Terry Woods
asked on
Recovering data from a compromised Windows 10 PC
I've been tasked to help recover data from a Windows 10 PC where an elderly user allowed remote access to a scammer.
So far I've had the owner of the machine turn off the machine and reset his important passwords from another machine.
I'm planning to reinstall Windows on it from scratch.
Before I do that, I'm planning to try to recover personal data. I suppose there is a chance some or all of it has been encrypted with a BitLocker-type tool, or at least some files are likely to be infected. I intend to get access to the files by booting up with a Linux Mint live DVD, since I'm familiar with Mint.
Q1. Is it going to be reasonably safe to start the PC up without running Windows and try to boot up from DVD (or maybe USB) into Linux Mint?
Q2. I think this machine predates secure boot technology, but I'm not sure what the implications of that are, other than that there is a risk the boot loader has been replaced perhaps? How would I deal with this?
Q3. Would it be safe to add the HDD into my own machine (which is a dual-boot Windows 10/Linux Mint machine, though I'd use Mint) and access the data that way, provided that I don't open any files? That would probably be quicker than a Mint live DVD. Obviously I wouldn't boot from the compromised disk.
Thanks!
If the files are encrypted, there's not much you can do to recover them; you need to do a fresh install and consider the data lost.
@nobus
Any encryption allows mounting the drive from a different system, at least when it's the same sort of OS (Windows/Mac/Linux).
I mean encrypted by the scammer.
Often, if done soon enough, an encrypted file is actually an encrypted copy of the file while the original is deleted. So a file recovery might find the deleted originals...
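An added example, not part of any poster's reply: a Python triage script for the question raised above of whether the personal files were encrypted. It assumes the old disk is already mounted read-only at a path you pass to `triage()`; the signature list, the 7.5 bits-per-byte threshold and the verdict names are choices made for this example. It only reads leading bytes and never opens files in an application.

```python
import math
import os
from collections import Counter

# Well-known leading signatures for common personal-data file types.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".zip": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"],
    ".xls": [b"\xd0\xcf\x11\xe0"],
}
SAMPLE = 64 * 1024     # bytes read per file; nothing is parsed or executed
MIN_BYTES = 4096       # entropy is not meaningful on very small samples
ENTROPY_LIMIT = 7.5    # assumed threshold, in bits per byte


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, head: bytes) -> str:
    """Return 'ok', 'suspect' or 'unknown' from a file's name and leading bytes."""
    sigs = MAGIC.get(os.path.splitext(name)[1].lower())
    if sigs is None:
        # Unlisted extension (including one appended to the name): entropy only.
        noisy = len(head) >= MIN_BYTES and entropy(head) > ENTROPY_LIMIT
        return "suspect" if noisy else "unknown"
    # Listed extension: the content must start with the expected signature.
    return "ok" if any(head.startswith(s) for s in sigs) else "suspect"


def triage(root: str) -> dict:
    """Walk a read-only mounted tree and map each file path to a verdict."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = classify(name, fh.read(SAMPLE))
            except OSError:
                results[path] = "unreadable"
    return results
```

Compressed archives and media with extensions not in the list are also high-entropy, so "suspect" means "inspect further", not "confirmed encrypted".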
ASKER
Thanks guys... I will report back in a few days on how it worked out.
Terry, please continue.
ASKER
Apologies for leaving this so long to accept a solution... thanks for all your help!
Using the old drive, you can run data recovery tools such as TestDisk, copying the recoverable/recovered data to a separate drive.
..
The combination will provide you with more options to recover as many documents/files as possible.