Recover zero sized files (malware)

Forum on data recovery, file unerase, disk unformat, and RAID reconstruction.
Discussion on the R-Studio, R-Studio for Mac, R-Studio for Linux, R-Linux, and R-Undelete software

Postby xdavidx » Sat Sep 24, 2016 10:34 am

Hello,

I'm trying to determine if R-Studio (or any other products) will allow me to recover thousands of files. Some malware somehow corrupted the files by keeping the filenames the same, but they show as zero bytes in size. If they were simply deleted, I could undelete them, but they do exist, so it doesn't seem like I can do that. I'm not sure what was done to the raw data on disk or which clusters were changed to make the file appear as zero bytes. The damage happened over an 18-minute period, but due to the number of affected files, I don't think it overwrote all the raw data, because I don't think it would have had time.

Does anyone have any ideas on where I should start and how I might determine if the file contents can still be found on the disk?

Thanks,
David
xdavidx
 
Posts: 2
Joined: Sat Sep 24, 2016 10:29 am

Re: Recover zero sized files (malware)

Postby Alt » Mon Sep 26, 2016 12:26 pm

Much depends on the kind of malware. If it simply resets file sizes to zero, you may find the files by searching the disk for Known File Types: Disk Scan. Old and unsophisticated viruses simply delete files. They can be found as deleted.
But most modern malware encrypts the victim's files, and only professional data recovery specialists can help. Quite often even they cannot.
Alt
Site Moderator
 
Posts: 2199
Joined: Tue Nov 11, 2008 2:13 pm
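
A scan for known file types, as suggested in the reply above, looks for file signatures in the raw disk data instead of relying on the sizes and cluster lists the file system records. The sketch below is an added example, not part of the original thread and not R-Studio's code; the signature table, function names and sample image are constructed for illustration.

```python
"""Signature-based carving: find files by header/footer magic in raw bytes."""

# (type, header magic, footer magic) for a few well-known formats.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]

def carve(image: bytes, max_size: int = 16 * 1024 * 1024):
    """Return a sorted list of (offset, type, data) for each carved file.

    A candidate runs from its header to the first matching footer within
    max_size bytes. A header with no footer in range is skipped: that is
    the overwritten case. Fragmented ("chained") files are not reassembled;
    only data stored contiguously is recovered intact.
    """
    found = []
    for name, header, footer in SIGNATURES:
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                found.append((pos, name, image[pos:end]))
                pos = image.find(header, end)
            else:
                pos = image.find(header, pos + 1)
    return sorted(found)

def build_sample_image(cluster: int = 512) -> bytes:
    """Constructed sample 'disk': one file per cluster, zero-filled slack."""
    def pad(data: bytes) -> bytes:
        return data + b"\x00" * (-len(data) % cluster)
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-body" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    truncated_png = b"\x89PNG\r\n\x1a\n" + b"header only, rest overwritten"
    return pad(b"\x00" * 100) + pad(jpg) + pad(truncated_png) + pad(pdf)

if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"offset {offset:#06x}: {kind}, {len(data)} bytes")
```

Run this kind of scan against a read-only image of the affected disk, so that nothing further is written to the clusters still holding the old contents.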

Re: Recover zero sized files (malware)

Postby xdavidx » Mon Sep 26, 2016 1:42 pm

Hello Alt,

Thanks for the reply. Do you know of any literature that can help me determine what the malware did, specifically? I don't think it encrypted them. In at least one case, if I view a .txt file through a disk hex viewer/editor, I can see the original text further down. With other files, I can't. My only guess is that the other files are chained and I don't know which bytes to read to follow the chain. Is there a tutorial for how to do that with the hex viewer that comes with R-Studio?

I did do a disk scan and looked at the Raw Files it found. It was all .jpg files, nothing else. However, I went back and clicked on it again and saw that not all the known file types were checked. I checked all known file types and I'm scanning again.

Thanks again for your help.

David
xdavidx
 
Posts: 2
Joined: Sat Sep 24, 2016 10:29 am

Re: Recover zero sized files (malware)

Postby Alt » Tue Sep 27, 2016 5:09 am

Let us know the scan results.
Alt
Site Moderator
 
Posts: 2199
Joined: Tue Nov 11, 2008 2:13 pm

Re: Recover zero sized files (malware)

Postby RICARDOORTEGAO » Sun Oct 09, 2016 5:31 pm

Hello. I am suggesting that the R-TT Team look at and maybe implement the same functionality as Shadow Explorer at http://www.shadowexplorer.com

As you can see, Shadow Explorer searches for, shows and allows you to recover previous copies of the files as long as there are Windows Restoration Points. Obviously it is Windows-only functionality, but remember that all the current ransomware is Windows related.

And by the way, don't forget to try Shadow Explorer; maybe the original lost files were saved in previous restoration points. The current ransomware destroys restoration points, but R-Studio can recover them. The problem is where to go once the restoration points have been recovered by R-Studio. That is the question now. The only programs I found that understand the structure of restoration points are Windows, Shadow Explorer and Shadow Copy View, each with pros and cons.
RICARDOORTEGAO
 
Posts: 3
Joined: Sun Oct 09, 2016 4:54 pm

