Surviving a home data disaster: How Shirley got her files back

Recovering 736 missing digital images can be arduous -- and expensive

1 2 3 4 5 6 7 Page 6
Page 6 of 7

The signature search results were presented in two simple text files. The first contained a long list of all 38,477 files found. The second summarized the number of files found by file type -- including 1,137 files classified as JPEG images. Unlike the VeriFile report, the signature search results did not classify the files as good, repairable or partially recoverable.

While the deleted files recovery retrieved the original file names, in the signature recovery, each file is given a name based on the exact address on the disk where the data was found. A summary listed every file that had a picture file header, or signature, but with no file names to go on and no way to preview the documents, deciding whether to proceed was a tough call. How many of those were really Shirley's photographs? How many were readable? It was hard to say.

This is the point where the customer must make a decision. You could stop now and only be out the $100 analysis fee. Or you could proceed, pay lots of money, receive the recovered images and see what you get. To help with that decision, Ontrack will let you pick 10 files from the list -- up to 2MB of data -- and will send them to you at no additional charge.

Going for broke

Should I keep the money or see what's behind the curtain? I went for it. The marching orders: Give me every JPEG image you can find on the disk. Barry went to work.

A few hours later he had found 2,245 total JPEG files, including 953 valid files (not deleted), 155 deleted files and 1,137 files that weren't referenced by the file system at all. He placed the files into two folders on the primary drive of my recovery machine.

The Good Files folder contained all of the JPEG images Ontrack could find on Shirley's disk during the file recovery pass, whether the files were deleted or active: 1,108 in all. The files were spread across a hierarchy of 1,187 folders and subfolders. That was quite a mess to wade through.

As it turned out, nearly all of the missing photos Ontrack found during the file recovery pass were in a single folder (Found.ODR) and its many subfolders, but to be sure I didn't miss any files I checked every folder. I found 13 of the missing photos in Shirley's My Documents and My Pictures subfolders of Found.ODR. As one might assume, all of the other subfolders (i386, Program Files, etc.) in the results set contained unrelated JPEG images.

As a shortcut I used the free X1 Desktop Search program to make sure I didn't miss any files. X1 indexed the folder hierarchy, displaying all of the JPEG images in a single list view, and its preview capability allowed me to review all of the JPEG files fairly quickly by rolling over them by using the down arrow key.

Some 1,108 keystrokes later I had previewed every file. I recovered just 20 readable images that looked like Shirley's photos -- about what I got with EasyRecovery's deleted files search.

The Sigsrch folder contained all of the JPEG files restorable from the raw recovery: 1,137 of them. Unlike the file recovery pass, which included both deleted and active JPEG images, this one only included files with JPEG file signatures that resided in the free space on disk. After sorting through the files in both recovery folders and pulling out all of the images that obviously weren't Shirley's photographs, I came up with 753 viewable photos.

Although I did the best job I could removing unwanted images, I suspect that Shirley will find a few images that aren't hers. Sorting through them will be time-consuming, since the images are jumbled together in no particular order.

clear.gif
clear.gif
 
clear.gif
A peek at a damaged file
clear.gif
Here's what one of the damaged images looks like at the bits and bytes level from within the Windows NT Device Examination utility.
A damaged JPEG file. (Click image for larger view.)
A damaged JPEG file. (Click image for larger view.)

The letters "MZ" at the top of the last column indicate the point where this deleted file was overwritten by a new file. The letters that form the new file header indicate that this is a Windows executable file.

In this case, says Barry, a Windows dynamic link library file has completely overwritten the entire image file, including the original file header, irreversibly damaging it. This photo was lost.

clear.gif
 
clear.gif
clear.gif
1 2 3 4 5 6 7 Page 6
Page 6 of 7
  
Shop Tech Products at Amazon