?
Solved

Hidden data in unauthorized partition

Posted on 2012-08-31
15
Medium Priority
?
547 Views
Last Modified: 2016-10-27
I'm working on a laptop with Windows 7. The customer received a message that the 320GB hard drive was almost full. I sold them this laptop 14 months ago & it has not been worked on since. The hard drive is partitioned with Drive C only having 68GB. Another partition contains all the free space plus about 10GB of invisible data. It doesn't show anything even after making hidden files visible. I can't delete the data or format the partition even in Command Prompt because it says it is in use even in Safe Mode. I was able to temporarily see some of the data by altering security and saw something to do with Microsoft & graphics, but the data was minimal, redundant & contained no operating files. I deleted 2 folders that contained a word document, but it took a lot of security changing & there were many more folders (but not enough to account for all the space). I tried to expand the partition to include the free space, but the data was between the usable space. I tried converting to dynamic disc to attach the free space, but it wouldn't attach. I never worked on the C: drive except to convert to dynamic. I installed Acronis & tried to create an image of the C: drive so I could wipe the disc & reinstall , but it didn't see the C: drive even though it was currently running. I rebooted & the C: drive disappeared. I'm attempting to recover the partition with Partition Find and Mount, but not having much luck. It won't let me see the data, and it shows the unused partition broken into smaller partitions that do not account for all the space. There is an irreplaceable program installed which is why I want to save the partition, but I might settle for saving data. What could cause this condition? Any suggestions on how to proceed?
0
Comment
Question by:Albatross1953
  • 6
  • 4
  • 4
  • +1
15 Comments
 
LVL 21

Expert Comment

by:jvuz
ID: 38353840
Try to boot with the ubuntu live cd. Once you've booted into the live session (don't install ubuntu), you can open gparted and check the partitions.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 38353975
One reason (and fairly common as well with Windows 7) for disk space to get used up is a Backup application that may have come with the computer. If the backup is running and it is set by default to create multiple backup sets, it can chew up disk space pretty quickly.

At this point, you may need to recover your data, delete all the partitions and re-install Windows. If you do that, check for backup routines before releasing back to the customer.

I am not sure if you can retreive data from an NTFS partition with Ubuntu or not. You can also use Ultimate Boot CD for this which is Windows based.

.... Thinkpads_User
0
 

Author Comment

by:Albatross1953
ID: 38355294
The disk space isn't used up. It was partitioned off. C drive now has 68GB & D drive has 245GB free space. I'm having trouble recovering the data. Find & Mount will show the user file but won't give me access & won't let me change the security. I tried another PC with XP but it won't open at all. I haven't tried Ubuntu yet.
0
 

Author Comment

by:Albatross1953
ID: 38355477
Ubuntu doesn't work. It says it failed to mount the location of Windows network.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 38355507
Linux does not read NTFS partitions. You need to try Ultimate Boot CD.

http://www.ultimatebootcd.com/

.... Thinkpads_User
0
 

Author Comment

by:Albatross1953
ID: 38355880
I tried Ultimate Boot CD but it freezes when file tools try to initialize disk.
0
 
LVL 99

Accepted Solution

by:
John Hurst earned 1000 total points
ID: 38355900
The partition may be corrupted, and so you may be out of luck getting data from it.

If the data is critical, you may need to try a recovery service. .... Thinkpads_User
0
 
LVL 47

Expert Comment

by:noxcho
ID: 38356750
You cannot work with this data because it contains your boot files and factory reset stuff imho. Get a copy of paragon rescue kit free and boot from it the machine. There select normal mode and then file transfer wizard. Browse the partition with it and export user data.
0
 

Author Comment

by:Albatross1953
ID: 38357116
I used EASEUS Data Recovery to copy files. I tried several others that wouldn't see the partition or wouldn't copy the data. I would still like to determine the cause. I'm concerned about the 10GB of invisible data in the partition. Could a keylogger work this way? When I tried to recover the partition, it broke into several smaller partitions. I did at one point get a glimpse of a folder that looked like a back-up folder but contained no visible back-up data. The other 250GB of the new partition was empty.
0
 
LVL 47

Expert Comment

by:noxcho
ID: 38357318
What is the model of machine the drive was in?
0
 

Author Comment

by:Albatross1953
ID: 38357445
Dell Inspiron 1564
0
 
LVL 47

Expert Comment

by:noxcho
ID: 38357845
Does the partition have the label? If yes then which?
0
 

Author Comment

by:Albatross1953
ID: 38358049
The OS partition was C. The rest was on D. It's gone now. I wiped the disk & started over.  I was able to recover personal files with Easeus Data Recovery. Three other programs didn't work. Before I close the question, I just want to know if a keylogger could have caused this since the 10GB of data on the 2nd partition was invisible & in constant use.
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 1000 total points
ID: 38358581
No. The keyloggers do not generate such amount of data as their primary purpose is to work the way you would never know it was installed. Most possibly the 10GB was a backup file created by sime dell software.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 38358663
@Albatross1953 - Thanks. I was pleased to help you, but sorry that finally you could not read the data.  .... Thinkpads_User
0
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Windows functions GetTickCount and timeGetTime retrieve the number of milliseconds since the system was started. However, the value is stored in a DWORD, which means that it wraps around to zero every 49.7 days. This article shows how to solve t…
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question