[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 147
  • Last Modified:

Can the restoration of hard drive data be made without a MS restore point?

Hi Experts,

Recently a staff member left our organisation and the laptop had the restore point removed. Also all the emails from his mailbox were permanently deleted.

I was wondering if anyone has come across any off the shelf software that could delve deep into the hard drive to restore the OST and other files from a previous date, about 2 months.

Or is this something that can only performed from a company with special forensic hardware/software?

Thanks in Advance,
0
Hec C
Asked:
Hec C
3 Solutions
 
ChopOMaticCommented:
You might try Shadow Explorer to look at any existing shadow volumes:

http://www.shadowexplorer.com/

You could also try RecoverMyFiles for recovery of deleted files. It lets you see exactly what it would recover before you pay for it.

All that said, do know that if this is a hard drive with potentially important evidence on it, any tinkering you do yourself alters that evidence and could render it inadmissible in future legal proceedings. If it's important and could turn into a legal case, don't be pennywise and pound-foolish. I see it all the time in DF cases.
0
 
btanExec ConsultantCommented:
can try to do a quick check on Volume Shadow Copies (turned on by default). VS services  monitors a volume for any changes to the data stored on it and will create backups only containing those changes. Tool like  Shadow Explorer program can show what if VSCs are available for a given mounted volume.
Another few are
 Testdisk to undelete files from an NTFS file system.
 Recuva that does undelete and deep scan as well
 PC Inspector that recover also other file types

Side note - May be good to check out audit trail of what the actions done so to focus on the "recovery" trails.  Exchange 2010 SP1 introduced "Auditing Mailbox Access", which allows administrators to record operations on a mailbox such as the deletion or copy of e-mails. You can find out here on the use in steps

also other such as restoring from an OST after Deleting the Mailbox
0
 
nobusCommented:
i found the best by far being getdataback : https://www.runtime.org/data-recovery-software.htm
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
btanExec ConsultantCommented:
there is also the systools suite for recovery and in particular for the OST recovery, it attempts to recover deleted OST Files http://www.systoolsgroup.com/ost-recovery.html
0
 
Hec CAuthor Commented:
Thanks for the feedback!!

Unfortunately Windows inbuilt Shadow Explorer was switched off so the option to recover previous versions was not available. Getdataback, RecoverMyFiles  and recuva did or could retrieve deleted data but they didn't give me the option to retrieve data from an OST file at an earlier restore point.

I will try systools OST recovery then reply back to this post.
0
 
btanExec ConsultantCommented:
actually if there is no OST file found from the undeleted recovery I doubt there may be such existence or the employee has purpose secure erase that. the systool work on OST file if it exist as far as I understand. Regardless, OST files can be recreated as long as the Exchange server and that user mailbox is intact. OST will also be unlike PST file in which the latter is used for archival and will be more valued compared to the former.
Just in case of interest to still search OST here is another (it also has others for PST etc) - http://www.nucleustechnologies.com/exchange-ost-recovery.html
0
 
Hec CAuthor Commented:
Hi again, apologies for the late feedback.

In the end I ended up getting quotes for a forensic restore to retrieve the ost file as it does appear that the employee did purposely remove the file as OST recovery did not work for me.  I sent the quotes to the boss to retrieve the data, which may not have had what he is after, would not have been worth it.  

There are definitely some good products out there, we just have to tighten up on exchange backup procedures.

thanks again!
0
 
Hec CAuthor Commented:
Although I was unable to retrieve the data the information provided was very helpful in researching my options and then taking the necessary steps to move forward.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now