Partition Recovery after Cloning

DCGPX

Hi

Data recovery is not my strongest point so after some advice.

Basically I was asked to transfer the OS from an original 37GB to a slave 160GB HDD. Before I cloned, I checked the 160GB and it was empty, so I cloned away.
Client then contacted me to say their business files that were on the larger drive are now missing - obviously!

I am triple positive that this drive was empty but they say it did contain their files nonetheless.

So I have tried to recover partition/files using :

EaseUS Data Recovery
DDR Recovery for NTFS
GetDataBack for NTFS

but all I get as recovery options are the Windows system I cloned off the original drive and not the original contents of the larger drive before I cloned.

I also defragmented the larger drive after I cloned as well, which probably didn't help.

I'm assuming that since I cloned the MBR as well, recovery of previous partitions is not going to be straightforward?

As I said, data recovery is not my strongest point. Anyone any advice on future attempts to recover these files (assuming they actually were there, but that said I'd have expected one of the recovery tools to show an empty drive)?

TIA
 
1st rule in data recovery, OS upgrades and repartitioning is to audit/check the backup...
End users are clueless, and what looks like an empty drive to your software
might contain hidden/encrypted logical/spanned/RAID partitions.

You will have overwritten the first 37GB of the 160GB drive, so forget about getting any of that data back.

Your data recovery software will need to look for deleted partitions,
or you pick the 160GB one, or just scan the 'empty area' (above 37GB) for file fragments.

If the original partition wasn't too fragmented, you will yield useful results.
Don't expect miracles :(
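The scan suggested in this reply, sketched as an added example that is not part of the original thread: it searches only the region above the overwritten area for leftover NTFS boot sectors. It assumes 512-byte sectors and relies on NTFS keeping a backup boot sector in the last sector of the partition; the function names and the sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512            # assumed logical sector size
CHUNK = 2048 * SECTOR   # read 1 MiB at a time

def parse_ntfs_boot(sec):
    """Return the volume's total-sector count if sec is an NTFS boot sector, else None."""
    if sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 0x0B)
    total = struct.unpack_from("<Q", sec, 0x28)[0]
    if bytes_per_sector != SECTOR or sectors_per_cluster == 0 or total == 0:
        return None
    return total

def find_ntfs_remnants(dev, overwritten_bytes):
    """Scan only the sectors at or above overwritten_bytes for NTFS boot sectors."""
    lba = -(-overwritten_bytes // SECTOR)   # first sector the clone did not touch
    dev.seek(lba * SECTOR)
    hits = []
    while True:
        buf = dev.read(CHUNK)
        if len(buf) < SECTOR:
            return hits
        for off in range(0, len(buf) - SECTOR + 1, SECTOR):
            total = parse_ntfs_boot(buf[off:off + SECTOR])
            if total is not None:
                # The backup boot sector sits right after the volume, so the
                # old partition began `total` sectors before this hit.
                hits.append({"lba": lba + off // SECTOR, "total_sectors": total,
                             "implied_start_lba": lba + off // SECTOR - total})
        lba += len(buf) // SECTOR

def boot_sector(total_sectors):
    """Constructed minimal NTFS boot sector (sample data only)."""
    sec = bytearray(SECTOR)
    sec[3:11] = b"NTFS    "
    struct.pack_into("<HB", sec, 0x0B, SECTOR, 8)
    struct.pack_into("<Q", sec, 0x28, total_sectors)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def make_sample_image():
    """Constructed 64-sector 'disk': clone overwrote LBA 0-31, old backup boot sector at LBA 48."""
    img = bytearray(64 * SECTOR)
    img[8 * SECTOR:9 * SECTOR] = boot_sector(20)     # cloned volume, inside the overwritten area
    img[48 * SECTOR:49 * SECTOR] = boot_sector(40)   # remnant of the old partition (began at LBA 8)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(find_ntfs_remnants(make_sample_image(), overwritten_bytes=32 * SECTOR))
```

Run it against a read-only image of the drive rather than the drive itself. A hit gives the old partition's size and implied start, which a recovery tool can then be pointed at.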
 
Yeah, that's what I thought after Googling to death.

End user is clueless, wouldn't have knowledge to hide/encrypt anything.

I'm still adamant the drive was empty, I ALWAYS check.

Only thing they say was on this drive was these business files, less than 30MB apparently, so bye bye and coaching on regular backups methinks!

Aw well, little lesson learnt - at least my work order explicitly says data is the client's responsibility unless told otherwise.

Still a little peeved in a way that it feels my fault, as I think I underestimated their understanding of what moving the OS actually means. I now think they honestly believe it's copy and paste!
 
If data is very valuable, it can be recovered by recovery facilities even after it has been written over for a hefty fee.
 
I have been down this route before...

You should have insurance that covers you for this in case they take further legal action.

Also, legally it is the data owner's responsibility to back up their data, not yours.

I know this doesn't help your case, but you should always protect yourself first.

Do you have thorough legal Terms and Conditions compiled by a good solicitor? I do - my T&C cost me £2000. Sounds high you think, then imagine the cost and trouble if they take you to court and you don't have any T&Cs. They would wipe the floor with you...

Before attempting any job involving changing, modifying, altering data on any storage system... Ask this question - HAVE YOU GOT A CURRENT BACKUP OF YOUR DATA?

Be humble when you approach them, but politely point out their data is THEIR responsibility...
 
If data is very valuable, it can be recovered by recovery facilities even after it has been written over for a hefty fee.

I'm afraid that is not true. There have been theoretical models of retrieval methods but these were based on old drive technology and even then nobody seems to actually have done it. It's all based on a paper by someone who never demonstrated it. Maybe the NSA or MI5 managed it at some point but I've never found any commercial examples of it. Even if it was possible, the time it would take for a scanning transmission electron microscope to retrieve the raw magnetic data would be immense even for tiny amounts of data and then you'd have to reconstruct it somehow back up to the sector level that DR experts usually deal with.

In the old days drives had servo stepper motors serving wider tracks more inaccurately. Now they use guide tracks and voice coils, MUCH more dense writing, different recording methods and a host of other techniques that render even this unproven method even less credible.

http://en.wikipedia.org/wiki/Data_recovery#Overwritten_data

It's funny because this one paper by Gutmann spawned a mini industry of pointless overwriting algorithms and wiping apps "...using our special Gutmann Method certified technology...." etc. which just wastes hours of people's time writing over data 35 times! That can't be good for your drive.

Even Gutmann himself admitted it was not required on modern drives http://en.wikipedia.org/wiki/Gutmann_method#Criticism, an admission that most people in the industry think didn't go nearly far enough since he still claimed it WAS possible in the past without providing evidence, and still claimed more than one pass might have some use. I cannot find any evidence anyone can retrieve data written over by just a single pass with any data (be it zeros or random or whatever).
 
Still a little peeved in a way that it feels my fault, as I think I underestimated their understanding of what moving the OS actually means. I now think they honestly believe it's copy and paste!

If that data was actually there then it was partly your fault in my opinion. You cannot expect someone to understand what cloning means. You should have spoken to them and explained "Is there any data on that drive? Because once I clone the disk, anything on it will be gone, possibly forever".

A large part of my initial conversations with clients whose systems I am working on involves this sort of thing - explaining about data loss and double checking what data they have, what is backed up and what isn't etc. You cannot be too careful.

I have a number of customers who insist on calling their external HDD full of valuable data "my backup" even though that is the only place that data exists. I try to explain how external HDDs are even more unreliable than internal ones and how they do not have a backup, just a precarious data store. But people just don't get it.
 
...

I have a number of customers who insist on calling their external HDD full of valuable data "my backup" even though that is the only place that data exists. I try to explain how external HDDs are even more unreliable than internal ones and how they do not have a backup, just a precarious data store. But people just don't get it.

Yep, I've stopped trying so much with 'backup' and 'archive'. Just get it into their heads that they need 'copies', or 'more than one copy' (which in English apparently means 'more than just the original' :confused: ).

Excellent posts, BTW, thumbs up for MobileTechie :cool:
 
I've since spoken to client who after all this now has decided that the files aren't that important and they'll just start again afresh.

Lessons learnt though -

1. NEVER overestimate a client's understanding.

2. Triple check they understand they need backups.

3. Quadruple check everything myself before committing any non-retrievable act!!

I have insurance for this just in case!!

Might just look into a policy of imaging prior as a prerequisite to any cloning, to keep for a month.
 
Data recovery is not my strong point as well, but in the past we have had success with Davory using switches (not sure if this is still available) and 1st ntfs datarecovery. We have had success with these tools getting lost partitions but mostly for file recovery. Disk management and a hardware check for RAID tells all :)
 