What makes what he tried to recover unusable?
He only carved some of the files. What he did carve, for example some of the Word docs, have the correct extension but do not open in Word or are full of gibberish or have some content but did not recover completely. If I look at what he carved I could manually carve out usable data from some of the files.
Did he have the same results that you did?
I was able to carve way more files and folders. What I carved all seem to open in the corresponding program, just full of zeros.
The only real mistake he made, presumably, was that he wrote the recovered files to the same physical volume he was trying to recover the information from. In effect he overwrote some unallocated space which may hold the documents that he is looking for.
Still not sure what all happened, but according to the client files were written to the C:\ drive (files were recovered from F:\). That does not explain why the original directory has files full of zeros on subsequent examination.
Why don't you ask the IT guy what he used? Unless it was pirated software I doubt he has much reason to hide it from you, but the main focus is the fact that neither of you was able to recover those files successfully. I think you will be doing your client a disservice if you do not look for evidence of overwriting utilities. You mention that you feel he is not savvy enough, but this isn't rocket science. Most power users will know about Eraser, and if he is in an IT role you may have no idea how far his knowledge extends.
Still waiting for a response from the IT guy about his tools and methods.
The user is not a power user nor part of IT.
I still find it very odd that the IT guy was able to recover files with some content and when I look at the same drive the folder in question is full of files that only contain zeros. If he only recovered zeros or I recovered files with similar results to his it would not be as puzzling. But I will be looking at the user's laptop as soon as I receive it for wiping utilities.
FWIW I do not see an option in Eraser to only use zeros. Although Eraser is not the only program out there.
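The symptom described in this thread (recovered files with the right extension that are zero-filled, garbage, or only partially recovered) is easy to triage mechanically before opening anything by hand. The script below is an added example for that triage, not code posted by anyone in the thread: it checks each file for all-zero content, compares the header bytes against the well-known magic numbers for .doc (OLE2 compound file), .docx (ZIP container) and .pdf, and reports the share of 0x00 bytes so partially recovered files stand out. The sample bytes at the bottom are constructed for illustration.

```python
from pathlib import Path

# Well-known file signatures ("magic numbers") for the types discussed above.
SIGNATURES = {
    ".doc": [bytes.fromhex("D0CF11E0A1B11AE1")],  # OLE2 compound file (legacy Word)
    ".docx": [b"PK\x03\x04"],                     # OOXML documents are ZIP containers
    ".pdf": [b"%PDF-"],
}

def classify(data: bytes, ext: str) -> str:
    """Classify recovered/carved file content by its bytes, not its name.

    Returns 'empty', 'zero-filled' (every byte 0x00), 'signature-ok',
    'signature-mismatch' (wrong carve or garbage) or 'unknown-extension'.
    """
    if not data:
        return "empty"
    if data.count(0) == len(data):
        return "zero-filled"
    magics = SIGNATURES.get(ext.lower())
    if magics is None:
        return "unknown-extension"
    if any(data.startswith(m) for m in magics):
        return "signature-ok"
    return "signature-mismatch"

def zero_fraction(data: bytes) -> float:
    """Share of 0x00 bytes; a high value on a 'signature-ok' file suggests a partial recovery."""
    return data.count(0) / len(data) if data else 0.0

def triage_samples(samples: dict) -> dict:
    """Map {filename: content} to {filename: (label, zero_fraction)}."""
    return {name: (classify(data, Path(name).suffix), round(zero_fraction(data), 2))
            for name, data in samples.items()}

def triage_directory(root: str) -> dict:
    """Walk a directory of recovered files (e.g. the output of a carving tool) and tally labels."""
    counts = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            label = classify(path.read_bytes(), path.suffix)
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    # Constructed samples mirroring the thread: zero-filled, intact header, and garbage.
    demo = {"report.doc": b"\x00" * 4096,
            "memo.docx": b"PK\x03\x04" + b"\x00" * 12 + b"[Content_Types].xml",
            "notes.doc": b"random carved junk"}
    for name, result in triage_samples(demo).items():
        print(f"{name}: {result[0]} (zero fraction {result[1]})")
```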
What was the program that he used to attempt recovery? It seems to me that this might well be the culprit - certainly it was "present at the scene of the crime" as it were, doing some sort of disk access that was outwith the "normal" operation of the system.
(Sorry, I see reading back that you are still waiting for the answers to this … )
"FWIW I do not see an option in Eraser to only use zeros. Although Eraser is not the only program out there."
Any pattern can be sent in Eraser by selecting Edit>Preferences>Erasing and creating a new write pattern.
And without having researched it, I think Eraser bears a closer look. For a while, I was using Eraser in my (low budget, freeware loving) lab but it frequently would leave behind folders with no files. I never looked at it in hex because it wasn't working for me, but when I hear what you found it rings a bell…
Paul L
Hi,
Greetings!
Maybe the suspect (user) deleted all the files and folders from his profile, and then he created the same files and folders with the same names, however without any data.
Just my .02!
Thanks