Can an SSD "miss some data"

T

Thedog

Active Member
Reaction score
56
A client said his computer wont start and it seems to be broken. I try to recover data by plugging the harddrive into an USB-cabinet, the drive is an M2 SSD and I put it in an S-ATA adapter. I plugged it into a Mac and this is how the partition looks:

Skärmavbild 2020-12-10 kl. 20.47.14.png

As you can see there is no Users folder, documents and settings or anything. Not even a Windows folder and this is the partition called OS. Usually you can't read drives at all but this is strange, everything I can see on the drives reads perfectly but there seems that a lot of data is missing. Is this some kind of SSD thing?
 
glennd said:
Not an SSD thing so much as a Trojan thing. Google "RannohDecryptor". The customer got hit big time. Looks like all is lost. N&P, a decent anti-malware and a little customer education I would think.
Click to expand...
Those are old files and it doesn't make sense. Sure if he got encrypted I would see encrypted files.... Never seen an trojan delete a Windows folder...
 
First-off.. try on another Windows PC.. Second, yes, "Viruses" have and will delete Windows folders and other goodies... part of their M.O., really.

If the RannohDecryptor is "old", when was it removed? If removed, how do you know it isn't still there? And no, you will not necessarily see the encrypted files.. some of these things do some tricky hard drive tricks like encrypt the files and delete - to be restored from "free space" upon payment.
 
phaZed said:
First-off.. try on another Windows PC.. Second, yes, "Viruses" have and will delete Windows folders and other goodies... part of their M.O., really.

If the RannohDecryptor is "old", when was it removed? If removed, how do you know it isn't still there? And no, you will not necessarily see the encrypted files.. some of these things do some tricky hard drive tricks like encrypt the files and delete - to be restored from "free space" upon payment.
Click to expand...
PC Won't even read it, It shows 2 partitions but not how much space etc and when you try to look at properties etc it just times out. The computer doesn't power on at all so I don't suspect a virus rather some hardware failure but I am curious on if for example a power surge could render some data away on an SSD while keeping other. Files in for example Program (x86) folder reads perfectly on Mac so it's very odd.

I haven't ran into any encryption viruses for a few years but last I remember it always just encrypted files, you could still boot Windows etc
 
If write-cache is enabled on the SSD then data loss/corruption is much more likely in the event of a sudden power-off. If, not, SSD's are certainly not infallible. What's the brand of the SSD? There have been SSD's with controller firmware issues, that's for sure. I guess you could be looking at a mem chip failure, too... but usually the controller would freak out and not mount.
 
phaZed said:
If write-cache is enabled on the SSD then data loss/corruption is much more likely in the event of a sudden power-off. If, not, SSD's are certainly not infallible. What's the brand of the SSD? There have been SSD's with controller firmware issues, that's for sure. I guess you could be looking at a mem chip failure, too... but usually the controller would freak out and not mount.
Click to expand...
Sandisk:
www.ebay.com

SanDisk 256GB SSD mSATA Solid State SD5SE2-256G-1002E for ASUS Taichi 21 11.6" | eBay

SANDISK 256GB SSD mSATA. Compatible with mSATA SSD. Interface mSATA. Storage Capacity 256 GB SSD. Form Factor N/A.
www.ebay.com
 
I mean, it could be that drive for sure... 1Q 2014 - and it's one of those 'half-sized' ones... usually only OEM's that go for that. 2014 was still pretty early in the SSD game. Wouldn't surprise me to see it failed if that's what it is.
 
I've seen SSDs corrupt individual files, but never had them lose an entire folder. I suppose it is possible, after all technically the folder entry is just another file. It's just not nearly as commonly written to.

Also, every crypto I've gotten has destroyed Windows.
 
Sky-Knight said:
I've seen SSDs corrupt individual files, but never had them lose an entire folder. I suppose it is possible, after all technically the folder entry is just another file. It's just not nearly as commonly written to.

Also, every crypto I've gotten has destroyed Windows.
Click to expand...

Do you know the logic as to why Mac can read the harddrive 1 second after plugging it in while PC can't read it at at all, times out etc. NTFS of course
 
Probably a corrupted partition lead, Windows is trying to get the SIDs and GUIDS out of the volume to enforce permissions, *nix platforms like a Mac won't care about that stuff.
 
As the very first thing to do in a data loss situation is to clone the patient drive, how did that process go? Any read errors or areas of slow down?

1. If the drive is starting to fail, it will likely get worse
2. If files were deleted, TRIM is likely erasing the sectors
 
lcoughey said:
As the very first thing to do in a data loss situation is to clone the patient drive, how did that process go? Any read errors or areas of slow down?

1. If the drive is starting to fail, it will likely get worse
2. If files were deleted, TRIM is likely erasing the sectors
Click to expand...
Exactly, while the rest was conducting a wild goose chase.
 
You must log in or register to reply here.

Similar threads

Big Jim
Secure data destruction with an SSD
2
Replies
24
Views
1K
Markverhyden
Markverhyden
300DDR
I made a page detailing our data recovery statistics from January, 2024. Learn which models are failing most, which are most recoverable, etc.
Replies
17
Views
600
300DDR
300DDR
thecomputerguy
Why all the sudden I can't move a folder to a different team?
Replies
3
Views
275
Sky-Knight
Sky-Knight
Big Jim
iMac not booting
Replies
7
Views
576
Big Jim
Big Jim
thecomputerguy
Cut/Copy/Paste folders by date while retaining the folder structure?
Replies
5
Views
501
SAFCasper
SAFCasper
Back
Top