Testing for recoverable data only

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
grognar
Posts: 3
Joined: 13 Sep 2022, 18:02

Testing for recoverable data only

#1 Post by grognar »

Hello!

I am interested in testing drives to know if there is recoverable data left on the drive (after a wipe) without actually recovering the data.

I want to report on the effectiveness of the data wipe without knowing what the data is if recoverable data is found, is this a mode that TestDisk/PhotoRec can work in?

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Testing for recoverable data only

#2 Post by recuperation »

No. The recovery results are best guesses and even if Photorec extracts a jpeg file there is no guarantee that its content is readable.
Your intent appears strange. Your approach does not work. Erasing the disk is the solution and erasing the disk does not necessarily mean zeroing the drive.

grognar
Posts: 3
Joined: 13 Sep 2022, 18:02

Re: Testing for recoverable data only

#3 Post by grognar »

Ok, so a little more info might help,

I am being asked to verify the that a wipe program is wiping drives beyond the point of recovering data.

I must use a 3rd party program to verify the drive (the program cannot be the same program that was used to wipe) and the program I use to verify must be a data recovery software designed to scan for and recover lost files.

That last bit, designed to scan for and recover lost files, that is how I found myself looking into photorec as a possible solution.

Now I am trying to reduce the amount of system resource usage while running TestDisk/Photorec.

It occurs to me that I do not need any data to actually be recovered. I can accomplish my mission with only knowing: Was there recoverable data? (Yes/No)

I have run TestDisk on a wiped drive, and after an initial short search, and finding nothing, it goes into a deep search mode. This might be what I am looking for, as TestDisk doesn't actually recover anything.

Is that "Deep Search" in TestDisk looking for recoverable files?

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Testing for recoverable data only

#4 Post by recuperation »

Define your wiping process, please.

It might have been a good idea to read the manual first to avoid starting the apple finder when you are really looking for bananas, especially in situations of professional applications. :roll:

grognar
Posts: 3
Joined: 13 Sep 2022, 18:02

Re: Testing for recoverable data only

#5 Post by grognar »

We use KillDisk for wiping with settings set to NIST 800-88 3-pass wipe

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Testing for recoverable data only

#6 Post by recuperation »

https://www.killdisk.com/notes.htm

If your disk is filled with random data and you use Photodisk afterwards you might get false positives.
The question is how to deal with the false positives then.

If you added a run which is zeroing the drive Photorec should not recover anything.
You would need to try that out: Wipe a disk, run Photorec against and tell the forum about the disk size and the recovery outcome. Thanks!

Running Photorec on a zeroed disk is a better method as zeros don't fit to any fingerprint.

Locked