You know that we are living in a world where PCs can be infected with malware. The best-known example is WannaCry, which infected many computers in different countries of the world. However, there are many other malware worms which execute on a system and target the computer they are running on.
Usually, malware exploits a vulnerability in the Microsoft Windows operating system, where the NTFS file system is used in most cases. So we would like to give a couple of examples of how Data Extractor can recover an NTFS partition which was the target of a malware attack.
First, a little theory about the NTFS file system structure. Basic details you can read here.
In our case, the MBR, the GPT table, the main NTFS boot sector and several MFT records were erased.
However, most of the NTFS partition and the NTFS boot sector copy escaped unharmed and can be imaged like here:
If you are a detective or a data recovery specialist, then you know that you can use the boot copy to get actual information about the whole partition. The option suited for this case is ‘Quick disk analysis’, which searches for file system structures at the beginning and at the end of the drive and tries to build the whole partition based on the file system structures found.
The results after the ‘Quick disk analysis’ option look like this:
We are now working with the virtual partition in Data Extractor, and we can recover most files of the partition right away. But if you are a detective or a malware researcher, then you may want to investigate the evidence of malware actions with other software.
The main problem in this case is that you can’t open the recovered NTFS partition without Data Extractor (the boot sector is lost). PC-3000 Data Extractor allows you to rebuild the lost file system structures, so that you will be able to investigate the evidence of malware actions with other software.
There are two methods to do that in Data Extractor:
1) Make a snapshot of the found partition. Right-click on the virtual NTFS boot in Explorer and select ‘Make snapshot’:
This method scans all entries of the partition:
And finally creates another virtual partition which is a snapshot of the initial one.
This method has advantages and disadvantages. The main advantage is that you get all available files of this partition. The disadvantages are that you get the list of files that were on the file system, not the file system itself (the snapshot doesn’t include the data of sectors outside the file map), and, maybe the main disadvantage, it can take a lot of time (just imagine that you want to make a snapshot of a RAID array file system several TB in size).
2) The second method is to create a virtual disk for the file system. It’s a similar procedure to virtual machine mounting in Data Extractor. You open the map of the partition:
We get the map of the partition and can verify that the main boot sector is available now (it was recovered from the boot copy):
It’s here!!! Pay attention to the note that the sector was modified. (All modifications are performed on a copy of the data, so you will not lose any evidence of malware actions.)
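To make the idea behind ‘Quick disk analysis’ and the rebuilt boot sector concrete, here is a small added example in Python. It is not code from Data Extractor or ACE Lab; it only uses the well-known NTFS boot sector layout (OEM ID ‘NTFS    ’, BPB fields at the standard offsets, 0x55AA signature) and assumes 512-byte sectors. It builds a constructed disk image in memory in which the MBR, the primary boot sector and one MFT record are zeroed while the backup boot sector at the end of the volume survives, scans the image for boot sectors, derives the partition start from the backup copy (its offset minus total sectors times bytes per sector), reports which MFT records still carry the ‘FILE’ signature, and then writes the backup boot sector into the primary position on a working copy only, leaving the original image untouched, which is the same principle as the ‘sector was modified’ note above.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors throughout


def build_boot_sector(total_sectors, mft_cluster, mft_mirror_cluster=2,
                      sectors_per_cluster=8, serial=0x1234567890ABCDEF):
    """Constructed sample NTFS boot sector (not taken from any real volume)."""
    b = bytearray(SECTOR)
    b[0:3] = b"\xEB\x52\x90"                       # jump instruction
    b[3:11] = b"NTFS    "                           # OEM ID
    struct.pack_into("<HB", b, 0x0B, SECTOR, sectors_per_cluster)
    b[0x15] = 0xF8                                  # media descriptor
    struct.pack_into("<HH", b, 0x18, 63, 255)       # sectors per track, heads
    struct.pack_into("<I", b, 0x24, 0x80008000)
    struct.pack_into("<QQQ", b, 0x28, total_sectors, mft_cluster, mft_mirror_cluster)
    b[0x40] = 0xF6                                  # clusters per MFT record: 2^10 = 1024 bytes
    b[0x44] = 0x01                                  # clusters per index buffer
    struct.pack_into("<Q", b, 0x48, serial)
    b[0x1FE:0x200] = b"\x55\xAA"
    return bytes(b)


def parse_ntfs_boot(sector):
    """Return the BPB fields of an NTFS boot sector, or None if the sector is not one."""
    if len(sector) < SECTOR or sector[3:11] != b"NTFS    " or sector[0x1FE:0x200] != b"\x55\xAA":
        return None
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sector, 0x28)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]  # signed: negative means 2^(-n) bytes
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or total == 0:
        return None  # reject random data that merely happens to carry the strings
    record_size = 2 ** (-cpr) if cpr < 0 else cpr * spc * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "total_sectors": total,
            "mft_cluster": mft, "mft_mirror_cluster": mftmirr, "mft_record_size": record_size}


def find_boot_sectors(image, sector_size=SECTOR):
    """Scan every sector of the image; return {offset: bpb} for each NTFS boot sector found."""
    hits = {}
    for off in range(0, len(image) - sector_size + 1, sector_size):
        bpb = parse_ntfs_boot(image[off:off + sector_size])
        if bpb:
            hits[off] = bpb
    return hits


def mft_record_status(image, start, bpb, count):
    """One bool per MFT record: does it still begin with the 'FILE' signature?"""
    cluster = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
    base = start + bpb["mft_cluster"] * cluster
    size = bpb["mft_record_size"]
    return [image[base + i * size: base + i * size + 4] == b"FILE" for i in range(count)]


def reconstruct_partitions(image):
    """Rebuild partition start offsets from primary and/or backup boot sectors."""
    hits = find_boot_sectors(image)
    parts = []
    for off, bpb in sorted(hits.items()):
        length = bpb["total_sectors"] * bpb["bytes_per_sector"]  # backup sits at start + length
        if off >= length and hits.get(off - length) == bpb:
            continue  # this is the backup of a primary handled one iteration earlier
        if hits.get(off + length) == bpb:
            parts.append({"start": off, "primary": True, "backup": True, "bpb": bpb})
            continue
        # Lone hit: a primary whose copy is gone, or a copy whose primary is gone.
        # Accept the copy hypothesis when an MFT record shows up at the implied start.
        if off >= length and any(mft_record_status(image, off - length, bpb, 4)):
            parts.append({"start": off - length, "primary": False, "backup": True, "bpb": bpb})
        else:
            parts.append({"start": off, "primary": True, "backup": False, "bpb": bpb})
    return parts


def restore_primary_boot(image, part):
    """Return a working copy with the primary boot sector rebuilt from the backup copy.
    The evidence image passed in is never modified."""
    work = bytearray(image)
    length = part["bpb"]["total_sectors"] * part["bpb"]["bytes_per_sector"]
    start, backup = part["start"], part["start"] + length
    work[start:start + SECTOR] = image[backup:backup + SECTOR]
    return bytes(work)


def build_sample_image():
    """Constructed image: MBR, primary boot sector and MFT record 2 zeroed, backup boot intact."""
    part_start, total = 64 * SECTOR, 1023            # partition at sector 64, 1023 sectors + backup
    boot = build_boot_sector(total_sectors=total, mft_cluster=4)
    img = bytearray((64 + total + 1 + 16) * SECTOR)  # some slack after the backup sector
    mft = part_start + 4 * (SECTOR * 8)              # MFT at cluster 4, 4 KiB clusters
    for i in range(4):                               # four 1 KiB MFT records
        img[mft + i * 1024: mft + i * 1024 + 4] = b"FILE"
    img[mft + 2 * 1024: mft + 3 * 1024] = bytes(1024)  # record 2 wiped by the "malware"
    img[part_start + total * SECTOR: part_start + (total + 1) * SECTOR] = boot  # backup copy
    # sector 0 (MBR) and sector 64 (primary boot) stay zero: erased
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for p in reconstruct_partitions(img):
        print("partition at sector", p["start"] // SECTOR, "primary:", p["primary"], "backup:", p["backup"])
        print("MFT records intact:", mft_record_status(img, p["start"], p["bpb"], 4))
        fixed = restore_primary_boot(img, p)
        print("primary boot rebuilt:", parse_ntfs_boot(fixed[p["start"]:p["start"] + SECTOR]) == p["bpb"])
```

A real tool has to be stricter than this (cluster sizes above 64 KiB are encoded differently, and a lone boot sector is ambiguous until the MFT confirms the partition start), but the shape of the recovery is the same: find the copy at the end, compute the start, verify against the MFT, and only ever patch a copy of the image.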
The next step is to mount the map of the partition as a virtual disk:
And we get a solid disk.
We can now mount it in the operating system or extract it to another drive for further investigation.