Recovering lost JPEGs cont.

[Industrial One]

Refer to previous thread for background.

I manually searched for the headers in a hex editor on the disk and I
FINALLY found some of the pics I have lost. Doing this by hand will
take forever since I have NO metadata so have no idea what the size
is. All this is in unallocated space so there is no MFT record or
anything. Actually, I have MFT records of the lost folder and pics in
my VM of the resized partition but it's all greek to me. I have no
idea what to make out of the records, but any metadata would be
useful, especially the physical sector/location of the file so I could
instead search for the RARs my girlfriend sent them in, which I cannot
do as easily as just search the disk manually.

Anyway, why Photorec failed is beyond me. It can't be because it
didn't recognize this particular EXIF of these JPEGs taken by her
particular camera, no siree bob. It recovered pics that were taken
with the same camera, only ones that I had backups of and briefly
viewed. How convenient. It's like this piece of shit program is
laughing at me.

Is there any way to input a specific sector range for it to search on?
I have the exact offset on my disk where one of the lost pics are
located and I would love to see if any recovery program can do this
automatically so I won't have to with my bare hands.

Anyone suggest such a program?

 

[Paul]

Refer to previous thread for background.

I manually searched for the headers in a hex editor on the disk and I
FINALLY found some of the pics I have lost. Doing this by hand will
take forever since I have NO metadata so have no idea what the size
is. All this is in unallocated space so there is no MFT record or
anything. Actually, I have MFT records of the lost folder and pics in
my VM of the resized partition but it's all greek to me. I have no
idea what to make out of the records, but any metadata would be
useful, especially the physical sector/location of the file so I could
instead search for the RARs my girlfriend sent them in, which I cannot
do as easily as just search the disk manually.

Anyway, why Photorec failed is beyond me. It can't be because it
didn't recognize this particular EXIF of these JPEGs taken by her
particular camera, no siree bob. It recovered pics that were taken
with the same camera, only ones that I had backups of and briefly
viewed. How convenient. It's like this piece of shit program is
laughing at me.

Is there any way to input a specific sector range for it to search on?
I have the exact offset on my disk where one of the lost pics are
located and I would love to see if any recovery program can do this
automatically so I won't have to with my bare hands.

Anyone suggest such a program?

It's just possible, that a scrounger program, cannot deal with
fragmented files. If the file is contiguous, and the scrounger
recognizes the header, it tries grabbing as many clusters in
a row as make sense. Does JPEG have enough consistency info,
to determine it's all present ? Maybe Photorec rejects files
that don't have the right length or something.

Here is another program you can try. This one probably isn't
as clever as Photorec, because it doesn't focus on image
files. Perhaps, with your knowledge of metadata, when this
program finds 100,000 files, all with fake names, you'll be
able to locate the ones that are real, or ones you want.

http://web.archive.org/web/20100916...ome.org/WoundedMoon/win32/driverescue19d.html

While it says support for NTFS is "incomplete", one poster in
this group tried it out on his busted NTFS partition, and
the recovery worked (substantial recovery). Give it a try.

The program was originally given away for free, then a
commercial company bought the source, and the author of the
program closed up shop. But the free version still makes the
rounds. I have no idea what commercial company bought it, or
what name it eventually got. Maybe they bought the source,
just to get rid of a freebee

Paul

 

[Industrial One]

a row as make sense. Does JPEG have enough consistency info,

to determine it's all present ? Maybe Photorec rejects files

that don't have the right length or something.

The files are contiguous and the first dozen in a row that I recovered by hand (I selected 2MB after the JFIF header since I dont know the size) were perfect quality without anything missing, so I'll assume the length is correct.

It's really aweosome photorec recovered everything except what I needed. Someone's screwing with me out there, I have trojans as we speak and my network monitor showed unsolicited upstream and downstream activity, someone's using me to send spam or DDOS sites. I've removed the culprit temporarily soplease don't derail the thread about THAT issue.

Bill in Co, EaseUS made some great products, but I tried the file recovery wizard right now and it doesn't give me the option to search unallocated space, only partitions, to search the whole disk says would take 16 hours, which is how long I had to wait for iolo and photorec to both do which proveda waste of time, so I don't feel like trying now.

Is there any tool that will let me input a sector range so I can stop wasting ridiculous amounts of time like this searching an entire 2TB disk for nothing?

 

[Paul]

Is there any tool that will let me input a sector range
so I can stop wasting ridiculous amounts of time like
this searching an entire 2TB disk for nothing?

You want "Keep corrupted files". Details here.

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

The reason for that would be...

http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works

"If, however, the recovered file ends up being smaller
than its header specifies, it is discarded."

Perhaps "Keep corrupted files" will snag more of them.

*******

The source for the program is available as well, if
the instructions aren't enough.

http://www.cgsecurity.org/testdisk-6.13.tar.bz2

You can open the file with 7-ZIP. Navigate into the
src directory. Photorec.c will "read correctly" in
Wordpad. If you immediately save the file from Wordpad,
it will correct the line endings, and then Notepad
can read it properly as well.

testdisk-6.13.tar.bz2\testdisk-6.13.tar\testdisk-6.13\src\photorec.c

In 7-ZIP, you use the "open inside", when you get to the "tar" level.

I don't think you'll need to read source, but it's readily available.

Paul

 

[Industrial One]

I finally recovered the folder with EaseUS data wizard, by selecting that second option to recover files from deleted partitions. It said it would take 16 hours but it only took about 5.

All the filenames and other metadata are intact and since it was only a 200MB folder, the operation was a freebie. Sweet!

Now that it's recovered and I've made backups, I wanna put this folder on avery short leash. Whatever caused it to disappear without a trace (I was lucky to still have even the deleted unallocated partition copy which contained remnants of the files) I wanna set a trap for.

Is there such a monitoring program? At the least, I want to be informed thenext time it disappears so I can take a system snapshot of all running processes. For now I'm marking the folder read-only.

Oh and Paul, I did have "keep corrupted files" enabled, I didnt have brute force enabled for searching though.

No idea whats wrong with photorec but EaseUS totally put iolo to shame. I remember how awesome iolo Search & Recover was, it felt good spending $70 onsomething that was actually worth the money, and now it fails miserably...as if JPEG, a compression format as old as I am is some alien format it suddenly doesnt recognize. Shameful.

Thanks Bill in Co, you really have saved my ass. Those photos have unbelievable sentimental value that I wouldnt have predicted they would've had in 3years time. Thank you.

And to whoever's botnet I ended up on, turn on your keylogging: drink bleach and die ****tard. I admire how your worm pings a bandwidth test and only uses half your victim's bandwidth to carry out your puerile spam attacks against all your Facebook girlfriends that dumped your dorky ass.
You arent clever enough to get this former botmaster to play your faggy little game, kid. I will find you.

 

[Paul]

I finally recovered the folder with EaseUS data wizard, by selecting that second option to recover files from deleted partitions. It said it would take 16 hours but it only took about 5.

All the filenames and other metadata are intact and since it was only a 200MB folder, the operation was a freebie. Sweet!

Now that it's recovered and I've made backups, I wanna put this folder on a very short leash. Whatever caused it to disappear without a trace (I was lucky to still have even the deleted unallocated partition copy which contained remnants of the files) I wanna set a trap for.

Is there such a monitoring program? At the least, I want to be informed the next time it disappears so I can take a system snapshot of all running processes. For now I'm marking the folder read-only.

Oh and Paul, I did have "keep corrupted files" enabled, I didnt have brute force enabled for searching though.

No idea whats wrong with photorec but EaseUS totally put iolo to shame. I remember how awesome iolo Search & Recover was, it felt good spending $70 on something that was actually worth the money, and now it fails miserably... as if JPEG, a compression format as old as I am is some alien format it suddenly doesnt recognize. Shameful.

Thanks Bill in Co, you really have saved my ass. Those photos have unbelievable sentimental value that I wouldnt have predicted they would've had in 3 years time. Thank you.

And to whoever's botnet I ended up on, turn on your keylogging: drink bleach and die ****tard. I admire how your worm pings a bandwidth test and only uses half your victim's bandwidth to carry out your puerile spam attacks against all your Facebook girlfriends that dumped your dorky ass.
You arent clever enough to get this former botmaster to play your faggy little game, kid. I will find you.

Could you keep the JPG files on a "virtual CD" ?

I looked for USB flash drives with a write protect switch, which would
be one way to provide a layer of protection against vandalism.

When it comes to protection against malware alteration, one approach
is to checksum files. That retroactively tells a person, that
a file has been changed. But wouldn't react when you want it to
(right away).

The Sysinternals Process Monitor program, can detect file read and
write operations. I don't know if deleting or unlinking is in the
set of commands it would log. And then, it has no interface for
alerting you that shenanigans are afoot. But at least that program
demonstrates the same kinds of hooks, as AV software use. (Hook the
file system, to tell when scanning of a file might be needed.)

So the best I can suggest, is a read-only or pseudo-read-only (obscure)
storage method. If you made an ISO9660 of the JPEG folder, and mounted
the resulting .iso file with virtual CD software, that might be a way to
provide a measure of protection. The malware would think the files
were truly read only (hardware restricted). As long as the miscreant
doesn't read this message and figure it out

SCSI drives have honest-to-goodness hardware write protect jumpers on them,
and you can fit a switch with two wires and a connector on the end, to
the jumper position. Write protecting C: isn't a good idea, but
if you put your personal data on a SCSI drive (separate partition),
you could flip that switch to prevent *anything* from modifying the files.
I stopped using SCSI years ago (last drives I bought were 9GB), but some
of those jumper options on the drive, really come in handy. IDE or
SATA, don't have nearly as many options. You need a SCSI controller
card to use such a drive. Prices range from $50 to $300 or more for
a simple card, with the $50 cards showing up when one of the SCSI
controller card companies is in distress. I think I got a 2906 based
card for $50 once. I don't have any really good cards (highest transfer rate).
The best one I've got, might be 40MB/sec or 80MB/sec. And I think my
SCSI hard drives, don't go over 40MB/sec anyway.

The worst kind of SCSI, is async SCSI, and the transfer rate there,
is on the order of 5MB/sec. That's the kind of interface my scanner
uses (an old SCSI-based scanner). That's one of the reasons I still
keep a SCSI controller card within reach. And that's what the 2906
is good for.

It would be much cheaper to get a USB flash with a write protect
switch, but what are the odds you can still buy one of those.
USB flash, at least the ones I can buy locally, are pathetic.
Many of them, only write at around 4MB/sec. They're not even
worth using as "door stops".

Using re-writable optical disks would be a way to host the
files, but then, a miscreant could write to the disc if they
were clever. A hardware device with a real write protect switch,
is a better solution. You detect shenanigans, when the non-write-protected
drives are damaged, while your read-only drive stays safe. So
a trashed "C:", is how you detect your friend is back... And
the files stay safe on the read-only SCSI.

Paul

 

[Char Jackson]

Could you keep the JPG files on a "virtual CD" ?

When it comes to protection against malware alteration, one approach
is to checksum files. That retroactively tells a person, that
a file has been changed. But wouldn't react when you want it to
(right away).

So the best I can suggest, is a read-only or pseudo-read-only (obscure)
storage method. If you made an ISO9660 of the JPEG folder, and mounted
the resulting .iso file with virtual CD software, that might be a way to
provide a measure of protection. The malware would think the files
were truly read only (hardware restricted). As long as the miscreant
doesn't read this message and figure it out

If the malware is specifically targeting jpg files, you might put them
into a zip or rar archive, optionally password-protected. Create
enough parity files (QuickPar) so that you can repair or restore
damaged or missing archive parts.

Required tools:
7Zip or Winrar
QuickPar <http://www.quickpar.org.uk/>