Recovery after potential crime

#1 Post by tomz

Greetings Testdisk-Community,

A friend of mine came to me yesterday evening with one of two backup-hdds of a stolen NAS-System.
The guy who (they think) did this, also deleted the backup files on (at least) this backup storage.

As a first action, I mounted the drive into an Ubuntu 18.04 VM read-only and tried a quick search with no results.
The deep search is still running, but I don't quite understand the output.

What did he do with the drive? Is it just deleted or really "safely" overwritten?

This HDD should be ext4 as formatted by the Synology system's app "Hyper Backup".

Is there anything else I can do before we hand this over to officials, or a very costly data recovery company?

Code:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sdb - 2000 GB / 1862 GiB - CHS 243197 255 63
Analyse cylinder 84896/243196: 34%


  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]


#2 Post by cgrenier

You should really avoid modifying anything if this disk will be used in an investigation.
Try to list the files from the 2 listed partitions and if needed, you can copy some files.
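
An added example, not part of either post and not TestDisk code: a small parser that collapses the repeated deep-search lines above into the two distinct candidates the reply refers to. It assumes the three numbers are start sector, end sector and size in sectors (the posted values satisfy end - start + 1 = size) and that sectors are 512 bytes; the function and field names are hypothetical.

```python
import re
from collections import Counter

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

# Constructed sample built from lines quoted in the post above.
SAMPLE = """\
Disk /dev/sdb - 2000 GB / 1862 GiB - CHS 243197 255 63
Analyse cylinder 84896/243196: 34%
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
"""

# type, start, end, size, optional [label]
LINE_RE = re.compile(
    r"^\s*(?P<type>\S.*?)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+(?P<size>\d+)"
    r"(?:\s+\[(?P<label>[^\]]*)\])?\s*$"
)

def distinct_candidates(text, sector_size=SECTOR_SIZE):
    """Return the unique candidate partitions, sorted by start sector."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        start, end, size = int(m["start"]), int(m["end"]), int(m["size"])
        # Keep only rows whose geometry is self-consistent; this also
        # rejects the "Disk ... CHS 243197 255 63" header line.
        if end - start + 1 != size:
            continue
        counts[(m["type"], start, end, size, m["label"])] += 1
    return [
        {"type": t, "start": s, "end": e, "sectors": n, "label": lab,
         "hits": c, "offset_bytes": s * sector_size,
         "size_bytes": n * sector_size}
        for (t, s, e, n, lab), c in sorted(counts.items(),
                                           key=lambda kv: kv[0][1])
    ]

if __name__ == "__main__":
    for cand in distinct_candidates(SAMPLE):
        print("{type} [{label}] start={start} end={end} "
              "offset={offset_bytes} B size={size_bytes} B "
              "seen {hits}x".format(**cand))
```

The two candidates are the same size and differ only by a two-sector shift in their start, and `offset_bytes` is the position at which each one would begin inside a disk image.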
