200+GB XML File
Posted: 01 Oct 2022, 18:59
Hi,
I started using PhotoRec over a decade ago, but this is one of the first times I've run it on a modern NVMe SSD.
The device in question was mistakenly reinstalled by a repair shop asked to remove a "virus" by the device owner. Given that the device is a budget laptop, I do not think BitLocker was in place.
I asked PhotoRec to recover any files in the NTFS free space. When PhotoRec stopped finding files shortly after starting, I thought maybe TRIM was used on the whole disk during installation or something similar. But when it was finished, I noticed that there was a 200+GB .xml file, from a 256GB SSD. Additionally, the only files PhotoRec found looked like "Windows files" (no personal documents, photos, etc.). Obviously, I see the 200GB "XML" file (which *does* seem to begin with valid XML data), and I think there's probably some recoverable data inside, if we can just... ignore the XML file after x bytes.
PhotoRec was run again, but after toggling XML files off in file options. I believe I've found a bug in PhotoRec, because it still dutifully wrote out the large XML files. Clearing *all* file extensions and only selecting some document and photo/video formats, however, did skip the XML file, but didn't find any additional documents.
Right now, I'm running PhotoRec again, on a "mounted" block device representing the XML file, on recovery media.
My questions are: 1) Is there anything to my idea that TRIM or some other "wipe" command may have been issued to the SSD during Windows installation, automatically rendering my efforts worthless? 2) Is there anything I can do better to extract any useful information from this 200+GB "XML" file?
Thanks in advance!
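An added example, not part of the original post and not PhotoRec code: one way to check the TRIM question is to map which regions of the carved file (or of the raw device) are entirely zero-filled and which still hold data. It assumes that trimmed ranges read back as zeros, which depends on the drive, and uses a 4096-byte scan block; the function names and the sample image are constructed for illustration.

```python
import io

BLOCK_SIZE = 4096  # assumed scan granularity, not taken from the post


def scan_runs(stream, block_size=BLOCK_SIZE):
    """Read the stream block by block and merge neighbours into runs.

    Returns a list of [offset, length, is_zero] entries, so a 200+GB input
    is never held in memory, only the run list is.
    """
    runs = []
    offset = 0
    while True:
        block = stream.read(block_size)
        if not block:
            break
        is_zero = block.count(0) == len(block)
        if runs and runs[-1][2] == is_zero:
            runs[-1][1] += len(block)  # extend the current run
        else:
            runs.append([offset, len(block), is_zero])
        offset += len(block)
    return runs


def summarize(runs):
    """Totals plus the (offset, length) of every run that still holds data."""
    total = sum(length for _, length, _ in runs)
    zero = sum(length for _, length, is_zero in runs if is_zero)
    return {
        "total": total,
        "zero": zero,
        "zero_fraction": zero / total if total else 0.0,
        "data_runs": [(off, length) for off, length, is_zero in runs if not is_zero],
    }


def scan_bytes(data, block_size=BLOCK_SIZE):
    return summarize(scan_runs(io.BytesIO(data), block_size))


# Constructed sample: an XML header block, zeros, a JPEG-like block, zeros.
SAMPLE = (b'<?xml version="1.0"?><a/>'.ljust(4096, b" ") + bytes(4096 * 3)
          + b"\xff\xd8\xff\xe0".ljust(4096, b"\x01") + bytes(4096 * 2))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to the carved file or an image of the device
        with open(sys.argv[1], "rb") as fh:
            print(summarize(scan_runs(fh)))
    else:
        print(scan_bytes(SAMPLE))
```

A zero fraction near 1.0 after the initial XML data is consistent with the free space having been trimmed; any remaining data runs give the offsets worth carving separately.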