Recovering artifacts from encrypted hard drive

(@foggy)
Posts: 6
Active Member
Topic starter
 

I'm testing recovering artifacts from a SATA drive and would like to see if anyone could disprove my result.

The drive is a 3 Tb SATA drive that had to be changed from MBR to GPT to get it to allow the use of the full 3 Tb instead of 746 Gb.

I formatted the drive, encrypted the drive with VC as a non-system drive and then formatted again.

I then ran photorec on it but just got false positives and found nothing of the data located on the drive before the first format.

1. Can anyone disprove my test right away?
2. Would other software find more than false positives?

 
Posted : 29/06/2019 5:37 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Not enough info to prove or disprove, mainly because I don't understand the scope of the test.

If you formatted the disk (actually one or more volumes on the disk) under Windows Vista or later without using the /q switch (or checking the quick format checkbox if using the GUI) the format operation has wiped (written all zeroes) to the volume(s), so - independently from "VC" (which I presume is VeraCrypt) - you won't find any artifact.

Besides, if a filesystem is encrypted, it is encrypted.

You won't find any (meaningful) artifacts on an encrypted volume with photorec, again no matter if you format it (full or quick).

That is - more or less - the whole point of encrypting a volume: unless it is decrypted, all you can find on it (with photorec or with any other tool) will be "digital garbage".

Maybe you can explain the scope of the test, and clarify the details on the way it was carried out, but essentially:
1) No
2) No

jaclaz

 
Posted : 29/06/2019 7:26 pm
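
The distinction drawn in the reply above (a full format leaves zeroes, an encrypted volume leaves random-looking data, and any carving hit in the latter is a chance match) can be checked on a raw image before trusting carver output. This is an added example, not part of the original thread; the function names, the 7.9 bits/byte threshold, the short signature list and the constructed sample image are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
BLOCK = 64 * 1024
# Short, illustrative signature list of the kind file carvers key on.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
              "pdf": b"%PDF-", "zip": b"PK\x03\x04"}

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random-looking data."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_block(block: bytes, threshold: float = 7.9) -> str:
    if block.count(0) == len(block):
        return "zeroed"          # what a full (non-quick) format leaves behind
    if shannon_entropy(block) >= threshold:
        return "high-entropy"    # ciphertext, but also compressed data
    return "structured"          # plaintext metadata or file content

def survey(image: bytes):
    """Return (block classification counts, sector-aligned signature hits)."""
    kinds = Counter(classify_block(image[o:o + BLOCK])
                    for o in range(0, len(image), BLOCK))
    hits = Counter()
    for off in range(0, len(image), SECTOR):
        for name, magic in SIGNATURES.items():
            if image.startswith(magic, off):
                hits[name] += 1
    return kinds, hits

def pseudo_ciphertext(n: int) -> bytes:
    """Constructed stand-in for encrypted sectors: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def build_sample() -> bytes:
    """Constructed image: 2 zeroed blocks, 4 'encrypted' blocks, 1 plaintext block."""
    text = b"\xff\xd8\xff" + b"holiday photo metadata, camera model, date; " * 2000
    return bytes(2 * BLOCK) + pseudo_ciphertext(4 * BLOCK) + text[:BLOCK]

if __name__ == "__main__":
    kinds, hits = survey(build_sample())
    print(dict(kinds), dict(hits))
```

An image that surveys as only "zeroed" and "high-entropy" blocks, with no "structured" blocks at all, is consistent with a wiped or encrypted volume, and signature hits inside it should be treated as coincidental matches on short magic bytes.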
(@foggy)
Posts: 6
Active Member
Topic starter
 

Been out of the loop for too long, therefore my somewhat erratic post.

Thanks for the reply, I have some recollection of the possibility of restoring data even after it has been wiped several times, but that might just be possible in very specific situations.

 
Posted : 29/06/2019 7:33 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have some recollection of the possibility of restoring data even after it has been wiped several times, but that might just be possible in very specific situations.

Well, that has always been false in the last - say - almost 25 years, the myth of the multiple passes derives from a wrong reading of a (IMHO also actually intentionally poorly/unclearly written) article by Professor Gutmann in 1996.
https://en.wikipedia.org/wiki/Gutmann_method
https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

jaclaz

 
Posted : 29/06/2019 7:45 pm
(@foggy)
Posts: 6
Active Member
Topic starter
 

Thanks. I'll let this thread fall silent and be forgotten by the end of the month. :D

 
Posted : 29/06/2019 7:58 pm