Data Recovery - Used Ontrack - NTFS permissions ruined the file

Discussion in 'OT Technology' started by fintheman, Jul 18, 2006.

  1. fintheman

    fintheman I will ebay O/T!

    Joined:
    Oct 5, 2005
    Messages:
    2,092
    Likes Received:
    0
    Location:
    Brentwood, TN
    Okay, did an Ontrack data recovery on a hard drive that was formatted and installed Windows XP on.

    It was a completely garbaged OS system and I had to reinstall and could not do a dirty. I could not get the files at all due to permissions (the password for the admin/main account called "Gary") was not able to do crap with it. So I figured just do the data recovery after the fact, it's worked like a charm most of the times for me, especially with Ontrack.

    JPG files and .doc files are all I am trying to get; basically, it's garbage when I open them up. I think they are still intact, the file sizes are correct etc. I am just not sure if NTFS encrypts it or do you think they are just corrupt?

    I am able to see all the files that were previously on the computer with the Ontrack and it looks pretty good.

    Any thoughts? I'm 95% the files are lost, but I thought I'd post this as a

    Any advice for getting files off someone's computer when you can't get into the admin/passworded accounts, it seems that you are pretty much fucked without it. I'm not talking about from safe mode, just getting the shit at all with the NTFS permissions stripped so I don't have to deal with this bullshit again.
     
  2. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    Take ownership of the files and change permissions.
     
  3. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    It's worth noting that this needs to be done using an Admin account in the new Windows installation.
     
  4. Slid.

    Slid. I'm a guy.

    Joined:
    Oct 25, 2001
    Messages:
    1,928
    Likes Received:
    0
    Location:
    NH
    This also may need to be done in safe mode.

    There are linux-based programs out there to retrieve and/or reset an XP password. (I've used one in particular twice -- 100% results both times).
     
  5. P07r0457

    Taking ownership does NOT need to occur in safe mode.
     
  6. chips

    chips ...

    Joined:
    May 2, 2004
    Messages:
    3,755
    Likes Received:
    0
    Location:
    Phoenix, AZ


    DOT
     
  7. EvilSS

    EvilSS New Member

    Joined:
    Jun 11, 2003
    Messages:
    5,104
    Likes Received:
    0
    Location:
    STL
    It's possible that when you reinstalled the OS you overwrote sectors containing data from the files you are trying to recover. Recovery only works if the disk sectors the files occupied prior to their being deleted/formatted are not used again before the recovery.

    It's also possible that the user set the files to be either compressed or encrypted (neither is the default for NTFS, btw).
     
  8. P07r0457

    I've seen data recovered after being overwritten numerous times.
     
  9. EvilSS

    If the data is physically overwritten on the disk then it physically no longer exists on the disk. I'm talking about the physical location on the disk that the data used to occupy being overwritten. The only way to recover it at this point is to either guess what it was and replace the sector. Anything else requires a pro with tools to physically examine the platter for a residual trace of the data in the media itself.

    No home user is going to be able to do that.
     
  10. P07r0457

    I disagree. I have used tools that will recover data that has been overwritten before.
     
  11. EvilSS

    Really? Care to put your tools where your posts are? I know a lot, and I mean a fucking lot, about hard drives. You're wrong. But if you want to prove you can recover a file that has been physically overwritten I'm sure we can arrange a challenge to allow you to prove it.
     
  12. P07r0457

    ...

     
  13. EvilSS

    Like I said, care to back it up? You said you can do it yourself, so prove it.
     
  14. P07r0457

    What, you want to mail me a drive?
     
  15. EvilSS

    Absolutely. I have a small drive I'm more than willing to donate for this. I'll zero it out, drop some say 10,000 character files on it. Then quick format it, overwrite the files (I'll even leave one on intact except for a few sectors). If you can reproduce them and match the original MD5 hashes, I'll never question anything you say again.

    I mean, you did say
     
  16. P07r0457

    Even if 99% of a file was recovered, the MD5 hash will not be the same.
     
  17. EvilSS

    So, you said you could recover data that has been overwritten. I said, and I quote:
    And you disagreed. You said:
    Now, I was pretty specific in stating (in both my other posts) that physically overwritten sectors could not be recovered without a special set of tools to physically examine the disk. I never said the undamaged portion of the file could not be recovered (reference the underlined sentence above).


    If you look at the OP that I replied to what I describe fits perfectly. Files are the correct size but garbled. That happens if you try to recover files that are no longer fully intact on the disk. A statement you have decided is wrong.

    So, again, care to prove yourself right? Or are you ready to admit you can't do it?
     
  18. P07r0457

    If you think that overwritten data cannot be recovered, do you care to explain how people can recover data in excess of 80GB from a drive that only holds 80GB?

    I know that I can recover data that has been overwritten because I have done it... Especially with SD/CF cards. But to say that this data will net the same MD5 sum is absurd. The data can be overwritten, 99% recovered, and not have the same MD5. 1 bit difference and the file can still be usable, but the MD5 will not match.

    You are turning into a waste of time. You wanna send me a drive? Go ahead. But to state that data is not in any way recoverable is simply lame. And if the only way you will be satisfied is by an un-verifiable MD5 then I'm sorry, but you're just jacking off.

    Go talk to the pros if you don't believe me. Companies like "Drive Savers" do this every day.
     
  19. EvilSS

    So in other words you are totally full of shit. I never said the file was not recoverable (as I've stated yet AGAIN). I said the bits overwritten on disk could not be recovered without physical examination of the platters (in other words, you have to have a pro open the drive).

    But if you have some magical way to do so then you should contact the storage companies. I'm sure they would love to know how to store two files in the same physical space at the same time and have both readable. Please.

    The fact is you can't recover an overwritten portion of a file without physically disassembling the drive and using special equipment to read the platters. Period. The best you can do is hope that enough of the file exists that the contents can be extracted or that you can guess and reconstruct the bits by hand. THAT is why the MD5 won't match, because you can't recover the data that has actually been overwritten, only the data that hasn't yet been overwritten on disk.

    You also cannot recover more physical bits than will fit on a disk. No software on earth that will run on a normal PC will recover 2 different bits from the same physical location on a disk platter. I'm not talking about the partition, I'm talking about the physical disk itself.


    Sad now that someone calls you out after you spout off you start personal attacks. Face it, you were wrong and got caught.
     
  20. deusexaethera

    You can recover data that has been overwritten by reading the data in analog mode, so that you can see the shades of grey between the 1's and 0's that are currently present. By ignoring the current 1's and 0's and looking at what are effectively fractional numbers between 0 and 1, you can reconstruct what the previous set of 1's and 0's used to be.

    Magnetic media is rarely overwritten so strongly that no shadow of the previous data remains. That's why the Department of Defense requires that all deleted files be overwritten 7 times with random patterns of 1's and 0's, to muck up the shadows of the original data so badly that it can't be read anymore.

    EDIT: No, I didn't read the whole thread.

    EDIT: Okay, now I read the whole thread. What I said is still right. HDD read/write heads are far more sensitive than they appear to be, because all of the data they read is passed through a gate circuit that converts all voltages coming from the reader to either the "zero" voltage or the "one" voltage (depending on what the manufacturer's specs are). By bypassing this circuit, you can read the fractional value of each bit and use simple mathematics to reconstruct the original data.
     
    Last edited: Jul 19, 2006
  21. EvilSS

    And yet again, doing so requires special equipment, as I have said for the third (fourth?) time now?
     
  22. deusexaethera

    Yes, it does. You get a 10/10 for correctly evaluating the practicality of the operation.
     
  23. Schproda

    Schproda New Member

    Joined:
    Jul 9, 2006
    Messages:
    442
    Likes Received:
    0
    Location:
    Memphis, TN

    I've also got a program that'll remove files from a HDD that hasn't had zeros and ones written to it. Got money you want to lose? :)

    If you didn't recreate the FS, format or fdisk you shouldn't have any trouble getting your data.
     
  24. EvilSS

    Uh, you better re-read this thread. You just said your program won't work for recovering data that has been overwritten on disk, which is exactly what I have been saying in this thread.
     
  25. EvilSS

    For example, here is a sector taken from a disk. This is actually a chunk of a jpg image:

    Here is the same sector AFTER being overwritten:
    This was taken by using a disk editor (HxD) to open the disk (not the file, not the partition, the raw disk). THIS IS WHAT IS LEFT ON THE DISK after a section of a file is overwritten. There is no practical way to recover the data. There are some expensive ways to possibly do this, or if enough of the file is left unaffected you could guess or just work around it. You cannot recover the overwritten sections of the file and if they are enough to screw the file up, the file is hosed: as I said in my first post.
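
Added example, not part of the thread and not any poster's code: the MD5 disagreement above can be settled by hashing each sector separately, which shows exactly which sectors of a recovered file differ from the original even though the whole-file MD5 fails on a single changed bit. The function names, the 512-byte sector size and the sample data are assumptions constructed for illustration.

```python
import hashlib

SECTOR = 512  # assumed sector size in bytes


def sector_hashes(data, size=SECTOR):
    """Return the MD5 hex digest of each fixed-size sector of data."""
    return [hashlib.md5(data[i:i + size]).hexdigest()
            for i in range(0, len(data), size)]


def compare(original, recovered, size=SECTOR):
    """Compare a recovered file against a known-good original.

    Reports whether the whole-file MD5 matches, which sector indexes
    differ (or are missing on one side), and the intact fraction.
    """
    a = sector_hashes(original, size)
    b = sector_hashes(recovered, size)
    total = max(len(a), len(b))
    damaged = [i for i in range(total)
               if i >= len(a) or i >= len(b) or a[i] != b[i]]
    whole = hashlib.md5(original).digest() == hashlib.md5(recovered).digest()
    intact = (total - len(damaged)) / total if total else 1.0
    return {"whole_file_match": whole,
            "damaged_sectors": damaged,
            "intact_fraction": intact}


def build_sample():
    """Constructed sample: a 10,000-byte file and a damaged 'recovery'."""
    original = bytes((i * 31 + 7) % 256 for i in range(10000))
    recovered = bytearray(original)
    # Sector 3 overwritten by unrelated data (zeros stand in for it).
    recovered[3 * SECTOR:4 * SECTOR] = b"\x00" * SECTOR
    # A single flipped bit inside sector 12.
    recovered[12 * SECTOR + 5] ^= 0x01
    return original, bytes(recovered)


if __name__ == "__main__":
    orig, rec = build_sample()
    print(compare(orig, rec))
```
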
     
