@rogfanther :
Quote:
Maybe a virus, maybe other things. I have seen machines with a monstrous Internet Explorer cache where everything in the machine would seem to hang. I remember talk about corrupt startup sound files related to this hanging at startup. Also interrupted updates. Can be many things, hard to diagnose after the evidence is deleted.
Indeed...
Quote:
I do not know that specific piece of software, but I imagine it is aimed at shredding files. Maybe drives also, but it probably couldn't run in the boot drive, unless it has an option to clean empty disk space.
Yes, and even then, as I said, there would be something left that R-Studio would have found (unless the wanted files were voluntarily deleted, which is very unlikely here).
Quote:
It is your choice. If you do not have an adequate 2.5" drive to test, that is enough of a good reason. But the time it will take needs no attention, so it could be set to run and analyze the results later. Not all research discovers the ways to do things. Some research discovers the ways that don't work.
Wise words !
(Reminds me of the Hotel California line : “Some dance to remember, some dance to forget”... I got obsessed over that song and that particular video version a few weeks ago !)
Quote:
As for the values : writing a zero or writing a random value implies mostly in the same work for the software that does it. The same as data erasing programs market all those "three passes from beginning to end, then from end to beginning, and zig-zag ... etc". The value to write when clearing a sector in a mechanical hdd has much of a personal preference of the programmer.
Yes indeed (although in WinHex the option “Cryptographically secure pseudo-random” is specified as being “slow”), but the purpose of “initializing” is to create a blank slate, so to speak, to make the volume as clean as new, so it makes little sense to use a convoluted writing scheme for this specific task. (And from what I could gather, it doesn't make much more sense from a security standpoint – I guess that most people here would agree that not a single file can be recovered after a single pass of overwriting with zeroes.)
Quote:
Condensing : if you cannot discover what really happened, ( no matter the reason ) , and you do not have a lot of time to spend researching , the best explaining to the owner is that the problem with the disk was solved with formatting, but that same problem prevented the recovery of the files. And mention "en passant" that they will need to copy the files back from their backups, camera cards, phones and other media.
And before you answer "But they do not have backups", I know it. People don't make backups. But it is more polite ( is "politer" a word ? ) to suggest that than say flatly "Don't you have backups ? You should have backups."
Because, as you must have read here a couple of times, even if the person never made a copy of those oh-so-important files, when their computer is run over by a truck, they want to say *you* are guilty of not being able to recover their files.
Well, as they're reading this thread (and I already gave them explanations about my findings), they probably have a pretty clear idea by now, and are “biting their fingers” about it (“s'en mordre les doigts”, a French idiom meaning : to blame oneself for doing something which had bad consequences, especially something which could have been easily avoided – at least they're not blaming me, which seems to be very common in that line of work !...).
@labtech :
Quote:
The Vaio S series was a line of notebook computers from Sony introduced in summer 2004. They have been touted as business laptops, and their designs have focused on being thin and light. They also have features friendly to businesspeople, such as TPM chips.
I offered my brother a Sony Vaio from 2004 I bought used (he has a handicap, never had a computer before, I wasn't sure if he could use it, so I searched something cheap but reliable), so it must have been one of the first of the series. It's not that thin, but it's pretty durable ! (Last time I checked the battery was still holding charge, and apart from a noisy fan and a possibly flimsy USB port which may cause his external HDD to disconnect randomly, it's still working fine, and is adequate for his purposes, except for watching 720p+ videos. And he's been totally able to use it, I still help him remotely on a regular basis for the technical tasks, but otherwise he's using it on his own and has made great progress in a few years.)
Quote:
About 2 months ago, I have personally come across a Lenovo laptop with TPM 2.0, which according to the end user, all of a sudden began booting to a BitLocker screen asking for a BitLocker recovery key. The end user does not ever recall using/activating BitLocker on the computer, nor having an encryption key for BitLocker of any kind.
I believe I used M3 Bitlocker Recovery on the drive to get a better idea what was going on. The M3's analysis will show some metadata, including a computer ID of some sort [I forget the details at this time]. What is interesting is that the analysis indicates that the recovery key is managed in Active Directory [likely in a corporate environment or university]. Coincidentally, the end user is a professor at a university. Ironically, a few weeks later, I got another strange call with similar circumstances from a wife of a professor that is teaching at another university. Once again, nobody "knew" anything, so I did not pursue further.
On a brief research, there seems to have been some cases where computers have gotten hacked and data encrypted with BitLocker in exchange for a ransom (this is different from CryptoLocker). Furthermore, the hackers seem to have used the same BitLocker key across all laptops that got affected. [...]
Now, it is possible that your client got affected by this BitLocker ransomware OR the random TPM issue related BitLocker encryption, thus encrypting the data, then, after, the father formatting the drive and reinstalling Windows, thereby arriving to the current situation. This is why I [and other] have mentioned that knowing all the details from all the people involved with the laptop are important to make sense of the current state the laptop is in.
Let's assume that your customer's drive got hacked by a BitLocker encryption attack. You could create a clone of the original drive and then force decrypt the data on the drive using the universal bitlocker key found in the article below, then finally run recovery software and see what it finds
Now that's interesting... But the first thing I read about M3 Bitlocker Recovery is :
“If you accidently formatted Bitlocker encrypted drive using format tool built-in Windows Vista/7/8/8.1/10, there is no way to recover data from formatted Bitlocker encrypted drive, because Bitlocker metadata has been erased completely after formatting under Windows Vista/7/8/8.1/10.”
Do you think that this method could work anyway, in that particular case ? I'll read all this and try that after a night's sleep – or a morning's sleep should I say, as it's 7 AM here...
Quote:
This is why I [and other] have mentioned that knowing all the details from all the people involved with the laptop are important to make sense of the current state the laptop is in.
What was the specific detail that made it “click”, so to speak, and made you think about that possibility, and that experience you had ? The fact that the computer was hanging and doing something all by itself before the formatting/reinstalling ?
Quote:
Let's assume that your customer's drive got hacked by a BitLocker encryption attack.
Is that kind of attack perpetrated internationally, regardless of the local language ? And wouldn't the attacker have to signal what he (or she, there are nasty female hackers too !) has done in order to ask the ransom ? Or maybe it is signaled only once the encrypting process is over ?
Anyway, it's a long shot, but it's better than no shot, so thank you a lot !
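
Added example, not part of the original post: a triage pass that can be run on a clone before trying any decryption tool, to check whether a reformatted volume still carries BitLocker remnants (surviving signatures, or regions that are neither zeroed nor readable data). It assumes the publicly documented on-disk layout, in which a BitLocker boot sector carries `-FVE-FS-` in its OEM-ID field (offset 3) and each FVE metadata block begins with the same string; the function names and the 64-sector sample image are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
FVE_SIG = b"-FVE-FS-"  # assumption: signature per public BitLocker format notes

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def scan_image(data: bytes, sector: int = SECTOR) -> dict:
    """Classify every sector and record where BitLocker signatures survive."""
    rep = {"boot_sectors": [], "metadata_blocks": [],
           "zero": 0, "high_entropy": 0, "other": 0}
    for off in range(0, len(data) - sector + 1, sector):
        s = data[off:off + sector]
        if s[3:11] == FVE_SIG:      # OEM-ID field of a BitLocker boot sector
            rep["boot_sectors"].append(off)
        elif s[:8] == FVE_SIG:      # start of an FVE metadata block
            rep["metadata_blocks"].append(off)
        if not any(s):
            rep["zero"] += 1
        elif entropy(s) > 7.0:      # ciphertext or compressed data
            rep["high_entropy"] += 1
        else:
            rep["other"] += 1
    return rep

def build_sample() -> bytes:
    """Constructed 64-sector image: reformatted volume with encrypted remnants."""
    img = bytearray(64 * SECTOR)
    img[0:11] = b"\xeb\x52\x90NTFS    "            # fresh NTFS boot sector
    img[10 * SECTOR:10 * SECTOR + 8] = FVE_SIG     # surviving metadata block
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(20 * SECTOR // 32))
    img[20 * SECTOR:40 * SECTOR] = stream          # stand-in for ciphertext
    return bytes(img)

if __name__ == "__main__":
    r = scan_image(build_sample())
    print("BitLocker boot sectors at:", r["boot_sectors"])
    print("FVE metadata blocks at:  ", r["metadata_blocks"])
    print("zero / high-entropy / other sectors:",
          r["zero"], r["high_entropy"], r["other"])
```

On a real clone, feed the image to `scan_image` in chunks rather than loading it whole; a high-entropy count alone does not prove encryption, since compressed files (JPEG, video, archives) score the same.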