Trying to restore files encrypted by ransomware using Data Carving.

LabZero

Thread author
I would like to share a possible solution to try to recover at least a good part of the files encrypted by ransomware for which there is no other solution.

This technique is surely not new, but many users don't know it or don't know how it works.

To simplify the concept, the Data Carving technique scans the data area of the hard disk that has not been overwritten, restoring predefined types of files and grouping them by extension: .JPG, .XLS, .DOC, .XLSX, .DOCX, .MDB, etc.

It is not, however, possible to retrieve the name and original location of the files, and since there is no File System reference, it is not possible to perform an automatic validity check. The technique allows good results to be achieved, especially if the used part of the hard disk's capacity is less than 50% of the total capacity.

For example, considering an HDD with a 500GB capacity, if the used space is:
0 to 10%, the recovery ability is excellent.
From 10 to 40%, good.
From 40 to 50%, poor.
From 50 to 60%, very poor.
From 60 to 99%, unlikely.


What is described above represents only a hypothesis, and it relies on the particular behaviour of operating systems, which do not write files sequentially but allocate them in different zones of the data area. For example, if any of the files encrypted by the ransomware was previously also present in an allocation of the data area different from its last position (e.g. the file had been moved from one folder to another), then it is possible that it will be recovered intact.

Of course, to be certain whether the files are recoverable, you need to run a scan using software.

Data carving software accesses a device by scrolling byte by byte through all of its content. When the software encounters a byte sequence that coincides with one of the headers stored in its configuration file, it starts extracting bytes from that header until the first occurrence of bytes coincident with the known footer. If a particular file format does not have a footer, the carver stops after an arbitrary default number of bytes.
The header and footer are sequences of bits at the beginning and at the end of the data sequence, required to define the format in which the data is stored.

PS: before using PhotoRec you obviously need to get rid of the ransomware with a deep antimalware scan.

TestDisk & PhotoRec are open source software that allow you to perform data carving:

PhotoRec Data Carving - CGSecurity

TestDisk Download - CGSecurity


As I said above, no result is guaranteed, but trying costs nothing.
Keep in mind that prevention with a good backup plan is better than cure.
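The header/footer scan described above, as an added example that is not part of the original post and not PhotoRec's code: a minimal Python carver run over a constructed disk image. The JPEG and PNG signatures, the 4096-byte size cap and the sample image are assumptions made for illustration.

```python
from typing import Dict, List, Optional
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: Optional[bytes]  # None: the format has no fixed trailer
    max_size: int            # arbitrary cap used when no footer is found

# Constructed signature table for this example; real carvers ship far larger ones.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4096),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4096),
]

def carve(image: bytes, signatures=SIGNATURES) -> Dict[str, List[bytes]]:
    """Walk the raw bytes once; return {ext: [blob, ...]}. Names and paths are gone."""
    found = {sig.ext: [] for sig in signatures}
    pos = 0
    while pos < len(image):
        # Nearest header of any known type from the current position.
        hit = None
        for sig in signatures:
            i = image.find(sig.header, pos)
            if i != -1 and (hit is None or i < hit[0]):
                hit = (i, sig)
        if hit is None:
            break
        start, sig = hit
        end = -1
        if sig.footer is not None:
            # The footer must appear within max_size bytes of the header.
            f = image.find(sig.footer, start + len(sig.header), start + sig.max_size)
            if f != -1:
                end = f + len(sig.footer)
        if end == -1:
            end = min(start + sig.max_size, len(image))  # no footer: arbitrary cut
        found[sig.ext].append(image[start:end])
        pos = end
    return found

# Constructed disk image: filler, a complete JPEG-like blob, a PNG-like blob,
# and a JPEG whose footer was overwritten (only the size cap ends it).
DISK = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-data\xff\xd9" + b"\x00" * 8
        + b"\x89PNG\r\n\x1a\nIHDR..IEND\xae\x42\x60\x82" + b"\x00" * 8
        + b"\xff\xd8\xff\xe1trunc" + b"\x00" * 20)

if __name__ == "__main__":
    for ext, blobs in carve(DISK).items():
        print(ext, [len(b) for b in blobs])
```

The third blob shows why carved output cannot be trusted automatically: with no footer the carver simply cuts at the cap, so the file has to be opened and checked by hand.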
 

Dirk41

Mar 17, 2016
I want to highlight that you should install PhotoRec on another HD and recover the files also on another HD, otherwise you risk overwriting the files you are trying to recover.
 
