LinuxQuestions.org


Mantra 07-09-2023 06:10 AM

Data recovery - Windows installation
 
First, apologies if this doesn't belong in the security forum - seemed like the most appropriate to me.

I decided to play around with an old PC and see if I could recover any data from it, more for practice than because I need to.

The PC has Windows on it, has been used for years, and I've just done a "reset Windows" on it.

Fired up Kali in forensic mode. Ran photorec on the drive, it found about a thousand files - mostly text or xml files that seem to be Windows-installation type files, but nothing else.

I'm wondering why I can't find any of the old data. Unless a Windows reset actually writes to the whole drive, but I'd expect it just to do a quick format and replace the MFT/partition table. Any ideas anyone?

fatmac 07-09-2023 06:22 AM

A 'reset' usually puts a computer back to 'factory' condition - why not just mount it & take a look at the file system(?).

Mantra 07-09-2023 06:52 AM

I can mount it, but that shows the current state (which is a fresh installation of Windows). I'm trying to see if anything remains of the files that were on it previously, before doing the reset.

The thousand or so files I found with Photorec are deleted files - all the normal Windows files from the current installation are on there, as well. I'm kind of interested to see if it's possible to find the old files that were on it before doing the reset.

Sorry, realised my first post wasn't clear!

syg00 07-09-2023 06:53 AM

When in doubt, go get it from the horse's mouth - here for example.

Note the difference between "reset" and "refresh".

Mantra 07-09-2023 07:12 AM

It looks like I have indeed fully reformatted it. I'm surprised Windows does that, actually!

syg00 07-09-2023 07:20 AM

I'm not. They actually tried to help by giving the option. You shot yourself in the foot, not them ... :shrug:

We've all learnt the lesson that data can be lost by "playing around".

giesbert 07-10-2023 10:11 AM

You still have the option of testdisk.

Mantra 07-10-2023 01:19 PM

I tried that, but it gave errors about the disk parameters being incorrect, and I didn't persevere. But if the disk has been overwritten with zeroes it probably won't find anything either I guess?

giesbert 07-12-2023 05:56 AM

Quote:

Originally Posted by Mantra (Post 6441278)
I tried that, but it gave errors about the disk parameters being incorrect, and I didn't persevere. But if the disk has been overwritten with zeroes it probably won't find anything either I guess?

A format is not the same as an overwrite with zeros. With a normal format only the partition table is overwritten.
testdisk should be able to make some files available again, as long as these files are not overwritten by a new install or other drive operations.

business_kid 07-12-2023 06:42 AM

If you're desperate for the stuff, with a spinning rust drive, there is the option shred was designed to prevent. Residual magnetism hangs about, so stuff can be reconstructed by detecting this and resetting it. It's probably a forensic professional job.

Mantra 07-12-2023 01:47 PM

I might have another play around with testdisk in that case, although I thought photorec worked on a similar basis. And just to clarify so I don't mislead anyone - the data isn't especially important - this is more just an opportunity to see what's possible and how much I can recover. I think I have all my important data backed up... although saying that, I haven't tested my backups for a while so I should do that too!
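
An added example, not part of any post above: one way to check the question raised in the thread (was the drive zero-filled, or is old data still sitting in unallocated space?) is to survey a read-only image of the disk, counting all-zero blocks and block-aligned file signatures of the kind a carver looks for. The 4 KiB block size, the short signature list and the sample image are assumptions made for this sketch.

```python
import os
import tempfile

BLOCK = 4096  # assumed cluster size; NTFS commonly uses 4 KiB clusters

# A few well-known file signatures (magic bytes) a carver looks for at cluster starts.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx",
}

def survey(path, block=BLOCK):
    """Read an image (or device) read-only and summarise what is left on it."""
    zero = bytes(block)
    stats = {"blocks": 0, "zero": 0, "nonzero": 0, "headers": {}}
    with open(path, "rb") as img:
        while True:
            chunk = img.read(block)
            if not chunk:
                break
            stats["blocks"] += 1
            if chunk == zero[:len(chunk)]:   # slice handles a short final block
                stats["zero"] += 1
                continue
            stats["nonzero"] += 1
            for magic, name in SIGNATURES.items():
                if chunk.startswith(magic):
                    stats["headers"][name] = stats["headers"].get(name, 0) + 1
    return stats

def make_sample_image(path, block=BLOCK):
    """Constructed sample: 16 blocks, mostly zeros, with two leftover file headers."""
    with open(path, "wb") as f:
        f.write(bytes(block * 16))
        f.seek(block * 3)
        f.write(b"\xff\xd8\xff\xe0" + b"JFIF leftover")
        f.seek(block * 9)
        f.write(b"%PDF-1.4 leftover")
        f.seek(block * 12 + 100)          # data that does not start a cluster
        f.write(b"text in the middle of a cluster")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.img")
        make_sample_image(sample)
        s = survey(sample)
        print(f"{s['zero']}/{s['blocks']} blocks are all zero; headers: {s['headers']}")
```

A result that is almost entirely zero blocks outside the new installation means there is nothing left for a carver to find; a large non-zero count with recognisable headers means recovery is still worth attempting.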

