Is "Restore Partition" A Security Hole? Acer Netbook...

zapp22

friends
I pulled a drive from a previously stolen Acer netbook. I'm trying to help my client get back as much data as possible, and also ascertain whatever I can about what the thief, fence, or final receptor of the netbook actually did.
As best I can guess it, the guy must have enabled the Acer recovery partition.
In the rightful owner's possession, the system had only one user account in its life, and that was password protected.
But from what little I have found about the way the Acer factory restore partition works, it does not look at existing user accts at all.

Am I right about this?
Secondly - I'd like to take a look at the Windows System logs for the event of the reinstall and other things I can learn. I have this drive slaved to my lab mule Windows 7 Ultimate system, showing up via USB attach as another drive, and I'm taking ownership of what I need. Is there a way to point the Error/Event log applet under the management snap-in to the logs that are stored on that slaved drive? I can put it back in the netbook easily enough but this would save me a bit of work.
thx

z
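
Added example, not part of the original thread: one way to read the System log straight off an attached drive and bound when the current Windows installation started logging. It assumes the drive is mounted as E: and holds Windows Vista or later (logs stored as .evtx under Windows\System32\winevt\Logs); both are assumptions, the thread does not state them.

```powershell
# Added example (not from the thread): summarise an offline System.evtx.
# Assumptions: attached drive is E:, and it runs Vista or later (.evtx logs).
param(
    [string]$OfflineRoot = 'E:\'   # assumed drive letter of the attached disk
)

$logPath = Join-Path $OfflineRoot 'Windows\System32\winevt\Logs\System.evtx'
if (-not (Test-Path -LiteralPath $logPath)) {
    throw "No System.evtx at $logPath (wrong drive letter, or a pre-Vista .evt log)."
}

# Oldest surviving record: a lower bound for when this installation began logging.
# It can predate the restore if the factory image shipped with records in it,
# so read it together with the boot events listed afterwards.
$first = Get-WinEvent -Path $logPath -Oldest -MaxEvents 1
'Oldest record: {0:u}  record {1}  provider {2}  machine {3}' -f `
    $first.TimeCreated.ToUniversalTime(), $first.RecordId,
    $first.ProviderName, $first.MachineName

# Event Log service start/stop and boot markers, oldest first:
#   6005 = service started, 6006 = service stopped (clean shutdown),
#   6008 = previous shutdown was unexpected, 6009 = OS version logged at boot.
$filter = @{ Path = $logPath; ProviderName = 'EventLog'; Id = 6005, 6006, 6008, 6009 }
$boots  = Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction SilentlyContinue

# MachineName is kept because a fresh install normally gets a new computer name,
# so a name change between records marks a boundary worth looking at.
$boots |
    Select-Object @{ n = 'TimeUtc'; e = { $_.TimeCreated.ToUniversalTime().ToString('u') } },
                  Id, RecordId, MachineName |
    Format-Table -AutoSize

# Timestamps come from the netbook's own clock at the time, so treat them as
# relative ordering unless the clock can be checked against another source.
```

Event Viewer can open the same file interactively through Action > Open Saved Log.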
 

About the first thing, yes, you're right, the recovery partition will simply delete everything on the HD regardless of password and replace with the factory defaults.

But I don't think it's a security hole or menace or anything. It's pretty much expected. After all, user accounts/passwords are just for the OS's own use validation and authentication (and that goes for ANY system, not just Windows). When you boot it, it uses those accounts for access check, but if you never load the system, the check is bypassed. The recovery partition of every laptop is nothing more than an image of the factory default that gets restored, irrespective of the current state of the HD/OS. The very same happens when you reformat the computer or boot a portable OS or put the disk in another box, the original OS password is never checked, because the original OS is never booted.
This isn't a security flaw, it's expected and normal, as the system cannot control anything if it doesn't even start. It's like going through the front door with all access checks or sneaking through the back door :p

Because of that, anyone with physical access to the computer or the hard disks is pretty much free to do whatever he wants with all the data, provided he knows how to use it from another foreign system, as it was possibly your case. Encryption is a good way to prevent that. It will not prevent the data from being stolen, but will prevent anyone who doesn't know the password from viewing it.
 
