Photorec - erased files search after nwipe run

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
pinotto
Posts: 6
Joined: 20 Sep 2014, 20:57

Photorec - erased files search after nwipe run

#1 Post by pinotto »

I have some old hard disks to be scrapped. Because they contains confidential up to top secret data, I did run nwipe with the method DoD 5220.22-M. After that I checked, whether all the data have been erased.
Testdisk did not find any data.
Photorec did find a lot of files, but very strange: on the basis of both the file names and their date listed , they could not be on the erased hard disk, because they are created and/or modified long time after I put off the hard disk from PC. Rather it is possible, they could belong to another current active drive.
Is it regular, that Photorec runs in this way?


OS: openSUSE Leap 15.1
Nwipe, vers. 0.22
Testdisk, vers. 7.0
Photorec, vers. 7.0

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Photorec - erased files search after nwipe run

#2 Post by recuperation »

pinotto wrote: 16 Apr 2020, 19:36 I have some old hard disks to be scrapped. Because they contains confidential up to top secret data, I did run nwipe with the method DoD 5220.22-M. After that I checked, whether all the data have been erased.
Testdisk did not find any data.
Photorec did find a lot of files, but very strange: on the basis of both the file names and their date listed , they could not be on the erased hard disk, because they are created and/or modified long time after I put off the hard disk from PC. Rather it is possible, they could belong to another current active drive.
Is it regular, that Photorec runs in this way?
Absolutely. Photorec uncovers everything. But without any documenting screenshots of your top secret data - how should one help you? :mrgreen:
Physical destruction is by far the best wiping method, especially for Majestic-12 secrets, you know.
Nwipe has been developed by the NSA to facilitate recovery. Now you now the dirty secret!

If you already checked whether all data has been erased how could Photorec then find anything? :?:
If you pretend having deleted drive A and let Photorec run on drive B there is a good chance of finding anything.

You really did not document the key issues, but anyway this forum is about using Testdisk and Photorec for data recovery.

pinotto
Posts: 6
Joined: 20 Sep 2014, 20:57

Re: Photorec - erased files search after nwipe run

#3 Post by pinotto »

Hi recuparation,

thank you for the replay!

First of all one precision: I did run photorec, only to check if nwipe really destroyed all the data on the drive. I did not want to recover them.
And as I saw, Photorec lists files, that are never been on the erased disk, I thought, it would be better to give this information in the forum.

I am agree with all, what you have written, but I am a little confused about this:
I asked:
Is it regular, that Photorec runs in this way?
And you answered:
Absolutely. Photorec uncovers everything.
Now I think: almost files, which are not on the selected hard drive?

Anyway, you are all right: without documenting screenshots it is difficult to give accurate answers!
So, here they are:

Screenshot 1: the highlighted row shows the hard drive to be checked: /dev/sdc - it was already "erased" by nwipe
Screenshot_20200418_090315.png
Screenshot_20200418_090315.png (45.11 KiB) Viewed 2977 times

Screenshot 2: Photorec does not find any partition on the disk: that's ok!
Screenshot_20200418_090424.png
Screenshot_20200418_090424.png (27.07 KiB) Viewed 2977 times

Screenshot 3: At first I let it search in possible existent ext-partitions. Here the result listed.
Screenshot_20200418_091655_ext_parts.png
Screenshot_20200418_091655_ext_parts.png (93.69 KiB) Viewed 2977 times
Not very probable but almost possible, that directories and files modified bevore 2019 are on the searched drive.
The others surely NOT! This drive was no more attached at a PC in the last 2 years!!

I suppose instead these files belong to the the drive mounted as /dev/sda. I did not checked it.
BTW: you'll get exactly the same result, if you let search in other kind of partitions (FAT, etc.)

Thanks again for your suggestion to destroy physically the drives !!!
Bye

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Photorec - erased files search after nwipe run

#4 Post by recuperation »

The rest is in German language as the user is obviously speaking German according to the screenshots.
He simply confused the dialogue to select the location to store rescued files with the rescued files themselves.
It's another good example of the effects of lack of documentation on the user side. :(

Nein, das ist nicht das Ergebnis der Arbeit von Photorec. Das ist der Dialog zur Auswahl eines Speicherorts!
Da steht doch in der dritten Bildschirmzeile: "Please select a destination..."

So wird das nichts mit der Arbeit als Hobbyforensiker. :)

Für alle anderen Mitleser:
Wer seine Probleme mies dokumentiert, hat kaum Rettungschancen.
Bitte alles mundgerecht servieren und vielleicht mal einen Freund drüber gucken lassen!
Wieso sollte ich mir die Mühe machen und alle nötigen Infos mit zwanzig Fragen scheibchenweise abfragen?

pinotto
Posts: 6
Joined: 20 Sep 2014, 20:57

Re: Photorec - erased files search after nwipe run

#5 Post by pinotto »

recuperation wrote:
The rest is in German language as the user is obviously speaking German according to the screenshots.
He simply confused the dialogue to select the location to store rescued files with the rescued files themselves.
It's another good example of the effects of lack of documentation on the user side. :(

Nein, das ist nicht das Ergebnis der Arbeit von Photorec. Das ist der Dialog zur Auswahl eines Speicherorts!
Da steht doch in der dritten Bildschirmzeile: "Please select a destination..."
quite correct ...
I was very stupid, not to read the text above the choice options !!

Now Photorec is scanning another erased hard disk.

Locked