Archive for the ‘Data Recovery’ Category

Recover data from a broken memory card

Saturday, April 19th, 2008

It’s really annoying when very important data is lost because of broken storage media. That night, a friend - a photographer - lost all of his data all of a sudden. They were the wedding photographs he had taken earlier. He used a Canon EOS 350D camera and a Transcend 1GB memory card.

Here is what we did to recover his lost data:

  1. First we have to determine the format of the files we’re going to recover. In this case, the files are mostly in ‘.jpg’ format. Estimating from the camera resolution, we assumed that each file is around 5 Mbytes, so the card contains about 200 image files. The photographer said it was around 185 files. He was telling the truth :)
  2. The requirements for this job were:
    • A computer with USB support
    • A card reader
    • Data recovery software
    • A drive with more available space than the size of the memory card we’re going to recover

     We prepared our ancient machine: an AMD 733 MHz with 128 MB of RAM, the MS Windows 2000 operating system and a LeTaec card reader. For software we used WinHex V12.5, a very powerful physical disk editor.
  3. Let’s get started. I was a little nervous, actually. We checked the memory card through Windows Explorer. Windows Explorer couldn’t recognize it, and even suggested that we format the card.
  4. We proceeded to try to recover any files on it. Clone the card first if you want to make a backup copy. We read the card physically using WinHex, and we made sure it was in ‘viewer’ mode.
  5. In the “Tools” menu click “Analyze Disk” to check the condition of the card. If the card is broken, it will let you know the location of the bad data. You can write it down to compare with the recovery result later. This analysis takes quite a while, but you’ll be able to compare the location of the bad data with the recovery result :-).
  6. You can skip step number 5, though, if you have no time. In the “Tools” menu choose the “Disk Tools” option, then click on “File recovery by type”. Notice the “Max. file size :” input. It’s the maximum size of each file we’re going to recover; we can enter 5Mb or 5000000 bytes, just as we estimated before. Make sure to check the “create sub folder for each file type” and “Ignore read errors (for physically damaged disks)” options, then click the “OK” button. You can then sit down and relax while waiting for the recovery process. Have a snack or a drink, just don’t consume something that gives you an adrenaline rush :).
  7. After that, you can find the recovered files in the destination folder of your choice. We successfully recovered 177 files in good condition and 9 broken files. Not bad for helping the career of our photographer friend :-) Then we compared the recovery result with the card analysis result. We could see that the card’s broken data was in the middle of the physical location. And that’s why it’s really important to back up your data before you lose it.
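
Recovery by file type is signature-based carving: the raw card is scanned for a file header and the file is cut out without any help from the damaged file system. The sketch below is an added example, not part of the original post and not WinHex's own code; it carves JPEGs by walking their segment structure (so the thumbnail embedded in the EXIF block does not end the file early), applies the same 5000000-byte cap, and marks files whose end cannot be found as broken. Function names and the sample bytes are constructed for illustration.

```python
import struct

SOI = b"\xff\xd8\xff"   # start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # end-of-image marker
MAX_SIZE = 5_000_000    # the value the post enters under "Max. file size"

def jpeg_length(buf, start, max_size=MAX_SIZE):
    """Length of the JPEG at `start`, or None if its structure is broken."""
    limit = min(len(buf), start + max_size)
    pos = start + 2                                  # step over FF D8
    while pos + 4 <= limit:
        marker = buf[pos + 1]
        (seg_len,) = struct.unpack(">H", buf[pos + 2:pos + 4])
        if buf[pos] != 0xFF or seg_len < 2:
            return None                              # damaged segment chain
        if marker == 0xDA:                           # SOS: compressed data follows
            end = buf.find(EOI, pos + 2 + seg_len, limit)
            return None if end == -1 else end + 2 - start
        pos += 2 + seg_len      # skip whole segment, incl. an EXIF thumbnail
    return None

def carve(buf, max_size=MAX_SIZE):
    """Return [(offset, data, intact)] for every JPEG header in a raw image."""
    found, pos = [], buf.find(SOI)
    while pos != -1:
        length = jpeg_length(buf, pos, max_size)
        nxt = buf.find(SOI, pos + (length or len(SOI)))
        if length is None:                           # keep what is readable
            stop = min(pos + max_size, len(buf), nxt if nxt != -1 else len(buf))
            found.append((pos, buf[pos:stop], False))
        else:
            found.append((pos, buf[pos:pos + length], True))
        pos = nxt
    return found

def _seg(marker, payload):
    """Build one JPEG segment: FF, marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample "card": one intact JPEG with an embedded thumbnail,
# zero-filled gaps standing in for unreadable sectors, one truncated JPEG.
THUMB = b"\xff\xd8" + _seg(0xDA, b"\x00") + b"tn" + EOI
GOOD = (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + THUMB)
        + _seg(0xDA, b"\x00") + b"scan-data" + EOI)
BROKEN = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(0xDA, b"\x00") + b"scan"
SAMPLE = b"\x00" * 512 + GOOD + b"\x00" * 100 + BROKEN + b"\x00" * 64

if __name__ == "__main__":
    for offset, data, intact in carve(SAMPLE):
        print(f"offset {offset}: {len(data)} bytes, {'ok' if intact else 'broken'}")
```

Run it against a clone of the card (step 4) rather than the card itself, and write each recovered `data` to a different drive.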

How to recover files from virus attack part 1

Saturday, April 19th, 2008

One day a friend came asking for our help. He uses the Microsoft Windows XP operating system. Suddenly lots of his files had become some sort of “.bmp” files. Those files could be viewed, but they were really not nice pictures. We thought it was some kind of virus attack. We started to plan a strategy.

  1. Get the newest update for the anti virus definition and database
  2. Recover infected files

First we must find out which processes/services are running on this machine. We can use the ‘tasklist’ and ‘services.msc’ commands for this.

We typed “tasklist” first at the command prompt.

C:\>tasklist

The screen displayed a suspicious service named “kspool.exe”. Next we ran “services.msc”.

C:\>services.msc

The result was the same. We tried to stop this service and … it started again automatically :). Then we checked the dependency of “kspool.exe”. Ooops, it’s used by ‘explorer.exe’.

To kill the ‘kspool.exe’ process we must kill its parent process first - that’s the ‘explorer.exe’ process. Using “CTRL+ALT+DEL” we killed the explorer process and then we proceeded to stop the kspool process. Everything worked fine after that.

File recovery could have been started at this point, but we thought that was not a good option. The virus was still there, so we had to erase it first. We started the explorer service again.

C:\>explorer

Using Windows Explorer we found ‘kspool.exe’ in the system32 folder. We deleted the file (but not before we copied it to our flash disk for later research ;).

With the virus erased, we proceeded to check the registry for keys containing the ‘kspool.exe’ string.

We found it in:
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

The description says “kernel spool”. That’s an old trick. We deleted it.

Time to recover lost or infected files. We recommend Recover My Files, DOC Regenerator for broken .DOC files, and XLS Regenerator for broken .XLS files. And again, don’t forget to update the anti virus definition and database.
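
The Run-key check described above can be repeated on any machine by saving the output of `reg query` for the two keys and scanning it for autorun entries that launch a given executable. This is an added example, not part of the original post; the sample output is constructed, and using “kernel spool” as the value name is an assumption made for the sample.

```python
import ntpath
import re

RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)}
# An indented value line: name, registry type, data (tabs or spaces between).
VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE.match(line)):
            yield key, m["name"], m["data"]

def image_name(command):
    """Lower-cased file name of the program an autorun command launches."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):                  # "C:\path with spaces\x.exe" /arg
        path = command[1:].split('"', 1)[0]
    else:                                        # C:\path\x.exe -arg
        m = re.match(r"(.+?\.exe)\b", command, re.I)
        path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def find_autoruns(text, wanted):
    """Return Run-key entries whose launched program is in `wanted`."""
    wanted = {w.lower() for w in wanted}
    return [(key, name, data) for key, name, data in parse_reg_query(text)
            if key.lower() in RUN_KEYS and image_name(data) in wanted]

# Constructed sample output for the two keys named in the post.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    kernel spool    REG_SZ    C:\WINDOWS\system32\kspool.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Example\update.exe" /background
    kernel spool    REG_SZ    C:\WINDOWS\System32\KSPOOL.EXE -s
"""

if __name__ == "__main__":
    for key, name, data in find_autoruns(SAMPLE, {"kspool.exe"}):
        print(f"{key}\n    {name} -> {data}")
```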