March 19th, 2018, 12:30
March 19th, 2018, 15:11
A few options:
- Ask for another fee paying for your time to research (would recommend actually having the laptop with you, perhaps you can try booting with a clone drive and see what actually happens when booting in comparison to the original drive)
- Ask for another fee for outsourcing the job to a specialist
- Say you can no longer help and give the drive back
As for other info, you can search online, for example:
https://www.forensicswiki.org/wiki/BitL ... Encryption
March 19th, 2018, 16:15
When you have limited (to no) information from the client about what happened
and you have to figure it out by yourself,
the only thing you can do is...
you have to have deep knowledge in forensics,
and that's why there are limited answers here,
because it's not something you can write down in a post (or two) on a forum.
March 19th, 2018, 16:29
abolibibelot wrote:I was hoping that someone here would have had a similar case (or it could be a known behaviour with some ranges of laptop computers) and could provide some specific piece of advice. Like: look at sector number XXX, or search for pattern YYY...
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
00000010 B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
........
000001E0 B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
000001F0 B7 18 9A A1 9F 9D 85 C0 ED 26 3C 4D B8 80 04 B4
March 19th, 2018, 16:39
You may be able to determine the "nature" of the data by compressing chunks of it. For example, MPEGs and JPEGs would be incompressible. You might also like to experiment with a small Bitlocker test partition.
March 19th, 2018, 17:36
I don't know what an encrypted Bitlocker sector looks like, but an AES-encrypted zero-filled sector would have a repeating pattern of 16 bytes (different key, different pattern).
I would think that, if you were to encrypt a typical text document with AES, the result would be completely random and therefore incompressible.
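An added example (not from the thread) that applies both checks discussed above, the repeating 16-byte block test and the compressibility/entropy test, to constructed sample sectors, including a sector filled with the block from the posted hex dump. The thresholds and the sample text are assumptions, not values from the thread.

```python
import math
import random
import zlib
from collections import Counter

SECTOR = 512

# The 16-byte block quoted in the thread's hex dump, repeated to fill a sector
# (constructed sample; the dump showed this block in every row).
PATTERN = bytes.fromhex("B7189AA19F9D85C0ED263C4DB88004B4")
PATTERN_SECTOR = PATTERN * (SECTOR // len(PATTERN))
ZERO_SECTOR = bytes(SECTOR)
# Constructed plaintext sector: readable text, not periodic at 16-byte boundaries.
TEXT_SECTOR = (b"Quarterly report, draft 3: revenue figures and notes follow. " * 9)[:SECTOR]
# Constructed stand-in for ciphertext: deterministic pseudo-random bytes.
_rng = random.Random(2018)
RANDOM_SECTOR = bytes(_rng.getrandbits(8) for _ in range(SECTOR))

def repeating_block(sector, size=16):
    """Return the block if the whole sector is one size-byte block repeated, else None."""
    if len(sector) % size:
        return None
    first = sector[:size]
    if all(sector[i:i + size] == first for i in range(size, len(sector), size)):
        return first
    return None

def entropy_bits(data):
    """Shannon entropy per byte: 0 for a constant fill, near 8 for random or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data):
    """zlib output size over input size; above ~0.9 means effectively incompressible."""
    return len(zlib.compress(data, 9)) / len(data)

def classify(sector):
    block = repeating_block(sector)
    if block is not None:
        # Identical 16-byte blocks come from a constant fill or from ECB-mode encryption of
        # identical plaintext blocks; CBC/XTS modes (as BitLocker uses) do not repeat this way.
        return "zero-filled" if block == bytes(16) else "repeating 16-byte block"
    if entropy_bits(sector) > 7.0 and compression_ratio(sector) > 0.9:
        # Compression alone cannot separate ciphertext from JPEG/MPEG or other compressed data.
        return "high-entropy"
    return "structured"

def sector_histogram(image, size=SECTOR):
    """Count classifications over every sector of an image, e.g. a ddrescue output file."""
    counts = Counter()
    for off in range(0, len(image) - len(image) % size, size):
        counts[classify(image[off:off + size])] += 1
    return dict(counts)
```

Run sector_histogram over the ddrescue image to see whether the repeating block covers whole partitions or only certain regions, which narrows down whether a wipe tool or a restore procedure wrote it.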
March 19th, 2018, 18:43
abolibibelot wrote:Do you (or anyone) happen to know anything else (other than encryption) that would produce such a result? I guess that data shredders can generate random data that looks similar, WinHex itself has such a feature, HD Sentinel can do that as well for testing purposes, but these would make no sense here...
March 19th, 2018, 19:01
rogfanther wrote:Also, you didn't mention the brand / model of the laptop. That could evoke some idea in someone.
abolibibelot wrote:The computer is a Sony Vaio running on Windows 8.
March 19th, 2018, 20:43
As Mr. Holmes would say, "After you remove all that is impossible, what remains...".
First: many laptop restore procedures offer the option of a quick format or a thorough cleaning of the disk. I never analysed one afterwards to see if it would write zeros or other things to the drive.
You mention the owner and her partner are cooperative. But as you yourself stated, they know little about computers. What you need is cooperation from the person who worked on that computer, to know what was done.
If you approach her father adequately, there should be no problem. After all, you are also trying to help his daughter.
For the strange data: if it doesn't come from the restoring procedure, I would bet some cents on it being due to the way the guy tested/formatted the disk.
Also, you didn't mention the brand / model of the laptop. That could evoke some idea in someone.
One test you can do, "for science": run something that writes zeros to all the free space of your clone drive, then try running a Windows restore in the original computer. If prompted, choose the option for the full clean. Later, you can analyse if the regions are still zeroed out or have strange bytes in them.
Ooookay, I looked back at the first post when writing my response, and as the model wasn't stated in the beginning of the post, I didn't read the rest, as our friend is a little, let's say, verbose in his postings.
March 19th, 2018, 21:29
abolibibelot wrote:Well, the partner (who requested my help in the first place) did try to provide some further information. He wrote me that the father had found the restoring procedure on a forum, activated by typing F4 or F6 at startup (none of those keys does anything; I get to the “Recovery mode” by pressing the “Assist” button, and here it says: “Model : SVF1521A6EW”). I asked the partner to ask the father if the formatting took a few seconds or more than three hours.
abolibibelot wrote:He also specified that the initial issue with that computer, for which it had to be fixed (he had already told me this very briefly when he handed it out to me; I thought that it could possibly be related to bad sectors on the drive, hence why I was extra careful, doing first a complete image with ddrescue), was that it was indefinitely hanging at startup, or rather, after a normal startup sequence it would begin to “struggle” (the exact word he used in French is “mouliner”, which may refer to sustained hard disk drive activity) when reaching the Windows login page, but wouldn't get to the desktop. I don't know how long they waited, for how long it had behaved like this, and what possible event could have triggered this. Does this evoke something that could be the cause of what I'm getting? Could a virus for instance induce such a behaviour, and result in a complete partition being overwritten with garbage?
abolibibelot wrote:I also saw that there was McAfee software installed (most likely provided by default with the computer), which includes a “Shredder” module: could it have “shredded” the whole directory structure, unbeknownst to the user, or by mistake?
abolibibelot wrote:It's not that it would be a problem per se, it's just that it would become more complicated than I'd like!
abolibibelot wrote:I made an image (onto a 3.5" 2TB HDD), not a clone. I don't have an empty 2.5" HDD right now to do such a test, which would be quite long (3+ hours to overwrite the drive, then the restore procedure) and would probably show that the free space stays zeroed out; I wouldn't see any sound reason not to (although it's a possibility, as I said, rampant is stupidity, and stupidity makes almost anything possible, even the inconceivable!). If the whole restore procedure took less than half an hour as opposed to the 3+ hours that are required to scan the whole drive, then it's not the cause. If it did take 3+ hours, whatever that data is is irrelevant and I'm wasting my time!
abolibibelot wrote:Exploring the recovery mode, I can see that there are indeed two options: “Actualize your PC” (which is supposed to restore its performance while keeping the personal files) and “Reinitialize your PC” (which is supposed to totally reinitialize the PC and get rid of all files).
abolibibelot wrote:Well, sorry about that, I'm trying to be as thorough as possible... But please reassure me that I'm not quite at that level!
March 20th, 2018, 2:01
Maybe a virus, maybe other things. I have seen machines with a monstrous Internet Explorer cache where everything in the machine would seem to hang. I remember talk about corrupt startup sound files related to this hanging at startup. Also interrupted updates. Can be many things, hard to diagnose after the evidence is deleted.
I do not know that specific piece of software, but I imagine it is aimed at shredding files. Maybe drives also, but it probably couldn't run on the boot drive, unless it has an option to clean empty disk space.
It is your choice. If you do not have an adequate 2.5" drive to test, that is enough of a good reason. But the time it will take needs no attention, so it could be set to run and the results analyzed later. Not all research discovers the ways to do things. Some research discovers the ways that don't work.
As for the values: writing a zero or writing a random value implies mostly the same work for the software that does it. The same as data erasing programs market all those "three passes from beginning to end, then from end to beginning, and zig-zag... etc.". The value to write when clearing a sector on a mechanical HDD is much a matter of personal preference of the programmer.
Condensing: if you cannot discover what really happened (no matter the reason), and you do not have a lot of time to spend researching, the best explanation to the owner is that the problem with the disk was solved by formatting, but that same problem prevented the recovery of the files. And mention "en passant" that they will need to copy the files back from their backups, camera cards, phones and other media.
And before you answer "But they do not have backups", I know it. People don't make backups. But it is more polite (is "politer" a word?) to suggest that than to say flatly "Don't you have backups? You should have backups."
Because, as you must have read here a couple of times, even if the person never made a copy of those oh-so-important files, when their computer is run over by a truck, they want to say *you* are guilty of not being able to recover their files.
The Vaio S series was a line of notebook computers from Sony introduced in summer 2004. They have been touted as business laptops, and their designs have focused on being thin and light. They also have features friendly to businesspeople, such as TPM chips.
About 2 months ago, I personally came across a Lenovo laptop with TPM 2.0, which according to the end user, all of a sudden began booting to a BitLocker screen asking for a BitLocker recovery key. The end user does not ever recall using/activating BitLocker on the computer, nor having an encryption key for BitLocker of any kind.
I believe I used M3 Bitlocker Recovery on the drive to get a better idea of what was going on. M3's analysis will show some metadata, including a computer ID of some sort [I forget the details at this time]. What is interesting is that the analysis indicates that the recovery key is managed in Active Directory [likely in a corporate environment or university]. Coincidentally, the end user is a professor at a university. Ironically, a few weeks later, I got another strange call with similar circumstances from the wife of a professor who is teaching at another university. Once again, nobody "knew" anything, so I did not pursue it further.
On brief research, there seem to have been some cases where computers have gotten hacked and data encrypted with BitLocker in exchange for a ransom (this is different from CryptoLocker). Furthermore, the hackers seem to have used the same BitLocker key across all laptops that got affected. [...]
Now, it is possible that your client got affected by this BitLocker ransomware OR the random TPM-issue-related BitLocker encryption, thus encrypting the data, and then, afterwards, the father formatted the drive and reinstalled Windows, thereby arriving at the current situation. This is why I [and others] have mentioned that knowing all the details from all the people involved with the laptop is important to make sense of the current state the laptop is in.
Let's assume that your customer's drive got hacked by a BitLocker encryption attack. You could create a clone of the original drive and then force decrypt the data on the drive using the universal bitlocker key found in the article below, then finally run recovery software and see what it finds.
March 20th, 2018, 12:01
If some software has the option of cleansing the empty space, why would "something that R-Studio would find" remain, when the idea is exactly to prevent that?
If you do not want to talk to the father to discover whatever he remembers about the case,
and also do not want to spend the time to do some experiments with the Restore options...
The thing had some problem, and was erased by someone when trying to solve the issue. This happens. And the issue was solved. Files are lost; better to move on and forget about them. The necessary research to discover what happened, and how, would take time, and would have a bigger cost. This thing is starting to get to the point where "esoteric" explanations are being suggested. Files were lost, the original situation was destroyed. Hard to know now, and without the disk at hand, what happened in the past. What really happened doesn't matter that much, because the end result (lost files) will still be the same. You did what you could do. Now, it is time to give back the disk and forget about it.