Recovery after potential crime

Using TestDisk to undelete files
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Post Reply
Message
Author
tomz
Posts: 1
Joined: 04 Aug 2018, 08:36

Recovery after potential crime

#1 Post by tomz » 04 Aug 2018, 08:44

Greetings Testdisk-Community,

A friend of mine came to me yesterday evening with one of two backup-hdds of a stolen NAS-System.
The guy who (they think) did this, also deleted the backup files on (at least) this backup storage.

As a first action, I mounted the drive into an ubuntu 18.04 VM read only and tried a quick search with no results.
The deep search is still running, but I don't quiet understand the output.

What did he do with the drive? Is it just deleted or really "safely" overwritten?

This HDD should be ext4 as formated by the Synology system's app "Hyper Backup".

Is there anything else I can do before we hand this over to officials, or a very costly data recovery company?

Code: Select all

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk /dev/sdb - 2000 GB / 1862 GiB - CHS 243197 255 63
Analyse cylinder 84896/243196: 34%


  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]
  MS Data                      254 3906959797 3906959544 [1.42.6-23739]
  MS Data                      256 3906959799 3906959544 [1.42.6-23739]

Sponsored links

User avatar
cgrenier
Site Admin
Posts: 4510
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recovery after potential crime

#2 Post by cgrenier » 05 Aug 2018, 13:08

You should really avoid to modify anything if this disk will be use in an investigation.
Try to list the files from the 2 listed partitions and if needed, you can copy some files.

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests