Question can I restore data from a crashed operating system?

Page 2 - Seeking answers? Join the Tom's Hardware community: where nearly two million members share solutions and discuss the latest tech.
Oct 2, 2024
10
0
10
My custom built desktop PC of 9 years displayed a graphics card error popup window and then a minute later stopped displaying video completely and permanently, so I took it in to a tech repair shop.
I just called the repair shop yesterday to see what progress they were making, and they said that the reason the video output wasn't working was because the operating system had crashed and become corrupted. They also told me that they were in the middle of re-installing windows 10 to the hard drive. I immediately figured that would mean my hard drive data had been completely wiped, but the employee assured me that the hard drive was "empty" when he first looked at it.
I'm highly suspicious of that statement. From what a brief google search tells me, if an OS crashes or becomes corrupted, you can still restore the data. It makes no sense that the hard drive would be "empty", even if some or all of the data inside was corrupted or partially inaccessible. I never gave the employee permission to re-install the OS, wiping my hard drive in the process. He did it without my prior knowledge or approval.
Also, if the OS crashes, does that mean the computer wouldn't still run? Before I took my computer to the shop, I could still hear the computer running. Also, whenever I would press enter too many times after starting up my computer, the lights on my keyboard would go out. I think that correlates with the "time out" period when I enter the incorrect password too many times to login to windows. If the computer was still running albeit without video, would that disqualify an OS failure as the source of my problem?
 

Misgar

Respectable
Mar 2, 2023
1,926
517
2,590
He had a smirk on his face.
Oops! I do hope you didn't have any sensitive data on that drive, e.g. bank account statements, credit card details, photos, videos, utility bills, etc. If so, it might be a good idea to change your bank account login passwords, email passwords, social media passwords, credit/debit card PINs, etc., ON ANOTHER COMPUTER OR SMARTPHONE.

If the guy in the store was grinning and you escaped without paying, they may have trawled your disk drive and copied all the files for later inspection. It's easy to "clone" an entire drive and make a perfect copy of everything, in less than an hour. Identity theft is real.

I'd also suggest running an anti-virus scan immediately with something like Malwarebytes set to "scan for rootkits" (which can take many hours) just in case they've been really sneaky and installed a RAT (Remote Access Trojan) or Ransomware.
https://www.malwarebytes.com/blog/threats/remote-access-trojan-rat

I don't wish to sound paranoid, but it's better to be safe than sorry.

When you've finished the malware scan, try looking for your deleted files with the free version of Recuva, or any other "undelete" program that forum members can think of.
https://www.ccleaner.com/recuva

Sometimes you get lucky and can recover some old data, but remember, each time you install a new program on the drive, or browse the internet, more of your remaining files' sectors will be over-written.
 

acadia11

Distinguished
Jan 31, 2010
968
31
19,010
Yeah he's <Mod Edit> you it wouldn't be empty. More likely they are just too lazy to put in the effort to resolve said OS crash and just went ahead and re-installed OS. That's pretty messed up at worse you could have bought another drive installed OS on it , and at least had access to your old drive. If you couldn't save the OS.

And on the ID theft ... yup that's also a distinct possibility not only is it real, it's common for that sort of ilk. Get a new drive ...
 
Last edited by a moderator:
there's visual distortion due to the graphics card
"visual distortion";
like the image on the screen was supposed to be corrupted?
or the card itself was physically damaged?

you definitely need to try booting the system and see what occurs & how it may preform.

if the system has been further compromised then it's possible they could end up owning more than the system is even worth.
asked him to demonstrate it in the store, but he couldn't power on the computer
attempted to startup the system in front of you and couldn't?
or just that they didn't want to or were busy with something else?

if they have actually physically damaged the system in some way,
you should definitely be preparing to fight for a replacement and/or sue for some restitution funds.
he basically started lying to me and coming up with all sorts of excuses and contradictory explanations. Some people are scam artists.
if this is a real licensed shop, not just some nobody working from home or similar, then there should have been a contract/some sort of work order in place before you even left the premises when you first dropped the system off.

if you have this write up read the entire thing and see what is mentioned in relation to diagnostics and liability.

if there was no mention of any sort of contractual obligation and no sort of liability declaration;
  • contact them first directly and ask to talk to the owner of the business. explain the situation and find out what sort of compensation they may be willing to offer.
  • threaten legal action.
  • post bad reviews anywhere possible locally, online, and with the BBB making sure to explain what exactly they've done.
 

Misgar

Respectable
Mar 2, 2023
1,926
517
2,590
From what a brief google search tells me, if an OS crashes or becomes corrupted, you can still restore the data.
When you have a user's machine in front of you, not only can you try to retrieve their photos, videos, etc., but you can also attempt to decrypt their user names and passwords stored in various (encrypted) database files.

Google Chrome's SQLite password store can sometimes be decrypted with utilities such as Nirsoft's ChromePass:
https://www.nirsoft.net/utils/chromepass.html

If you manage to boot up the user's machine into Windows, there's this handy guide on Tom's for viewing saved passwords in Chrome:
https://www.tomsguide.com/how-to/how-to-view-saved-passwords-on-chrome

If you use a different web browser like Firefox, Safari, Opera, there's WebPassView from NirSoft:
https://www.nirsoft.net/utils/web_browser_password.html

The web browser companies are aware of such tools and may take steps to prevent them from working, but when you have direct access to a user's machine, a lot of attack vectors are still possible.

If a shady computer repair company "clones" your Windows disk with a utility such as Macrium Reflect, they can create an identical copy of your drive and spend the next few days looking for useful information.

As I said before, if you don't trust these guys, change all your passwords (everywhere) and, when applicable, create a new username for each account too, otherwise you might find your email, social media and bank accounts compromised.

I've not tried this tool from Malwarebytes, which checks to see if your personal data has been exposed, but it might be worth a look:
https://www.malwarebytes.com/digital-footprint

If anyone needs some "light" background reading on web security, check out the articles on Davey Winder's site:
https://happygeek.com/

He's a major proponent of password managers and has been writing security-related articles for a number of technical publications since 1991. I read his page every month in PCPro.