Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
First, apologies if this doesn't belong in the security forum - seemed like the most appropriate to me.
I decided to play around with an old PC and see if I could recover any data from it, more for practice than because I need to.
The PC has Windows on it, has been used for years, and I've just done a "reset Windows" on it.
Fired up Kali in forensic mode. Ran photorec on the drive, it found about a thousand files - mostly text or xml files that seem to be Windows-installation type files, but nothing else.
I'm wondering why I can't find any of the old data. Unless a Windows reset actually writes to the whole drive, but I'd expect it just to do a quick format and replace the MFT/partition table. Any ideas anyone?
I can mount it, but that shows the current state (which is a fresh installation of windows). I'm trying to see if anything remains of the files that were on it previously, before doing the reset.
The thousand or so files I found with Photorec are deleted files - all the normal Windows files from the current installation are on there, as well. I'm kind of interested to see if it's possible to find the old files that were on it before doing the reset.
I tried that, but it gave errors about the disk parameters being incorrect, and I didn't persevere. But if the disk has been overwritten with zeroes it probably won't find anything either I guess?
A format is not the same as overwrite with zeros. With a normal format only the partition table is overwritten.
testdisk should be able to make some files available again. As long as these files are not overwritten by a new install, or other drive operations.
If you're desperate for the stuff, with a spinning rust drive, there is the option shred was designed to prevent. Residual magnetism hangs about, so stuff can be reconstructed by detecting this and resetting it. It's probably a forensic professional job.
I might have another play around with testdisk in that case, although I thought photorec worked on a similar basis. And just to clarify so I don't mislead anyone - the data isn't especially important - this is more just an opportunity to see what's possible and how much I can recover. I think I have all my important data backed up... although saying that, I haven't tested my backups for a while so I should do that too!
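Added example, not part of any post in this thread: one way to check the "overwritten with zeroes" question directly is to survey a raw image of the drive block by block, counting all-zero blocks and blocks that start with a known file header. The function names, the 4096-byte block size, the short signature list and the sample image are assumptions made for this sketch.

```python
import os
import tempfile

# Well-known file headers of the kind a carver looks for at block starts.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

def survey_image(path, block_size=4096):
    """Count zero-filled blocks, non-zero blocks and header hits in a raw image."""
    stats = {"blocks": 0, "zero": 0, "nonzero": 0, "hits": {}}
    with open(path, "rb") as img:  # read-only: never write to the evidence
        while True:
            block = img.read(block_size)
            if not block:
                break
            stats["blocks"] += 1
            if block.count(0) == len(block):  # every byte is 0x00
                stats["zero"] += 1
                continue
            stats["nonzero"] += 1
            for magic, name in SIGNATURES.items():
                if block.startswith(magic):
                    stats["hits"][name] = stats["hits"].get(name, 0) + 1
    return stats

def zero_fraction(stats):
    """Share of blocks that are entirely zero (0.0 for an empty image)."""
    return stats["zero"] / stats["blocks"] if stats["blocks"] else 0.0

def survey_sample(block_size=4096):
    """Build a constructed 8-block image, survey it, and clean up."""
    blocks = [bytes(block_size)] * 8
    blocks[1] = b"\xff\xd8\xff\xe0" + b"A" * (block_size - 4)  # stale JPEG header
    blocks[4] = b"%PDF-1.4\n" + b"B" * (block_size - 9)        # stale PDF header
    blocks[6] = b"C" * block_size                               # data, no known header
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(b"".join(blocks))
        return survey_image(path, block_size)
    finally:
        os.remove(path)

if __name__ == "__main__":
    result = survey_sample()
    print(result, "zero fraction = %.3f" % zero_fraction(result))
```

Run against a real image, a zero fraction close to 1.0 outside the space used by the new installation means the old contents were overwritten and carving has nothing left to find; many non-zero blocks with few header hits point to fragmented, encrypted or compressed leftovers.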