
Anyway, I've been trying out various utilities' deleted file recovery functions and R-TT is, IIRC, the fourth or fifth that I'm trying. All others have failed to find ANYTHING at all. I do find it hard to believe that around 1500 files can all have been overwritten, considering that I powered the system off within a couple of minutes at most - didn't even shut it down, just pulled the plug as soon as I realised what was happening! It does seem that some, even most, utilities for such deleted file recovery can be, shall we say, not very reliable, but based on experience, it does seem that R-TT shows a lot of promise.
So, now my question. I understand that R-TT is still undergoing some development, but it's unfortunate (for me) that the standard Known File Types do not include an entry for Apple Mail message files (extension .emlx). I'm familiar enough with XML to be comfortable with writing the necessary entry, but I'm a little bit lost when it comes to devising the "signature(s)" to be used. I understand the principle well enough, but it does seem to me that many of the fields that could be used as identifying signatures in an e-mail message file would arise at varying offsets, and the definition given for the Known File Types XML files doesn't seem to allow for this. Also, what coding should be added to the signature definitions to allow for message files that contain attachments, which themselves could be image files, sound files, or documents of one form or another. I'm guessing that one would use signatures that look for the MIME tags, but the definition says that only files that match ALL signature entries will be matched, so that suggests I need two separate definitions: one for mails without attachments and the other for those with attachments. Is that right? Ah, but then, what about mails that have more than one attachment?

Any guidance on these questions will be very gratefully received! Not surprisingly, this is quite an urgent issue as the system in question is currently running in Firewire Target mode, to protect against loss of what would otherwise be recoverable data, and so it's out of normal action. I'd like to get it back into action for next week, when normal business resumes at 9am on Monday, if at all possible. I've already decided that if R-TT ends up not being able to recover anything, we're going to have to give up and accept the loss of these files (well, at least, all the mail received since the last system backup, but as that was a few days over the Christmas break, it's still quite a lot of files, including numerous messages that won't even have been read, never mind answered!
Sorry for the lengthy post - but thanks, in advance, for any help anyone can offer!
Oh, and Happy New Year!!!
Nigel