Post by Paul Post by philo
A friend gave me their Windows 10 hard drive so I could try a data recovery.
I have gparted and gpart installed and it sees the data partition as NTFS
When I attempt to recover the data, it simply says : No file system
I did a file system check and all is OK
How the heck can I get it to work...or is there a better GUI based
file recovery app for Linux
In Windows, use HxD and your "calibrated eyeball" to suss
what's on there. (You should be working on the disk drive using
Windows 10 for the moment, just in case you succeed in
decrypting it. Hxd works there.)
Select "Run as administrator" when running Hxd. This
gives permission for accessing the disk drive at
sector level. There is a menu item on the right, for
opening disk drives at the sector level.
I'm unaware of any Linux hex editor, worth using for this.
No, doing octal dumps is not a substitute :-/
If you're good at maths, you can work out the offset,
and use the Goto to go directly to the correct
address. If an NTFS file system is there, the very
first sector has binary looking stuff, but there
is a text string part way down "NTFS" to assure
you you're on the money.
If the first sector (by math) is scrambled and NTFS
is not present, then the other posters suggestion
of BitLocker is a good possibility.
The Windows 10 Bitlocker is slightly different
than the Windows 7 Bitlocker. The W7 one uses
the Elephant Diffuser, which in crypto, is a way
to put more entropy into smearing the data around.
The feds probably had too much trouble cracking that,
so the Windows 10 version has Elephant Diffuser removed.
Another thing, is that the Windows 10 version will
defer to hardware encryption if available. If the
drive supports full disk encryption, instead of using
Bitlocker, it uses the hardware feature instead.
Don't ask me what happens with the Bitlocker recovery
floppy in that situation, as hardware FDE does not
rely on key discs, but relies on a password
instead. I presume the password can be really really
long, and could be a Bitlocker inspired kind of
passphrase (salted/scrambled etc). The Bitlocker
disc/key might still be required in such a situation.
Even though the drive does the encrypting.
What I don't know, is whether hardware FDE supports
sector ranges. So only one partition can be
encrypted at a time. FDE implies the whole disk,
and that makes it "unmanageable" for Microsoft
(nothing to boot from). Microsoft could only use it,
if it supports sector ranges.