Hello to all,
sorry for my lousy English.
For some days I have been trying to retrieve data from a hard drive infected with ransomware. If I make a normal recovery, all files are corrupted or cannot be opened, but they all work in RAW. Can you recover files from RAW but use the file system tree?
Mattia
Recovery post ransomware
Re: Recovery post ransomware
Hello Mattia
No, you can't. The files you find in RAW mode are temporary files.
The process does the following:
- copies the original file into a temp file
- encrypts the temp file
- copies the temp file back, overwriting the original one
- deletes the temp file
You'll find them, and not all of them, in RAW mode only.
Ciao
Robert
Technical Manager @ Recupero Dati RAID FAsTec (Italy)
USEFUL RULES and GUIDELINES
1) What to check BEFORE begin a disk image/clone process [link]
2) Disks that are too slow while imaging/cloning them [link]
3) All my posts on this forum [link]
Re: Recovery post ransomware
But for example, I'm doing one right now: through RAW I can get back to some files that the client tells me were on the desktop. Since I have the "decrypted" tree but with unreadable files, I was wondering if there was a way to do a match, for example by extension and size, and replace the unreadable files.
Mattia
Re: Recovery post ransomware
No way.
The customer has to replace and rename them manually.
(P.S. For cases of damaged HDDs, RecuperoDati299euro offers a concrete discount program for operators in the IT sector.)
Robert
Re: Recovery post ransomware
R-Studio has some means to find the original files: Finding Previous File Versions. But prospects are really really grim.
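The extension-and-size match asked about earlier in the thread, as an added example that is not from any of the posters: it only reports candidate pairs and never copies or overwrites anything. It assumes the unreadable files in the tree kept their original extension and byte size and that the RAW-carved files have correct sizes; the folder names `tree` and `raw` and the sample files are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

def index_by_ext_size(root):
    """Map (lowercased extension, size in bytes) -> paths under root."""
    index = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            key = (os.path.splitext(name)[1].lower(), os.path.getsize(path))
            index[key].append(path)
    return index

def plan_matches(tree_root, raw_root):
    """Pair tree files with carved files; nothing is copied or overwritten.
    Returns (unique, ambiguous, unmatched): unique maps a tree path to its only
    candidate, ambiguous maps it to several, unmatched lists tree paths with none."""
    tree, raw = index_by_ext_size(tree_root), index_by_ext_size(raw_root)
    unique, ambiguous, unmatched = {}, {}, []
    for key, tree_paths in tree.items():
        candidates = sorted(raw.get(key, []))
        for tree_path in tree_paths:
            if not candidates:
                unmatched.append(tree_path)
            elif len(candidates) == 1 and len(tree_paths) == 1:
                unique[tree_path] = candidates[0]
            else:  # same extension and size on either side: a person must decide
                ambiguous[tree_path] = candidates
    return unique, ambiguous, sorted(unmatched)

def build_sample(root):
    """Constructed sample: a small 'tree' and 'raw' folder of zero-filled files."""
    files = [("tree/Desktop/a.docx", 100), ("tree/Desktop/b.jpg", 200),
             ("tree/Desktop/c.jpg", 200), ("tree/Desktop/d.pdf", 300),
             ("raw/f001.docx", 100), ("raw/f002.jpg", 200), ("raw/f003.jpg", 200)]
    for rel, size in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        u, a, n = plan_matches(os.path.join(tmp, "tree"), os.path.join(tmp, "raw"))
        print(len(u), "unique,", len(a), "ambiguous,", len(n), "unmatched")
```

Only the pairs reported as unique are safe to consider replacing automatically; files that share an extension and size still have to be opened and identified by hand.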