On 10 October 2012 12:06, Lorenzo Sutton <lorenzofsut...@gmail.com> wrote:
> On 10/10/12 10:34, Gollum1 wrote:
> It would be useful to have an example of one positive and one negative output line.

I am attaching two outputs of the ntfsundelete command, run on another disk I have in this machine; the situation is identical. I extracted a small set of files, taking into account the declared recovery percentage and those flags in the second column (I still have to look up what they mean, but I suspect that F indicates files and D directories, for a start)... Of course I cannot get the complete directory structure, but it could already be a good start...

I don't think the scan is done sequentially, such that the files following a directory are actually inside it; I believe instead that the ordering is by inode.

Byez
--
Gollum1
Preciousss, where is my preciousss...

Inode Flags %age Date Size Filename
---------------------------------------------------------------
File has no data streams.
MFT Record 16
Type: File
Date: 1970-01-01 01:00
Metadata may span more than one MFT record
Data Streams:
________________________________________
File is resident, therefore recoverable.
File is 100% recoverable
MFT Record 493
Type: File
Date: 2012-08-09 18:06
Filename: (2) ETWRTE~2.ETL
File Flags: <none>
Parent: RtBackup
Size alloc: 0
Size data: 0
Date C: 2012-08-09 18:06
Date A: 2012-08-09 18:06
Date M: 2012-08-09 18:06
Date R: 2012-08-09 18:06
Filename: (1) EtwRTEventLog-Application.etl
File Flags: <none>
Parent: RtBackup
Size alloc: 0
Size data: 0
Date C: 2012-08-09 18:06
Date A: 2012-08-09 18:06
Date M: 2012-08-09 18:06
Date R: 2012-08-09 18:06
Data Streams:
Name: <unnamed>
Flags: Resident
Size alloc: 0
Size data: 0
Size init: 0
Size vcn: 0
Data runs: None
Amount potentially recoverable 100%
________________________________________
File has an empty runlist, hence no data.
File is 0% recoverable
MFT Record 26343
Type: File
Date: 1970-01-01 01:00
Metadata may span more than one MFT record
Data Streams:
Name: <unnamed>
Flags: None
Size alloc: 0
Size data: 0
Size init: 0
Size vcn: 0
Data runs: None
Amount potentially recoverable 0%
________________________________________
MFT Record 42598
Type: Directory
Date: 2012-08-09 18:08
Filename: (2) USGTHR~1
File Flags: <none>
Parent: Temp
Size alloc: 0
Size data: 0
Date C: 2012-08-09 18:08
Date A: 2012-08-09 18:08
Date M: 2012-08-09 18:08
Date R: 2012-08-09 18:08
Filename: (1) usgthrsvc
File Flags: <none>
Parent: Temp
Size alloc: 0
Size data: 0
Date C: 2012-08-09 18:08
Date A: 2012-08-09 18:08
Date M: 2012-08-09 18:08
Date R: 2012-08-09 18:08
Data Streams:
________________________________________
File is 100% recoverable
MFT Record 68075
Type: File
Date: 2012-08-10 11:00
Filename: (2) AVEVTD~1.DBE
File Flags: <none>
Parent: EVENTDB
Size alloc: 0
Size data: 0
Date C: 2012-08-10 11:00
Date A: 2012-08-10 11:00
Date M: 2012-08-10 11:00
Date R: 2012-08-10 11:00
Filename: (1) avevtdb.dbe-journal
File Flags: <none>
Parent: EVENTDB
Size alloc: 0
Size data: 0
Date C: 2012-08-10 11:00
Date A: 2012-08-10 11:00
Date M: 2012-08-10 11:00
Date R: 2012-08-10 11:00
Data Streams:
Name: <unnamed>
Flags: None
Size alloc: 4096
Size data: 2576
Size init: 2576
Size vcn: 1
Data runs: 1 @ 631328
Amount potentially recoverable 100%
________________________________________
File is 0% recoverable
MFT Record 72127
Type: File
Date: 2012-02-03 16:35
Filename: (2) CFPCON~4.LAN
File Flags: <none>
Parent: TEMPFI~1
Size alloc: 0
Size data: 0
Date C: 2012-08-10 10:43
Date A: 2012-08-10 10:43
Date M: 2012-08-10 10:43
Date R: 2012-08-10 10:43
Filename: (1) cfpconfg.chinese.lang
File Flags: <none>
Parent: TempFiles
Size alloc: 0
Size data: 0
Date C: 2012-08-10 10:43
Date A: 2012-08-10 10:43
Date M: 2012-08-10 10:43
Date R: 2012-08-10 10:43
Data Streams:
Name: <unnamed>
Flags: None
Size alloc: 28672
Size data: 25976
Size init: 25976
Size vcn: 7
Data runs: 7 @ 573741
Amount potentially recoverable 0%
________________________________________
File is resident, therefore recoverable.
File is 100% recoverable
MFT Record 132887
Type: File
Date: 2012-02-03 16:35
Filename: (2) CAVSHE~3.LAN
File Flags: <none>
Parent: TEMPFI~1
Size alloc: 0
Size data: 0
Date C: 2012-08-10 10:43
Date A: 2012-08-10 10:43
Date M: 2012-08-10 10:43
Date R: 2012-08-10 10:43
Filename: (1) cavshell.greek.lang
File Flags: <none>
Parent: TempFiles
Size alloc: 0
Size data: 0
Date C: 2012-08-10 10:43
Date A: 2012-08-10 10:43
Date M: 2012-08-10 10:43
Date R: 2012-08-10 10:43
Data Streams:
Name: <unnamed>
Flags: Resident
Size alloc: 0
Size data: 340
Size init: 0
Size vcn: 0
Data runs: None
Amount potentially recoverable 100%
________________________________________
MFT Record 193890
Type: Directory
Date: 1970-01-01 01:00
Metadata may span more than one MFT record
Filename: (1) a88203c5831df77ae060d14f2bd14310
File Flags: <none>
Parent: Download
Size alloc: 0
Size data: 0
Date C: 2012-07-30 22:16
Date A: 2012-07-30 22:16
Date M: 2012-07-30 22:16
Date R: 2012-07-30 22:16
Data Streams:
________________________________________
File is resident, therefore recoverable.
File is 100% recoverable
MFT Record 194816
Type: File
Date: 2012-02-23 15:17
Filename: (3) index11e.dat
File Flags: <none>
Parent: NativeImages_v4.0.30319_32
Size alloc: 0
Size data: 0
Date C: 2012-02-23 15:17
Date A: 2012-02-23 15:17
Date M: 2012-02-23 15:17
Date R: 2012-02-23 15:17
Data Streams:
Name: <unnamed>
Flags: Resident
Size alloc: 0
Size data: 0
Size init: 0
Size vcn: 0
Data runs: None
Amount potentially recoverable 100%
________________________________________
File has no data streams.
MFT Record 222974
Type: File
Date: 1970-01-01 01:00
Metadata may span more than one MFT record
Data Streams:
________________________________________
File has no data streams.
MFT Record 222975
Type: File
Date: 1970-01-01 01:00
Metadata may span more than one MFT record
Data Streams:
________________________________________
Files with potentially recoverable content: 1203

Inode    Flags  %age  Date         Size  Filename
---------------------------------------------------------------
16       F..!     0%  1970-01-01      0  <none>
493      FR..   100%  2012-08-09      0  EtwRTEventLog-Application.etl
26343    FN.!     0%  1970-01-01      0  <none>
42598    D...     0%  2012-08-09      0  usgthrsvc
68075    FN..   100%  2012-08-10   2576  avevtdb.dbe-journal
72127    FN..     0%  2012-02-03  25976  cfpconfg.chinese.lang
132887   FR..   100%  2012-02-03    340  cavshell.greek.lang
193890   D..!     0%  1970-01-01      0  a88203c5831df77ae060d14f2bd14310
194229   D...     0%  2012-07-31      0  locale
194816   FR..   100%  2012-02-23      0  index11e.dat
222974   F..!     0%  1970-01-01      0  <none>
222975   F..!     0%  1970-01-01      0  <none>

Files with potentially recoverable content: 1203
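
Added example, not part of the original message: a small Python parser for the ntfsundelete scan listing above that separates the "positive" rows (files with content reported as fully recoverable) from the "negative" ones. The flag meanings are an assumption inferred from the verbose records in this message; `parse_scan`, `triage` and `min_pct` are names made up for this example.

```python
import re
from typing import NamedTuple

# Rows copied from the scan listing in the message above.
SAMPLE = """\
Inode    Flags  %age  Date         Size  Filename
---------------------------------------------------------------
16       F..!     0%  1970-01-01      0  <none>
493      FR..   100%  2012-08-09      0  EtwRTEventLog-Application.etl
26343    FN.!     0%  1970-01-01      0  <none>
42598    D...     0%  2012-08-09      0  usgthrsvc
68075    FN..   100%  2012-08-10   2576  avevtdb.dbe-journal
72127    FN..     0%  2012-02-03  25976  cfpconfg.chinese.lang
132887   FR..   100%  2012-02-03    340  cavshell.greek.lang
193890   D..!     0%  1970-01-01      0  a88203c5831df77ae060d14f2bd14310
194229   D...     0%  2012-07-31      0  locale
194816   FR..   100%  2012-02-23      0  index11e.dat
222974   F..!     0%  1970-01-01      0  <none>
222975   F..!     0%  1970-01-01      0  <none>
Files with potentially recoverable content: 1203
"""

# Assumption read off the verbose records: flag 1 is F (file) or D (directory),
# flag 2 is R (resident) or N, flag 4 is '!' when metadata spans several records.
ROW = re.compile(r"^\s*(?P<inode>\d+)\s+(?P<flags>[FD][RN.].[!.])\s+(?P<pct>\d{1,3})%"
                 r"\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\s+(?P<name>.*\S)\s*$")

class Entry(NamedTuple):
    inode: int
    flags: str
    pct: int
    date: str
    size: int
    name: str

def parse_scan(text):
    """Return one Entry per data row; header, rule and summary lines do not match."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [Entry(int(m["inode"]), m["flags"], int(m["pct"]), m["date"],
                  int(m["size"]), m["name"]) for m in rows if m]

def triage(entries, min_pct=100):
    """Split file rows (directories dropped) into worth-recovering and the rest."""
    files = [e for e in entries if e.flags[0] == "F"]
    # A 100% row with size 0 has no content to get back, so it is not "good".
    good = [e for e in files if e.pct >= min_pct and e.size > 0]
    return good, [e for e in files if e not in good]
```

On the rows above, `triage(parse_scan(SAMPLE))` keeps inodes 68075 and 132887 and leaves the other seven file rows for review.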