by abolibibelot » Tue Jun 02, 2020 7:12 pm
First, 97GB seems HUGE for an e-mail database. You should sort messages by year and/or category. Second, an e-mail database is not just a blob of “mostly text”, it has a distinct structure, if key components of that structure have been corrupted it may no longer be properly recognized by the software accessing it, Thunderbird in this case. I don't know specifically how robust the file format used by Thunderbird is, but generally speaking, for any type of remotely complex file, if the header has been overwritten it does not sound good. Third, a large database file which is regularly modified will almost certainly be fragmented, possibly massively fragmented (hundreds or thousands of fragments all over the place). In which case the odds of successful recovery by means of raw file carving are very low. Fourth, something as important as an e-mail database should be backed up at least weekly if not daily.
If you were wise enough to do a complete image of the partition where that humongous file was located right after it happened, it may still be possible to do a custom analysis of the MFT records pertaining to that file. It would have been interesting to see what R-Studio displayed in the “Sectors” tab of its hexadecimal analyser. I once
did something very convoluted, using ddrescue, to recover a bunch of massively fragmented files, in a situation where I had made a partial image containing all the sectors occupied by those files (except the unreadable ones), and an incomplete MFT, and a list of those files' clusters, while the drive's condition had declined to the point where it was no longer possible to complete the image in order to get the whole MFT. I had obtained the list of sectors / clusters with Recuva, HD Sentinel and nfi, when the drive was still operational ; R-Studio can display the list of sectors occupied by a file, but, unless it's been added in a recent update, it offers no way of exporting the complete list for further purposes (only one value at a time can be copied with CTRL+C which is not practical at all).
First, 97GB seems HUGE for an e-mail database. You should sort messages by year and/or category. Second, an e-mail database is not just a blob of “mostly text”, it has a distinct structure, if key components of that structure have been corrupted it may no longer be properly recognized by the software accessing it, Thunderbird in this case. I don't know specifically how robust the file format used by Thunderbird is, but generally speaking, for any type of remotely complex file, if the header has been overwritten it does not sound good. Third, a large database file which is regularly modified will almost certainly be fragmented, possibly massively fragmented (hundreds or thousands of fragments all over the place). In which case the odds of successful recovery by means of raw file carving are very low. Fourth, something as important as an e-mail database should be backed up at least weekly if not daily.
If you were wise enough to do a complete image of the partition where that humongous file was located right after it happened, it may still be possible to do a custom analysis of the MFT records pertaining to that file. It would have been interesting to see what R-Studio displayed in the “Sectors” tab of its hexadecimal analyser. I once [url=https://superuser.com/questions/1267818/rebuild-massively-fragmented-files-with-a-partial-image-and-a-list-of-their-sect]did something very convoluted[/url], using ddrescue, to recover a bunch of massively fragmented files, in a situation where I had made a partial image containing all the sectors occupied by those files (except the unreadable ones), and an incomplete MFT, and a list of those files' clusters, while the drive's condition had declined to the point where it was no longer possible to complete the image in order to get the whole MFT. I had obtained the list of sectors / clusters with Recuva, HD Sentinel and nfi, when the drive was still operational ; R-Studio can display the list of sectors occupied by a file, but, unless it's been added in a recent update, it offers no way of exporting the complete list for further purposes (only one value at a time can be copied with CTRL+C which is not practical at all).