Questions on PhotoRec (got hit with QNAP Ransomware!)

Roach
Posts: 4
Joined: 29 May 2021, 17:05

Questions on PhotoRec (got hit with QNAP Ransomware!)

#1 Post by Roach »

Hello. I was unfortunately part of the recent QLocker hack on QNAP devices and they encrypted 500gigs of my system which I am trying to recover. I am running into an issue in that PhotoRec instructions say to use an external drive the size or larger than the NAS however I have 28tb of stuff on my NAS and no external drives (mainstream anyway) are this size. Do I have any options?

I was thinking there are tons of files like Plex Movies I could offload to another external to get it under 14tb but I fear that moving files around will lessen the chance for recovery. Is that true?
Also I am actually using a custom version of PhotoRec that QNAP incorporated into their own app called QRescue. Even though my external drive is 14tb I ran it anyway and I figured I could just delete stuff I def don't care about as it restores. Is that okay to do? It involves me constantly monitoring but I could keep it under the 14tb limit that way.

Also I noticed that it was running quick the first 12hrs but now is running quite slow. Is this a normal process? My QNAP dashboard logged out so I'm not sure if related. It's definitely still running as I see files being generated just at a slower pace.

Lastly, is there any way to have PhotoRec ONLY recover certain file types? For example, only .jpg files. This might aid in my space issue I mentioned as it will ignore restoring 20gig movie files.

Thanks a bunch!
Stephen

Roach
Posts: 4
Joined: 29 May 2021, 17:05

Re: Questions on PhotoRec (got hit with QNAP Ransomware!)

#2 Post by Roach »

I was reading another forum, what if I took my drives out of my NAS (4 x10tb in RAID5) and did one drive at a time? Although I guess I don't know how to run PhotoRec via Windows so maybe that wouldn't work either.

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Questions on PhotoRec (got hit with QNAP Ransomware!)

#3 Post by recuperation »

Roach wrote: 29 May 2021, 17:11 Hello. I was unfortunately part of the recent QLocker hack on QNAP devices and they encrypted 500gigs of my system which I am trying to recover. I am running into an issue in that PhotoRec instructions say to use an external drive the size or larger than the NAS however I have 28tb of stuff on my NAS and no external drives (mainstream anyway) are this size. Do I have any options?

If your QNAP system has partitions unaffected by the attack you might use them provided that they are sufficiently large to receive the possible outcome of Photorec.
Doing that you are putting the remains of unencrypted files at risk of being overwritten in case you choose the wrong location.
As you decided to keep the storage organisation on your QNAP system a secret, I can't tell you more.

Roach wrote: I was thinking there are tons of files like Plex Movies I could offload to another external to get it under 14tb but I fear that moving files around will lessen the chance for recovery. Is that true?

If your movies are located in an affected partition this strategy will increase the chance of failure for Photorec. Moving/Deleting them makes their used space eligible for recovery by Photorec which is definitely to be avoided. Furthermore it carries the risk of unnecessary file extension when reducing the number of file types you are searching for.

Roach wrote: Also I am actually using a custom version of PhotoRec that QNAP incorporated into their own app called QRescue. Even though my external drive is 14tb I ran it anyway and I figured I could just delete stuff

Deleting stuff where?! This is extremely imprecise. Hint: Do not touch/write at the crime location!

Roach wrote: I def don't care about as it restores. Is that okay to do? It involves me constantly monitoring but I could keep it under the 14tb limit that way.

Read my generalised advice above. From your insufficient storage description it is impossible to judge the effects. I don't own a QNAP system and I am not aware of its storage organisation.

Roach wrote: Also I noticed that it was running quick the first 12hrs but now is running quite slow. Is this a normal process? My QNAP dashboard logged out so I'm not sure if related. It's definitely still running as I see files being generated just at a slower pace.

I personally find that my car is slow, too. What does that tell you? Be quantitative. As answered in another post check your SMART parameters. That involves checking all affected drives of an encrypted virtual volume. Your QNAP manual should tell you how to handle SMART. Even if SMART parameters are fine the Photorec action might affect sectors that haven't been tried to read long before, so the drive may discover broken sectors. The only reliable way to exclude sector errors is to duplicate everything to a location that is known to be healthy using a tool like ddrescue as described in the manual.
That undertaking is probably more difficult than with a simple disk. I assume that your QNAP station is making virtual devices out of a couple of disk drives.
As I am not familiar with the internal algorithms of Photorec I can't describe a scenario where the transfer speed degrades below the minimum out of native sustained speed of source (QNAP) and target (rescue location).
You might ask fellow QNAP users about their experience here.

Roach wrote: Lastly, is there any way to have PhotoRec ONLY recover certain file types? For example, only .jpg files. This might aid in my space issue I mentioned as it will ignore restoring 20gig movie files.

I might answer later - will have to clear up an issue here.

Roach
Posts: 4
Joined: 29 May 2021, 17:05

Re: Questions on PhotoRec (got hit with QNAP Ransomware!)

#4 Post by Roach »

Please be aware I am not very technical when it comes to Linux, NASs, PhotoRec, etc. Just an average joe trying to recover his files that were encrypted by hackers.

With that said, I have 4x10tb drives in RAID5. I am using about 27.5tb of 30tb available. It's on a single partition. I use this for File Repository exclusively, minus streaming Plex movies. So I have a multimedia folder which has a few hundred nested folders with the data, but all on the same partition.

The QNAP has the ability to test each drive for SMART and all show up as GOOD (green).
Disc Access History IO is also listed as GOOD (green)

The external drive I am using is a WD Book 14tb which I plugged into the NAS and formatted to ext4 format. Hope that helps some. Thanks

recuperation
Posts: 2720
Joined: 04 Jan 2019, 09:48
Location: Hannover, Deutschland (Germany, Allemagne)

Re: Questions on PhotoRec (got hit with QNAP Ransomware!)

#5 Post by recuperation »

Do not touch your source. Your source is your partition that is containing your four 10TB drives.

=> No writing and no deleting here!

If you agree to recover less than 28TB you can delete unneeded recovered stuff on your 14TB drive on purpose to increase the remaining space for recovery.

Roach wrote: 29 May 2021, 17:45 I was reading another forum, what if I took my drives out of my nas (4 x10tb in RAID5) and did one drive at a time? Although I guess I dont know how to run PhotoRec via windows so maybe that wouldnt work either.

That is not a good idea because your file content is striped around 3 or 4 drives (depending on the location of parity information). You might recover some files but as soon as your files exceed the stripe size you will either get nothing or broken files. In your RAID5 configuration the content of your lengthy video files will spread evenly around all drives.

Roach wrote: 29 May 2021, 17:11 Lastly, is there any way to have PhotoRec ONLY recover certain file types? For example, only .jpg files. This might aid in my space issue I mentioned as it will ignore restoring 20gig movie files.

That will fail as only the selected fingerprints are taken into account when trying to determine the file length. As the manual states in "11.5 Selection of files to recover":

Warning: For some file formats, PhotoRec can determine the original filesize from the file header. For the others,
PhotoRec stops appending data to the file it is currently recovering when a new file header is found. So disabling
too many file formats leads to numerous overlarge files.


I don't know if a jpeg file stores its length in its header. Let's assume it does not. Say you only select jpeg files. Photorec will extend your jpeg file until it finds the beginning of another jpeg file. If you have a lengthy video in between the fingerprint of the video will be ignored and the content of the video file will be appended to the jpeg. That contradicts your intentions.

Just a final hint:
It may be very convenient to integrate 4 drives into one virtual volume. But when it comes to recovery though, it largely increases your recovery requirements!
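
Added illustration, not part of the original thread and not PhotoRec's own code: a toy header-based carver that models the manual warning quoted in post #5, under that post's assumption that the format stores no length in its header. The signatures are simplified, and the 512-byte block size, helper names and sample image are constructed for this example.

```python
"""Toy header-based carver (constructed example, not PhotoRec's code)."""

BLOCK = 512  # assumed carving granularity for this example

# Simplified signatures: JPEG data starts with FF D8 FF; many MP4 files
# start with a 4-byte box size followed by "ftyp" (one common size used here).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "mp4": b"\x00\x00\x00\x18ftyp",
}

def carve(image, enabled):
    """Return [(type, start_offset, length)] using only the enabled signatures.

    Assumption: no format reports its own size, so a file ends only where
    the next *enabled* header begins (or at the end of the image).
    """
    sigs = {k: v for k, v in SIGNATURES.items() if k in enabled}
    found, current = [], None
    for off in range(0, len(image), BLOCK):
        block = image[off:off + BLOCK]
        kind = next((k for k, s in sigs.items() if block.startswith(s)), None)
        if kind is None:
            continue  # no known header: block is appended to the open file
        if current is not None:
            found.append((current[0], current[1], off - current[1]))
        current = (kind, off)
    if current is not None:
        found.append((current[0], current[1], len(image) - current[1]))
    return found

def recovered_bytes(files):
    """Total space the carved files would occupy on the destination drive."""
    return sum(length for _, _, length in files)

def make_file(sig, blocks):
    """Constructed sample file: signature followed by filler bytes."""
    return (sig + b"\xaa" * (BLOCK * blocks))[:BLOCK * blocks]

# Constructed disk image: small photo, large video, small photo.
IMAGE = (make_file(SIGNATURES["jpg"], 2)
         + make_file(SIGNATURES["mp4"], 40)
         + make_file(SIGNATURES["jpg"], 3))

if __name__ == "__main__":
    for enabled in ({"jpg", "mp4"}, {"jpg"}):
        files = carve(IMAGE, enabled)
        print(sorted(enabled), files, recovered_bytes(files))
```

With only `jpg` enabled, the first photo absorbs the whole video and the destination drive fills just as fast as with both types enabled.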

Roach
Posts: 4
Joined: 29 May 2021, 17:05

Re: Questions on PhotoRec (got hit with QNAP Ransomware!)

#6 Post by Roach »

Thank you for the reply. I've been running QNAP's version of PhotoRec (7.2 I believe but custom made for their QNAP called QRescue) for 4 days now. It's rebuilt about 800GB out of the 28TB. I will use your suggestion and just delete the files from there that I know I don't need (or just move to another drive) to lessen the space used on the 14tb external. Based on the time it's taking, it seems to be going very very slow. I wonder if I might be better suited to run PhotoRec manually instead of through QNAP's version as I'm unsure why it has slowed down so much
