Switch to full style
Anything related to computer forensics (new section!)
Post a reply

Recover zero sized files (malware)

September 24th, 2016, 11:34


I'm trying to determine if any software products will allow me to recover thousands of files. Some malware somehow corrupted the files by keeping the filenames the same, but they show as zero bytes in size. If they were simply deleted, I could undelete them, but they do exist, so it doesn't seem like I can do that. I'm not sure what was done to the raw data on disk or which clusters were changed to make the file appear as zero bytes. The damaged happened over an 18 minute period, but due to the number of affected files, I don't think it overwrote all the raw data, because I don't think it would have had time.

Does anyone have any ideas on where I should start and how I might determine if the file contents can still be found on the disk?

I've run the disks through various programs and can look at the hex of the files, but I'm not sure how to file the file chains, etc. Many of the files are images and videos, but some are text files that I know the contents of (since they are standard configuration files) that I could use to verify if the data is still there.

If this is the wrong forum, please direct me to the correct one.


Re: Recover zero sized files (malware)

December 7th, 2017, 8:35

It's strange that you did not get any help. I hope that you've successfully solved this problem since then !
Otherwise, this topic covered a similar case :
Apparently, running CHKDSK solved the problem in that particular case, but it should be used with great caution, as it's been said and repeated in that topic. Doing a full clone before proceeding is a wise safety measure.
I didn't quite understand what you meant when you wrote that you could “look at the hex of the files” using “various programs” (which ones ?), yet could not actually recover the files.

Re: Recover zero sized files (malware)

December 16th, 2017, 18:27

In windows, try shadow copies

Re: Recover zero sized files (malware)

December 25th, 2017, 11:43

abolibibelot wrote:(...)Apparently, running CHKDSK solved the problem(...)

Start by cloning/imaging the afected drive. Never run CHKDSK on it.

Move the clone to a system that is known as clean / not infected. Make sure that you don't have any malware on the main system and that you can clean the clone as well. You don't want to get infected by some OS Bug / exploit that the malware might be using. Make sure the host is updated to the latest version of your OS and protected.

Now attempt logic recovery on the clone using stuff like R-Studio, Get Data Back, etc.

Also check the 0 size files with hex editor. Make sure the files don't have any content at all.

Maybe the malware did backup the files somewhere first ? Maybe only the file allocation table are affected ?

And of course if data is important send the drive to a specialist....
Post a reply