Recover zero byte files (malware)

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
xdavidx
Posts: 2
Joined: 24 Sep 2016, 23:11

Recover zero byte files (malware)

#1 Post by xdavidx »

Hello,

I'm not sure which is the best forum on this site for this question, so if another one is better, please point me in the right direction.

Some malware went through 3 hard drives on my computer (5 partitions) and left me with many files that have the same filename, but are zero bytes in size. I don't believe the entire contents were written over on disk, as the program only ran for 18 minutes and due to the number and size of files, I think whatever it did was done with minimal writing. I don't know if that means the files were deleted and then recreated in the same location as empty, or if it modified the cluster chain in such a way that the OS just doesn't know where to find the data, but knows the filename.

1) Is there any option in PhotoRec or TestDisk that will be able to recover these files?

2) Is there any feature in the software (or any other software) that would allow me to manually follow the links and reconstruct the files?

Thanks for any help you can provide. These are family photos and videos as well as many other document files.

David

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: Recover zero byte files (malware)

#2 Post by cgrenier »

Try PhotoRec on the free space of the filesystem. Be careful to store recovered files on another partition.

xdavidx
Posts: 2
Joined: 24 Sep 2016, 23:11

Re: Recover zero byte files (malware)

#3 Post by xdavidx »

Thanks for the reply.

Would running it on just the free space help me get more than what I could get with the full scan, or is it just that the full scan is going to show the currently available files as well as those that it found in the free space, with the currently available files not being useful in photorec, since I can access them directly in Explorer?

Thanks again for the help, and obviously, for the software. :-)

David

Locked