Thunderbird email recovery help needed

[CakeBoy]

Guys, does anyone please know of a way either to reverse the compaction process (I know, I know) or of a utility that is capable of recovering emails following the compaction process in Thunderbird (on an XP platform)?

I had a bit of a disaster last night which resulted in the loss of all emails in my personal inbox. In short, AV ran and found a trojan embedded in an unopened email attachment. My plan was to disinfect it and then compact the folder in order that the infected attachment did not remain 'deleted but still there' and be reported over and over by the AV utility. Unfortunately, somehow (being very tired) I told the AV to remove the file. Accordingly, it removed my inbox entirely (as it is technically the 'file' containing the email database).

No problem, I could simply remove the inbox index file and the inbox itself would be reindexed complete with the 'lost' messages - except the compact command had by now actioned and I know of nothing (short of a professional recovery service costing thousands) that will get the messages back from this point. My inbox shows 0KB in size now, so it's a proper undelete job at disk level.

In the old days of DOS filesystems, I would have searched on a bit by bit basis but I don't know of any utility capable of doing that with NTFS.

Anyone please (hopefully)?

[GreenBean]

Oh dear .At the risk of asking the obvious you say that you told the AV to remove the file. Do you mean delete it or move it to a virus vault? If the latter then you could restore it from the vault. If the former and it was deleted before the compaction then it may be possible to recover it if it has not been overwritten. You could try something like http://ntfsundelete.com/ . I do not know this particular program but it says the right things and appears to be free.

[CakeBoy]

Thanks GB, you have come to my rescur yet again. That is a very good utility and although it is now clear from using it that my inbox has been lost forever, at least it offered the possibility of being able to be sure by proper investigation. I should have been moving stuff out of the inbox to other folders. Complacency and computers are once again proven to be a bad combination

[Gouezeri]

Might seem obvious, but what kind of inbox were you using (pop? imap?) have you checked your mailserver to see if it has been flushed (try telneting in to it using the relevant port). I'd also make sure in the future that only new unread emails are stored in your inbox, and have everything else filtered (easy to do with thunderbird). Unfortunately, problems like this always occur when you're distracted by something else. Hope you get it sorted (yell and I'll catch you up on any tmc email)

[lukas]

Sorry to hear Cakes. I'd have suggested making a block-by-block backup of your entire partition to some external device and do the bit-by-bit search on it - the (unix) utility 'strings' on such a file sometimes works wonders. Though I don't know how exactly Thunderbird saves the mail ...

This is exactly the reason why I keep my mails on (my) IMAP-Server, and also why that IMAP-Server has a working backup mechanism. A few years ago I lost everything from the good old ZNetz/Fidonetz days to that date, fond memories there you go!

[CakeBoy]

Thanks guys, unfortunately it has unfortunately all gone. I am sure there is a method of searching block by block but I suspect that will involve pro kit.

Our incoming mail multiple servers using pop connections. Some of the mail is 18 months or more old and I very much doubt it would still be around on the server.

We need to integrate a mailserver here for precisely the back-up thing you mention Lukas, I'll start looking at options, though a dedicated small footprint unit may be preferable to leaving on, for instance, a full-sized box running Linux.

In Windows environments, at least, Thunderbird stores all mails in a folder on a single database as a file and then indexes them using another file. I think it is similar on Unix based systems.

Thanks again guys

[Gouezeri]

Postfix and fetchmail are the way to go mate.

[Neo]

Did you tell the AV to also quarantine infected files, if so, you can find a backup in the corresponding folders, in your AV folder.

[CakeBoy]

Yes, I did - just prior to the deletion, but I think only the infected attachments were saved. I have located some .tmp files in the Panda quarantine folder. I think the issue is that Panda treats the entire email database file as one when it deletes but it can ringfence individual infections when only quarantining. I may be wrong and would love to get them back

[Neo]

If you can get the whole database back, perhaps you can backup the email files without the infected one...I aint sure but it's worth a try

[CakeBoy]

Can't get it back unfortunately. Yes, it would be possbile to remove the infection and retain the rest using a combination of an AV program and subsequent compaction of the database. I was tardy with my email housekeeping and back-ups ....... then paid the price