Hi,
I started using PhotoRec over a decade ago, but this is one of the first times I've run it on a modern NVMe SSD.
The device in question was mistakenly reinstalled by a repair shop asked to remove a "virus" by the device owner. Given that the device is a budget laptop, I do not think BitLocker was in place.
I asked Photorec to recover any files in the NTFS free space. When Photorec stopped finding files shortly after starting, I thought maybe TRIM was used on the whole disk during installation or something similar. But when it was finished, I noticed that there was a 200+GB .xml file, from a 256GB SSD. Additionally, the only files Photorec found looked like "Windows files" (no personal documents, photos, etc.). Obviously, I see the 200GB "XML" file (which *does* seem to begin with valid XML data), and I think there's probably some recoverable data inside, if we can just... ignore the XML file after x bytes.
Photorec was run again, but after toggling XML files off in file options. I believe I've found a bug in Photorec, because it still dutifully wrote out the large XML files. Clearing *all* file extensions and only selecting some document and photo/video formats, however, did skip the XML file, but didn't find any additional documents.
Right now, I'm running Photorec again, on a "mounted" block device representing the XML file, on recovery media.
My questions are: 1) Is there anything to my idea that TRIM or some other "wipe" command may have been issued to the SSD during Windows installation, automatically rendering my efforts worthless? 2) Is there anything I can do better to extract any useful information from this 200+GB "XML" file?
Thanks in advance!
200+GB XML File
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
- Posts: 2735
- Joined: 04 Jan 2019, 09:48
- Location: Hannover, Deutschland (Germany, Allemagne)
Re: 200+GB XML File
That could well be. But you would need to ask the shop how they reinstalled the operating system. If the device owner suspects a virus being on his disk, I would have expected the shop to completely zero the disk, even when a simple installation on existing partitions would have destroyed the ability for the virus to be executed.
LiquidRory wrote: ↑01 Oct 2022, 18:59
Hi,
I started using PhotoRec over a decade ago, but this is one of the first times I've run it on a modern NVMe SSD.
The device in question was mistakenly reinstalled by a repair shop asked to remove a "virus" by the device owner. Given that the device is a budget laptop, I do not think BitLocker was in place.
I asked Photorec to recover any files in the NTFS free space. When Photorec stopped finding files shortly after starting, I thought maybe TRIM was used on the whole disk during installation or something similar. But when it was finished, I noticed that there was a 200+GB .xml file, from a 256GB SSD. Additionally, the only files Photorec found looked like "Windows files" (no personal documents, photos, etc.). Obviously, I see the 200GB "XML" file (which *does* seem to begin with valid XML data), and I think there's probably some recoverable data inside, if we can just... ignore the XML file after x bytes.
Photorec was run again, but after toggling XML files off in file options. I believe I've found a bug in Photorec, because it still dutifully wrote out the large XML files. Clearing *all* file extensions and only selecting some document and photo/video formats, however, did skip the XML file, but didn't find any additional documents.
Right now, I'm running Photorec again, on a "mounted" block device representing the XML file, on recovery media.
My questions are: 1) Is there anything to my idea that TRIM or some other "wipe" command may have been issued to the SSD during Windows installation, automatically rendering my efforts worthless?
You could examine the device with a hex editor but please do not expect me to interpret anything.
2) Is there anything I can do better to extract any useful information from this 200+GB "XML" file?
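The two questions in the thread (was the free space TRIMmed, and is there anything usable past the XML prefix of the 200+GB carved file) can both be answered with a quick pass over the data before spending more time in PhotoRec. The script below is an added example written for this thread; it is not code from the original poster, the replier, or the PhotoRec/TestDisk project. It streams through a carved file or a raw block device in sector-sized blocks and reports (a) the offset at which the leading run of text-like bytes ends, i.e. where the "XML" stops being XML, (b) how many 512-byte blocks are entirely zero, which on SSDs that return zeros for discarded LBAs is what a TRIMmed region reads back as, and (c) sector-aligned offsets where a few well-known file headers (JPEG, PNG, PDF, ZIP/docx) appear. The sample image built by build_sample_image() is constructed for the demonstration; the path argument, the chunk size and the text-prefix heuristic (which assumes UTF-8 XML; UTF-16 XML contains NUL bytes and would end the prefix immediately) are assumptions of this example.

```python
import sys
from typing import BinaryIO, Dict, List, Tuple

SECTOR = 512  # assumed block granularity; PhotoRec also works sector by sector

# Magic prefixes for a few common personal-document formats (real values).
SIGNATURES: Dict[str, bytes] = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
}

# Bytes that can legitimately appear in a UTF-8 XML text stream: tab, LF, CR,
# printable ASCII, and any byte >= 0x80 (UTF-8 lead/continuation bytes).
_TEXT_BYTES = frozenset([9, 10, 13] + list(range(0x20, 0x7F)) + list(range(0x80, 0x100)))


def text_prefix_length(chunk: bytes) -> int:
    """Length of the leading run of text-like bytes; len(chunk) if all text."""
    for i, b in enumerate(chunk):
        if b not in _TEXT_BYTES:
            return i
    return len(chunk)


def analyze_stream(f: BinaryIO, chunk_sectors: int = 2048) -> dict:
    """Stream a file or raw device once and summarise what is in it.

    Returns a dict with:
      xml_prefix   - offset where the leading text run ends (first NUL/control byte)
      zero_blocks  - number of SECTOR-sized blocks that are entirely 0x00
      total_blocks - number of blocks examined
      hits         - list of (offset, type) for known magic on block boundaries
    """
    xml_prefix = None
    zero_blocks = total_blocks = 0
    hits: List[Tuple[int, str]] = []
    offset = 0
    while True:
        chunk = f.read(SECTOR * chunk_sectors)
        if not chunk:
            break
        if xml_prefix is None:
            n = text_prefix_length(chunk)
            if n < len(chunk):
                xml_prefix = offset + n
        for pos in range(0, len(chunk), SECTOR):
            block = chunk[pos:pos + SECTOR]
            total_blocks += 1
            if block.count(0) == len(block):      # all-zero block (TRIM-like)
                zero_blocks += 1
                continue
            for name, magic in SIGNATURES.items():
                if block.startswith(magic):
                    hits.append((offset + pos, name))
                    break
        offset += len(chunk)
    if xml_prefix is None:
        xml_prefix = offset  # the whole input was text-like
    return {"xml_prefix": xml_prefix, "zero_blocks": zero_blocks,
            "total_blocks": total_blocks, "hits": hits}


# Constructed sample "carved file": a short XML document padded to one sector,
# three zeroed sectors, a JPEG header on a sector boundary, then two more
# zeroed sectors.  This is demo data, not bytes from the poster's disk.
XML_PART = b'<?xml version="1.0" encoding="UTF-8"?>\n<root><item>demo</item></root>\n'
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def build_sample_image() -> bytes:
    img = XML_PART.ljust(SECTOR, b"\x00")
    img += b"\x00" * (SECTOR * 3)
    img += JPEG_HEADER.ljust(SECTOR, b"\x00")
    img += b"\x00" * (SECTOR * 2)
    return img


def main(argv: List[str]) -> None:
    """Usage: python3 scan_carved.py /path/to/f0000000.xml  (or a /dev/... node)"""
    import io
    f = open(argv[1], "rb") if len(argv) > 1 else io.BytesIO(build_sample_image())
    with f:
        r = analyze_stream(f)
    pct = 100.0 * r["zero_blocks"] / max(r["total_blocks"], 1)
    print(f"text prefix ends at byte {r['xml_prefix']}")
    print(f"{r['zero_blocks']} of {r['total_blocks']} blocks are all zeros ({pct:.1f}%)")
    for off, kind in r["hits"]:
        print(f"  {kind} header at offset {off}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the carved .xml file (or, from recovery media as root, against the NVMe device node) and read the two numbers together: a text prefix that ends after a few kilobytes followed by a zero-block percentage close to 100% is the picture you would expect if the free space had been discarded, whereas a low zero percentage with signature hits past the prefix means there is carvable data that PhotoRec's XML handling swallowed, and the reported offsets tell you where to point a second carving pass.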