Repair damaged jpeg files from ransomware

[dbojan]

I deleted your post because it appears to me as a fake case just to promote some software.
If I had a particular JPEG issue I would try

www.disktuna.com

which is not priced as high as USD 30,- for 30 days of use - the software you are referring to.
I have not used this software but would be willing to give it a try as its USD 30 for an unlimited time.

26.10.2022 20:25 recuperation

[recuperation]

Hi.
I have some file with olfg extension. They are infected with stopdjvu ransomware.

I did not find this file type in the list of suported files:

https://www.cgsecurity.org/wiki/File_Fo ... y_PhotoRec

Test a sample file here:

https://www.cgsecurity.org/photorec/

Is there a way to use photorec to recover partially damaged files form a specified folder?

No, Photorec is a file carver that typically ignores meta data like folder information. In case of the search in unallocated space it has to interpret the content of the file system to get the information about what is unallocated space.

https://www.cgsecurity.org/wiki/PhotoRe ... space_only

I had some success with XXXXXXXXXXXXX , which is not free, and leaves text over recovered images. It uses some heuristics to search files in specified folders, and partially recover images?

Are you XXXXXXXXXXXXX trying to promote your software? If yes, ask Christophe Grenier for permission, please.

I tried creating iso image which contains olfg pictures, and used as cd image, but photorec cannot recover part of jpeg files from iso.

What is the interest of packing "olfg" (an extension I never heard about) pictures into an image file?
Why are you switching between "olfg" files and jpeg files?

Is there a way to create disk image in windows, or linux, and have photorec recover partial jpeg images from it?

There is no need to create disk images, Photorec can search on a disk directly.

Or to point photorec to files with partially encrypted jpeg files?

No, Photorec is a file carver that typically ignores meta data like folder information. In case of the search in unallocated space it has to interpret the content of the file system to get the information about what is unallocated space.

[dbojan]

Ok, perhaps I did not explain properly.
A friend of mine installed program with virus.
His pictures got encrypted with ransomware.
Jpeg files got encrypted. First part of the image got encrypted, and the jpeg file got renamed to olfg.
For example "house.jpg" becomes "house.jpg.olfg."
It cannot be opened in a picture viewer, because part of the picture at the beginning is not valid.
I found some software which can reconstruct open "house.jpg.olfg", scan the file for jpeg data, and save it as a new valid jpeg file. Part of the image might be missing, but part it saved as a new file.

I do not wish to scan the whole disk or partition for deleted files.
What I was hoping is that photorec can in some way be used to scan house.jpg.olfg (or folder with other encrypted pictures), and recover part of the image that is valid and save it as a new valid jpg.

I did not pack images into olfg. Olfg name as itself is not important, it could be any name, there are different versions of the ransomware.
It could be useful to a lot of people to be able to recover pictures after ransomware using high quality program like photorec.

Apparently it cannot be used that way.
Thank you for your response.

Sorry to see you deleted my post. It was not fake. I do not wish to buy the program, that is why I was hoping to use photorec which is free, for the same purpose.
Program I mentioned was recommended in bleeping computer forums, part that deals with ransomware. I also tried disk tuna, but did not succeed to recover files, cause it requiers to have reference file which I do not have.

[dbojan]

here are the encrypted files, if someone wishes to try and repair them, or create a program.
https://1drv.ms/u/s!AoaKwmm7ZUPLaUkDl5y ... I?e=Yusf58
Apparently "The encrypted part is often 153605 bytes"

[recuperation]

Photorec is not decrypting files.

[dbojan]

Not necessarily decrypt them, but recover part of jpeg that is not overwritten.
The way that this ransomware works, is to encrypt part of the file, about 150kb at the beginning of the file apparently, and saves the modified file as jpeg.

The rest of the jpeg file is untouched, and could be recovered and saved with a new header.

That is what the other program does, which is not free.

[recuperation]

Photorec is extracting files from a disk based on fingerprints which are typically located at the beginning of a file. If you encrypt the beginning of a file Photorec won't recognize them anymore.

[cgrenier]

It's not possible to test if it's possible to recover the picture of a jpg if you don't provide an unmodified jpg from the same camera/phone (same resolution) than the jpg you are trying to "repair".

[dbojan]

I had some success with the program I mentioned before. Without the need for the unmodified jpeg from the same camera. About 50% success. If the picture is bigger, the chances are better to recover the picture. The program name was deleted from my first post.

I looked at the github, trying to find some opensource program that does the same. Best I could find was A1337CBS/Jpeg-Carver from github.
it carves out part of jpeg, from disk image with jpeg files (made with dd).
But it does not put jpeg fragments back together to one picture. So you have top 10 pixels, then, maybe 500 pixels of the jpeg, and the rest of the jpeg is missing.

Also does not need the unmodified jpeg from the same camera.
I suppose the chances would be higher, if I did have the it.

[dbojan]

One could maybe use deleted files recovered from the disk of the same pc, as an 'unmodified jpg from the same camera'

tried with https://github.com/matwachich/recover_jpeg, which compares damaged files with unmodified jpgs, but did not have much success so far.