Sunday, August 30, 2015

Profiles in PC Poisoning, Part 5

If you are new to file recovery (as I was), I encourage you to go through the set of brief articles thereon written by PCSupport.About.com's Tim Fisher, specifically
(1) "How To Recover Deleted Files",
(2) "Will a Data Recovery Program Undelete Anything Ever Deleted?",
(3) "How Long is Too Long Before a File is Unrecoverable?", and
(4) "Why Are Some Deleted Files Not 100% Recoverable?".
Once you've read these guys, check out Tim's "19 Free Data Recovery Software Tools" survey.

Interestingly, CTB-Locker does not encrypt the original target files but rather copies thereof.
It’s important to know that CTB Locker creates copies of your files and encrypts them. In the meanwhile, the original files get deleted. There are applications out there that can restore the removed data. ... The newest version of the ransomware under consideration tends to apply secure deletion with several overwrites, but in any case this method is worth a try.
- "CTB Locker removal: how to decrypt files encrypted by CTB Locker virus"
Consequently, a number of the ctb-locker decrypt search pages suggest that a file recovery tool may be able to recover the original target files. The "Some ideas to restore files encrypted by CTB Locker" article from which I quoted last time recommends the Recuva program in this regard. Recuva has both a free version and a "professional" version for $24.95, and the former has pride of place in the aforecited "19 Free Data Recovery Software Tools" survey. Sounds good, let's do this, shall we? So, I go to this download page and download the rcsetup152.exe installer executable and then run the installer to install Recuva.

Recuva comes to us courtesy of Piriform, the same folks who make the CCleaner unnecessary file remover. Piriform maintains help documentation for Recuva here; it's not necessary to read this material to use Recuva, although doing so will give you a more complete (but not completely complete) view of the program.

Recuva run

Recuva has two modes of operation: a "wizard mode" and an "advanced mode". With respect to searching a computer for deleted files, I find that the advanced mode does not in practice do anything that can't be done with the wizard mode, although the former does provide an interface via which search results can be parsed in a value-added way, as we'll see below. When first launched, Recuva starts in the wizard mode.



We can go straight to the advanced mode by clicking the window's button, but let's stay in the wizard mode for the time being. Clicking the button takes us to a second window with a menu of files types that we may want to recover.



The menu's All Files radio button is checked by default; I'd stick with this option as its search results can be easily 'filtered' for specific file types in the advanced mode. Clicking the window's button takes us to a third window with a menu of locations where the files of interest may have been prior to their deletion.



We will target the Recovery (D:) volume in our quest to recover the .wps, .jpg, and .pdf My Documents\ data. Accordingly, we check the menu's In a specific location radio button and enter D:\ into the text input below the radio button label by either
(a) clicking the button and navigating to the Recovery (D:) location in the Browse For Folder window that pops up



and then clicking the button or just
(b) manually typing D:\ in the input.

The D:\ volume gives us a much better shot at recovering our data than does the Local Disk (C:) volume because cleaning up the computer entailed some 'write-heavy activity' - specifically, several software installs - in the latter, and there's a pretty good likelihood that some of the data has been overwritten by that activity: see the Stop using your computer! subsection of the aforecited "How To Recover Deleted Files" article.

Clicking the File location window's button takes us to a Thank you, Recuva is now ready to search for your files window in which we can elect to carry out a "deep scan".



Let's stick with a non-deep scan for now. Clicking the button starts a 3-stage scanning process.
Stage 1 of 3: Scanning drive for deleted files
Stage 2 of 3: Analyzing damage
Stage 3 of 3: Analyzing file contents
When Stage 3 has finished, Recuva displays a window with a list of files that may or may not be recoverable.



Each file name is preceded by a solid circle whose color indicates the likelihood of recovery, which is "excellent" for a circle, "acceptable" for a circle, or "unlikely" for a circle.

Now, a humongous list of >6000 files is not exactly a user-friendly data set; we can directorily organize the list and shed parts of it we don't want in the advanced mode, so let's switch to the advanced mode by clicking the button, which gives the window below:



Shaking the tree

By default, Recuva outputs a list view display for its search results; you can switch the display to a volume- and directory-organized tree view by clicking the button and then selecting the Tree View option in the View mode menu on the General tab of the Options window that pops up:



Clicking the button gives a display window with a single
D:\
result, whose expansion returns:



My menu is like a sieve

Between the button-menu and the button, the advanced-mode display window features a text input-menu via which the search results can be filtered by file type.



The Pictures, Music, Documents, Video, Compressed, and Emails file categories are defined for the wizard mode here; I'm pretty sure (but not 100% sure) that these definitions also apply to an advanced-mode non-deep scan.

Moreover, we can enter an *.ext1|*.ext2... expression into the input to zero in on files with specific extensions: à la the syntax of regular expressions, * matches zero or more file name characters and | serves as a boolean OR operator; for example, we can isolate the results' .wps, .jpg, and .pdf files by typing *.wps|*.jpg|*.pdf in the input.
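To make that filter syntax concrete, here is an added Python example (my code, not Piriform's and not from this post) that implements a *.ext1|*.ext2 matcher over a constructed list of scan results and then groups the hits the way the tree view and the colored circles do. It assumes the expression has to cover the whole file name and that matching is case-insensitive, as Windows file names are.

```python
import re
from collections import defaultdict

# Constructed sample of scan results as (path, recovery state), in the spirit of the
# page's Recovery (D:) scan; these are not real Recuva output.
SAMPLE_RESULTS = [
    (r"D:\My Documents\letter.wps", "excellent"),
    (r"D:\My Documents\letter.wps.jkffbil.xyz", "excellent"),
    (r"D:\My Documents\Photos\beach.jpg", "acceptable"),
    (r"D:\My Documents\Photos\beach.JPG", "unlikely"),
    (r"D:\My Documents\taxes.pdf", "unlikely"),
    (r"D:\Backup\setup.exe", "excellent"),
    (r"D:\My Documents\notes.txt", "acceptable"),
]

def filter_to_regex(expr):
    """Translate a Recuva-style '*.ext1|*.ext2' filter into one compiled regex.
    '*' matches zero or more characters and '|' separates alternatives; every
    other character is literal. Assumptions: the pattern must cover the whole
    file name and matching is case-insensitive (Windows names are)."""
    alternatives = []
    for pattern in expr.split("|"):
        pattern = pattern.strip()
        if pattern:
            alternatives.append(".*".join(re.escape(p) for p in pattern.split("*")))
    if not alternatives:
        raise ValueError("empty filter expression")
    return re.compile(r"^(?:" + "|".join(alternatives) + r")$", re.IGNORECASE)

def apply_filter(results, expr):
    """Keep the (path, state) entries whose file name matches the filter."""
    rx = filter_to_regex(expr)
    return [(path, state) for path, state in results if rx.match(path.rsplit("\\", 1)[-1])]

def tree_view(results):
    """Group entries by directory, like Recuva's Tree View: {dir: [(name, state), ...]}."""
    tree = defaultdict(list)
    for path, state in results:
        directory, name = path.rsplit("\\", 1)
        tree[directory].append((name, state))
    return {d: sorted(names) for d, names in sorted(tree.items())}

def count_by_state(results):
    """Tally the recovery likelihoods that Recuva's colored circles encode."""
    counts = {"excellent": 0, "acceptable": 0, "unlikely": 0}
    for _, state in results:
        counts[state] += 1
    return counts
```

Note that *.wps does not pick up letter.wps.jkffbil.xyz, the encrypted copy, precisely because the pattern is anchored to the whole name.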

Hmmm, ten screenshots, that's enough for one post, wouldn't you say? We'll continue our Recuva conversation in the following entry.

Monday, August 17, 2015

Profiles in PC Poisoning, Part 4

Before we get rolling, I have an addition to make to the Undamaged section of the previous post: somewhat surprisingly, CTB-Locker didn't encrypt any of the 1,850 .gif images on my father's computer - my guess is they weren't targeted because most (>95%) of them lie outside the C:\Documents and Settings\ directory.

So, what are we going to do about those .jkffbil.xyz, .bqtuzhl.xyz, and .xyz files? Is there any chance of recovering the original .wps, .jpg, and .pdf data in the My Documents\ folder?

A ctb-locker decrypt Google search brings up a number of pages that dole out advice for dealing with the aftermath of a CTB-Locker infection, and there is general agreement that restoring files from an external backup is the optimal response thereto. In the words of the Kaspersky guys themselves:
The best line of defense against this and other threats is to have backed up your machine yesterday (and to back it up again next week).
However, my father has never copied his My Documents\ data to an external medium of any type even though blank CD-Rs are cheap - you can buy a 50-disk spindle of 'em at Walmart for $10 - and copying stuff to a CD with his system is as easy as one, two, ... twelve.

Burnin' for you

A copy files to a cd windows xp Google search returns about a page's worth of pages with instructions for burning files and folders to a CD on a Windows XP machine. Because none of these pages quite describes what I do and what happens when I burn a CD on my father's computer, I thought I would give you my own little procedure in this regard.

(1) I begin by inserting a blank CD into the slot-loading CD-RW (F:) drive, which is the lower of the two optical drives held by the PC tower. (Above the F: drive is an E: drive for DVDs.)

(2) Up pops a CD Drive (F:) window that contains a menu of Windows actions for the CD.



The copy files to a cd windows xp search pages say that you should click on the Open writable CD folder using Windows Explorer option although I find that the Take no action option is also serviceable. I don't know anything about the Nero Express and Nero StartSmart programs: whatever they are, they're not necessary.

(3) Via the My Computer icon or the My Documents icon on the desktop, I navigate to the file or folder that I want to write to the CD and select it (click on it once). Holding down the Shift key allows me to select a range of consecutive items in the same directory; holding down the Ctrl key allows me to select nonconsecutive items in the same directory.

(4) I go to the Edit menu and choose the Copy To Folder... command.



(5) A Copy Items window containing a menu of places to copy the item(s) pops up.



I select the CD Drive (F:) option and then click the button at the bottom of the window.

(6) Depending on how much stuff I am copying, I may at this point see a Copying... window that displays an animation of the to-be-copied item(s) moving from folder to folder along a parabolic path.

(7) A tooltip-like speech balloon pops up in the lower-right-hand corner of the screen. The balloon points to a little CD icon in the taskbar and bears a message that reads:

You have files waiting to be written to the CD.
To see the files now, click this balloon.



(8) Clicking the balloon (vs. the icon it's pointing to) displays another CD Drive (F:) window.



Below the window's Standard Buttons toolbar
(a) a Files Ready to Be Written to the CD right pane lists the item(s) to be copied and
(b) a Write these files to CD command appears in a CD Writing Tasks menu in the left pane.

(9) Selecting the right-pane item(s) and clicking the Write these files to CD command launches the Windows CD Writing Wizard.



(10) By default, the CD name is set to the current date in a 3-letter-month-abbr DD YYYY format: you may fill in a different name if this is not to your liking.

(11) Clicking the button starts the burning process.



(12) When the burning is finished, the CD is ejected and a separate window announcing You have successfully written your files to the CD pops up.



Click the button and that's all she wrote.

One more point about screenshots

By default, Paint saves a screenshot as a (24-bit) .bmp image, which is uncompressed and therefore a much larger file than, say, a .png image: you can and should save a screenshot as the latter via the Save as type: menu at the bottom of the Save As window.



Dark shadows

In the absence of an external backup, the ctb-locker decrypt search pages suggest two other courses of action for retrieving files encrypted by CTB-Locker:

(1) See if Windows' Volume Shadow Copy Service (VSS) has saved previous versions of the files.
Solution 3: Use the Volume Shadow Copy
In case you didn't know, the operating system creates so-called volume shadow copies of each file if the Windows System Restore is enabled on the computer. In this way the restore points are created at specified intervals, with snapshots of the files as they appear at the moment that are generated at the same time. This method does not guarantee the recovery of the latest versions of the files but is certainly appropriate to carry out a test anyway.
- "Some ideas to restore files encrypted by CTB Locker"
The Volume Shadow Copy Service was first implemented in Windows XP but the volume snapshots it creates with Windows XP are only temporary; persistent snapshots began with the Vista version of Windows. Undeterred - and seeing a vssvc.exe executable in the C:\WINDOWS\system32\ directory - I launched the Windows Command Prompt (Start → Programs → Accessories → Command Prompt) and ran vssadmin list shadows on the command line: No shadow copies present in the system. So much for that idea.

(2) See if the original files can be recovered via a file recovery tool - we'll get into this next time.
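As an added example (mine, not the post's and not Microsoft's), here is a Python helper that parses a vssadmin list shadows report, handles the no-shadow-copies message the XP run above produced, and lists which volumes have a snapshot dated before a given cutoff such as the infection date. The sample report is constructed from my recollection of the tool's layout; its field names are an assumption, not taken from the page.

```python
import re
from datetime import datetime

# Constructed sample in the general layout of a `vssadmin list shadows` report that
# does find snapshots (field names from my recollection of the tool, not from the
# page); the page's own Windows XP run printed only the NO_SHADOWS_MSG text.
NO_SHADOWS_MSG = "No shadow copies present in the system."
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 8/2/2015 7:30:15 PM
         Original Volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {22222222-3333-4444-5555-666666666666}
   Contained 1 shadow copies at creation time: 8/12/2015 9:05:41 PM
         Original Volume: (D:)\\?\Volume{00000000-0000-0000-0000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""
TIME_RX = re.compile(r"at creation time:\s*(.+?)\s*$")
VOLUME_RX = re.compile(r"Original Volume:\s*\((\w:)\)")
SHADOW_RX = re.compile(r"Shadow Copy Volume:\s*(\S+)")

def parse_shadows(output):
    """One {"volume", "created", "shadow"} dict per snapshot; [] when none exist."""
    snapshots, created = [], None
    for line in output.splitlines():
        if NO_SHADOWS_MSG in line:
            return []
        m = TIME_RX.search(line)
        if m:  # the set-level line carries the timestamp of the copies below it
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = VOLUME_RX.search(line)
        if m:
            snapshots.append({"volume": m.group(1), "created": created, "shadow": None})
            continue
        m = SHADOW_RX.search(line)
        if m and snapshots:
            snapshots[-1]["shadow"] = m.group(1)
    return snapshots

def snapshots_before(output, cutoff):
    """Shadow volumes per drive letter taken before `cutoff` (e.g. the infection
    date): only those can still hold the files as they were before encryption."""
    usable = {}
    for s in parse_shadows(output):
        if s["created"] is not None and s["created"] < cutoff:
            usable.setdefault(s["volume"], []).append(s["shadow"])
    return usable
```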