
Recovery after potential crime

Posted: 04 Aug 2018, 08:44
by tomz
Greetings Testdisk-Community,

A friend of mine came to me yesterday evening with one of two backup-hdds of a stolen NAS-System.
The guy who (they think) did this also deleted the backup files on (at least) this backup storage.

As a first action, I mounted the drive into an Ubuntu 18.04 VM read-only and tried a quick search with no results.
The deep search is still running, but I don't quite understand the output.

What did he do with the drive? Is it just deleted or really "safely" overwritten?

This HDD should be ext4 as formatted by the Synology system's app "Hyper Backup".

Is there anything else I can do before we hand this over to officials, or a very costly data recovery company?

Code:

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sdb - 2000 GB / 1862 GiB - CHS 243197 255 63
Analyse cylinder 84896/243196: 34%


  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]

Re: Recovery after potential crime

Posted: 05 Aug 2018, 13:08
by cgrenier
You should really avoid modifying anything if this disk will be used in an investigation.
Try to list the files from the 2 listed partitions and if needed, you can copy some files.
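
An added example, not part of the original thread and not TestDisk code: a read-only check of the two candidate start sectors from the listing above (254 and 256) for an ext4 primary superblock, meant to be run against an image or copy rather than the evidence disk. The in-memory image, its sizes, and the placement of the filesystem at sector 256 are constructed for the demonstration, and treating the bracketed text in the listing as the volume label is an assumption.

```python
import io
import struct

SECTOR = 512
SB_OFFSET = 1024    # primary superblock starts 1024 bytes into the filesystem
EXT_MAGIC = 0xEF53  # s_magic: little-endian u16 at superblock offset 56

def probe(img, start_sector):
    """Return superblock facts for a candidate start sector, or None if no ext magic."""
    img.seek(start_sector * SECTOR + SB_OFFSET)
    sb = img.read(1024)
    if len(sb) < 136 or struct.unpack_from("<H", sb, 56)[0] != EXT_MAGIC:
        return None
    blocks_lo, = struct.unpack_from("<I", sb, 4)   # s_blocks_count_lo
    free_lo, = struct.unpack_from("<I", sb, 12)    # s_free_blocks_count_lo
    log_bs, = struct.unpack_from("<I", sb, 24)     # s_log_block_size
    block_size = 1024 << log_bs
    # Low 32 bits only: enough for volumes under 16 TiB with 4 KiB blocks.
    return {
        "label": sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace"),
        "block_size": block_size,
        "size_sectors": blocks_lo * block_size // SECTOR,
        "free_blocks": free_lo,
    }

def constructed_image(start_sector=256, blocks=16, log_bs=2, free=10):
    """Build a tiny in-memory image (constructed sample, not data from the thread)."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, blocks)
    struct.pack_into("<I", sb, 12, free)
    struct.pack_into("<I", sb, 24, log_bs)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    sb[120:132] = b"1.42.6-23739"  # label string as shown in the TestDisk output
    img = bytearray(start_sector * SECTOR + blocks * (1024 << log_bs))
    off = start_sector * SECTOR + SB_OFFSET
    img[off:off + 1024] = sb
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # For real work, open a copy of the disk in "rb" mode instead (path is up to you).
    img = constructed_image()
    for start in (254, 256):  # candidate start sectors from the TestDisk listing
        print(start, probe(img, start))
```

A valid superblock only shows that the filesystem header at that offset is intact; it says nothing about whether the contents of deleted files were overwritten.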