cgsecurity.org

Hi,

I'm recently hit by the Synolocker ransomware and I'm trying to use PhotoRec to recover my files. I had pretty good success recovering jpegs, but I have issues with PDFs. What I observed when recovering PDFs is that PhotoRec would sometimes create, as recovered files, very large files (~1GB), then after a while, these large files are deleted, and PhotoRec would retrogress on the sectors read. After the deletion, PhotoRec usually creates a new recovered file (usually much smaller, sometimes with readable content, sometimes not). It seems that initially PhotoRec didn't know where the file would end, so it kept on reading and writing, and then at some point it realized it has read too much/or encountered some kind of error, and bailed out.

As a result of this behaviour (writing large files and deleting them, and retrogressing), the recovery process becomes excruciatingly long (thousands of hours ETA, and who knows how long it would actually take!) on a 3TB disk

Can anyone shed some light on what's happening behind the scene, and what I can do to speed up the process??

Thank you!!

Jia

The pdf filesize is determined from the beginning of the file for linearized pdf.
For the other pdf, PhotoRec stops the recovery of the current file when a new file is found and search the "%EOF" signature to identify the end of the file. If the recovered file is valid, PhotoRec delete it and try to recover the new file.
If the new file is valid, PhotoRec will try again to recover the previous file if it isn't separated by more than 1GB and 10 fragments.

If you still have the problem, send me an email with your OS details. I will send you a modified version of PhotoRec which will limit the backsearch.

Thanks Chris for the clarification. I sent you an email, and yes, please send me a modified version