Thursday, September 24, 2015

Profiles in PC Poisoning, Part 7

Recuva is the first entry in Tim Fisher's "19 Free Data Recovery Software Tools" survey. The second entry is a program called Puran File Recovery, for which Tim points out:
One particular thing to note - Puran File Recovery identified more files on my test machine than most other tools so be sure to give this one a shot in addition to Recuva if it didn't find what you were looking for.
I was p-r-e-t-t-y c-l-o-s-e to throwing in the towel with respect to recovering the CTB-Locker-encrypted My Documents\ .wps files on my father's computer but decided as a last-ditch effort of sorts to see if Puran File Recovery could help me out. So I go to this download page and download the PuranFileRecoverySetup.exe installer executable and then run the installer to install Puran File Recovery.

Help

When launched, Puran File Recovery first displays a Select a Language window.



As the window menu's English default option is what I want, I click the button. Puran File Recovery next displays two windows:
(1) a raised Things you should know... window



provides a summary of the program's capabilities and
(2) an underlying Puran File Recovery - For Home Users only window



serves as a work area.

The latter window's title bar features a button (to the left of the Minimize button) that, when clicked, launches a help wizard with relevant screenshots for the program.



The wizard may be viewed separately at C:\Program Files\Puran File Recovery\Help\File_Recovery.chm: its material is not on the Web as far as I am aware.

Quick

Upon scrolling to its bottom the Things you should know... window recommends:
In all you should try Quick Scan first; if the deleted file is not found, you should go with Deep Scan + Find Lost Files + Scan Custom List and if still not found, go for Full Scan as well.
So let's start with a quick scan, which simply scans the file system. Accordingly, I select the Recovery (D:) drive and click the button in the work area window. My quick scan takes about 10 seconds and returns 6,222 files. To the right of the button is a Search... text input-menu in which I can type *.wps so as to (after hitting the Enter key) filter the results for .wps files: nothing comes up when I do so.

Deep 1

According to the Using Puran File Recovery → Scan page of the help wizard:
Deep Scan    When you are not able to recover your files with Quick Scan, you should try Deep Scan. This option performs a Quick Scan plus scans the entire free space of the selected drive byte by byte and tries to find files of the following formats -

JPG BMP PNG GIF MP3 WAV OGG WMA WMV DOC XLS PPT DOCX XLSX PPTX PDF ZIP RAR MP4 AVI CAB RTF NEF CR2 DNG PST OST MPG ODT ODS ODP ODB ODG ODF
Hmmm, I don't see WPS up there, do you? But let's try a deep scan anyway. I reselect the Recovery (D:) drive, clear the Search... field, and check the Deep Scan checkbox in the work area window. Checking the Deep Scan checkbox
(a) enables but does not check the Full Scan checkbox,
(b) enables and checks the Find lost files checkbox, and
(c) enables and checks the Scan Custom List checkbox.



As regards the Find lost files action, the Using Puran File Recovery → Scan page says:
In addition, if the Find Lost Files option is selected, Deep Scan also detects the file records that were lost. This ensures that wherever possible you get the file name and in many cases the file path too. Also, since files are listed as per the information in the record, recovery is mostly more accurate.
This certainly seems like something we want, doesn't it? As regards the Scan Custom List action, I'll have lots more to say about it in the next section. I go ahead and click the button. My deep scan takes about 20 minutes and returns 8,097 files. A *.wps filter again returns nothing. However, there's no need to resort to a full scan just yet...

Customize it

Puran File Recovery has an all-important feature that Recuva does not have: it enables the user to extend the range of the file types it searches for.

As noted above, a deep scan searches for a core set of file types; if the Scan Custom List checkbox is checked, then the core set is augmented with a second, custom set of file types that are detailed in an Edit Custom Scan List window



that is displayed when the work area window's button is clicked. You may add more file types to the custom set if you so choose.

As you would intuit from the preceding screenshot, a deep/full scan searches for file types via profiles maintained by the program for those file types: at a minimum each profile contains a file signature (a.k.a. a file magic number) and the position of the signature in the file byte stream; a profile may also contain an indication of file size and/or a characteristic end-byte pattern.

We can search for .wps files by adding a corresponding .wps profile to the custom set database. Toward this end, I first click the button in the Edit Custom Scan List window. Up pops an Add Custom Scan Entry window.



• I find the .wps magic number and its position in the byte stream at this page. The .wps magic number is an 8-byte D0 CF 11 E0 A1 B1 1A E1 hexadecimal pattern and its "offset" is 0 bytes, i.e., it appears at the very beginning of the byte stream. I accordingly type D0CF11E0A1B11AE1 in the Start Bytes field - per the help wizard's Using Puran File Recovery → Custom Scan List page, there should not be any space between the Start Bytes characters; meanwhile, the Start Bytes Hex radio button is checked by default - and set the Offset Bytes field to None.

• The Size Type field is a selection list comprising Direct Size, Size at Offset, and Look for End Bytes options; I leave it at the Direct Size default as the other two options do not apply to .wps files to the best of my knowledge.

• Having selected a Direct Size Size Type, I set the Direct Size field to 10000 KB as the largest pre-CTB-Locker My Documents\ .wps file was a 9,570 KB Dogs Apr 06.wps file. (I'll have more to say about the Direct Size setting after we run our search.)

• The Extension is of course wps; for the Name I use the MSWorks text document Description on the aforecited .wps magic number page.

After clicking the button we are ready to roll.
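To make the profile model concrete, here is a small Python carver, added as an illustration for this entry (it is not Puran's code and does not reproduce the program's internals). It scans a constructed free-space image byte by byte, as the Deep Scan description above says the program does, and applies profiles shaped like the Add Custom Scan Entry fields: start bytes, offset, and either a direct size or an end-byte pattern. The .wps profile mirrors the entry just built; the JPEG and MP4 profiles, the 512-byte cluster-alignment rule, and the planted sample data are my own additions, and the direct size is scaled down from 10000 KB so the sample stays small.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CarveProfile:
    """One custom-scan entry, modelled on the Add Custom Scan Entry fields."""
    name: str
    extension: str
    start_bytes: bytes                  # the magic number
    offset: int = 0                     # position of the magic in the file ("None" = 0)
    direct_size: Optional[int] = None   # "Direct Size": carve a fixed number of bytes
    end_bytes: Optional[bytes] = None   # "Look for End Bytes": carve up to this trailer

def carve(image: bytes, profiles: List[CarveProfile], align: int = 512) -> List[Tuple[str, int, bytes]]:
    """Return (extension, start_offset, data) for every profile hit in a raw image.
    A hit is accepted only when the implied file start lies on an `align`
    boundary, because files on FAT/NTFS volumes begin on a cluster boundary
    (an assumption of this example, chosen to suppress mid-file false positives)."""
    hits = []
    for prof in profiles:
        pos = image.find(prof.start_bytes)
        while pos >= 0:
            start = pos - prof.offset
            if start >= 0 and start % align == 0:
                if prof.end_bytes is not None:
                    tail = image.find(prof.end_bytes, pos + len(prof.start_bytes))
                    stop = tail + len(prof.end_bytes) if tail >= 0 else None
                elif prof.direct_size is not None:
                    stop = start + prof.direct_size   # fixed slice; may include trailing slack
                else:
                    stop = None                       # profile has no size rule: skip
                if stop is not None:
                    hits.append((prof.extension, start, image[start:stop]))
            pos = image.find(prof.start_bytes, pos + 1)
    return hits

def filter_hits(hits, extension):
    """The equivalent of typing *.wps in the Search... box."""
    return [h for h in hits if h[0] == extension]

# Constructed profiles: the .wps one mirrors the entry built in the text
# (magic D0CF11E0A1B11AE1 at offset 0, Direct Size); JPEG shows "Look for
# End Bytes" and MP4 shows a magic that sits at a non-zero offset.
PROFILES = [
    CarveProfile("MSWorks text document", "wps", bytes.fromhex("D0CF11E0A1B11AE1"), 0, direct_size=1024),
    CarveProfile("JPEG image", "jpg", bytes.fromhex("FFD8FF"), 0, end_bytes=bytes.fromhex("FFD9")),
    CarveProfile("MP4 video", "mp4", b"ftyp", offset=4, direct_size=512),
]

def build_sample_image() -> bytes:
    """Constructed free-space image: 12 sectors of 512 bytes with three planted files
    and one unaligned decoy signature that a cluster-aligned carver should ignore."""
    img = bytearray(b"\x00" * 512 * 12)
    img[1024:1024 + 8] = bytes.fromhex("D0CF11E0A1B11AE1")      # sector 2: OLE2 container
    img[1032:1032 + 20] = b"constructed wps body"
    jpeg = bytes.fromhex("FFD8FFE0") + b"constructed jpeg body" + bytes.fromhex("FFD9")
    img[2560:2560 + len(jpeg)] = jpeg                            # sector 5: JPEG with trailer
    img[4096:4096 + 12] = b"\x00\x00\x00\x18ftypisom"            # sector 8: magic at offset 4
    img[3000:3000 + 8] = bytes.fromhex("D0CF11E0A1B11AE1")       # mid-sector decoy: not aligned
    return bytes(img)

if __name__ == "__main__":
    found = carve(build_sample_image(), PROFILES)
    for ext, start, data in found:
        print(f"{ext:>3} @ sector {start // 512:2d}: {len(data)} bytes")
```

Running it reports one hit per planted file and none for the decoy. Note what the Direct Size rule does to the .wps hit: the carved slice is exactly 1024 bytes regardless of the real document length, which is why a direct size is an upper bound rather than a measurement.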



Not quite so magic

According to the Using Puran File Recovery → Scan page, a deep/full scan can find .doc files and .xls files and .ppt files (vide supra); however, these file types have the same start-of-stream D0 CF 11 E0 A1 B1 1A E1 signature that .wps files have. Evidently one or more other criteria come into play when distinguishing .doc/.xls/.ppt files - my guess is that they contain other characteristic byte patterns via which they can be told apart - in any case we are going ahead with the above .wps profile and we'll rerun the deep search therewith at the beginning of the following entry.
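The guess above can be checked directly: .doc, .xls, .ppt and .wps are all OLE2 compound files, so the shared start-of-stream signature only identifies the container, and the producer shows up in the names of the streams listed in the container's directory. The following Python, added here as an example (it is neither Puran's code nor taken from the page), builds a minimal compound file holding one named stream and then parses the header, FAT and directory to read the stream names back and map them to an extension. The Word, Excel and PowerPoint stream names come from Microsoft's published format specifications; treating a CONTENTS stream as the Works .wps marker is my assumption. The parser reads only the FAT sectors listed in the header's DIFAT, i.e. small files, which is enough to show the idea.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF

# Stream names that reveal the producer. Word/Excel/PowerPoint names are from
# Microsoft's format specs; "CONTENTS" for Works .wps is an assumption.
STREAM_HINTS = {
    "WordDocument": "doc",
    "Workbook": "xls",
    "Book": "xls",
    "PowerPoint Document": "ppt",
    "CONTENTS": "wps",
}

def build_cfb(stream_name: str, payload: bytes = b"constructed payload") -> bytes:
    """Construct a minimal compound file (512-byte sectors):
    sector 0 = FAT, sector 1 = directory, sector 2 = the single stream's data."""
    hdr = bytearray(512)
    hdr[0:8] = MAGIC
    # minor ver, major ver 3, byte order, sector shift 9 (512), mini shift 6
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 0x0003, 0xFFFE, 0x0009, 0x0006)
    struct.pack_into("<III", hdr, 0x2C, 1, 1, 0)        # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<I", hdr, 0x4C, 0)                # DIFAT[0]: the FAT lives in sector 0
    for i in range(1, 109):
        struct.pack_into("<I", hdr, 0x4C + 4 * i, FREESECT)
    fat = bytearray(b"\xff" * 512)                      # every entry FREESECT by default
    struct.pack_into("<III", fat, 0, FATSECT, ENDOFCHAIN, ENDOFCHAIN)
    directory = bytearray(512)
    entries = [("Root Entry", 5, ENDOFCHAIN, 0), (stream_name, 2, 2, len(payload))]
    for idx, (name, kind, start, size) in enumerate(entries):
        e = bytearray(128)
        encoded = name.encode("utf-16-le")
        e[0:len(encoded)] = encoded
        struct.pack_into("<HBB", e, 64, len(encoded) + 2, kind, 1)   # name len, type, colour
        struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, 1 if kind == 5 else 0xFFFFFFFF)
        struct.pack_into("<IQ", e, 116, start, size)                 # start sector, size
        directory[idx * 128:(idx + 1) * 128] = e
    return bytes(hdr + fat + directory + payload.ljust(512, b"\x00"))

def list_streams(blob: bytes) -> list:
    """Walk the directory chain of a compound file and return its entry names."""
    if blob[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    first_dir = struct.unpack_from("<I", blob, 0x30)[0]
    def sector(n):                                      # sector n follows the 512-byte header
        return blob[(n + 1) * sector_size:(n + 2) * sector_size]
    fat = []                                            # FAT sectors named in the header DIFAT only
    for i in range(109):
        loc = struct.unpack_from("<I", blob, 0x4C + 4 * i)[0]
        if loc == FREESECT:
            break
        fat.extend(struct.unpack(f"<{sector_size // 4}I", sector(loc)))
    names, cur = [], first_dir
    while cur != ENDOFCHAIN and cur < len(fat):
        sec = sector(cur)
        for off in range(0, sector_size, 128):
            nlen, kind = struct.unpack_from("<HB", sec, off + 64)
            if kind in (1, 2, 5) and nlen >= 2:         # storage, stream or root
                names.append(sec[off:off + nlen - 2].decode("utf-16-le"))
        cur = fat[cur]
    return names

def classify(blob: bytes) -> str:
    """Map an OLE2 container to an extension by its stream names, else 'ole2'."""
    for name in list_streams(blob):
        if name in STREAM_HINTS:
            return STREAM_HINTS[name]
    return "ole2"

if __name__ == "__main__":
    for stream in ("WordDocument", "Workbook", "PowerPoint Document", "CONTENTS"):
        print(stream, "->", classify(build_cfb(stream)))
```

The practical consequence for the custom profile is that a signature-only .wps entry will also match every .doc/.xls/.ppt carved from free space; naming the carved files correctly needs a second pass like the one above, which a carver can apply after it has the bytes in hand.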
