200+GB XML File

Using PhotoRec to recover lost data
LiquidRory
Posts: 1
Joined: 01 Oct 2022, 18:45

200+GB XML File

#1 Post by LiquidRory »

Hi,

I started using PhotoRec over a decade ago, but this is one of the first times I've run it on a modern NVMe SSD.

The device in question was mistakenly reinstalled by a repair shop asked to remove a "virus" by the device owner. Given that the device is a budget laptop, I do not think BitLocker was in place.

I asked PhotoRec to recover any files in the NTFS free space. When PhotoRec stopped finding files shortly after starting, I thought maybe TRIM was used on the whole disk during installation or something similar. But when it was finished, I noticed that there was a 200+GB .xml file, from a 256GB SSD. Additionally, the only files PhotoRec found looked like "Windows files" (no personal documents, photos, etc.). Obviously, I see the 200GB "XML" file (which *does* seem to begin with valid XML data), and I think there's probably some recoverable data inside, if we can just... ignore the XML file after x bytes.

PhotoRec was run again, but after toggling XML files off in file options. I believe I've found a bug in PhotoRec, because it still dutifully wrote out the large XML files. Clearing *all* file extensions and only selecting some document and photo/video formats, however, did skip the XML file, but didn't find any additional documents.

Right now, I'm running PhotoRec again, on a "mounted" block device representing the XML file, on recovery media.

My questions are: 1) Is there anything to my idea that TRIM or some other "wipe" command may have been issued to the SSD during Windows installation, automatically rendering my efforts worthless? 2) Is there anything I can do better to extract any useful information from this 200+GB "XML" file?

Thanks in advance!

recuperation
Posts: 2721
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: 200+GB XML File

#2 Post by recuperation »

LiquidRory wrote: 01 Oct 2022, 18:59

Hi,

I started using PhotoRec over a decade ago, but this is one of the first times I've run it on a modern NVMe SSD.

The device in question was mistakenly reinstalled by a repair shop asked to remove a "virus" by the device owner. Given that the device is a budget laptop, I do not think BitLocker was in place.

I asked PhotoRec to recover any files in the NTFS free space. When PhotoRec stopped finding files shortly after starting, I thought maybe TRIM was used on the whole disk during installation or something similar. But when it was finished, I noticed that there was a 200+GB .xml file, from a 256GB SSD. Additionally, the only files PhotoRec found looked like "Windows files" (no personal documents, photos, etc.). Obviously, I see the 200GB "XML" file (which *does* seem to begin with valid XML data), and I think there's probably some recoverable data inside, if we can just... ignore the XML file after x bytes.

PhotoRec was run again, but after toggling XML files off in file options. I believe I've found a bug in PhotoRec, because it still dutifully wrote out the large XML files. Clearing *all* file extensions and only selecting some document and photo/video formats, however, did skip the XML file, but didn't find any additional documents.

Right now, I'm running PhotoRec again, on a "mounted" block device representing the XML file, on recovery media.

My questions are: 1) Is there anything to my idea that TRIM or some other "wipe" command may have been issued to the SSD during Windows installation, automatically rendering my efforts worthless?
That could well be. But you would need to ask the shop how they reinstalled the operating system. If the device owner suspects a virus being on his disk, I would have expected the shop to completely zero the disk, even when a simple installation on existing partitions would have destroyed the ability for the virus to be executed.

2) Is there anything I can do better to extract any useful information from this 200+GB "XML" file?
You could examine the device with a hex editor but please do not expect me to interpret anything.
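Both questions in this thread, whether the SSD was trimmed or zero-filled before the reinstall and how to get anything useful out of a 200+GB blob carved as .xml, come down to surveying the blob before opening it in a hex editor. The Python script below is an added example, not PhotoRec code and not something posted in the thread. It reads the file once, classifies each window as all-zero (what a trimmed or wiped SSD region typically reads back as, though drives differ), mostly printable text, or binary, reports the Shannon entropy of each, and records the offsets of a handful of well-known file signatures so that a real file buried in the blob can be cut out from that offset and examined separately. The window size, the signature table, and the small sample blob it builds for a self-test are the example's own assumptions.

```python
"""Survey a large carved blob (constructed example, not part of PhotoRec).
Reports where leading text ends, which regions are all-zero, the entropy of
each window, and the offsets of well-known file signatures inside the blob."""
import io
import math
import sys
from collections import Counter

WINDOW = 1024 * 1024  # 1 MiB scan window (assumed default; tune for speed)

# Leading bytes of common user-document formats; used only to report offsets.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx/pptx",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2/doc/xls",
}
OVERLAP = max(len(m) for m in SIGNATURES) - 1  # a magic straddling two windows stays visible

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """'zero' for an all-zero window, 'text' when over 95% printable ASCII, else 'binary'."""
    if data.count(0) == len(data):
        return "zero"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(data) > 0.95 else "binary"

def find_signatures(buf: bytes, base: int, skip_before: int):
    """(absolute_offset, name) for each magic in buf. A hit lying entirely inside
    the first skip_before bytes was already reported from the previous window."""
    hits = []
    for magic, name in SIGNATURES.items():
        i = buf.find(magic)
        while i >= 0:
            if i + len(magic) > skip_before:
                hits.append((base + i, name))
            i = buf.find(magic, i + 1)
    return hits

def survey(source, window: int = WINDOW):
    """source is a path or an open binary file. One sequential pass; returns
    ([(offset, length, class, entropy)], [(offset, signature_name)])."""
    regions, sigs, tail, offset = [], [], b"", 0
    f = open(source, "rb") if isinstance(source, str) else source
    try:
        while True:
            data = f.read(window)
            if not data:
                break
            regions.append((offset, len(data), classify(data), shannon_entropy(data)))
            # Prepend the tail of the previous window so a straddling magic is found.
            sigs.extend(find_signatures(tail + data, offset - len(tail), len(tail)))
            tail = data[-OVERLAP:]
            offset += len(data)
    finally:
        if f is not source:
            f.close()
    return regions, sorted(sigs)

def survey_bytes(data: bytes, window: int = WINDOW):
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return survey(io.BytesIO(data), window)

def runs(regions):
    """Coalesce consecutive windows of one class into (start, length, class)."""
    out = []
    for offset, length, kind, _ in regions:
        if out and out[-1][2] == kind:
            out[-1] = (out[-1][0], out[-1][1] + length, kind)
        else:
            out.append((offset, length, kind))
    return out

def build_sample(window: int = 4096) -> bytes:
    """Constructed test blob: 3 windows of XML, 2 of zeros, 2 of high-entropy bytes
    carrying a JPEG magic at +100 and a PNG magic straddling the last window edge."""
    xml = (b'<?xml version="1.0"?>\n<root>\n' + b"<item>abc</item>\n" * 1000)[: 3 * window]
    zeros = b"\x00" * (2 * window)
    binary = bytearray(bytes(range(256)) * (2 * window // 256))
    binary[100:103] = b"\xff\xd8\xff"
    binary[window - 3 : window + 5] = b"\x89PNG\r\n\x1a\n"
    return xml + zeros + bytes(binary)

def main() -> None:
    path = sys.argv[1] if len(sys.argv) > 1 else sys.exit("usage: blob_survey.py FILE")
    regions, sigs = survey(path)
    for start, length, kind in runs(regions):
        print(f"offset {start:>15}  length {length:>15}  {kind}")
    for off, name in sigs:
        print(f"signature {name:<20} at offset {off}")

if __name__ == "__main__":
    main()
```

Run as `python3 blob_survey.py recovered.xml` (an assumed script name). A long run of `zero` windows after the XML text is consistent with the TRIM or zero-fill scenario raised in the question, while a `binary` run with a high entropy and no signature hits is more likely compressed or encrypted data; a signature hit gives the offset to cut from with a tool such as dd before handing the fragment to a viewer.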
