Hello,
I am attempting to help a user hit by an encrypting ransom virus. The backup drive was inserted while the virus was active and those files were also encrypted or corrupted. I wonder if I might be able to use photorec to recover deleted copies or drafts of some of the files that were encrypted. The virus has been removed.
The documentation emphasizes damaged drives. Running photorec does not do anything to the drive that you are searching, correct (the scanned drive remains just as it was)? It merely scans for file headers and copies what it finds to the specified directory?
If so, do you also have suggested procedures for dealing with any virus files that may be recovered with the rest?
Thanks for your help,
E
file recovery of drafts, etc. after virus
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf