Stumped experienced Tech...Files Mysteriously Deleted?

service
Greetings all. I love tech challenges but this one has me stumped!

So basically I have a laptop that's running Windows Vista Basic and all my documents, favorites, pictures, etc got deleted mysteriously. My main concern is recovering the files.

Few Google hits yielded that I may have corrupt user profiles so I attempted to restore the user profile and created a new one and the same thing happened with the new user profile that I created! All the files on the desktop started to delete one by one in front of my eyes.

First thought I might have a really nasty virus so I hooked the drive up to an external enclosure and scanned it on another PC with AVG, Malware Bytes, Ad-Aware and not a single virus!

Secondly I tried to use data recovery software R-Studio, Easus Professional and was able to see that the documents were indeed deleted so I recovered them to find that they were all corrupted.

I'm just about all out of options and I'm thinking about throwing the towel in unless someone has any suggestions? I would greatly appreciate it!
  • +
    0 Votes
    seanferd

    The first thing to do would be to not use the drive at all and slave it to another machine, or boot from live media, before poking around. A raw disk image backup would be even better. If you use the OS at all, especially using the internet or installing anything, you are likely to render deleted items unrecoverable.

    So, not knowing how you approached recovery, I might only suggest that you may have corrupted the files which were only deleted before.

    Have you tested the drive itself with the vendor's utility? It could have some bad sectors, or it could be failing. A chkdsk might also tell you if something is wrong with the filesystem.

    Indeed, it is odd that your user files but nothing else were killed. That sounds like a drag and drop accident more than anything else. But as you note, the files disappeared before your eyes, so maybe there is ransomware involved, and you should be scanning for malware with some different tools, best done with the OS offline, or at least in Safe Mode. (But installing anything on the drive itself lowers any chances of file recovery.)

    +
    0 Votes
    service

    Thanks for your reply. The drive tests all checked out in addition to chkdsk so I don't think it's a faulty hard drive causing the problem. All applications are functioning normally.

    Do you have any suggestions on any other programs I can utilize to scan the hard drive for ransomware? The computer with the issue is running Kaspersky and nothing was found in the scan. Also another important note I left out was that the user who first noticed the problem was opening a zip file from a Mac computer and then noticed the file deletion.

    +
    0 Votes
    OH Smeg

    I personally like the Trinity Rescue Kit here

    http://trinityhome.org/Home/index.php?front_id=12&wpid=5

    F Secure

    http://www.f-secure.com/en/web/home_global/support/installers

    I have had great success with these in the past but there are numerous others available.

    Michael Kassner wrote an article on Rescue CD's and how to use them a while ago but I currently can not find it after the site redesign. The only one I can find is this one which was prior I believe.

    http://www.techrepublic.com/blog/security/rescue-cds-tips-for-fighting-malware/3803

    Col

    +
    0 Votes
    Chi-7

    As mentioned above, the first thing is to take the drive off line and via external enclosure or USB to SATA / IDE adapter mount it as read only and make a "bit copy" of the drive, this copy becomes the surgical subject, preserving the original.

    In my world of Linux "Sleuth Kit / Autopsy" would be the tool of choice to examine the slack space which is where files deleted from the file allocation table are assigned, the fear is once anything is written to the drive the slack space has been altered, the more fragmented the drive, the more widespread the possibility of file corruption.

    As previously mentioned could be a drag and drop incident, ransom ware or deleted / corrupted user profile which would destroy the file permission, definitely a 64 oz. coffee and possibly pint of "old #7" project.

    best of luck!

    +
    0 Votes
    bni1369

    Have you checked the permissions on that drive? Sometimes, files will not show up unless you take 'ownership' of that drive. Just a thought.
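
The raw disk image seanferd recommends and the "bit copy" Chi-7 describes, sketched as an added example that is not part of any post in this thread. It assumes a Linux analysis machine with `dd` and `sha256sum`; the function names and paths are hypothetical. The source is copied once, the copy is hashed against the source, and the hash is kept so that any later change to the working image can be detected before recovery tools are run on it.

```shell
#!/bin/sh
# Added example: image a source (block device or file) and record its hash.
# On a real case SRC would be the device node of the drive in the enclosure.

# image_and_verify SRC DST
# Copies SRC to DST bit for bit, confirms the copy matches the source, stores
# the hash in DST.sha256 and marks both files read-only. Prints the hash.
image_and_verify() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Never overwrite an earlier image.
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 2; }
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 3
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum < "$dst" | cut -d' ' -f1)
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "hash mismatch: source $src_hash, image $dst_hash" >&2
        return 4
    fi
    printf '%s\n' "$dst_hash" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    printf '%s\n' "$dst_hash"
}

# verify_image DST
# Re-hashes the image and compares it with the recorded value.
# Run this before each recovery or scanning session on the copy.
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || return 2
    want=$(cat "$img.sha256")
    have=$(sha256sum < "$img" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Stand-alone use: sh image.sh SRC DST
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Recovery and malware scans are then pointed at the image, for example attached as a read-only loop device, while the original drive stays disconnected.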
