Known File Type(s) for Apple Mail message files

[nigelh]

Long story short: a little known Mac OS X 'dis-feature' caused a large number of messages to be deleted from an Inbox sub-folder. (FTR, the whole Inbox sub-folder gets deleted if you remove a POP account from Prefs and the message files it contained do NOT get put into the Deleted Files mailbox, nor even the system trash - they're simply gone! )

Anyway, I've been trying out various utilities' deleted file recovery functions and R-TT is, IIRC, the fourth or fifth that I'm trying. All others have failed to find ANYTHING at all. I do find it hard to believe that around 1500 files can all have been overwritten, considering that I powered the system off within a couple of minutes at most - didn't even shut it down, just pulled the plug as soon as I realised what was happening! It does seem that some, even most, utilities for such deleted file recovery can be, shall we say, not very reliable, but based on experience, it does seem that R-TT shows a lot of promise.

So, now my question. I understand that R-TT is still undergoing some development, but it's unfortunate (for me) that the standard Known File Types do not include an entry for Apple Mail message files (extension .emlx). I'm familiar enough with XML to be comfortable with writing the necessary entry, but I'm a little bit lost when it comes to devising the "signature(s)" to be used. I understand the principle well enough, but it does seem to me that many of the fields that could be used as identifying signatures in an e-mail message file would arise at varying offsets, and the definition given for the Known File Types XML files doesn't seem to allow for this. Also, what coding should be added to the signature definitions to allow for message files that contain attachments, which themselves could be image files, sound files, or documents of one form or another. I'm guessing that one would use signatures that look for the MIME tags, but the definition says that only files that match ALL signature entries will be matched, so that suggests I need two separate definitions: one for mails without attachments and the other for those with attachments. Is that right? Ah, but then, what about mails that have more than one attachment?

Any guidance on these questions will be very gratefully received! Not surprisingly, this is quite an urgent issue as the system in question is currently running in Firewire Target mode, to protect against loss of what would otherwise be recoverable data, and so it's out of normal action. I'd like to get it back into action for next week, when normal business resumes at 9am on Monday, if at all possible. I've already decided that if R-TT ends up not being able to recover anything, we're going to have to give up and accept the loss of these files (well, at least, all the mail received since the last system backup, but as that was a few days over the Christmas break, it's still quite a lot of files, including numerous messages that won't even have been read, never mind answered!

Sorry for the lengthy post - but thanks, in advance, for any help anyone can offer!

Oh, and Happy New Year!!!

Nigel

[nigelh]

Supplementary question:

In the R-TT manual for R-Studio for Mac, starting at the bottom of page 30, it says:

"Digital file type identifier. Should be unique for each file type."

However, I can't find anywhere a list of the IDs used for the 'built-in' file types, so how do I know which unique ID(s) are available for me to use in my own custom file types?

[Alt]

Well, the last question is easy to answer. Don't bother with the 'built-in' file types. You will not be able to cross over them, even if you want.

[nigelh]

Well, the last question is easy to answer. Don't bother with the 'built-in' file types. You will not be able to cross over them, even if you want.

Sorry, it's not entirely clear to me what you mean. Are you saying there can be no conflict with the built in File Types? So the user defined File Types just have to have IDs that are different to each other? If that's the case, then should the File Type I've defined appear in the Known File Types list when I start a scan (so it can be selected)? If so, then I have another problem, because it doesn't!

FTR, here's the entry I've written:

<?xml version="1.0" encoding="utf-8"?>
<FileTypeList>
<!-- Search for Apple Mail message files .emlx -->
<FileType id="9193" group="Internet related files" description="Apple Mail Messages" features="TXT_ANSI TXT_UNICODE" extension="emlx">
<Signature offset="0" from="begin" count="9" size="1">123456789</Signature>
<Signature offset="1" from="begin" count="10" size="1">1234567890</Signature>
<Signature offset="17" from="end" count="1" size="8"></dict>\x0D</Signature>
<Signature offset="9" from="end" count="1" size="9"></plist>\x0D</Signature>
</FileType>
</FileTypeList>

Should it appear in the list, even if there might be an error or two in that?

[Alt]

We are tryig to find a solution for you, but that appeared not so easy. The problem is in the way Mac OS deletes files that are not destined to Trash bin. (R-Studio Help -> Technical Information and Troubleshooting -> Data Recovery on HFS/HFS+ File System).
Meanwhile I recommend you to create an image of the disk drive, if you are still planning to recover files. You will though have to use a hard drive slightly larger than the source disk (R-Studio Help -> Data Recovery Using R-Studio -> Advanced Data Recovery -> Disk Scan). Then you will be able to work with the image rather than the hard drive and bring the system back to the operating mode.
Yes, if you select a unique ID for each custom File Type, that is enough.
Yes, the custom File Type should appear in the Known File Types under its group, for your case in Internet related files under the name Apple Mail Messages. If R-Studio treats it as incorrect, the name will be in italic font and you will not be able to select it.
The file should appear in the place specified on Settings - Main.
Unfortunately I don't have a Mac system right now and will be able to go through the problem more thorougly on Monday.

[nigelh]

We are tryig to find a solution for you, but that appeared not so easy. The problem is in the way Mac OS deletes files that are not destined to Trash bin. (R-Studio Help -> Technical Information and Troubleshooting -> Data Recovery on HFS/HFS+ File System).

Yes, I understand the problem.....

Meanwhile I recommend you to create an image of the disk drive, if you are still planning to recover files. You will though have to use a hard drive slightly larger than the source disk (R-Studio Help -> Data Recovery Using R-Studio -> Advanced Data Recovery -> Disk Scan). Then you will be able to work with the image rather than the hard drive and bring the system back to the operating mode.

I will look into doing that, though I am not sure if I have enough free space on another drive to do this - maybe if I clean out some unwanted files.....

Yes, if you select a unique ID for each custom File Type, that is enough.
Yes, the custom File Type should appear in the Known File Types under its group, for your case in Internet related files under the name Apple Mail Messages. If R-Studio treats it as incorrect, the name will be in italic font and you will not be able to select it.
The file should appear in the place specified on Settings - Main.

No, it's not appearing in the list at all, even if I fully quit and restart R-Studio. But yes, the file I have created is in the location specified in Settings - Main: /Users/nigelh/R-Studio/FileTypes.

Unfortunately I don't have a Mac system right now and will be able to go through the problem more thorougly on Monday.

I very much appreciate your help with this. And as I wasn't really expecting anyone to respond before Monday, I have no complaints! So, I will wait for further advice from you next week.

Many thanks,
Nigel

[Alt]

I wrote a wrong thing when providing a reference to the help chapter on image creation. In fact you need to read Images rather than Scan. Please note that the Scan info file mentioned on the Scan help page has nothing to do with image files. A Scan info file stores information on data structure, not the data themselves. You need to create an image file. Sorry for the mistake.

[nigelh]

I wrote a wrong thing when providing a reference to the help chapter on image creation. In fact you need to read Images rather than Scan. Please note that the Scan info file mentioned on the Scan help page has nothing to do with image files. A Scan info file stores information on data structure, not the data themselves. You need to create an image file. Sorry for the mistake.

Ah, right - but it's OK, I knew what you meant and didn't actually spot your error anyway! No harm done, therefore.

Nigel

[nigelh]

Disk Utility finally finished creating the disk image - took it almost 36 hours. Even though I was using Firewire 800 connections, the process was only reading and writing data at around 2 MBps. I'm really not sure why, as I was expecting the process to be simply copying blocks from source to target, with no intermediate processing being necessary (other than data I/O), as I made an image that is read-only (that is, specifically, NOT compressed) and not encrypted.

Somehow, the image file is only 215.18 GB on the target disk, although when the image is mounted, it does show the same total capacity (232.57 GB), content and free space as the source disk partition. I'm a little bit puzzled about how an image file manages to contain 232 GB into a file of 215 GB, 'saving' 17+ GB, without using compression! I'm guessing there's an overhead (journalling data?) that's not copied to the image somehow, thus saving that space?

I recall that you also earlier thought that I would need a drive (or drive space) slightly larger than the original source disk partition, but this now seems not to be so (at least, not in this case).

Anyway, I'm keen to try out R-Studio again on this disk image, when you have been able to find answers to my queries concerning the custom file Type definition for the Apple Mail messages, so I look forward to hearing further from you soon.

Thanks again
Nigel

[nigelh]

Hi,

I'm just wondering if you have any further news yet on my queries, particularly those concerning the user-defined Known File Type? The XML code I supplied earlier is still not showing up in the list when I run a scan (in italics or otherwise). I'd be very grateful if you would let me know as soon as possible, whether or not you can resolve this issue.

Best regards
Nigel