I am trying to recover 22 Outlook PST files which were deleted along with the 4 levels of directories above them.
To complicate the problem, these 22 PST files became 0 bytes in size before they were deleted (I suspect a problem with Outlook). I was able to use WinHex to find the starting sectors of all 22 files (the signature is !BDN). The challenge is: how can I make these 22 files point to their first sector using WinHex on the drive?
------------------------------------------------------------------------
For that you would need to understand the data structures of the file system (either FAT or NTFS). Especially for NTFS it's likely not worth the effort in this situation. Once you have found the start sectors, you could rather use WinHex to carve the files manually (select the data as a block in the sectors, hope the files were not fragmented, and use Edit | Copy into new file).
------------------------------------------------------------------------
The PST files are huge. I am sure they are all over the place. The file system is NTFS. Any suggestions on where I can get some reading material on the data structures of NTFS?
------------------------------------------------------------------------
If you have the time, I suggest you consider Stefan's File Systems Revealed training course. Using XWF while exploring the file systems provides an insight that is left behind in typical classroom settings or PowerPoint programs, and I've sat through my share. For example, the hands-on approach to breaking down an MFT record using XWF, complete with color coding, makes the structures jump out, more so than textbook depictions, even in the best of references, e.g., Brian Carrier's superb work.
Granted, this may not be an option in your case, and even the training may not help you recover the PSTs. Your challenge is rather daunting. However, as you asked about resources, I thought I'd share my experience, having recently attended the program.
------------------------------------------------------------------------
> I would suggest you look for some recovery software which
> attempts to recover the cluster chain information from
> the Master File Table
WinHex does exactly this, so I wouldn't suggest looking elsewhere.
> or its mirror version
The MFT table mirror does not contain copies of the FILE records of ordinary files, so looking there is a waste of time.
Anyway, since the files have been truncated at 0 bytes, that means the data runs have most likely been discarded from the FILE records already. They may still be visible in the slack portion of the FILE records. Or you may be able to find earlier states of these FILE records with data runs in the log file.
I have removed the posting that advertised the Indian PST file recovery software.
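The data runs mentioned in the last reply are a compact list of (cluster count, relative cluster offset) pairs. The sketch below is an added example, not part of the original thread: it decodes such a byte string, once it has been located in FILE record slack or in the log file, into the cluster extents needed to reassemble a fragmented file. The sample bytes and the 4096-byte cluster size are constructed assumptions.

```python
# Added example: decode an NTFS data-run list into cluster extents.
# SAMPLE_RUNS is constructed for illustration, not taken from a real volume.
SAMPLE_RUNS = bytes.fromhex("21100001 210880ff 110440 00")


def decode_data_runs(buf, total_clusters=None, max_runs=4096):
    """Return [(lcn, cluster_count), ...]; lcn is None for a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0x00:      # 0x00 terminates the list
        header = buf[pos]
        len_size = header & 0x0F                    # low nibble: bytes of run length
        off_size = header >> 4                      # high nibble: bytes of LCN delta
        pos += 1
        if not 1 <= len_size <= 8 or off_size > 8:
            raise ValueError(f"implausible run header 0x{header:02x}")
        if pos + len_size + off_size > len(buf):
            raise ValueError("run list truncated (stale or overwritten slack)")
        count = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:                           # no offset field: sparse run
            runs.append((None, count))
        else:
            # The offset is signed and relative to the previous run's start.
            delta = int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta
            if lcn < 0 or (total_clusters is not None
                           and lcn + count > total_clusters):
                raise ValueError("run points outside the volume")
            runs.append((lcn, count))
        if len(runs) > max_runs:
            raise ValueError("too many runs, probably not a run list")
    return runs


def runs_to_byte_ranges(runs, cluster_size=4096):
    """Map runs to (volume_byte_offset, byte_length); offset None if sparse."""
    return [(None if lcn is None else lcn * cluster_size, count * cluster_size)
            for lcn, count in runs]


if __name__ == "__main__":
    for offset, length in runs_to_byte_ranges(decode_data_runs(SAMPLE_RUNS)):
        print(offset, length)
```

Runs recovered from slack describe an earlier state of the file, so the first run's start should be checked against the sector where the file signature was found before any data is copied out.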