Deep 2
With a signature-and-size .wps profile in hand, let's take a crack at another Deep Scan + Find Lost Files + Scan Custom List of the D:\ volume in hopes of rescuing at least some of those pre-CTB-Locker My Documents\ .wps files.
I click the button. As for deep scan #1, deep scan #2 takes about 20 minutes and finds 8,097 deleted files. Using a Tree View, a *.wps filter returns 128 .wps files that are linked to a ???\ directory, and every single one of them is in "good" condition - ah, that's more like it!
I recover all of the .wps files as they don't give image-type previews. I check the wps checkbox, click the button, and select the Recover with Folder Structure option in the menu that drops down:
Up pops a Browse for Folder window with a Select Destination Folder menu.
I select the C:\ volume in order to not overwrite anything on the D:\ volume. Clicking the button starts the recovery process, which takes about 10 minutes (remember, we're talking >1,000,000 KB here).
At this point we have a C:\Undefined\wps\ folder containing our recovered files; had we chosen the Just Recover option, the individual files would have been loaded into the top level of the C:\ volume (C:\0000007.wps, C:\0000008.wps, etc.), which would be OK for a small number of files but inconvenient for 128 files.
I go through the files one by one to see what's there; 104 of them are intact content-wise.
(i) 98 of them belong to the original set of .wps files.
(ii) 6 of them are actually .xlr files, i.e., they are obviously spreadsheets and they smoothly open as Microsoft Works spreadsheet files when the .wps extension is changed to .xlr.
(Not surprisingly, .xlr files have the same start-of-stream D0 CF 11 E0 A1 B1 1A E1 signature that .wps files have.)
The remaining 24 files are corrupt to the point that Microsoft Works can't open them; I can get into these files with Notepad and there are pockets of intelligibility in some of them, but they're clearly toast.
Size notes
The C:\Undefined\wps\ files have a uniform size of 10,010 KB whereas most of the original .wps files were a lot smaller than that. I anticipated that the C:\Undefined\wps\ files would lose their 'extra weight' upon Save As...-ing them with different (more intuitive) names, and this proved correct.
Many of the original .wps files contained photos; as you would expect, inserting an image into a .wps file can significantly ramp up the file's size. To faithfully recover the image part of a deleted text + image .wps file, the .wps profile's Direct Size must be greater than or equal to that of the file: that's why I set the former as high as I did. BTW, a smaller Direct Size setting (e.g., 100 KB) does not increase the number of recovered .wps files.
Format notes
My two deep scans found the same number of deleted files, which raises the question: Was the recovered .wps data present somewhere in the first scan's results?
As noted in the Not quite so magic subsection of the previous post, .doc, .xls, and .ppt files have the same start-of-stream D0 CF 11 E0 A1 B1 1A E1 signature that .wps files have. Redoing the first scan (with the MSWorks text document checkbox in the Edit Custom Scan List window turned off) and filtering its output with *.doc|*.xls|*.ppt returns
(a) 2 .doc files,
(b) 24 .xls files, and
(c) 102 .ppt files.
All of these files are in the ???\ directory and in "poor" condition; size-wise, >90% of them are larger than 10 MB; confusingly, many of them have duplicate names, e.g., there are 15 0003817.ppts (their sizes are all different, however). I nonetheless recover several of them to see if they are the same as the corresponding .wps files from the second scan: they match.
Tellingly, the (a-c) files 'disappear' - they evidently morph into .wps files - upon redoing the second scan (with MSWorks text document turned back on).
So it seems that Puran File Recovery does not distinguish .wps/.doc/.xls/.ppt files so cleanly after all. In any case, it is at least clear that circumscribing the recovered file size via the Direct Size setting (vide supra) improves the recovery process.
Full
I check the Full Scan checkbox and run a Deep Scan + Full Scan + Find Lost Files + Scan Custom List of the D:\ volume. The full scan takes 45 minutes and finds 11,455 deleted files, of which 127 are ???\ .wps files, all in good condition: recovering a select few of them indicates that the intact .wps/.xlr files found by the second deep scan are present (evidently one of the corrupt files was not picked up for whatever reason) but there's nothing new beyond that.
Our CTB-Locker saga is thankfully coming to a close - we'll wrap it up in the next entry by addressing a last few loose ends.
No comments:
Post a Comment