Thursday, September 24, 2015

Profiles in PC Poisoning, Part 7

Recuva is the first entry in Tim Fisher's "19 Free Data Recovery Software Tools" survey. The second entry is a program called Puran File Recovery, for which Tim points out:
One particular thing to note - Puran File Recovery identified more files on my test machine than most other tools so be sure to give this one a shot in addition to Recuva if it didn't find what you were looking for.
I was p-r-e-t-t-y c-l-o-s-e to throwing in the towel with respect to recovering the CTB-Locker-encrypted My Documents\ .wps files on my father's computer but decided, as a last-ditch effort of sorts, to see if Puran File Recovery could help me out. So I go to this download page, download the PuranFileRecoverySetup.exe installer, and run it to install Puran File Recovery. (One detail that matters: the program installs to C:\ while the volume I want to recover from is D:\. Every write to a volume can overwrite free-space sectors that still hold deleted data, so a recovery tool must never be installed on the volume it is about to scan.)

Help

When launched, Puran File Recovery first displays a Select a Language window.



As the menu's English default is what I want, I click the button. Puran File Recovery next displays two windows:
(1) a raised Things you should know... window



provides a summary of the program's capabilities and
(2) an underlying Puran File Recovery - For Home Users only window



serves as a work area.

The latter window's title bar features a button (to the left of the Minimize button) that when clicked launches a help wizard with relevant screenshots for the program.



The wizard may be viewed separately at C:\Program Files\Puran File Recovery\Help\File_Recovery.chm: its material is not on the Web as far as I am aware.

Quick

Upon scrolling to its bottom the Things you should know... window recommends:
In all you should try Quick Scan first, if deleted file is not found, you should go with Deep Scan + Find Lost Files + Scan Custom List and if still not found, go for Full Scan as well.
So let's start with a quick scan, which reads only the file system's own records of deleted files and does not touch the free space (that is the deep scan's job). Accordingly, I select the Recovery (D:) drive and click the button in the work area window. My quick scan takes about 10 seconds and returns 6,222 files. To the right of the button is a Search... text input-menu in which I can type *.wps so as to (after hitting the Enter key) filter the results for .wps files: nothing comes up when I do so.

Deep 1

According to the Using Puran File Recovery → Scan page of the help wizard:
Deep Scan    When you are not able to recover your files with Quick Scan, you should try Deep Scan. This option performs a Quick Scan plus scans entire free space of the selected drive byte by byte and tries to find following format files -

JPG BMP PNG GIF MP3 WAV OGG WMA WMV DOC XLS PPT DOCX XLSX PPTX PDF ZIP RAR MP4 AVI CAB RTF NEF CR2 DNG PST OST MPG ODT ODS ODP ODB ODG ODF
Hmmm, I don't see WPS up there, do you? But let's try a deep scan anyway. I reselect the Recovery (D:) drive, clear the Search... field, and check the Deep Scan checkbox in the work area window. Checking the Deep Scan checkbox
(a) enables but does not check the Full Scan checkbox,
(b) enables and checks the Find lost files checkbox, and
(c) enables and checks the Scan Custom List checkbox.



As regards the Find lost files action, the Using Puran File Recovery → Scan page says:
In addition, if Find Lost Files Option is selected, Deep Scan also detects the file records that were lost. This ensures that where ever possible you get the file name and in many cases file path too. Also, since files are listed as per the information in the record, recovery is mostly more accurate.
This certainly seems like something we want, doesn't it? As regards the Scan Custom List action, I'll have lots more to say about it in the next section. I go ahead and click the button. My deep scan takes about 20 minutes and returns 8,097 files. A *.wps filter again returns nothing. However, there's no need to resort to a full scan just yet...

Customize it

Puran File Recovery has an all-important feature that Recuva does not have: it enables the user to extend the range of the file types it searches for.

As noted above, a deep scan searches for a core set of file types; if the Scan Custom List checkbox is checked, then the core set is augmented with a second, custom set of file types that are detailed in an Edit Custom Scan List window



that is displayed when the work area window's button is clicked. You may add more file types to the custom set if you so choose.

As the Edit Custom Scan List window makes clear, a deep/full scan searches for file types via profiles maintained by the program for those file types: at a minimum each profile contains a file signature (a.k.a. a file magic number) and the position of the signature in the file byte stream; a profile may also contain an indication of file size and/or a characteristic end-byte pattern.

We can search for .wps files by adding a corresponding .wps profile to the custom set database. Toward this end, I first click the button in the Edit Custom Scan List window. Up pops an Add Custom Scan Entry window.



• I find the .wps magic number and its position in the byte stream at this page. The .wps magic number is an 8-byte D0 CF 11 E0 A1 B1 1A E1 hexadecimal pattern (the header of an OLE2 compound-document file, the container format that MS Works shares with pre-2007 Office) and its "offset" is 0 bytes, i.e., it appears at the very beginning of the byte stream. I accordingly type D0CF11E0A1B11AE1 in the Start Bytes field - per the help wizard's Using Puran File Recovery → Custom Scan List page, there should not be any space between the Start Bytes characters; meanwhile, the Start Bytes Hex radio button is checked by default - and set the Offset Bytes field to None.

• The Size Type field is a selection list comprising Direct Size, Size at Offset, and Look for End Bytes options; I leave it at the Direct Size default as the other two options do not apply to .wps files to the best of my knowledge.

• Having selected a Direct Size Size Type, I set the Direct Size field to 10000 KB as the largest pre-CTB-Locker My Documents\ .wps file was a 9,570 KB Dogs Apr 06.wps file. (I'll have more to say about the Direct Size setting after we run our search.)

• The Extension is of course wps; for the Name I use the MSWorks text document Description on the aforecited .wps magic number page.

After clicking the button we are ready to roll.
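The profile mechanism described above, written out as code. This is an added example of mine, not Puran File Recovery's code: a Profile holds the same things the Add Custom Scan Entry window asks for (start bytes, their offset in the file, and one of the three Size Type rules), and carve() walks a raw image looking for each profile's signature, which is also the cluster-by-cluster header search that Recuva's deep scan performs in the Part 6 entry below. The .wps profile uses the start bytes and offset from the bullets above, with its direct size scaled down so the sample fits; the JPEG and BMP profiles are my own illustrations of the Look for End Bytes and Size at Offset modes, using the standard JPEG SOI/EOI markers and the BMP header's size field. The "free space" image is constructed inline.

```python
import struct
from collections import namedtuple

SECTOR = 512

# size_type: "direct"    -> size is the number of bytes to carve
#            "at_offset" -> size is the file offset of a little-endian u32 holding the length
#            "end_bytes" -> size caps the search for end_bytes; the carve ends after them
Profile = namedtuple("Profile", "name ext start_bytes offset size_type size end_bytes")

PROFILES = [
    # The post's .wps profile (its 10000 KB direct size scaled down to 2048 bytes for the sample).
    Profile("MSWorks text document", "wps", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, "direct", 2048, None),
    # JPEG: SOI marker FF D8 FF at offset 0; carve up to and including the EOI marker FF D9.
    Profile("JPEG image", "jpg", b"\xFF\xD8\xFF", 0, "end_bytes", 1 << 20, b"\xFF\xD9"),
    # BMP: "BM" at offset 0; the total file size is stored as u32 LE at offset 2.
    Profile("Windows bitmap", "bmp", b"BM", 0, "at_offset", 2, None),
]


def carve(image, profiles, step=SECTOR):
    """Return [(start, ext, data)] for every profile hit at a step-aligned position.
    step=1 is the byte-by-byte scan the help text describes; step=SECTOR assumes
    files begin on a sector boundary, as they do on a real file system."""
    hits = []
    for pos in range(0, len(image), step):
        for p in profiles:
            magic_at = pos + p.offset
            if image[magic_at:magic_at + len(p.start_bytes)] != p.start_bytes:
                continue
            if p.size_type == "direct":
                length = p.size
            elif p.size_type == "at_offset":
                length = struct.unpack_from("<I", image, pos + p.size)[0]
            elif p.size_type == "end_bytes":
                end = image.find(p.end_bytes, magic_at + len(p.start_bytes), pos + p.size)
                if end < 0:
                    continue  # no terminator within the cap: not a usable hit
                length = end + len(p.end_bytes) - pos
            else:
                raise ValueError("unknown size_type %r" % p.size_type)
            hits.append((pos, p.ext, image[pos:pos + length]))
    return hits


def build_image():
    """Constructed 'free space' image: a 2048-byte CFB-signed blob, a 706-byte
    JPEG-shaped blob and a 300-byte BMP-shaped blob, each starting on a sector
    boundary, separated by zero-filled sectors."""
    def pad(b):
        return b.ljust(-(-len(b) // SECTOR) * SECTOR, b"\x00")
    wps = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"W" * (2048 - 8)
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 700 + b"\xFF\xD9"
    bmp = b"BM" + struct.pack("<I", 300) + b"B" * (300 - 6)
    empty = b"\x00" * SECTOR
    return empty + pad(wps) + pad(jpg) + empty * 2 + pad(bmp)


if __name__ == "__main__":
    for start, ext, data in carve(build_image(), PROFILES):
        print("offset %5d  %-3s  %4d bytes" % (start, ext, len(data)))
```

Running it lists the three hits. Two things the bullets above don't show: a Direct Size profile carves exactly that many bytes from every hit, so a 10000 KB setting turns each .wps remnant into a 10000 KB file padded with whatever followed it on disk; and the step parameter decides between a sector-aligned scan and the byte-by-byte scan the help text describes, which is slower and also fires on signatures embedded inside other files' data.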



Not quite so magic

According to the Using Puran File Recovery → Scan page, a deep/full scan can find .doc files and .xls files and .ppt files (vide supra); however, these file types have the same start-of-stream D0 CF 11 E0 A1 B1 1A E1 signature that .wps files have, because all four are OLE2 compound-document containers. Evidently one or more other criteria come into play when distinguishing .doc/.xls/.ppt files - my guess is that they contain other characteristic byte patterns via which they can be told apart. In any case we are going ahead with the above .wps profile and we'll rerun the deep search with it at the beginning of the following entry.
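What actually separates these files, as an added example that is not from the post or from the tool. All four types are OLE2 compound files (CFB), which is why they share the D0 CF 11 E0 A1 B1 1A E1 header; what differs is the set of named streams inside the container, recorded in a directory that the header's FAT leads to. The script below parses header, FAT and directory, reports the stream names, and maps them to an extension. WordDocument, Workbook/Book and "PowerPoint Document" are the main streams of the respective Office formats; the CONTENTS name I use for Works .wps files is an assumption drawn from the libwps importer, not something the post establishes. The sample files are constructed inline with a single stream each.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # shared by .doc, .xls, .ppt and .wps
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD

# Stream names that identify the producing application. The Office names come from
# the [MS-DOC], [MS-XLS] and [MS-PPT] specifications; CONTENTS is what the libwps
# importer expects in Works 6-9 .wps files (my assumption; the post never names it).
KNOWN_STREAMS = {
    "WordDocument": ".doc",
    "Workbook": ".xls",
    "Book": ".xls",
    "PowerPoint Document": ".ppt",
    "CONTENTS": ".wps",
}


def _u32s(buf):
    return struct.unpack("<%dI" % (len(buf) // 4), buf)


def is_cfb(data):
    return data[:8] == CFB_MAGIC


def cfb_entries(data):
    """Return [(name, entry_type)] for each used directory entry of a CFB file
    (entry_type 1 = storage, 2 = stream, 5 = root entry)."""
    if not is_cfb(data):
        raise ValueError("not a CFB container")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir, _, _, _, _, first_difat = struct.unpack_from("<7I", data, 44)

    def sector(n):  # sector n starts at (n + 1) * sector_size; the header is sector -1
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    # FAT sector numbers: the first 109 live in the header, the rest in DIFAT sectors.
    fat_sectors = [s for s in _u32s(data[76:512]) if s != FREESECT]
    difat = first_difat
    while difat != ENDOFCHAIN and len(fat_sectors) < num_fat:
        chunk = _u32s(sector(difat))
        fat_sectors.extend(s for s in chunk[:-1] if s != FREESECT)
        difat = chunk[-1]
    fat = []
    for s in fat_sectors[:num_fat]:
        fat.extend(_u32s(sector(s)))

    # Follow the directory chain through the FAT; each sector holds 128-byte entries.
    entries, sec, seen = [], first_dir, set()
    while sec != ENDOFCHAIN:
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        block = sector(sec)
        for off in range(0, sector_size, 128):
            name_len, entry_type = struct.unpack_from("<HB", block, off + 64)
            if entry_type == 0 or name_len < 2:
                continue  # unused entry
            entries.append((block[off:off + name_len - 2].decode("utf-16-le"), entry_type))
        sec = fat[sec]
    return entries


def guess_extension(data):
    """Map the container's stream names to an extension; None if none is recognised."""
    names = {name for name, kind in cfb_entries(data) if kind == 2}
    for stream, ext in KNOWN_STREAMS.items():
        if stream in names:
            return ext
    return None


def build_sample(stream_name, payload=b"constructed stream payload"):
    """Constructed test data: a minimal v3 CFB file with one named stream
    (sector 0 = FAT, sector 1 = directory, sector 2 = stream data)."""
    S = 512
    header = bytearray(S)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<IIIIIII", header, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0)
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)             # no DIFAT sectors
    header[76:80] = struct.pack("<I", 0)                            # the FAT is sector 0
    header[80:S] = b"\xFF" * (S - 80)                               # unused DIFAT slots
    fat = bytearray(b"\xFF" * S)
    fat[0:12] = struct.pack("<III", FATSECT, ENDOFCHAIN, ENDOFCHAIN)

    def entry(name, kind, child, start, size):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(enc)] = enc
        struct.pack_into("<HBB", e, 64, len(enc), kind, 1)          # name length, type, colour
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)  # left, right, child
        struct.pack_into("<II", e, 116, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
    directory += entry(stream_name, 2, FREESECT, 2, len(payload)) + bytes(256)
    return bytes(header) + bytes(fat) + directory + payload.ljust(S, b"\x00")


if __name__ == "__main__":
    for name in ("WordDocument", "Workbook", "CONTENTS", "Mystery"):
        print("%-20s -> %s" % (name, guess_extension(build_sample(name))))
```

The point for the scan above: a profile made of signature + offset + size is blind to the directory, so whatever a .wps profile carves out of free space will include .doc/.xls/.ppt remnants as well, and vice versa; a second pass like this one over the carved candidates is what sorts them. cfb_entries() refuses input without the signature and bails out on a directory chain that loops, both of which carved garbage routinely produces.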

Thursday, September 10, 2015

Profiles in PC Poisoning, Part 6

Having introduced the Recuva file recovery program in the previous post, it's time to get down to brass tacks and see what we can rescue therewith.

On the Recuva Documentation's "Recuva FAQ (Frequently Asked Questions)" page, a Fragmentation bullet point notes:
If a file is fragmented, you can recover it from an NTFS-formatted drive, but it may be less likely to be recovered.
I accordingly begin by re-defragmenting the D:\ volume. FYI, I am now able to launch the Disk Defragmenter utility via the Start menu:
Start → Programs → Accessories → System Tools → Disk Defragmenter.
A caution for anyone following along: the FAQ's point is that a file which was fragmented when it was deleted is harder to reassemble, not that defragmenting now will help. Defragmenting moves live files into free space, and every cluster it writes may be one that still held deleted data, so a volume you hope to recover files from is best left untouched (no writes, no defrag, ideally a sector-level image taken first) until the recovery attempts are over.

Regular

Subsequently, a regular scan of the D:\ volume finds 6,221 potentially recoverable files. In the advanced mode,
(a) a *.wps filter returns 0 files,
(b) a *.jpg filter returns 20 files, and
(c) a *.pdf filter returns 0 files.

All of the *.jpg hits are preceded by a circle indicating that their recovery is unlikely.



See the Recuva Documentation's "Undelete and the Recycle Bin in Windows" page for a brief explanation of the Dd#.jpg name format.

Horizontally scrolling the results field brings into view a State column that pronounces the Filename files "Unrecoverable" and a Comment column that provides a
This file is overwritten with "D:\pathname\filename.ext"
message for each file.



According to the Path column, the Filename files are located in the D:\RECYCLER\ directory, more specifically in a D:\RECYCLER\S-1-5-21-527237240-299502267-725345543-1003\ subdirectory (the subdirectory is named after the SID of the user account whose Recycle Bin it holds). A RECYCLER\ directory is normally hidden but can be made visible by checking the

Show hidden files and folders

radio button AND unchecking the

Hide protected operating system files (Recommended)

checkbox in the Advanced settings: menu on the View tab of the My Computer → Tools → Folder Options window.



A visit to the D:\RECYCLER\S...1003\ directory confirms that the Dd#.jpg files are well and truly gone. Why they turn up at all is what the "overwritten" comment is telling us: their file-system records survived the deletion, but the clusters those records point to have since been reused by other files. I nonetheless try to recover a couple of them:

(1) I check the test files' checkboxes on the left-hand side of the results window; checking the checkboxes enables the currently disabled button in the window's southeast corner.

(2-3) I click the button: up pops a Browse For Folder window (see below for a screenshot), via which I place the files in the C:\ volume.

Double-clicking the recovered files' icons does launch the Windows Picture and Fax Viewer, but all I see there is a
No preview available
message instead of a rendered image.

Deep

The wizard-mode Thank you, Recuva is now ready to search for your files window tells us that we should run a "deep scan" if previous scans have failed to find your files. For a deep scan, Recuva look[s] through your drive bit by bit, more specifically, it searches every cluster (block) of the drive to find file headers indicating the start of a file. Let's get a deep scan under way, then, shall we? We can enable a deep scan (toggle from a regular scan to a deep scan) by either
(a) checking the

Enable Deep Scan

checkbox in the wizard-mode Thank you... window or
(b) checking the

Deep Scan (increases scan time)

checkbox on the Actions tab of the advanced-mode Options window.



A deep scan of the D:\ volume (which takes ≈ 20 minutes vis-à-vis ≈ 12 seconds for a regular scan) finds 7,516 potentially recoverable files. In the advanced mode,
(a) a *.wps filter returns 0 files,
(b) a *.jpg filter returns 425 files, and
(c) a *.pdf filter returns 21 files.

The Recuva Documentation's "Deep Scan option" page specifies those file (extension) types that can be identified by a deep scan and .wps isn't one of them, so it's not such a surprise that our search didn't return any .wps files.

Regarding the *.jpg hits, the Dd#.jpg files are still there but now we also have 405 files that are linked to a ?\ directory and whose prospect of recovery is excellent: they're preceded by a circle, the State column pronounces them "Excellent", and their Comment column messages read No overwritten clusters detected. For almost all of the files, clicking a file name displays an image preview on the Preview tab on the right-hand side of the results window.



The files have a [#].jpg name format because, per the aforecited "Deep Scan option" page, a deep scan can only recover files, not [original] file names.

It gets better: I am able to pick out 64 files that contain photos belonging to my father's pre-CTB-Locker collection of My Documents\ .jpg photos. (The Options → View mode → Thumbnails View setting is helpful in this regard.) I check the files' checkboxes and click the button. In the Browse For Folder window I go to the C:\ volume and then click the button, which creates a New Folder\ directory, which I rename Recuva rescued images\.



I click the button and then go to
My Computer → Local Disk (C:) → Recuva rescued images
to see how it all came out: quite gratifyingly, the recovered files are good to go.

So, 64 out of 100 - not quite Meat Loaf's standard but I'll take it. Mitigating circumstances regarding the missing files:
• I don't know what state those files were in to begin with.
• Their .jpg extension notwithstanding, I don't know if they really were .jpg images versus some other image format (e.g., .bmp, .gif) or, for that matter, if they really were 'pure' images versus documents that commingled images and text.
• Some of the original photos were duplicates.
• Finally, I can't rule out that I missed some of the relevant Recuva results.

As for the *.pdf hits, their prospect of recovery is excellent as well; they don't give previews so I recover the entire lot as described above (I put them in a Recuva rescued documents\ directory). They're OK too, and all of them belong to my father's pre-CTB-Locker set of My Documents\ .pdf files.

I am able to recover some of the original .wps files via a different file recovery program and I'll tell you all about it in the following entry.