Recovery post ransomware


Postby MatMur95 » Thu Dec 08, 2016 6:29 am

Hello to all,
sorry for my lousy English.
For some days I've been trying to retrieve data from a hard drive infected with ransomware. If I make a normal recovery, all files are corrupted or cannot be opened, but they all work in RAW. Can you recover files from RAW but use the file system tree?

Mattia
MatMur95
 
Posts: 2
Joined: Thu Dec 08, 2016 6:23 am

Re: Recovery post ransomware

Postby Corsari » Thu Dec 08, 2016 9:28 am

Hello Mattia

No, you can't. The files you find in RAW mode are temporary files.

The process does the following:

- copies the original file into a temp file
- encrypts the temp file
- copies the temp file back, overwriting the original one
- deletes the temp file

You'll find them, and not all of them, in RAW mode only.

Bye
Robert
Technical Manager @ Recupero Dati RAID FAsTec (Italy)

USEFUL RULES and GUIDELINES
1) What to check BEFORE begin a disk image/clone process [link]
2) Disks that are too slow while imaging/cloning them [link]
3) All my posts on this forum [link]
Corsari
 
Posts: 127
Joined: Wed Aug 14, 2013 4:18 am

Re: Recovery post ransomware

Postby MatMur95 » Thu Dec 08, 2016 9:42 am

But, for example, I'm doing one right now: through RAW I can get back to some files that the client tells me were on the desktop. Since I have the "decrypted" tree but with unreadable files, I was asking whether there is a way to do a match, for example by extension and size, and replace the unreadable files.

Mattia

Re: Recovery post ransomware

Postby Corsari » Thu Dec 08, 2016 10:00 am

No way

The customer has to replace and rename them manually.

(P.S. For cases of damaged HDDs, RecuperoDati299euro offers a concrete discount program for IT industry operators.)
Robert
Technical Manager @ Recupero Dati RAID FAsTec (Italy)


Re: Recovery post ransomware

Postby Alt » Thu Dec 08, 2016 10:33 am

R-Studio has some means to find the original files: Finding Previous File Versions. But prospects are really really grim.
Alt
Site Moderator
 
Posts: 2199
Joined: Tue Nov 11, 2008 2:13 pm
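
The match by extension and size asked about earlier in this thread, sketched as an added example; it is not part of any post and not R-Studio functionality. The function name, sample paths and sizes are constructed, and it assumes the tree listing still shows each file's original extension and exact size and that the RAW-carved sizes are exact, which the thread does not confirm.

```python
from collections import defaultdict
from pathlib import PureWindowsPath


def _key(name, size):
    # Match key: lower-cased extension plus exact size in bytes.
    return (PureWindowsPath(name).suffix.lower(), size)


def match_carved_to_tree(tree_entries, carved_files):
    """Pair RAW-carved files with file-system tree entries.

    tree_entries: (path, size) of the unreadable files listed in the tree.
    carved_files: (name, size) of the readable files found by the RAW scan.
    Returns (unique, ambiguous, unmatched).
    """
    tree_by_key, carved_by_key = defaultdict(list), defaultdict(list)
    for path, size in tree_entries:
        tree_by_key[_key(path, size)].append(path)
    for name, size in carved_files:
        carved_by_key[_key(name, size)].append(name)

    unique, ambiguous, unmatched = {}, {}, []
    for key, carved in sorted(carved_by_key.items()):
        targets = tree_by_key.get(key, [])
        if not targets:
            unmatched.extend(carved)          # no tree entry has this ext+size
        elif len(targets) == 1 and len(carved) == 1:
            unique[carved[0]] = targets[0]    # safe to propose automatically
        else:
            # Several candidates share ext+size: leave for manual review.
            ambiguous[key] = {"carved": carved, "tree": targets}
    return unique, ambiguous, unmatched


# Constructed sample data (hypothetical paths and sizes).
TREE = [
    (r"C:\Users\client\Desktop\invoice.pdf", 48213),
    (r"C:\Users\client\Desktop\photo1.JPG", 2097152),
    (r"C:\Users\client\Desktop\photo2.jpg", 2097152),
    (r"C:\Users\client\Desktop\notes.docx", 15360),
]
CARVED = [("000123.pdf", 48213), ("000124.jpg", 2097152), ("000125.docx", 15872)]

if __name__ == "__main__":
    unique, ambiguous, unmatched = match_carved_to_tree(TREE, CARVED)
    print("unique:", unique)
    print("ambiguous:", ambiguous)
    print("unmatched:", unmatched)
```

Only the unique pairs are candidates for automatic renaming; ambiguous and unmatched files still need the manual check described in the replies.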

