Hi.
I have a suspected Windows computer with RestorePoints, hibernation turned off.
All the data has been wiped with Eraser (Heidi's). All free space has been erased on disc c.
Any chances to recover these files?
What tools could you recommend for imaging/analysis?
Any comments appreciated.
Cassandra.
Cassandra
If files have been wiped then there is no way I know of to magically make the 1's and 0's that formed the original data reappear.
If the files had merely been deleted then you might have had a chance to recover them because the data might have still been there.
The bottom line…
Files wiped, free space wiped; you are on a bit of a loser I'm afraid.
Any forensic tool will confirm this situation, ranging from the free (open source) tools to the VERY expensive.
Paul
If the Eraser has done a secure delete, i.e. overwritten the area where the file was stored, then all is lost. The chances of recovering data from an overwritten sector are probably similar to winning the lottery (big prize) two weeks in a row with a single ticket.
Does Eraser clear down small files that are normally stored in an MFT entry?
The only suggestion would be to scan the disk for any backup files that have not been deleted. You could also scan for signatures, or keywords, just in case. Don't hold your breath!
Files wiped, free space wiped; you are on a bit of a loser I'm afraid.
Yes )
Does Eraser clear down small files that are normally stored in an MFT entry?
How to check it?
Funny story
On an accusation, the FBI asked to look at my hard drive. Since I had confidently used the Eraser program at the highest level, I foolishly agreed. I sat and watched the agent put in a "forensic recovery disk" and was shocked to see him pull up every single item I had "Erased!!" I was lucky and was not charged or prosecuted, but duly "warned" by them. If I had paid anything for this crap make-believe program, you better believe I would have sued the hell out of this fly-by-night company peddling this crud. You've been warned- I will even leave you my email address to help you believe I am being completely honest! DO NOT PUT YOUR FAITH IN THIS PROGRAM, IT WILL NOT SAVE YOU WHEN YOU NEED IT THE MOST.
– From someone who learned the hard way. trekdoxie@gmail.com
source: http//
And another question: is it safe to clear "pagefile.sys" on shutdown? Could it be recovered?
Does Eraser clear down small files that are normally stored in an MFT entry?
How to check it?
Get a small USB stick and format it with NTFS. Create a file small enough to be resident in the MFT on the USB device, find its location in the MFT, delete it with Eraser, then look at that location to see what persists.
By the way, some wiping software, including earlier versions of Eraser (I'm not certain about the current version), only wipe files that have been deleted via Windows explorer and only after the wiping software has been installed. Previously deleted files may not be wiped, although utilities like cipher will handle that.
Bottom line is that you need to check for yourself.
And another question: is it safe to clear "pagefile.sys" on shutdown? Could it be recovered?
Clearing the pagefile should result in it being completely overwritten with 0's (at the expense of a long shutdown). This, of course, assumes that the machine was completely shut down before being powered off. As the entire pagefile space is allocated at OS install time (on the boot disk), it shouldn't move and, therefore, should not be recoverable using standard forensic techniques.
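The check described in the reply above (create a small MFT-resident file holding a known marker, wipe it, then look at its MFT record), sketched as an added Python example that is not part of the original thread. It assumes the 1024-byte FILE record has already been read out of an image of the test volume; `resident_data`, `check_wipe`, `build_record` and the marker string are hypothetical names, and the sample records are constructed, not output from Eraser.

```python
import struct

DATA_ATTR, END_MARK = 0x80, 0xFFFFFFFF

def resident_data(record: bytes):
    """Return (in_use, content) for one NTFS MFT FILE record.

    content is the unnamed resident $DATA attribute's bytes, or None when
    $DATA is absent or non-resident (held in clusters, not in the MFT).
    Fixup (update sequence) bytes at the end of each 512-byte sector are
    not restored here; a marker that ends before offset 510 is unaffected.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, flags = struct.unpack_from("<HH", record, 0x14)
    in_use = bool(flags & 0x0001)          # cleared when the file is deleted
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARK or alen == 0:
            break
        non_resident, name_len = record[off + 8], record[off + 9]
        if atype == DATA_ATTR and name_len == 0 and not non_resident:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            return in_use, record[off + coff:off + coff + clen]
        off += alen
    return in_use, None

def check_wipe(record: bytes, marker: bytes) -> dict:
    """Report where a marker written before deletion still shows up."""
    in_use, content = resident_data(record)
    return {"in_use": in_use,
            "in_data_attr": content is not None and marker in content,
            "anywhere_in_record": marker in record}  # also catches record slack

def build_record(content: bytes, in_use: bool) -> bytes:
    """Constructed 1024-byte sample record with a single resident $DATA."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, 1 if in_use else 0)
    padded = content + b"\0" * (-len(content) % 8)
    attr = struct.pack("<IIBBHHHIHBB", DATA_ATTR, 0x18 + len(padded),
                       0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + padded
    return (bytes(hdr) + attr + struct.pack("<I", END_MARK)).ljust(1024, b"\0")

if __name__ == "__main__":
    marker = b"MFT-RESIDENT-TEST-0001"     # constructed marker text
    print(check_wipe(build_record(marker, False), marker))              # plain delete
    print(check_wipe(build_record(bytes(len(marker)), False), marker))  # overwritten
```

If `anywhere_in_record` is true while `in_data_attr` is false, the marker survives only in bytes the attribute chain no longer references, which is still a recoverable remnant.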
Greetings,
Testing this on a USB stick may give you different results than on a normal hard drive due to wear leveling.
-David
Wear leveling on a memory stick is invisible - unless device drivers are used to specially control wear leveling.
The bottom line is that logical sector 0x123 must always be logical sector 0x123, wherever the memory stick decides to physically save it.
Hi.
I have a suspected Windows computer with RestorePoints, hibernation turned off.
All the data has been wiped with Eraser (Heidi's). All free space has been erased on disc c.
Any chances to recover these files?
What files?
If hibernation was 'turned off', was it ever enabled? Same with the Restore Points…
What tools could you recommend for imaging/analysis?
For imaging…the same ones that you always use. I don't recommend that you use anything you're not familiar with. Same with analysis.
In short, I'm just not clear what you're asking…
He is asking for a miracle.
There is a process to recover data from a wiped drive, however I can't remember what it's called. Maybe someone here knows? The 0's and 1's are still detectable from the leftover wobble of the magnetic frequency which can remain on the disc. It's got a long-winded scientific name.
I wouldn't mind reading into it further too.