Someone asked me to recover data from a laptop computer (Sony Vaio), after a Windows reinstall (Windows 8) through the startup recovery procedure.
Prior to that, the computer was malfunctioning: it was stuck on startup, at the login screen, and never reached the desktop, even after a whole day. The owner asked her father to fix it, which he did by using the factory restore procedure, since the computer was completely unresponsive. She had not told him that she had personal files on it which were not backed up.
Usually, in such a case, most of the former data can still be retrieved. I scanned the whole drive with R-Studio, then Photorec, but both reputable data recovery programs found absolutely nothing beyond the current Windows install and the associated software, not a single trace of the personal pictures that she had stored on it, for instance (the only pictures found are stock pictures from Windows or the installed software).
Then I opened the drive with WinHex, to see if it had been completely wiped by a “low level” format: but, second surprise, the main partition was far from empty and appeared full of seemingly random data. (So random in fact that it is not compressible at all: as a test, I extracted three chunks of 1048576 bytes (1MB) and compressed them with WinRAR and 7Zip; the resulting compressed files had exactly the same sizes, depending on the compressor used, and were slightly larger than the source, 1048844 for the 7Z files, 1048816 for the RAR files – whereas even JPEG or MP3 files, for instance, can be slightly compressed, by 1-2% on average, despite being already highly compressed.) There's more than 400GB of it; there's not a single sector in “free space” which appears empty, or with any recognizable pattern. This is really puzzling.
So what can it be? Some kind of drive encryption? Some kind of virus, maybe a ransomware attack? The owner uses computers on a basic level, and doesn't remember ever setting up an encryption of any kind. Could the computer have been sold with an encryption system already activated? Could a security software (a McAfee product is installed as part of the basic install) have implemented it by asking the user a vague question like “do you want to protect your files”, eliciting a clueless “yes”? If it was a ransomware attack, a “gotcha!” screen would have appeared at some point, at the end of the encryption process, right? Does that sound like a known issue? Is what I'm observing (a continuous stream of completely random data) consistent with what encryption normally looks like? Do ransomware attacks encrypt individual files, or can some of them encrypt a whole partition? Are there some tests that I could do at this point to determine if this is actually an encryption, and what type thereof? Is there any chance of recovering anything at this point?
I asked about that weird issue on HDDGuru, but didn't receive much in terms of useful insights:
http://forum.hddguru.com/viewtopic.php?f=1&t=36574
(That particular issue is addressed starting from the 9th post; the earlier posts are not relevant – at first I had doubts that the drive itself could be faulty, but it's perfectly fine.)
Thanks.
EDIT: Here's a screenshot of R-Studio showing the partitioning scheme of a complete image from that computer's 500GB HDD.
So there's only one user partition, the 438GB one; the others are reserved system or recovery partitions. Only the 438GB one is full of seemingly random or encrypted data. The 301MB and 38GB partitions are not displayed by WinHex.
Here's a screenshot of WinHex showing random bytes instead of free space.
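One way to put numbers on the “seemingly random” observation, as an added example that is not part of the original post and not code from R-Studio, Photorec or WinHex: walk a raw image block by block and record, for each block, the Shannon entropy of its bytes, the chi-square of its byte histogram against a uniform distribution, and its DEFLATE compression ratio (the same idea as the WinRAR/7-Zip test above). Encrypted or randomly overwritten data scores near 8 bits per byte, near 255 on chi-square, and a ratio slightly above 1.0; zero-fill, text and ordinary file-system structures do not. The function names, the thresholds and the sample blocks are my own assumptions, and the sample image is constructed in-line so the script runs offline.

```python
import io
import math
import random
import zlib
from collections import Counter

BLOCK_SIZE = 1024 * 1024  # 1 MiB, the chunk size used in the compression test above

# Thresholds are assumptions chosen for blocks of 64 KiB and up; tune them per image.
ENTROPY_RANDOM = 7.99   # bits per byte; uniform random data sits at ~7.997-8.000
CHI2_RANDOM = 350.0     # chi-square, 255 degrees of freedom: mean 255, sd ~22.6
RATIO_RANDOM = 0.99     # compressed/original; DEFLATE cannot shrink random data


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for uniform bytes."""
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def chi_square(block: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.
    Encrypted or truly random data scores near 255; text, images and zero-fill
    score orders of magnitude higher."""
    expected = len(block) / 256
    counts = Counter(block)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def compression_ratio(block: bytes) -> float:
    """Compressed size over original size with DEFLATE level 9.  Random data
    comes out slightly larger than the input, as with WinRAR and 7-Zip above."""
    return len(zlib.compress(block, 9)) / len(block)


def classify_block(block: bytes) -> str:
    """Label a block 'random' (encrypted or overwritten with random data),
    'blank' (zero- or constant-fill) or 'structured' (ordinary file-system data)."""
    ent = shannon_entropy(block)
    if ent < 0.5:
        return "blank"
    if (ent >= ENTROPY_RANDOM and chi_square(block) <= CHI2_RANDOM
            and compression_ratio(block) >= RATIO_RANDOM):
        return "random"
    return "structured"


def scan_stream(stream, block_size: int = BLOCK_SIZE):
    """Yield (offset, label, entropy) for each full block read from a raw image
    or block device opened in binary mode; a trailing partial block is ignored."""
    offset = 0
    while True:
        block = stream.read(block_size)
        if len(block) < block_size:
            return
        yield offset, classify_block(block), shannon_entropy(block)
        offset += block_size


def summarize(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Count labels over an in-memory image; handy for tests and small samples."""
    labels = Counter(label for _, label, _ in scan_stream(io.BytesIO(data), block_size))
    return dict(labels)


def sample_image(block_size: int = 65536) -> bytes:
    """Constructed sample: a seeded pseudo-random block (stands in for encrypted
    data), a zero-filled block, and a block of repeated ASCII text."""
    rng = random.Random(1234)
    random_block = bytes(rng.getrandbits(8) for _ in range(block_size))
    blank_block = b"\x00" * block_size
    text = b"The quick brown fox jumps over the lazy dog. "
    text_block = (text * (block_size // len(text) + 1))[:block_size]
    return random_block + blank_block + text_block


if __name__ == "__main__":
    # Runs over the constructed sample.  For a real image, pass
    # open("image.dd", "rb") to scan_stream instead ("image.dd" is a placeholder).
    for offset, label, ent in scan_stream(io.BytesIO(sample_image()), 65536):
        print(f"offset {offset:>10}: {label:<10} entropy={ent:.4f}")
```

Run against the 438GB partition image, a long unbroken run of “random” blocks from the end of the restored system area to the end of the partition is what whole-volume encryption or a random-pattern wipe looks like; file-level ransomware, by contrast, leaves the free space, directory structures and any untouched file types as “structured” or “blank” blocks between the encrypted ones, and a plain quick format leaves the old file contents in place.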
@DavidPostill Wait, why was it marked as “duplicate” ? The linked question only contains very general guidelines for different scenarios of data recovery, nothing relevant to that particular case... Please read beyond the second paragraph. – GabrielB – 2018-04-01T20:36:10.230
If it is not a duplicate then it is too broad. – DavidPostill – 2018-04-01T20:37:27.707
@DavidPostill What do you mean, too broad? I asked a series of specific questions, added a link to a thread on another forum, I'm trying to diagnose what went wrong with this drive, I don't have more information than what I provided. What could possibly encrypt a whole partition unbeknownst to the user? And is there a way to determine what these 400+ GB of random data are, now that about 30GB at the beginning have been overwritten by the system restore? Of course now that it is marked as “duplicate” (which it is not) no one will bother trying to investigate the issue, thank you... – GabrielB – 2018-04-02T05:54:39.680
I've reopened it. Good luck with your question. – DavidPostill – 2018-04-02T06:35:10.100