 Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 12:30 

Joined: March 19th, 2015, 15:01
Posts: 1387
Location: Israel
when you have limited (to none) information from the client about what happened
and you have to figure it out by yourself
the only thing you can do is
you have to have deep knowledge in forensics
and that's why there are limited answers here
because it's not something you can write down in a post (or 2) in a forum


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 15:11

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Quote:
Few options:
- Ask for another fee paying for your time to research (would recommend actually having the laptop with you, perhaps you can try booting with a clone drive and see what actually happens when booting in comparison to the original drive)
- Ask for another fee for outsourcing the job to a specialist
- Say you can no longer help and give the drive back

I do have the whole computer right now ; not the user password though (it shouldn't have been necessary, I can access the current files and folders without it, and they're irrelevant anyway), but it seems to boot normally up to the password input prompt. How could it possibly be different with a clone ? (Especially now that, for sure, the current data is not encrypted.)
Outsourcing : well, if it really is encrypted data, this becomes a really advanced task (if at all possible), and it would make little sense for me to outsource to a specialist who will ask ~10 times more at least.
I'm probably going to ask at least a reduced fee for the time spent on the case, but I'd prefer if I could come up with something for that price – if only an explanation as to why I can't get anything at all...

Quote:
As far as other info - can search online - for example:
https://www.forensicswiki.org/wiki/BitL ... Encryption

Yes, I already searched online, and already found this article, but as I said, this is an almost entirely unknown field for me, I would have to do a lot of research before I could answer the simple question with confidence : is it or is it not encrypted data ? The info provided on this article doesn't help here since the beginning of the partition has been entirely overwritten. And from what I could gather elsewhere, it's very difficult to identify the specific encryption algorithm being used (if any) from a random set of known encrypted data, or even to distinguish encrypted data from totally random data, otherwise it would be a security weakness. Is that correct ?


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 15:34

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
You may be able to determine the "nature" of the data by compressing chunks of it. For example, MPEGs and JPEGs would be incompressible. You might also like to experiment with a small Bitlocker test partition.

_________________
A backup a day keeps DR away.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 16:15

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
@jermy
Quote:
when you have limited (to none) information from the client what happened
and you've to figure out by yourself
the only thing you can do is
you have to have deep knowledge in forensics
and that's why there is limited answers here
because its not something you can write it down in a post (or 2) in a forum

Well, thank you for that input, at least that's an answer. I asked if there was a way to determine whether the data was encrypted, I can accept “there's no simple way” as an answer. I was hoping that someone here would have had a similar case (or it could be a known behaviour with some ranges of laptop computers) and could provide some specific piece of advice. Like : look at sector number XXX, or search for pattern YYY... So you think that nothing more can be done here ? You would just give up for real if you had a case like this in Israel ?


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 16:29

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
abolibibelot wrote:
I was hoping that someone here would have had a similar case (or it could be a known behaviour with some ranges of laptop computers) and could provide some specific piece of advice. Like : look at sector number XXX, or search for pattern YYY...

I don't know what an encrypted Bitlocker sector looks like, but an AES-encrypted zero-filled sector would have a repeating pattern of 16 bytes (different key, different pattern), eg ...

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
00000010  B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
........
000001E0  B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
000001F0  B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4

_________________
A backup a day keeps DR away.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 16:39

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
@fzabkar
Quote:
You may be able to determine the "nature" of the data by compressing chunks of it. For example, MPEGs and JPEGs would be incompressible. You might also like to experiment with a small Bitlocker test partition.

Thank you for the suggestion. Would encrypted text compress as well as plain text, or at least significantly better than MPEG/JPEG ? Or is it designed to appear as completely random data, no matter what the nature of the unencrypted data is ?
I extracted a 1024KB chunk at a random spot near the 120GB mark, another near the 240GB mark : with both RAR/RAR5 (“good” level) and 7Z/LZMA2 (“maximum” level), the compressed file has a size of 1025KB ; surprisingly, the sizes are exactly the same for both files, for a given compressor : 1048816 bytes for both RAR files and 1048844 bytes for both 7Z files. And thus the compressed size is slightly larger than that of the input files, which is 1048576 bytes. So this data is apparently not compressible at all. (In my experience, common compressed video / audio / picture files are at least slightly compressible, if only by 1-2%.) Is this consistent with encrypted data or not ?


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 16:54

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I would think that, if you were to encrypt a typical text document with AES, the result would be completely random and therefore incompressible.

_________________
A backup a day keeps DR away.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 17:36

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Quote:
I don't know what an encrypted Bitlocker sector looks like, but an AES-encrypted zero-filled sector would have a repeating pattern of 16 bytes (different key, different pattern)

So, do all encryption schemes treat data at the sector level ? Or is it specific to each scheme ? (Not that it would help much here, but that's interesting to know !)
In this case, all I can see seems totally random... randomness all the way down... nowhere (in “free space”) can I see a pattern of repeated characters. I attached the last megabyte (before “Volume slack”), if anyone is curious (it also compresses as a 1048816 bytes RAR file or a 1048844 bytes 7Z file, like the other two chunks).
Do you (or anyone) happen to know anything else (other than encryption) that would produce such a result ? I guess that data shredders can generate random data that looks similar, WinHex itself has such a feature, HD Sentinel can do that as well for testing purposes, but these would make no sense here... Is there a commonly used “cleaning” software with such a feature, that someone could foolishly use being none the wiser ? (Around here, many people who claim to “fix” computers, including many professionals, use that thing called CCleaner, as if it was some panacea... I haven't used it in a long time, being aware that this sort of “one-click-fixes-everything” solution can do a lot of damage, so I don't know if it could have implemented such a feature, and boldly propose to use it in order to get rid of viruses or something... Indeed, it “fixes” everything, just like the drugged Chinese guy in “The Blue Lotus”, who kindly proposes to cut his head off in order to help him “find the Way” !...)

Quote:
I would think that, if you were to encrypt a typical text document with AES, the result would be completely random and therefore incompressible.

But you also said that an empty sector produces a specific pattern (at least with AES), which must be highly compressible (even if less than zeroes).


Attachments:
Toshiba 500Go -- 471180767232-471181815807.7z [1 MiB]
Downloaded 539 times
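As an added example (not code from any poster in this thread), the script below applies the two checks discussed above, fzabkar's repeating-block test and the compression test, to every sector of an image, and also reports Shannon entropy per sector. It generalizes the repeat test to any period up to 64 bytes rather than only 16, and works on a constructed sample image: the 16-byte block is copied from fzabkar's dump, the ciphertext-like sectors are a SHA-256 chain standing in for encrypted data, and the plaintext sector is made-up text.

```python
import hashlib
import math
import zlib
from collections import Counter
from typing import Optional

SECTOR = 512  # bytes per sector, as on the 2.5" Toshiba drive discussed here


def shannon_entropy(buf: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 is the maximum)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def zlib_ratio(buf: bytes) -> float:
    """Compressed size / input size. Random-looking data comes out >= 1.0
    because deflate falls back to storing it raw plus container overhead."""
    return len(zlib.compress(buf, 9)) / len(buf)


def repeat_period(buf: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest period p <= max_period such that buf is one p-byte block repeated.
    An all-zero sector has period 1; an ECB-style encrypted zero sector has
    period 16 (the AES block size), which is the pattern in fzabkar's dump."""
    for p in range(1, max_period + 1):
        if len(buf) % p == 0 and buf == buf[:p] * (len(buf) // p):
            return p
    return None


def classify_sector(sector: bytes) -> str:
    """Label a sector by the cheap statistical checks from the thread."""
    if not any(sector):
        return "zero-filled"
    p = repeat_period(sector)
    if p is not None:
        return f"repeating {p}-byte block"
    if zlib_ratio(sector) >= 0.95 and shannon_entropy(sector) > 7.0:
        return "high-entropy (encrypted, compressed media, or random wipe)"
    return "compressible (plaintext or structured data)"


def scan_image(image: bytes, sector_size: int = SECTOR) -> dict:
    """Classify every sector of an image; returns {label: sector count}."""
    counts = Counter()
    for off in range(0, len(image), sector_size):
        counts[classify_sector(image[off:off + sector_size])] += 1
    return dict(counts)


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for
    ciphertext so the demo is reproducible. Real analysis would read the
    sectors from the ddrescue image instead."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample image: one zero sector, one sector filled with the 16-byte
# block from the hex dump in the thread, one plaintext sector, three
# ciphertext-like sectors.
ECB_ZERO_BLOCK = bytes.fromhex("B7189AA19F9D85C0ED263C4DB88004B4")
PLAINTEXT = (b"Quarterly report, draft 3. Revenue rose 4% while costs were flat. " * 8)[:SECTOR]
SAMPLE_IMAGE = (
    bytes(SECTOR)
    + ECB_ZERO_BLOCK * (SECTOR // 16)
    + PLAINTEXT
    + keystream(b"constructed sample", SECTOR * 3)
)

if __name__ == "__main__":
    for off in range(0, len(SAMPLE_IMAGE), SECTOR):
        s = SAMPLE_IMAGE[off:off + SECTOR]
        print(f"{off:08X}  H={shannon_entropy(s):.2f} bits/byte  "
              f"zlib ratio={zlib_ratio(s):.2f}  {classify_sector(s)}")
    print(scan_image(SAMPLE_IMAGE))
```

On incompressible input zlib returns slightly more than the input size, the same effect as the 1048816-byte RAR and 1048844-byte 7z results quoted above: that excess is container overhead, not structure in the data. A patterned sector like the one in the dump compresses to almost nothing, so the compression test and the repeat test agree with each other.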
Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 17:51

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
@abolibibelot, I don't know much about AES or Bitlocker except what I have seen in hex dumps from AES encrypted WD My Books. I guess that means that I don't know much more than you. :-|

_________________
A backup a day keeps DR away.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 18:43

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
abolibibelot wrote:
Do you (or anyone) happen to know anything else (other than encryption) that would produce such a result ? I guess that data shredders can generate random data that looks similar, WinHex itself has such a feature, HD Sentinel can do that as well for testing purposes, but these would make no sense here...


As Mr. Holmes would say, "After you remove all that is impossible, what remains .... ".

First : many laptop restore procedures offer the option to quick format or thorough cleaning of the disk. I never analysed one after this to see if it would write zeros or other things to the drive.

You mention the owner and her partner are cooperative. But as you yourself stated, they know little about computers. What you need is cooperation from the person who worked in that computer to know what was done. If you approach her father adequately, there should be no problem. After all, you are also trying to help his daughter.

For the strange data : if it doesn't come from the restoring procedure, I would bet some cents on it being due to the way the guy tested/formatted the disk.

Also, you didn't mention the brand / model of the laptop. That could evoke some idea in someone.

One test you can do, "for science" : run something that writes zeros to all the free space of your clone drive, then try running a Windows restore in the original computer. If prompted, choose the option for the full clean. Later, you can analyse if the regions are still zeroed out or have strange bytes in them.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 19:01

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
rogfanther wrote:
Also, you didn't mention the brand / model of the laptop. That could evoke some idea in someone.

abolibibelot wrote:
The computer is a Sony Vaio running on Windows 8.

_________________
A backup a day keeps DR away.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 20:06

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
Ooookay, I looked back at the first post when writing my response, and as the model wasn't stated in the beginning of the post, didn't read the rest, as our friend is a little, let's say, verbose in his postings.

@abolibibelot, sorry for that. But the rest of my answers stays : some restore procedures offer the option to clean the whole drive. Perhaps you can run that as a test and see what it writes to the drive.


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 20:43

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
@fzabkar : Thanks ! :)
To be more specific, the model is : Sony Vaio SVF152C29M (that's what's on the chassis, but a different model name appears at the “Recovery mode” menu, see below).

@rogfanther
Quote:
As Mr. Holmes would say, "After you remove all that is impossible, what remains .... ".
First : many laptop restore procedures offer the option to quick format or thorough cleaning of the disk. I never analysed one after this to see if it would write zeros or other things to the drive.
You mention the owner and her partner are cooperative. But as you yourself stated, they know little about computers. What you need is cooperation from the person who worked in that computer to know what was done.

Well, the partner (who requested my help in the first place) did try to provide some further information. He wrote me that the father had found the restoring procedure on a forum, activated by typing F4 or F6 at startup (none of those keys does anything, I get to the “Recovery mode” by pressing the “Assist” button – and here it says : “Model : SVF1521A6EW”). I asked the partner to ask the father if the formatting took a few seconds or more than three hours.
He also specified that the initial issue with that computer, for which it had to be fixed (he had already told me this very briefly when he handed it out to me – I thought that it could possibly be related to bad sectors on the drive, hence why I was extra careful, doing first a complete image with ddrescue), was that it was indefinitely hanging at startup, or rather, after a normal startup sequence it would begin to “struggle” (the exact word he used in French is “mouliner”, which may refer to a sustained hard disk drive activity) when reaching the Windows login page, but wouldn't get to the desktop. I don't know how long they waited, for how long it had behaved like this, and what possible event could have triggered this. Does this evoke something that could be the cause of what I'm getting ? Could a virus for instance induce such a behaviour, and result in a complete partition being overwritten with garbage ?
I also saw that there was a McAfee software installed (most likely provided by default with the computer), which includes a “Shredder” module : could it have “shredded” the whole directory structure, unbeknownst to the user, or by mistake ? :shock: But even then, R-Studio would still find at least some remnants of MFT records, right ?

Quote:
If you approach her father adequately, there should be no problem. After all, you are also trying to help his daughter.

It's not that it would be a problem per se, it's just that it would become more complicated than I'd like ! :)

Quote:
For the strange data : if it doesn't come from the restoring procedure, I would bet some cents on it being due to the way the guy tested/formatted the disk.
Also, you didn't mention the brand / model of the laptop. That could evoke some idea in someone.

See above.

Quote:
One test you can do, "for science" : run something that writes zeros to all the free space of your clone drive, then try running a Windows restore in the original computer. If prompted, choose the option for the full clean. Later, you can analyse if the regions are still zeroed out or have strange bytes in them.

I made an image (onto a 3.5" 2TB HDD), not a clone. I don't have an empty 2.5" HDD right now to do such a test, which would be quite long (3+ hours to overwrite the drive, then the restore procedure) and would probably show that the free space stays zeroed out, I wouldn't see any sound reason not to (although it's a possibility, as I said, rampant is stupidity, and stupidity makes almost anything possible, even the inconceivable ! :)). If the whole restore procedure took less than half an hour as opposed to the 3+ hours that are required to scan the whole drive, then it's not the cause. If it did take 3+ hours, whatever that data is is irrelevant and I'm wasting my time ! :)
Exploring the recovery mode, I can see that there are indeed two options : “Actualize your PC” (which is supposed to restore its performance while keeping the personal files) and “Reinitialize your PC” (which is supposed to “totally reinitialize” the PC and get rid of all files). There's also an “Automatic repair” in the advanced options.

Quote:
Ooookay, I looked back at the first post when writing my response, and as the model wasn't stated in the beginning of the post, didn't read the rest, as our friend is a little, let's say, verbose in his postings.

Well, sorry about that, I'm trying to be as thorough as possible... But please reassure me that I'm not quite at that level ! :)


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 21:29

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
abolibibelot wrote:
Well, the partner (who requested my help in the first place) did try to provide some further information. He wrote me that the father had found the restoring procedure on a forum, activated by typing F4 or F6 at startup (none of those keys does anything, I get to the “Recovery mode” by pressing the “Assist” button – and here it says : “Model : SVF1521A6EW”). I asked the partner to ask the father if the formatting took a few seconds or more than three hours.


Then, if the father answers anything around "It took some time", then you can believe with some confidence that it formatted all of the disk.

abolibibelot wrote:
He also specified that the initial issue with that computer, for which it had to be fixed (he had already told me this very briefly when he handed it out to me – I thought that it could possibly be related to bad sectors on the drive, hence why I was extra careful, doing first a complete image with ddrescue), was that it was indefinitely hanging at startup, or rather, after a normal startup sequence it would begin to “struggle” (the exact word he used in French is “mouliner”, which may refer to a sustained hard disk drive activity) when reaching the Windows login page, but wouldn't get to the desktop. I don't know how long they waited, for how long it had behaved like this, and what possible event could have triggered this. Does this evoke something that could be the cause of what I'm getting ? Could a virus for instance induce such a behaviour, and result in a complete partition being overwritten with garbage ?


Maybe a virus, maybe other things. I have seen machines with a monstrous Internet Explorer cache where everything in the machine would seem to hang. I remember talk about corrupt startup sound files related to this hanging at startup. Also interrupted updates. Can be many things, hard to diagnose after the evidence is deleted.. :(

abolibibelot wrote:
I also saw that there was a McAfee software installed (most likely provided by default with the computer), which includes a “Shredder” module : could it have “shredded” the whole directory structure, unbeknownst to the user, or by mistake ? :shock:


I do not know that specific piece of software, but I imagine it is aimed at shredding files. Maybe drives also, but it probably couldn't run on the boot drive, unless it has an option to clean empty disk space.

abolibibelot wrote:
It's not that it would be a problem per se, it's just that it would become more complicated than I'd like ! :)


Ok.

abolibibelot wrote:
I made an image (onto a 3.5" 2TB HDD), not a clone. I don't have an empty 2.5" HDD right now to do such a test, which would be quite long (3+ hours to overwrite the drive, then the restore procedure) and would probably show that the free space stays zeroed out, I wouldn't see any sound reason not to (although it's a possibility, as I said, rampant is stupidity, and stupidity makes almost anything possible, even the inconceivable ! :)). If the whole restore procedure took less than half an hour as opposed to the 3+ hours that are required to scan the whole drive, then it's not the cause. If it did take 3+ hours, whatever that data is is irrelevant and I'm wasting my time ! :)


It is your choice. If you do not have an adequate 2.5" drive to test, that is enough of a good reason. But the time it will take needs no attention, so it could be set to run and the results analyzed later. Not all research discovers the ways to do things. Some research discovers the ways that don't work.
As for the values : writing a zero or writing a random value implies mostly the same work for the software that does it. The same as data erasing programs market all those "three passes from beginning to end, then from end to beginning, and zig-zag... etc :D ". The value to write when clearing a sector on a mechanical HDD is largely a personal preference of the programmer.

abolibibelot wrote:
Exploring the recovery mode, I can see that there are indeed two options : “Actualize your PC” (which is supposed to restore its performance while keeping the personal files) and “Reinitialize your PC” which is supposed to totally reinitialize the PC and get rid of all files).


After starting that option to "Reinitialize the PC", some have the option to choose between fast or complete. Even without reading, a person could be too fast and click the "Complete" button without noticing.

abolibibelot wrote:
Well, sorry about that, I'm trying to be as thorough as possible... But please reassure me that I'm not quite at that level ! :)


No problem, I'm not complaining. I had read that thread earlier, it really got some long posts..

Condensing : if you cannot discover what really happened ( no matter the reason ), and you do not have a lot of time to spend researching, the best explanation to the owner is that the problem with the disk was solved with formatting, but that same problem prevented the recovery of the files. And mention "en passant" that they will need to copy the files back from their backups, camera cards, phones and other media.

And before you answer "But they do not have backups", I know it. People don't make backups. But it is more polite ( is "politer" a word ? ) to suggest that than to say flatly "Don't you have backups ? You should have backups." :D

Because, as you must have read here a couple of times, even if the person never made a copy of those oh-so-important files, when their computer is run over by a truck, they want to say *you* are guilty of not being able to recover their files.

And I also made a very long post :mrgreen:


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 19th, 2018, 22:18

Joined: August 18th, 2010, 17:35
Posts: 3636
Location: Massachusetts, USA
https://en.wikipedia.org/wiki/Sony_Vaio_S_series
The Vaio S series was a line of notebook computers from Sony introduced in summer 2004. They have been touted as business laptops, and their designs have focused on being thin and light. They also have features friendly to businesspeople, such as TPM chips.

About 2 months ago, I have personally come across a Lenovo laptop with TPM 2.0, which according to the end user, all of a sudden began booting to a BitLocker screen asking for a BitLocker recovery key. The end user does not ever recall using/activating BitLocker on the computer, nor having an encryption key for BitLocker of any kind.

I believe I used M3 Bitlocker Recovery (https://www.m3datarecovery.com/bitlocke ... -recovery/) on the drive to get a better idea what was going on. The M3's analysis will show some metadata, including a computer ID of some sort [I forget the details at this time]. What is interesting is that the analysis indicates that the recovery key is managed in Active Directory [likely in a corporate environment or university]. Coincidentally, the end user is a professor at a university. Ironically, a few weeks later, I got another strange call with similar circumstances from the wife of a professor who is teaching at another university. Once again, nobody "knew" anything, so I did not pursue further.

On brief research, there seem to have been some cases where computers have gotten hacked and data encrypted with BitLocker in exchange for a ransom (this is different from CryptoLocker). Furthermore, the hackers seem to have used the same BitLocker key across all laptops that got affected.

Some links to check out:
http://glassocean.net/bitlocker-is-a-sl ... ker-virus/
https://social.technet.microsoft.com/Fo ... rosecurity
https://www.quora.com/How-do-I-crack-Bi ... ofessional
https://testlab.sit.fraunhofer.de/conte ... _skimming/

Now, it is possible that your client got affected by this BitLocker ransomware OR the random TPM-related BitLocker encryption issue, thus encrypting the data, and then, after, the father formatting the drive and reinstalling Windows, thereby arriving at the current situation. This is why I [and others] have mentioned that knowing all the details from all the people involved with the laptop is important to make sense of the current state the laptop is in.

Let's assume that your customer's drive got hacked by a BitLocker encryption attack. You could create a clone of the original drive and then force decrypt the data on the drive using the universal bitlocker key found in the article below, then finally run recovery software and see what it finds:
https://www.bleepingcomputer.com/forums ... ansomware/

_________________
Hard Disk Drive, SSD, USB Drive and RAID Data Recovery Specialist in Massachusetts


Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 20th, 2018, 2:01

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
@rogfanther :
Quote:
Maybe a virus, maybe other things. I have seen machines with a monstrous Internet Explorer cache where everything in the machine would seem to hang. I remember talk about corrupt startup sound files related to this hanging at startup. Also interrupted updates. Can be many things, hard to diagnose after the evidence is deleted.. :(

Indeed...

Quote:
I do not know that specific piece of software, but I imagine it is aimed at shredding files. Maybe drives also, but it probably couldn't run on the boot drive, unless it has an option to clean empty disk space.

Yes, and even then, as I said, there would be something left that R-Studio would have found (unless the wanted files were voluntarily deleted, which is very unlikely here).

Quote:
It is your choice. If you do not have an adequate 2.5" drive to test, that is enough of a good reason. But the time it will take needs no attention, so it could be set to run and the results analyzed later. Not all research discovers the ways to do things. Some research discovers the ways that don't work.

Wise words ! :)
(Reminds me of the Hotel California line : “Some dance to remember, some dance to forget”... I got obsessed over that song and that particular video version a few weeks ago !)

Quote:
As for the values : writing a zero or writing a random value implies mostly the same work for the software that does it. The same as data erasing programs market all those "three passes from beginning to end, then from end to beginning, and zig-zag... etc :D ". The value to write when clearing a sector on a mechanical HDD is largely a personal preference of the programmer.

Yes indeed (although in WinHex the option “Cryptographically secure pseudo-random” is specified as being “slow”), but the purpose of “initializing” is to create a blank slate, so to speak, to make the volume as clean as new, so it makes little sense to use a convoluted writing scheme for this specific task. (And from what I could gather, it doesn't make much more sense from a security standpoint – I guess that most people here would agree that not a single file can be recovered after a single pass of overwriting with zeroes.)

Quote:
Condensing : if you cannot discover what really happened ( no matter the reason ), and you do not have a lot of time to spend researching, the best explanation to the owner is that the problem with the disk was solved with formatting, but that same problem prevented the recovery of the files. And mention "en passant" that they will need to copy the files back from their backups, camera cards, phones and other media.
And before you answer "But they do not have backups", I know it. People don't make backups. But it is more polite ( is "politer" a word ? ) to suggest that than to say flatly "Don't you have backups ? You should have backups." :D
Because, as you must have read here a couple of times, even if the person never made a copy of those oh-so-important files, when their computer is run over by a truck, they want to say *you* are guilty of not being able to recover their files.

Well, as they're reading this thread (and I already gave them explanations about my findings), they probably have a pretty clear idea by now, and are “biting their fingers” about it (“s'en mordre les doigts”, a French idiom meaning : to blame oneself for doing something which had bad consequences, especially something which could have been easily avoided – at least they're not blaming me, which seems to be very common in that line of work !...).


@labtech :
Quote:
The Vaio S series was a line of notebook computers from Sony introduced in summer 2004. They have been touted as business laptops, and their designs have focused on being thin and light. They also have features friendly to businesspeople, such as TPM chips.

I offered my brother a Sony Vaio from 2004 I bought used (he has a handicap, never had a computer before, I wasn't sure if he could use it, so I searched something cheap but reliable), so it must have been one of the first of the series. It's not that thin, but it's pretty durable ! (Last time I checked the battery was still holding charge, and apart from a noisy fan and a possibly flimsy USB port which may cause his external HDD to disconnect randomly, it's still working fine, and is adequate for his purposes, except for watching 720p+ videos. And he's been totally able to use it, I still help him remotely on a regular basis for the technical tasks, but otherwise he's using it on his own and has made great progress in a few years.)

Quote:
About 2 months ago, I have personally come across a Lenovo laptop with TPM 2.0, which according to the end user, all of a sudden began booting to a BitLocker screen asking for a BitLocker recovery key. The end user does not ever recall using/activating BitLocker on the computer, nor having an encryption key for BitLocker of any kind.
I believe I used M3 Bitlocker Recovery on the drive to get a better idea what was going on. The M3's analysis will show some metadata, including a computer ID of some sort [I forget the details at this time]. What is interesting is that the analysis indicates that the recovery key is managed in Active Directory [likely in a corporate environment or university]. Coincidentally, the end user is a professor at a university. Ironically, a few weeks later, I got another strange call with similar circumstances from the wife of a professor who is teaching at another university. Once again, nobody "knew" anything, so I did not pursue further.
On brief research, there seem to have been some cases where computers have gotten hacked and data encrypted with BitLocker in exchange for a ransom (this is different from CryptoLocker). Furthermore, the hackers seem to have used the same BitLocker key across all laptops that got affected. [...]
Now, it is possible that your client got affected by this BitLocker ransomware OR the random TPM-related BitLocker encryption issue, thus encrypting the data, and then, after, the father formatting the drive and reinstalling Windows, thereby arriving at the current situation. This is why I [and others] have mentioned that knowing all the details from all the people involved with the laptop is important to make sense of the current state the laptop is in.
Let's assume that your customer's drive got hacked by a BitLocker encryption attack. You could create a clone of the original drive and then force decrypt the data on the drive using the universal bitlocker key found in the article below, then finally run recovery software and see what it finds

Now that's interesting... But the first thing I read about M3 Bitlocker Recovery is :
“If you accidently formatted Bitlocker encrypted drive using format tool built-in Windows Vista/7/8/8.1/10, there is no way to recover data from formatted Bitlocker encrypted drive, because Bitlocker metadata has been erased completely after formatting under Windows Vista/7/8/8.1/10.”
Do you think that this method could work anyway, in that particular case ? I'll read all this and try that after a night's sleep – or a morning's sleep should I say, as it's 7 AM here... :shock:

Quote:
This is why I [and other] have mentioned that knowing all the details from all the people involved with the laptop are important to make sense of the current state the laptop is in.

What was the specific detail that made it “click”, so to speak, and made you think about that possibility, and that experience you had ? The fact that the computer was hanging and doing something all by itself before the formatting/reinstalling ?

Quote:
Let's assume that your customer's drive got hacked by a BitLocker encryption attack.

Is that kind of attack perpetrated internationally, regardless of the local language ? And wouldn't the attacker have to signal what he (or she, there are nasty female hackers too ! 8)) has done in order to ask the ransom ? Or maybe it is signaled only once the encrypting process is over ?

Anyway, it's a long shot, but it's better than no shot, so thank you a lot ! :)


 Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 20th, 2018, 4:32 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Just a quick thought before I really go the f*** to sleep : if it was some kind of ransomware (or even a nasty virus), could it possibly have encrypted the whole partition, or just the individual files ? If that kind of process targets individual files, then the slack space wouldn't have been encrypted, right ? And neither would the MFT, I guess, so something would still be readable somewhere among the garbage...


 Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 20th, 2018, 9:43 
Offline

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
If some software has the option for cleansing the empty space, why would "something that R-Studio would find" remain, when the idea is exactly to prevent that ?

Condensing somewhat this thing :

If you do not want to talk to the father to discover whatever he remembers about the case, and also do not want to spend the time to make some experiences with the Restore options, we could sum up the situation more or less like :

If the machine is not from some organization ( School, etc ) , the thing had some problem, and was erased by someone when trying to solve the issue. This happens. And the issue was solved. Files are lost , better to move on and forget about them.

The necessary research to discover what happened, and how, would take time, and would have a bigger cost. This thing is starting to get to the point where "esoterical" explanations are being suggested. Files were lost, the original situation was destroyed. Hard to know now, and without the disk at hand, what happened in the past. What really happened doesn´t matter that much, because the end result ( lost files ) will still be the same.

You did what you can do. Now, it is time to give back the disk and forget about it.


 Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 20th, 2018, 12:01 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
Quote:
If some software has the option for cleansing the empty space, why would "something that R-Studio would find" remain , when the idea is exactly to prevent that ?

Because, from what I know, the so-called cleansing softwares (except maybe the advanced ones, for forensic or “anti-forensic” purposes, which are not free) can't cleanse everything from the active partition they're run from (i.e. the boot drive) – I may be wrong, but I don't think that a regular cleanser/wiper/shredder can overwrite the MFT records no longer in use, and in that situation R-Studio could still reconstruct the original files and folders tree, even though the actual files would be unreadable. Amirite ?

Quote:
If you do not want to talk to the father to discover whatever he remembers about the case,

I might try after all, if only for the sake of completeness...

Quote:
and also do not want to spend the time to make some experiences with the Restore options

I may try with the original drive, since I still have the image in case I happen to find a magical cure, in exchange of the owner's soul or something... But if this was the culprit, don't you think that someone here would know about it ? DR experts see hundreds of cases every year, probably do a lot of research to solve the odd ones, those who come here regularly get acquainted with even more weird situations... if a standard restore procedure with a well established range of laptop computers resulted in such a mess, that would be known by now, I guess.

Quote:
The thing had some problem, and was erased by someone when trying to solve the issue. This happens. And the issue was solved. Files are lost , better to move on and forget about them. The necessary research to discover what happened, and how, would take time, and would have a bigger cost. This thing is starting to get to the point where "esoterical" explanations are being suggested. Files were lost, the original situation was destroyed. Hard to know now, and without the disk at hand, what happened in the past. What really happened doesn´t matter that much, because the end result ( lost files ) will still be the same. You did what you can do. Now, it is time to give back the disk and forget about it.

Well, at least I tried, as hard as I possibly could indeed ! This started out as a “simple” case, hence why I did – if I had known from the beginning that someone had tried a recovery and failed, I would have had little hope and moved on already. I was hoping that the situation would be in the “unknown known” category, or the “known unknown” category, apparently it's in the “unknown unknown” category... I was hoping that it would “ring a bell” and evoke a specific scenario, which would save me some headaches and allow me to at least provide an explanation, if not a remedy. But you're right, it's mostly irrelevant in the end – if a doctor says to someone that he is going to die within two weeks, it doesn't matter much if it's from cancer or diarrhea ! :)
And so I'll dance to forget, since I just can't kill the Beast...


 Post subject: Re: Toshiba MQ01ABF050, no bad sectors but "uncorrectable er
PostPosted: March 20th, 2018, 12:17 
Offline

Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
For the first point, you are not right. A data cleaner could clean the "unused MFT entries" just by creating new files that would occupy those entries.
Also, the disk was formatted / restored. Same partition size, new, empty MFTs created in the same place, overwriting the old ones. Again, wanna know for sure, do experiments.

For the rest, the hard disk is already messed with, so people cannot know what happened in it to tell you, mostly so without having the hard disk in hand.
And this is already a case where the money involved will not pay for the desired solution, so better to cut the losses shorter now.

Bye.
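The MFT point argued in the last two posts (a deleted record keeps its filename until a wiper or a new file reuses the entry) as an added example, not code from the thread: it constructs minimal NTFS MFT records with made-up names, parses the in-use flag and the resident $FILE_NAME attribute, and lists what a recovery tool could still read before and after the free entries are reused.

```python
# Added example, not from the thread: minimal NTFS MFT record builder/parser showing
# that deletion only clears the in-use bit, while reuse of the entry erases the name.
import struct

IN_USE, ATTR_FILE_NAME, END_MARKER = 0x0001, 0x30, 0xFFFFFFFF


def build_record(name: str, in_use: bool) -> bytes:
    """Construct a 1 KiB MFT FILE record holding one resident $FILE_NAME attribute."""
    # $FILE_NAME body: parent ref, 4 timestamps, alloc/real size, flags, reparse tag,
    # then name length, namespace (1 = Win32) and the UTF-16LE name itself.
    body = struct.pack("<Q4QQQII", 5, 0, 0, 0, 0, 0, 0, 0x20, 0)
    body += struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")
    alen = (24 + len(body) + 7) & ~7                      # attribute length, 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 24, 0, 0,
                      len(body), 24, 0, 0)                # resident attribute header
    rec = b"FILE" + struct.pack("<HHQHHHHIIQHH", 0x30, 3, 0, 1, 1, 0x38,
                                IN_USE if in_use else 0, 0, 1024, 0, 0, 0)
    rec = rec.ljust(0x38, b"\0") + (hdr + body).ljust(alen, b"\0")
    return (rec + struct.pack("<I", END_MARKER)).ljust(1024, b"\0")


def parse_record(rec: bytes):
    """Return (in_use, filename) for a FILE record, or None if it is not one."""
    if rec[:4] != b"FILE":
        return None
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)   # header offsets 20 and 22
    name, off = None, attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:    # resident attribute only
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            name = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return bool(flags & IN_USE), name


def recoverable_names(mft: bytes):
    """Names a recovery tool could still list from deleted, not yet reused entries."""
    found = []
    for i in range(0, len(mft), 1024):
        parsed = parse_record(mft[i:i + 1024])
        if parsed and not parsed[0] and parsed[1]:
            found.append(parsed[1])
    return found


# Constructed sample: one live file plus two deleted ones, then the same three entries
# after a wiper created new files that reused the free records (names are made up).
BEFORE_WIPE = (build_record("budget.xlsx", True) + build_record("old_photo.jpg", False)
               + build_record("notes.txt", False))
AFTER_WIPE = (BEFORE_WIPE[:1024] + build_record("fill0001.tmp", True)
              + build_record("fill0002.tmp", True))
```

Before the wipe the two deleted names are still readable from the MFT; after the entries are reused nothing recoverable remains, which is the point made in the reply above.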

