
Reset overwrites every single file


19 replies to this topic

#1 LH47

Posted 25 January 2016 - 06:30 PM

A customer just reset her Win 8.1 and lost all her files. She has hardly used it since this event, so I used Recuva, which found 40 GB worth of data.

 

But according to Recuva, it was almost all overwritten - mostly by drivers. I copied the data over anyhow, but it is all too corrupted to read.

 

I'm at a loss, because over 6 different operating systems, I have always been able to recover at least something. How is it possible that an OS install that uses under 20 GB could overwrite 40 GB worth of data? It's a big hard drive, and the odds against it would seem to be astronomical.

 

In fact, even the files (all PDFs) that Recuva claimed were not overwritten would not open. (Though every item in the list did have a yellow light in front of it.)

 

I have had similar results with other software.

 

Am I doing something wrong? Did she accidentally reset it 2 - 3 times?




 


#2 JohnC_21

Posted 25 January 2016 - 06:43 PM

It depends where the files are on the drive and what was overwritten. A file could have a few bytes overwritten by another file and thus be made corrupt. I am surprised you got anything after a reset, as that basically is a factory restore. One file could write over several parts of a drive. Refresh is what should have been used.

 

The other program you may want to try is PhotoRec. Any file recovered would have a generic name and you want to make sure you pick what file extensions you want to recover in folder options or you will recover even dll files. The files are also recovered in real time to the folder that PhotoRec was unzipped to. But, I don't hold out much hope.



#3 LH47 (Topic Starter)

Posted 25 January 2016 - 08:42 PM

Actually, all I wanted were the MS docs (.docx). Her husband was writing a book, and he did not back anything up. A year's work was on the drive... And it was a $300 "Tech Helper" outsourced by HP who remoted into her system and did this all without any warning to her.

 

In the past, I have recovered many files from (manually) re-formatted hard drives.  But I never tried it from systems that were reinstalled via a recovery partition. Must be much more destructive.

 

Thanks!



#4 JohnC_21

Posted 25 January 2016 - 09:29 PM

PhotoRec will scan the drive and look for any docx files. You can set docx in the folder options. You do not want to use QPhotoRec. It is not as powerful as PhotoRec.

Download Testdisk and unzip to a folder on your desktop. Not the desktop of the computer you are trying to recover data from. That drive should not be accessed any further. Pull the drive and use a USB enclosure or Adapter.

 

Run PhotoRec and let it scan the drive. Any files recovered will be to the folder you unzipped the Testdisk zip file to.

 

http://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step

 

At this screen you can see the folder option at the bottom. Download the Windows version, not the 64-bit version.

 

[Attached screenshot: PhotoRec_src.png]



#5 LH47 (Topic Starter)

Posted 26 January 2016 - 09:37 AM

Wow. Thank you very much for all of that.  I will get right on it.

 

I did run the last recovery app from a usb drive. (I was surprised it let me do that...). My first instinct was to pull the drive, but it's one of those (deleted) 'All-in-Ones', and so now I will have to figure out how to open it up. (no visible screws anywhere - do I need a spudger?)

 

This poor guy is very bright, but he's over 80, and when they told him to back up his data, he did. He had at least 4-5 copies of all his documents. All on the same hard drive partition.  :-(



#6 JohnC_21

Posted 26 January 2016 - 10:04 AM

There is a way to do it using a bootable Linux disk, but it is a little more involved. You would need to use Parted Magic on a bootable disk or USB. Create a folder on an attached external drive, then from within that folder run PhotoRec. It will scan the hard drive and then recover files to the folder on the external drive.

 

Do you have a make and model of the all in one?



#7 LH47 (Topic Starter)

Posted 26 January 2016 - 11:02 AM

HP 19-2114.

 

I'm a little bit confused as to why I would need to run a live CD, if I'm also running PhotoRec from an external USB drive, and scanning the C: drive on the HP...? Or is that 2 different thoughts? (I'm not a good geek....)

 

The very first thing I tried was a 64-bit Ubuntu live CD. But I could not boot to it (one of those UEFI/BIOS issues, I figured), and if the files are overwritten, then it would not help. I have seen all of the files; Recuva copied them to a flash drive, where they are now, original file names and all. But they are unreadable.

 

I'm reading the PhotoRec directions. A bit geeky for me, alas, ("Raw"? Encase EWF?? Huh? :huh: )  I wanted to try "TestDisk" first, but I'm running Win 7 Pro 64 bit with WOW64 (as is every MS OS post Win 2k) so I'm not sure which one to install.

 

I work 2 jobs, I never get more than $40 for a PC job, and I have a policy that if I can't fix it, then I don't charge anything....and you can imagine how dicey that can get! I suppose I should probably point this customer at one of the big kids.

 

But thank you!



#8 JohnC_21

Posted 26 January 2016 - 11:07 AM

When you boot the all in one there are always going to be some writes to the drive and it's possible these writes are overwriting those docx files. I would not boot the hard drive of the all in one. When using a bootable linux disk there would be no writes to the hard drive of the all in one.

 

Edit: At this point, I don't think TestDisk will work. Your only chance now is to scan the disk with software like PhotoRec. You can make a USB bootable with Rufus that supports booting UEFI but in order to do this you need to enter BIOS and disable SecureBoot. I believe on HP you can tap ESC at boot and tell the computer to boot legacy. Try that option with Ubuntu if you still have the disk.

 

Edit Edit:

 

Here is the service guide.


Edited by JohnC_21, 26 January 2016 - 11:13 AM.


#9 LH47 (Topic Starter)

Posted 27 January 2016 - 10:04 AM

Well... Thank you!  

 

The PC booted off the thumb drive, and I painstakingly followed the tutorial here (a heroic effort by the author, IMHO). Next time, I would use "Diskpart" first. Too many partitions on these new drives.

 

Had a little problem choosing the file types. I only wanted .doc and .docx, but there was no option for .docx, and when I (thought) I chose ".doc", the scan only took 15 minutes and did not find anything at all. (And I know there were old Word docs there.) Was there a custom option? A lot of very small writing in that utility...

 

So I went back and let it search for everything, but was informed that it would take over 3 days....  So I stopped it and looked at what it had recovered so far, and, again, nothing readable.   (The customer waited over a week to call me. )

 

For the record, the online Tech "Help" company the customer called is named "Online PC Protect" (844.841.0432.) They remoted into her system (!) and then told her that "everyone on the planet has her passwords." (Though they never told her to change them, so she didn't...)

 

Then they reset her computer, wiping out all the files without warning her, and charged her... $749.99... to "fix" a $200 computer.

 

Anyhooo... I told her to email the FTC and call her credit card company. (hope it's not too late.)

 

The good news is that her husband found hard copies of most of his book. Meanwhile, I put a USB-formatted DVD in the drive, and told him how to send things there, once they were saved on the hard drive.

 

I'm babbling because I found that tool a trifle geeky, but I'm glad I have it - I will practice on a test system. Thank you very much.


Edited by LH47, 27 January 2016 - 10:06 AM.


#10 JohnC_21

Posted 27 January 2016 - 10:14 AM

Thanks for the update and a link to that tutorial. I posted that Photorec detected docx. I got that info from here. I will have to check my Testdisk and see if I can find it. Possibly the Rescuedisk has an earlier version of PhotoRec.

 

Yes, have the person call the credit card company and demand a charge back.

 

Edit: I looked at the packages on the SystemRescueCD and it does have the latest version of TestDisk/PhotoRec. I am wondering if the Windows version is different than the Linux version, but I can't imagine why.


Edited by JohnC_21, 27 January 2016 - 10:18 AM.
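Two points in the posts above deserve a concrete illustration: JohnC_21's remark in #2 that a few overwritten bytes are enough to make a file unreadable, and the confusion in #9/#10 about why PhotoRec has no ".docx" entry. A .docx is an OOXML package, which is a zip file, so in PhotoRec it is recovered under the zip family rather than under a docx entry. What follows is an added example, not PhotoRec's code and not anything posted in the thread: a tiny signature carver that does what PhotoRec does in principle (find zip headers on sector boundaries, cut at the end-of-central-directory record) and then validates each carved package the way Word would. The disk image, the two documents in it and the "driver" data written over one sector are all constructed here.

```python
"""Signature carving of .docx files from a raw image, plus the integrity check that
tells an intact file from one whose sectors were overwritten. Added, self-contained
example (not PhotoRec's code); the image and the documents in it are constructed."""
import io
import struct
import zipfile
import zlib

SECTOR = 512
PK_LOCAL = b"PK\x03\x04"   # zip local-file header: start of every .docx/.xlsx/.pptx
PK_EOCD = b"PK\x05\x06"    # zip end-of-central-directory record: end of the package


def make_docx(body: bytes) -> bytes:
    """Constructed minimal Word package: a zip holding the two parts Word insists on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def make_image(files, size=64 * 1024):
    """Constructed 'drive': no filesystem metadata, files laid out on sector
    boundaries with gaps, which is what a carver sees once the MFT is gone."""
    img = bytearray(size)
    pos, offsets = 4 * SECTOR, []
    for data in files:
        img[pos:pos + len(data)] = data
        offsets.append(pos)
        pos += -(-len(data) // SECTOR) * SECTOR + 3 * SECTOR   # round up, leave a gap
    return img, offsets


def overwrite_sector(img: bytearray, offset: int) -> None:
    """Simulate the reinstall dropping part of a driver over one sector of a document."""
    img[offset:offset + SECTOR] = b"MZ" + b"\x90" * (SECTOR - 2)


def carve(img: bytes):
    """Return (offset, blob) for every sector-aligned zip header, cut at the next EOCD.
    A carver trusts signatures, not the filesystem, so it happily returns a package
    whose middle has been overwritten; classify() sorts those out afterwards."""
    out, pos = [], 0
    while (pos := img.find(PK_LOCAL, pos)) >= 0:
        if pos % SECTOR == 0:
            end = img.find(PK_EOCD, pos)
            if end < 0 or end + 22 > len(img):
                break
            comment_len = struct.unpack_from("<H", img, end + 20)[0]   # EOCD is 22 B + comment
            out.append((pos, bytes(img[pos:end + 22 + comment_len])))
        pos += len(PK_LOCAL)
    return out


def classify(blob: bytes) -> str:
    """'docx'    - consistent Word package, every member's CRC-32 matches
       'damaged' - zip structure or member data no longer matches (sectors overwritten)
       'other'   - a valid zip, but not a Word package"""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names or not any(n.startswith("word/") for n in names):
                return "other"
            return "docx" if z.testzip() is None else "damaged"
    except (zipfile.BadZipFile, zlib.error, struct.error, EOFError, OSError):
        return "damaged"


def recover(img: bytes):
    """Carve and classify; returns [(offset, status), ...] in disk order."""
    return [(off, classify(blob)) for off, blob in carve(img)]


if __name__ == "__main__":
    docs = [make_docx(b"<w:t>chapter one</w:t>" * 150),
            make_docx(b"<w:t>chapter two</w:t>" * 150)]
    image, where = make_image(docs)
    print("before reinstall:", recover(image))
    overwrite_sector(image, where[0] + SECTOR)   # second sector of the first document
    print("after reinstall: ", recover(image))
```

The first document survives the overwrite with its header and its central directory intact, so a carver (or Recuva, working from leftover MFT records) still reports it with the right name and size; it is the CRC-32 of `word/document.xml` that no longer matches, and that is why a file that "looks" recovered will not open in Word. Had the overwritten sector been the first one, the `PK` signature itself would be gone and the file would not be carved at all.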


#11 LH47 (Topic Starter)

Posted 27 January 2016 - 03:29 PM

I will check it out.

 

Meanwhile, and this is interesting/borderline concerning....

 

Turns out that these people (1 master's degree, 1 PhD) tried to put this huge charge on an Amex card, but the crooks refused to take it. They would only take a debit card. So the victims handed over their bank account info. (Did I say PhD?)

 

So the victim went to the bank and put a freeze on all accounts. NOW....the bank will not UN-freeze this account, unless they have a written guarantee (from me) that the system is clean.

 

Has anyone ever heard of this? I don't know about you folks, but with all the crap out there, the only way that I could guarantee a clean system would be to write zero's to the drive and start all over. (after already spending many many hours getting it up and running right)

 

Would you sign a guarantee that this computer is clean?? And then, if the crooks have snuck some kind of rootkit on there, I would be liable for the hundreds of thousands that these folks have in their account??

Am I paranoid? This is America - land of the Trumps and the Fiorini's.

 

And I live in a single-wide mobile home in a park in the boonies.... I'm chopped liver! They'll crucify me and sell my organs.



#12 JohnC_21

Posted 27 January 2016 - 03:43 PM

I don't understand why the bank is making you guarantee the computer is clean. I would explain to the bank you had no involvement in the matter except for trying to recover the data and was only done because you were asked to look at it. The people should be talking to a good lawyer. 

 

The only way I would guarantee the computer is completely clean is by zeroing out the drive and installing with fresh media. You can download an iso of Windows 8.1 here. You can zero the drive during the Windows install using the diskpart clean all command. The first thing though would be to reset the UEFI/BIOS settings. 
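`diskpart clean all` overwrites every sector of the selected disk with zeros, which on a large drive takes hours, and nothing in the Windows installer tells you whether it finished. A practitioner who is asked to vouch for a wipe wants to read the disk back. The script below is an added example, not part of the thread and not a Microsoft tool: it makes one pass over a device or an image file and reports any sector that is still non-zero, with the offset of the first one. Run it as root against `/dev/sdX` from the live Linux disk discussed above, or as Administrator against `\\.\PhysicalDriveN` on Windows, where reads from a raw device have to be a multiple of the sector size (the 1 MiB read size below satisfies that). The stand-in images it creates when run without an argument are constructed here; the device paths are assumptions about the reader's machine.

```python
"""Verify that a drive (or an image of it) really is zero-filled after a wipe such as
`diskpart clean all`. Added example, not a diskpart or Microsoft tool."""
import os
import sys
import tempfile

BLOCK = 1024 * 1024   # read size; keep it a multiple of the sector size for raw devices


def zero_fill_report(path: str, block: int = BLOCK) -> dict:
    """One full pass over the device or image. Returns how much data was read,
    how many read blocks still held non-zero bytes, and the byte offset of the
    first residual byte (None when the medium is clean)."""
    total = nonzero_blocks = 0
    first_nonzero = None
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(block)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):              # at least one non-zero byte
                nonzero_blocks += 1
                if first_nonzero is None:
                    first_nonzero = total + (len(chunk) - len(chunk.lstrip(b"\x00")))
            total += len(chunk)
    return {"bytes_read": total, "nonzero_blocks": nonzero_blocks,
            "first_nonzero": first_nonzero, "clean": nonzero_blocks == 0}


def make_constructed_image(size: int, dirty_at=None) -> str:
    """Constructed stand-in for a wiped drive: all zeros, optionally with one leftover
    sector (the first bytes of a PE header) at dirty_at, as an interrupted wipe leaves."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.truncate(size)
        if dirty_at is not None:
            fh.seek(dirty_at)
            fh.write(b"MZ\x90\x00" + b"\x00" * 508)
    return path


if __name__ == "__main__":
    # e.g. python verify_wipe.py /dev/sdb   or   python verify_wipe.py \\.\PhysicalDrive1
    target = sys.argv[1] if len(sys.argv) > 1 else make_constructed_image(8 * BLOCK, dirty_at=5 * BLOCK)
    print(zero_fill_report(target))
```

A report with `nonzero_blocks` of zero is the only evidence that the pass completed; a single residual sector, as in the constructed image, is exactly what a wipe stopped partway through leaves behind. Note that this reads the disk as the controller presents it, so it says nothing about remapped sectors or about drive firmware, which is the limit LH47 alludes to in #15.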



#13 LH47 (Topic Starter)

Posted 27 January 2016 - 05:03 PM

Thanks. I have a flash drive with a recent 8.1 on it, and I can get to diskpart from there. But even after writing zeros, it could conceivably get infected again the first time they went online.

 

I don't get it, either, but I just finished reading Taibbi's "Griftopia" and tonight I was going out to see "The Big Short", and now this bank is trying to make me pay for their problem, so I got paranoid!

 

I called the customer, and she said that I should just tell them what apps I ran, and sign that. That's really all I can do, and I don't even want to do that.

 

I don't think these people are overly concerned with the money they lost. ;-)

 

Thanks again!



#14 JohnC_21

Posted 27 January 2016 - 05:18 PM

Maybe the people would be better off with a Chromebook or using linux on the All in one. At least with a Chromebook, it is pretty much locked down. ChromeOS is based on linux.

 

I still can't believe the bank would have you sign off on anything, especially after they factory reset it.



#15 LH47 (Topic Starter)

Posted 28 January 2016 - 11:11 AM

It was the crooks who reset it. I don't know why it crashed in the first place - a power glitch, I think. I'm happy to hear that you also find it strange; the whole thing makes me a bit uncomfortable, so I covered my tush in the letter:

 

 

(I ran) "Super Anti-Spyware, ADW Cleaner, Spybot Search and Destroy (cleaned and immunized), RKill, MalwareBytes, Mbar Rootkit scanner, Hitman Pro, Hijack This, TDSS Rootkit scanner,  Stinger, Rogue Killer, full Kaspersky boot time virus scan.

    

There were no Trojans or viruses found. No rootkits were found.  (Some rootkits are impossible to find and remove without a low level format.)  MalwareBytes found and removed a WebSearch toolbar. The other apps found and removed hundreds of common tracking cookies.

 

The only way to ensure a "clean" computer is to write zeros to the drive and then re-install the operating system. Even then, it could conceivably still be compromised the first time it is turned on, and/or be incurably infected with a newer "firmware" virus on the hard drive."

 

 

I hope I ran enough apps. I didn't save all the log files. (I do have a life...)


Edited by LH47, 28 January 2016 - 02:53 PM.




