Recover zero byte files (malware)

Posted: 24 Sep 2016, 23:20
by xdavidx
Hello,

I'm not sure which is the best forum on this site for this question, so if another one is better, please point me in the right direction.

Some malware went through 3 hard drives on my computer (5 partitions) and left me with many files that have the same filename, but are zero bytes in size. I don't believe the entire contents were written over on disk, as the program only ran for 18 minutes and due to the number and size of files, I think whatever it did was done with minimal writing. I don't know if that means the files were deleted and then recreated in the same location as empty, or if it modified the cluster chain in such a way that the OS just doesn't know where to find the data, but knows the filename.

1) Is there any option in PhotoRec or TestDisk that will be able to recover these files?

2) Is there any feature in the software (or any other software) that would allow me to manually follow the links and reconstruct the files?

Thanks for any help you can provide. These are family photos and videos as well as many other document files.

David

Re: Recover zero byte files (malware)

Posted: 26 Sep 2016, 06:02
by cgrenier
Try PhotoRec on the free space of the filesystem. Be careful to store recovered files on another partition.

Re: Recover zero byte files (malware)

Posted: 26 Sep 2016, 07:11
by xdavidx
Thanks for the reply.

Would running it on just the free space help me get more than what I could get with the full scan, or is it just that the full scan is going to show the currently available files as well as those that it found in the free space, with the currently available files not being useful in PhotoRec, since I can access them directly in Explorer?

Thanks again for the help, and obviously, for the software. :-)

David