MrBojangles
I have a client that got hit with an encryption virus and got all their files locked up. They sent me the computer to see what I can do to recover. They also sent me an external drive that also got locked up.
So I start by imaging the external drive because it's quite old and failing and I manage to extract about 99% of the data with ddrescue.
But I start the data recovery process with the laptop drive which I DON'T image because I know that it's pretty new and in good shape (checked health) so I figured imaging is a waste of time. Also it's an SSD of about 240 GB. When I use R-Studio to scan the SSD drive I can see the files and here's an example below.
It seems in this case that the virus copied the original file, then deleted it and encrypted the copy. However, when I recover the deleted file I can't open it because it's damaged. Also if I try to find a previous version of either file it just lists about 17 unrelated files.
Anyone know if there is anything that can be done here or did the virus totally ruin the original files and make data recovery impossible?