Recover zero sized files (malware)

A forum on data recovery using the professional data recovery software R-STUDIO.
xdavidx
Posts: 2
Joined: Sat Sep 24, 2016 10:29 am

Post by xdavidx » Sat Sep 24, 2016 10:34 am

Hello,

I'm trying to determine if R-Studio (or any other product) will allow me to recover thousands of files. Some malware somehow corrupted the files by keeping the filenames the same, but they show as zero bytes in size. If they were simply deleted, I could undelete them, but they do exist, so it doesn't seem like I can do that. I'm not sure what was done to the raw data on disk or which clusters were changed to make the files appear as zero bytes. The damage happened over an 18-minute period, but due to the number of affected files, I don't think it overwrote all the raw data, because I don't think it would have had time.

Does anyone have any ideas on where I should start and how I might determine if the file contents can still be found on the disk?

Thanks,
David

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: Recover zero sized files (malware)

Post by Alt » Mon Sep 26, 2016 12:26 pm

Much depends on the kind of malware. If it simply resets file sizes to zero, you may find the files by searching the disk for Known File Types: Disk Scan. Old and unsophisticated viruses simply delete files. They can be found as deleted.
But most modern malware encrypts the victim's files, and only professional data recovery specialists can help. Quite often even they cannot.
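
As an added illustration (not part of Alt's post and not R-Studio's own code), this is the idea behind a raw scan for known file types: look for a file-type header at each sector boundary and read up to the matching footer. The sector size, the two-entry signature table and the sample image are constructed assumptions.

```python
SECTOR = 512  # assumed sector size of the constructed image below

# (type, header magic, footer magic, bytes that follow the footer)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 0),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND", 4),  # 4-byte CRC follows IEND
]

def carve(image, signatures=SIGNATURES, max_size=1 << 20):
    """Return (type, offset, length) for every header on a sector boundary."""
    found = []
    for off in range(0, len(image), SECTOR):
        for name, header, footer, tail in signatures:
            if not image.startswith(header, off):
                continue
            end = image.find(footer, off + len(header), off + max_size)
            if end == -1:
                continue  # no footer in range: overwritten or fragmented data
            found.append((name, off, end + len(footer) + tail - off))
    return found

def build_sample_image():
    """Constructed 8-sector image: zero fill plus one JPEG-like and one PNG-like blob."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 100 + b"IEND" + b"\xae\x42\x60\x82"
    image = bytearray(8 * SECTOR)
    image[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    image[5 * SECTOR:5 * SECTOR + len(png)] = png
    return bytes(image)

if __name__ == "__main__":
    image = build_sample_image()
    # Full signature table: both files are located, but without their names.
    for name, off, length in carve(image):
        print(f"{name}: sector {off // SECTOR}, {length} bytes")
    # Only the JPEG signature enabled: the PNG on the same disk is missed.
    print(carve(image, signatures=SIGNATURES[:1]))
```

A scan of this kind returns contents without the original filenames, and it only reassembles files whose data is stored contiguously. Types missing from the enabled signature list are not reported even when their data is intact.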

xdavidx
Posts: 2
Joined: Sat Sep 24, 2016 10:29 am

Re: Recover zero sized files (malware)

Post by xdavidx » Mon Sep 26, 2016 1:42 pm

Hello Alt,

Thanks for the reply. Do you know of any literature that can help me determine what the malware did, specifically? I don't think it encrypted them. In at least one case, if I view a .txt file through a disk hex viewer/editor, I can see the original text further down. With other files, I can't. My only guess is that the other files are chained and I don't know which bytes to read to follow the chain. Is there a tutorial for how to do that with the hex viewer that comes with R-Studio?

I did do a disk scan and looked at the Raw Files it found. It was all .jpg files, nothing else. However, I went back and clicked on it again and saw that not all the known file types were checked. I checked all known file types and I'm scanning again.

Thanks again for your help.

David

Alt
Site Moderator
Posts: 3129
Joined: Tue Nov 11, 2008 2:13 pm

Re: Recover zero sized files (malware)

Post by Alt » Tue Sep 27, 2016 5:09 am

Let us know the scan results.

RICARDOORTEGAO
Posts: 3
Joined: Sun Oct 09, 2016 4:54 pm

Re: Recover zero sized files (malware)

Post by RICARDOORTEGAO » Sun Oct 09, 2016 5:31 pm

Hello. I suggest that the R-TT team look at and maybe implement the same functionality as Shadow Explorer at http://www.shadowexplorer.com

As you can see, Shadow Explorer searches for, shows and allows you to recover previous copies of files as long as there are Windows restoration points. Obviously it is Windows-only functionality, but remember that all current ransomware is Windows related.

And by the way, don't forget to try Shadow Explorer; maybe the original lost files were saved in previous restoration points. Current ransomware destroys restoration points, but R-Studio can recover them. The problem is where to go once the restoration points have been recovered by R-Studio. That is the question now. The only programs I found that understand the structure of restoration points are Windows, Shadow Explorer and Shadow Copy View, each with pros and cons.