Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts
January 23rd, 2021, 4:26
I have got large no. files from one of my customer. All data is present in his laptop and is showing right size / extensions as well.
It does not seems to be infected by ransomware as there is no note and extension is unchanged.
How to low level analyse these files ? Client was unable to give any details how suddenly files got corrupted.
Here are few sample files
https://drive.google.com/file/d/1EDZxsZ ... sp=sharing
January 24th, 2021, 16:15
What do you mean by low level analyze a file? The JPEG is only JPEG in name, nothing inside the file is 'jpegish'. No JPEG meta data and entropy is lower than what you expect for actual JPEG data. Indeed it does not look like ransomware either.
Situations in which I have seen this it mainly involves FAT based file system where to a degree directory structure is intact but file allocation table is not. If this is his primary drive I expect file system isn't a flavor of FAT, NTFS is more likely.
You need the drive rather than individual files and see if you can figure out a problem with file system. In a worst case you may still be able to carve files.
January 25th, 2021, 1:52
Thanks Arch Stanton
I will ask customer to give original crashed media for thorough analysis.
As you said this could be severe file system corruption. In this case file system was NTFS.
Powered by phpBB © phpBB Group.