I have a hard drive from a desktop PC, which had Debian and Windows 10 installed. In Windows 10 I had disabled automatic updates and the firewall, and one day a blue screen appeared. I saw on the internet that the information could be recovered, as long as the option of self-repair of Windows, the firewall and automatic updates are enabled. But since I had them disabled, I couldn't do anything. Then I logged into my Linux partition, and to my surprise, after a few minutes my PC shut down. When I tried to turn it on, I just pressed the power button, the fans started and then stopped, and the BIOS screen did not even appear, that is, there was no signal on the screen, and the power source emitted a strange sound. So I deduced that the power source stopped working. I removed my hard drive and bought an adapter to convert my internal hard drive to an external one. I connected it to my laptop with Windows 10, but the computer doesn't recognize it. I researched on the internet, but according to what it says, you have to format the hard drive to make it work and be recognized by Windows. I should also mention that I don't remember what type of files Linux and Windows install. What can I do to recover information from my 2 partitions without formatting?
-
Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Jul 04 '23 at 18:05
-
This seems like a hardware problem with your PC. Try to salvage the disk in another PC (no format required) and take the PC to a repair-shop. – harrymc Jul 04 '23 at 18:50
-
You may wish to take the disk immediately to a recovery agency to see if they can recover data. – John Jul 04 '23 at 19:18
1 Answer
Hopefully, you don't need to pay anyone to do this. If the data is still intact and your hard drive is operational, you can follow a few easy steps to see what's possible.
You will need another fully operational computer with both Windows and Linux installed.
Step 1: Create an image of your drive (Linux).
Open up a Linux terminal and connect your drive (do not mount). You should see the drive registered under devices, something like /dev/sda or /dev/sdb, etc. Let's assume it's /dev/sdb.
To make an image use:
dd if=/dev/sdb of=/path/to/save/data.dd conv=fsync bs=1M
Step 2: Get Autopsy from here. (Windows)
I can't predict what you will encounter, so it's hard to give you a complete answer with all possibilities. However, once you have Autopsy installed, open your data.dd file and let the tool scan and process it.
Since the tool is designed for law enforcement, there's a lot of stuff that won't apply for you. I don't think you really need any ingest modules, but feel free to see if any apply.
Autopsy has a lot of information available online. I would start here.
Very important: do not use your potentially broken drive after you have imaged it. This will help preserve any data that is still accessible (if any).
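A quick check on the image from Step 1 before loading it into any tool, as an added example that is not part of the original answer: this Python sketch opens data.dd read-only, walks its MBR or GPT partition table and reports whether each partition begins with an NTFS, FAT32 or ext2/3/4 signature. The function names, the 512-byte sector size and the tiny sample image are assumptions constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: the image uses 512-byte logical sectors
# (offset within partition, magic bytes, label); 0xEF53 is the ext superblock magic
MAGICS = ((3, b"NTFS    ", "NTFS"), (82, b"FAT32   ", "FAT32"), (1080, b"\x53\xef", "ext2/3/4"))

def identify_filesystem(img, offset):
    """Guess the filesystem starting at byte `offset` from its on-disk magic."""
    img.seek(offset)
    head = img.read(2048)
    return next((name for pos, magic, name in MAGICS
                 if head[pos:pos + len(magic)] == magic), "unknown")

def gpt_spans(img):  # yields (first_sector, sector_count) per used GPT entry
    img.seek(SECTOR)
    hdr = img.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("protective MBR present but no GPT header")
    table_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    for i in range(count):
        img.seek(table_lba * SECTOR + i * size)
        entry = img.read(size)
        if len(entry) >= 48 and entry[:16] != bytes(16):   # skip unused slots
            first, last = struct.unpack_from("<QQ", entry, 32)
            yield first, last - first + 1

def list_partitions(path):
    """Return [(start_sector, sector_count, fs_guess)]; opens the image read-only."""
    with open(path, "rb") as img:
        mbr = img.read(SECTOR)
        if mbr[510:512] != b"\x55\xaa":
            raise ValueError("no partition-table signature in sector 0")
        rows = [struct.unpack_from("<B3xII", mbr, 450 + 16 * i) for i in range(4)]
        if any(ptype == 0xEE for ptype, _, _ in rows):      # GPT disk
            spans = list(gpt_spans(img))
        else:
            spans = [(start, n) for ptype, start, n in rows if ptype != 0]
        return [(s, n, identify_filesystem(img, s * SECTOR)) for s, n in spans]

def make_sample_image(path):
    """Constructed sample: 12 KiB MBR disk with one NTFS and one ext partition."""
    disk = bytearray(24 * SECTOR)
    struct.pack_into("<B3xII", disk, 450, 0x07, 8, 8)      # NTFS at sector 8
    struct.pack_into("<B3xII", disk, 466, 0x83, 16, 8)     # Linux at sector 16
    disk[510:512] = b"\x55\xaa"
    disk[8 * SECTOR + 3:8 * SECTOR + 11] = b"NTFS    "
    disk[16 * SECTOR + 1080:16 * SECTOR + 1082] = b"\x53\xef"
    with open(path, "wb") as f:
        f.write(disk)
```

Calling `list_partitions("/path/to/save/data.dd")` on the real image gives the start sector of each partition; an "unknown" result for every partition suggests the filesystem headers themselves are damaged.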
-
I have not tried it, but from the looks and from what I read it lacks in the data recovery department. – Joep van Steen Jul 04 '23 at 22:06
-
Also, I want to point out that performing Steps 1-2 takes very little time depending on your env setup, and at least you will get a quick assessment of the state of your data: "open your data.dd file and let the tool scan and process it." – aqf Jul 04 '23 at 22:42
-
Carving should be regarded as a last hope if all other options are exhausted. Often we can recover the complete folder/file tree. This is what I mean. PhotoRec is an excellent carver but not something I'd try first. – Joep van Steen Jul 04 '23 at 22:43
-
Yeah, I *know* what dd is. And although forensics and data recovery have overlaps, there's far better tools for *data recovery*. You bring up carving, not me. Like I said, I don't know Autopsy and neither do I know any data recovery specialist (and I know a few dozen of those) that uses it. – Joep van Steen Jul 04 '23 at 23:55
-
Forget about carving, it is not needed. All that is needed is to do Steps 1-2 above. If the filesystem is readable and registers in Autopsy, the data can be extracted easily through a file tree view of the filesystem by right-clicking, selecting extract and choosing a location. Pretty simple in my opinion and no carving required. https://www.section.io/engineering-education/how-to-recover-data-from-digital-storage-media-using-autopsy/ – aqf Jul 05 '23 at 03:11
-
Okay. Downloaded + installed. My advice is to steer away from Autopsy for data recovery. I am telling you as someone who does data recovery every day. Overly large, complex and missing the point of too many points. End of discussion as far as I am concerned. – Joep van Steen Jul 05 '23 at 09:27
-
I would love to know what limitations of Autopsy you are referring to. While I'm sure your experience is great, I have used The Sleuth Kit (TSK) to write engines that extract all artifacts in all supported filesystems of a national DF lab. Autopsy is the GUI for TSK. Please provide a reference. – aqf Jul 05 '23 at 13:20