Page 2 of 2

Re: Beware of Windows 7 when recovering data!

Posted: Tue Oct 21, 2014 8:55 pm
by QuattroDK
I made it best practice here always to use the RSEmergencyGUI CD when recovering windows disks. :idea:
It's not only this Win 7 issue, it is also the system volume information being filled with some info from my windows installation. So if there is any data lost/deleted this alone may ruin your chances for a good recovery. :oops:
--
:ugeek: Alternative - the even better prattice - is to use a read-only device for the client disk - now as USB 3.0 has arrived the speed loss of former days USB 1 or 2 connected disks has gone. AND the devices has become cheaper - I see then at some 60$ where before they were at +250$ (forensic "class")

Re: Beware of Windows 7 when recovering data!

Posted: Wed Oct 22, 2014 6:40 am
by Alt
Linux systems are good for that, too.

Re: Beware of Windows 7 when recovering data!

Posted: Tue May 10, 2016 12:56 pm
by Data-Medics
If you want to deactivate a drive so Windows won't make any changes all you have to do is deactivate the MBR by changing the last two characters in sector 0 from AA to BB. Then Windows will completely ignore the disk. R-Studio on the other hand will have no issue, as it ignores this change. It's a small feature that some of us have requested to be added into R-Studio in the past, but is easy enough to manually do it.

Re: Beware of Windows 7 when recovering data!

Posted: Sun Apr 28, 2019 4:41 am
by coctailrob
I find its best to disable automounting of drives for any machine that is being used for data recovery.
This way it not only prevents Windows from writing to the drive, it also stops it trying to read bad drives which can cause severe slowdowns for drives with bad sectors.
https://www.tenforums.com/tutorials/117 ... ndows.html
Briefly:
1. Open an elevated command prompt.
2. Type diskpart into the elevated command prompt, and press Enter. (see screenshot below)
3. Type automount disable into the elevated command prompt, and press Enter
Of course it means you have to go into diskmanagement to assign drive letters to any drives you do want mounted, for example external drives, but I find that is a small price to pay.

Re: Beware of Windows 7 when recovering data!

Posted: Sun Apr 28, 2019 1:15 pm
by Alt
coctailrob wrote:
Sun Apr 28, 2019 4:41 am
I find its best to disable automounting of drives for any machine that is being used for data recovery.
Thanks for a good advice!

Re: Beware of Windows 7 when recovering data!

Posted: Tue Jun 18, 2019 2:34 pm
by max
Alt wrote:
Mon Mar 01, 2010 8:21 am
Windows 7 can severely undermine successful data recovery after a quick format by extending an empty MFT file to 256KB and effectively killing the information about 229 records of previously stored user's files. Moreover, it may quietly extend the MFT file to 256KB when a fresh disk formatted by XP or Vista is connected to a Windows 7 system.
More information.
@Alt, does it also happens using Windows 10?

Re: Beware of Windows 7 when recovering data!

Posted: Tue Jun 18, 2019 3:22 pm
by Alt
max wrote:
Tue Jun 18, 2019 2:34 pm
@Alt, does it also happens using Windows 10?
Yes, that's necessary for larger disks.

Re: Beware of Windows 7 when recovering data!

Posted: Wed Jun 19, 2019 8:27 am
by max
Alt wrote:
Tue Jun 18, 2019 3:22 pm
max wrote:
Tue Jun 18, 2019 2:34 pm
@Alt, does it also happens using Windows 10?
Yes, that's necessary for larger disks.
What about Windows 10 NTFS formatted disk after quick format using same Windows 10 NTFS partition? Would be possible to recover 100% files if no file has been written on disk after quick format? Or this is not possible to tell unless testing?

Re: Beware of Windows 7 when recovering data!

Posted: Wed Jun 19, 2019 1:15 pm
by Alt
max wrote:
Wed Jun 19, 2019 8:27 am
What about Windows 10 NTFS formatted disk after quick format using same Windows 10 NTFS partition? Would be possible to recover 100% files if no file has been written on disk after quick format? Or this is not possible to tell unless testing?
I'm afraid... Sure not 100%. Unfragmented files will be raw, that is, without their names and other attributes. Fragmented files will be either lost or recovered only partially.