:

Figure 50, File type selection window

Description: C:\Users\GRAHAM~1.GRA\AppData\Local\Temp\SNAGHTML109e7a5.PNG

2.       Place a select tick in the box next to the file types that you wish to recover.  The file types in this list have a known structure that can be identified if found on the drive (a full list is provided at Appendix 2 - File carving). To search for a file type, type the extension into the “Find File Extension” search box.

Important: The more file types that are selected, the more resource intensive is these search and the longer the search will take. It is suggested that you do not perform a Lost File search for more than 10 files at any one time. A sequential search of a large hard drive, e.g. 2TB or more containing many files may take up to 24 hours.

3.       Click the Start button to commence the search. A search for deleted files (described in 9.2.1 above) will commence.

4.       The start of the lost files search is indicated by the message "Scanning block xxxxx of xxxxx for lost files" above the progress bar.

5.       Lost file are placed in the Lost Files folder. As the search progresses, review the search results (as described below). If the missing files are located, stop the search and save the files.

8.5      Recover Files Search Results

Click the   icon in the search results screen to expand folders. Use the different data view and sort and filter functions to determine if the missing files have been located (see Chapter 6 for more information).

In the search results screen deleted items are identified by the following icons:

    Deleted folder

     Deleted file

   Lost file

The available data views are summarized as follows:

Deleted view

The Deleted view is a fast way to locate relevant files as it shows only deleted files. The folders in the deleted describe the way in which each of the deleted files has been identified, i.e. “Deleted” or “Lost”.

Figure 51, Tree pane, Deleted view

Description: C:\Users\GRAHAM~1.GRA\AppData\Local\Temp\SNAGHTML943b8c.PNG

Folders view

The Folders view shows all files and folders on the examined drive. The “Root” folder contains the existing folder and file structure on the drive. Deleted files and folders are located inside the Root folder and should appear in their original location prior to delete.  Lost and Orphaned files are placed in their own folders under the partition in which they were found.

Figure 52, Tree pane, Folders view

File Type view

The File Type view sorts files by extension. This view shows all files on the examined drive. Select a file type, and then look for the deleted file icons. It is also helpful to sort by the “Is Deleted” column in this view.

Figure 53, Tree pane, File Type view

Date view

The date view groups files by date. This view shows all files on the examined drive. Look for the deleted file and folder icons.

Figure 54, Tree pane, Date view

Validating search results and saving files

To learn how to validate the search results and save files, see “Chapter 10”.