Backups usually help…

May 4th, 2009 | Categories: Hardware, Software

So last Friday (May 1st, 2009) I was asked at work to upgrade the hard drive in the CEO's laptop. Alright, no problem, we go to the closest store and pick up a new two hundred and fifty gigabyte hard drive to put in the laptop. I get the new drive and decide to make sure the old drive has no errors before I image the disk over.

I run the usual Windows `chkdsk` commands and it finds some stuff and fixes it quickly. I put the new drive on a small external USB adapter and throw in the TRK Rescue disc to run a `dd` on the drive. The program completes, and I put the new drive into the system. The new drive boots up and all is fine. I can resize the partition later when I have more time.

A little later I get a phone call saying that there are no folders in the CEO's Outlook Pane. “Alright.” So I walk up and take a look, sure enough no folders under the six PST files that were mounted from the local hard disk. I close the Personal Folders and then remount them in Outlook. Nothing. “Alright…”

So I browse to the My Documents folder where the files are kept and I search around. I find the six PST files. Looking over them, file size: 0 bytes. Yeah, zero bytes. Three of these files were over two gigabytes (2GB) and the other three were in the range of eight hundred megabytes (800MB). Now, we have a problem.

I come to find out that the `chkdsk` run found something wrong with these large files and marked them as zero bytes in the file table on the drive.

So I quickly take the original hard disk down to my system here and throw it on the USB adapter and start running a simple undelete utility on the files. It finds them, but still as zero bytes, and only restores a zero byte file. Now we have a larger problem. So I start searching around the Internet for some utilities that will scan the disk and reconstruct the damaged or missing PST files.

I come to find a program called Office Recovery by DiskInternals. The program installed, and I had it scan the disk. This took forever on my little machine but after many hours found the parts and displayed them to me. I was able to save the mail to a PST file on my primary hard disk. But still a problem, all of the new messages had their times erased and most of the messages have the `From:` field replaced with their Exchange counterparts /O= and /OU= stuff.

I need to recover the files themselves, not the contents. So a little more searching and reading up and I find out that a program I found a long time back can help. So I installed X-Ways Forensics, and had it scan the external disk. Following some bits and pieces of information around the Internet I was able to do a File Recovery by Type. This scans the entire disk for any files with the particular header; looking for PST files, you need to search for the header `!BDN`, in hex of course. It found the files, so I told it to grab four gigabytes (4GB) of data starting from the beginning of each PST file. This of course pulls tons of useless data with it, but does get the information that we need.

I then had six four gigabyte PST files sitting on my primary disk. Alright, let's try this. I loaded Outlook and File -> Open -> Personal Folder, I selected the first of the PST files and clicked OK. Nope! Outlook threw out some horrible errors and told me to fix the corrupt file. But for once… Just once, it told me how to do this. I then located `scanpst.exe` which comes with Office and using the utility chose to fix one file at a time. This reduced the file size to an acceptable level and I was able to import them into Outlook successfully. Once in Outlook, I created a new Personal Folder and moved the contents into the new folders so I was sure they would not be corrupt. After working on this for eight hours, I decided that was probably the best I was going to do, and the most data I was going to be able to recover.
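The header search described above can be made stricter by reading the file size that the PST header itself declares, instead of always taking 4GB. This is an added example, not code from the original post or from X-Ways; the field offsets (`wMagicClient` at 8, `wVer` at 10, `ibFileEof` at 168 for ANSI and 184 for Unicode files) follow Microsoft's published [MS-PST] format, and the function names and the sample image are constructed for illustration.

```python
import io
import struct

MAGIC, CLIENT_MAGIC = b"!BDN", b"SM"  # dwMagic at offset 0; wMagicClient at 8 ("SM" = PST)
HEADER_LEN, SECTOR = 192, 512         # bytes needed to reach ibFileEof; scan alignment

def parse_pst_header(buf):
    """Return (format, declared_size) if buf starts with a PST header, else None."""
    if len(buf) < HEADER_LEN or buf[:4] != MAGIC or buf[8:10] != CLIENT_MAGIC:
        return None
    (ver,) = struct.unpack_from("<H", buf, 10)       # wVer
    if ver in (14, 15):                              # ANSI: 32-bit ibFileEof at 168
        return "ansi", struct.unpack_from("<I", buf, 168)[0]
    if ver >= 23:                                    # Unicode: 64-bit ibFileEof at 184
        return "unicode", struct.unpack_from("<Q", buf, 184)[0]
    return None

def find_pst_candidates(image, fallback_len=4 * 1024**3, block=1 << 20):
    """Scan a raw image at sector boundaries; return [(offset, format, carve_len)]."""
    size = image.seek(0, 2)
    hits = []
    for base in range(0, size, block):               # block must be a multiple of SECTOR
        image.seek(base)
        data = image.read(block)
        for rel in range(0, len(data), SECTOR):
            parsed = parse_pst_header(data[rel:rel + HEADER_LEN])
            if parsed is None:
                continue                             # no header here, or not a PST
            fmt, eof = parsed
            left = size - (base + rel)
            length = eof if 0 < eof <= left else min(fallback_len, left)  # else over-carve
            hits.append((base + rel, fmt, length))
    return hits

def carve(image, offset, length, out, chunk=1 << 20):
    """Copy up to length bytes from image[offset:] into out; return bytes written."""
    image.seek(offset)
    written = 0
    while written < length and (piece := image.read(min(chunk, length - written))):
        written += out.write(piece)
    return written

def constructed_image():
    """Constructed sample: filler sectors with a 1024-byte Unicode PST stub at sector 3."""
    img = bytearray(b"\xAA" * (8 * SECTOR))
    img[1536:1540], img[1544:1546] = MAGIC, CLIENT_MAGIC
    struct.pack_into("<H", img, 1536 + 10, 23)       # wVer: Unicode
    struct.pack_into("<Q", img, 1536 + 184, 1024)    # ibFileEof: 1024 bytes
    return io.BytesIO(bytes(img))
```

Run it against a read-only image of the disk, never the original drive. A contiguous carve only yields a usable file when the PST was not fragmented, and the output still needs a pass through `scanpst.exe`.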

This morning I put them back on to the CEO's laptop and for now she is happy. But this entire problem would not have been so huge if we were allowed to make backups. We have on many occasions, multiple times a month gone up with external drives and blank DVDs to help back stuff up, and we are never given time to do so. She does not want her data stored on the multi-thousand dollar SAN we have set up for such things.

How do you tell the CEO to use the technology we have for the company to store data, that is protected for her access only and strictly monitored? You want data protection and backups and security, yet will not allow us to back it up, blow off I.T when we want to help you back up from your local machine.

Either way, this could have had a much worse outcome, I think she will let us take backups and give I.T the time it needs to do so as well.

  1. Chad
    June 10th, 2009 at 05:01

    You should see if you can get her to sponsor a corporate e-mail retention policy. .PST’s are the spawn of Satan…

    The only down side to your effort is now you are expected to be able to recover anything from all kinds of other systems that you are not given the time or resources to back up.

  2. June 10th, 2009 at 08:26

    @Chad
    I completely agree with you on this one, and I know the day will come.

  3. Andrew
    July 9th, 2009 at 10:30

    Well, now you have quite a good example of a situation that could have gone horribly wrong. Try and reason with her that the SAN exists for a reason and those agonizing few hours of no email could have been alleviated if you had done so…

  4. Hassan
    July 14th, 2009 at 07:53

    DiskInternals software found the mails.. but it wouldn’t recover unless I purchase the software..

    Do you know any other freeware software that can do the job?

  5. July 14th, 2009 at 12:16

    @Hassan
    You might want to try SourceForge and see if any of the open source projects can help you. I had the company purchase any of the software that I needed, and this of course does not apply to all.

  6. Hassan
    July 15th, 2009 at 03:44

    @Zharvek
    I will try it…

    @All
    I liked the concept of File Recovery by Type.. but the thing is.. my PST file is already without Header.. it's a zero byte file.. I tried to WinHex it.. but I can see that all the bytes are already Zero???

  7. July 15th, 2009 at 10:14

    This is almost the same problem I had here. I used a program called ‘X-Ways Forensics’. There is a file scraping feature in the software to pull together the data. You most likely cannot afford it, but if you look in the right place. To find it. I’m not giving suggestions, but in a quick situation, maybe searching some P2P networks. But you're on your own here. I don’t wish to promote piracy via my website.

  8. Hassan
    July 16th, 2009 at 04:59

    Don't worry Zharvek.. this program I already have since ever.. I have it found a lot of the header and I pulled all the data.. but still scanpst.exe couldn't fix those extracted PST files

  9. shrieksss
    February 24th, 2010 at 06:42

    0 Byte PST after SCANPST and CHKDSK

    Hello,

    I lost my pst file of approx 1GB size containing important official mails of 4 month period. I have been taking backup once in a while, but for this period I did not have backup.

    I used to store all my PSTs in a USB HDD drive, so that I could use Outlook 2007 both from Office Laptop and Home Laptop, by plugging the HDD to respective laptops, HDD being lighter and easier to carry around. Both laptops run Windows XP SP2.

    On one occasion however, what probably happened was that while logged into Outlook, I put the laptop in Hibernate mode (not shutdown), and then inadvertently pulled out the HDD.

    On next login I got an outlook error about PST being corrupted (don’t recall the exact message) and outlook recommended that I run Inbox Repair Tool (scanpst.exe).

    I ran scanpst.exe, but it could not repair the Inbox. Scanpst.exe created a logfile in the same folder as the pst folder, which I have appended below.

    After this, Scanpst recommended that I run CHKDSK. Here is when I made blunder of not taking a backup of the corrupted pst, before running chkdsk.

    After running chkdsk (following the sequence – My Computer>Properties>Tools>Checknow), to my horror, I found that pst file was reduced to 0 bytes.

    Immediately after this mishap, I made sure not to write anything at all on this external USB HDD, and other than one 0 byte pst file, condition of the rest of the file system and physical condition of the HDD is excellent.

    The size of the HDD is about 80 GB and about 40% is free space. For fear of overwriting, I did not analyze the fragmentation condition of the HDD. But since the PST file is about 1GB in size, it may be fragmented.

    I tried to run a variety of (at least 3-4) types of recovery softwares including file signature verification types of software, but they failed to recover the mails in the pst file in question, as the softwares usually came up with 0 bytes pst only. (It seems that a deleted file is easier to recover than recovering the mails data in a pst file which is not deleted, but has 0 bytes)

    Can you provide more detailed do-it-yourself detailed instructions and how to recover the mails in 0 byte pst file using X-ways Forensics or other software?

    Scanpst log file content>>>>

    Microsoft (R) Inbox Repair Tool
    Copyright (C) Microsoft Corp 1995-1996. All rights reserved.

    **Beginning NDB recovery

    **Attempting to open database

    **Attempting to validate header

    !!End-of-file less than actual (read=44A94400, actual=448A4400)

    **Attempting to validate AMap

    !!AMap page @1124008960: CRC mismatch (read 4CCC649C, computed 666C1A77)
    !!AMap page @1124008960: Sig mismatch (read 89C9, computed 0000)
    !!AMap page @1124008960: PTYPE mismatch (read E7, expected 84)
    !!AMap page @1124008960: PTYPE does not repeat (E7/45)
    !!AMap page @1124008960: BID mismatch (read F609C89C945604C, expected 42FF0400)

    !!AMap page @1124262912: CRC mismatch (read 00000000, computed 29560247)
    !!AMap page @1124262912: PTYPE mismatch (read 00, expected 84)
    !!AMap page @1124262912: BID mismatch (read 0, expected 4302E400)

    !!AMap page @1124516864: Sig mismatch (read 62F2, computed 0000)
    !!AMap page @1124516864: PTYPE mismatch (read 80, expected 84)
    !!AMap page @1124516864: BID mismatch (read 7E89BA, expected 4306C400)

    !!AMap page @1124770816: CRC mismatch (read BF473D63, computed 0FA233F1)
    !!AMap page @1124770816: Sig mismatch (read 0F4C, computed 0000)
    !!AMap page @1124770816: PTYPE mismatch (read E5, expected 84)
    !!AMap page @1124770816: PTYPE does not repeat (E5/E2)
    !!AMap page @1124770816: BID mismatch (read C0D2673588AE5DEC, expected 430AA400)

  10. February 24th, 2010 at 11:11

    @shrieksss
    First try getting a trial of Office Recovery by DiskInternals. See if that helps, I used it and it helped a little.

    You might need some more advanced tools if this cannot find anything.

  11. shrieksss
    February 24th, 2010 at 19:41

    Zharvek,

    After reading about your success in retrieving the pst files of your CEO, I did try the trial version of Diskinternals. There was some recovery of my lost mails but it was only around 5%. Can you provide the steps that you followed to use X-Ways Forensics for recovery or any other method?

  12. February 25th, 2010 at 10:38

    @shrieksss
    Being honest, I don’t know the exact steps I did, but it was searching for all files that had the .pst extension, and scanning all data from that location +4GB into a file (lots of trash as well) and then using the Microsoft PST Tool to scan that file and pull out any data it found as being part of the PST file. Something with the Disk menu, and scan disk or something. I would need to find a machine with the software for exact steps.

  13. shrieksss
    February 25th, 2010 at 23:11

    Zharvek,
    Thanks for your help. Let me know if you are able to throw any additional light.
