|
|
I am trying to recover 22 outlook pst files which were deleted along with the 4 level of directories above them.
To make the problem complicate, these 22 pst files got 0 byte sized before they were deleted(suspect problem with outlook). I was able to use winhex to find all the starting sectors of these 22 files(singature is !BDN). The challenage is how can I make these 22 files to point to their 1st sector using WinHex on the drive?
------------------------------------------------------------------------
For that you would need to understand the data structures of the file system (either FAT or NTFS). Especially for NTFS it's likely not worth the effort in this situation. Once you have found the start sectors, you could rather use WinHex to carve the files manually (select the data as a block in the sectors, hope the files were not fragmented, and use Edit | Copy into new file).
------------------------------------------------------------------------
The pst files are huge. I am sure they are all over the place. The file system is NTFS. Any suggestion where I can get some reading material on the data structures of NTFS.
------------------------------------------------------------------------
If you have the time, I suggest you consider Stefan's File Systems Ravealed training course. Using XWF while exploring the file systems provides an insight that is left behind in typical classroom settings or PowerPoint programs, and I've sat through my share. For example, the hands on approach to breaking down an MFT record using XWF, complete with color coding, makes the strucures jump out, moreso than text book depictions, even in the best of references, e.g., Brian Carrier's superb work.
Granted, this may not be an option in your case, and even the training may not help you recover the PSTs. Your challenge is rather daunting. However, as you asked about resources, I thought I'd share my experience, having recently attended the program.
------------------------------------------------------------------------
> I would suggest you look for some recovery software which
> attempts to recover the cluster chain information from
> the Master File Table
WinHex does exactly this, so I wouldn't suggest to look elsewhere.
> or its mirror version
The MFT table mirror does not contain copies of the FILE records of ordinary files, so looking there is a waste of time.
Anyway, since the files have been truncated at 0 bytes, that means the data runs have most likely been discarded from the FILE records already. They may still be visible in the slack portion of the FILE records. Or you may be able to find earlier states of these FILE records with data runs in the log file.
I have removed the posting that advertised the Indian PST file recovery software. |
|
狗仔卡
提升卡
置顶卡
喧嚣卡
变色卡
显身卡
请问各位精英大佬,我这个U盘是怎么了? 如
二款硬盘扫描工具免费下载
文件删除数据恢复软件免费的有吗?大厂免费
西数4T硬盘 求助
东芝硬盘COM端口的接法(实测成功)
万能数据恢复脚本程序
真正希捷F3批量维修程序 同时操作6个盘 可
RAID数据恢复技术揭秘_第1章:RAID技术详解
国内目前最详细 exFAT文件系统结构
WinHex模板大全(近100种模板)