Hi there,
I've been trying to recover a family member's files after they fell victim to the new .locky ransomware. After managing to recover some files using Recuva, I went looking for some further reading on the subject.
I came across the page linked below and on it a commenter said:
"Windows 7 has shadow files. Too bad those files are corrupt because of the LOCKY virus ... but ... we were able to recover those files with RECUVA, restore them and start SHADOWEXPLORER and go back 6 days to recover a shadow copy from the lost data folder. In the end we recovered about 99% of lost files!"
Someone replied with:
"That's great news. So to be clear, you used Recuva to restore an old SVC and then used that to restore the files?"
It was this that had me interested and confused... Anyone know what the SVC is?
This was, of course, on a page pertaining to networks, so it could be something to do with that and therefore have no relevance to home users.
Thanks in advance.
Possibly Shadow Volume Copy (AKA Restore Point). Not really sure. But the way they are talking, files can be restored individually by "mounting" a restore point and picking through it with Explorer. A program I have used to explore a Restore Point (Shadow Copy) is System Restore Explorer. Download System Restore Explorer - MajorGeeks
Thanks for the reply!
Yeah, it's what I thought; it seems not to directly correspond to anything. I'm currently searching the System Volume Information folder using the \\localhost\C$ address, having used the 'take ownership' reg edit to grant access to the folder.
I'm finishing an initial Recuva deep scan for the files not overwritten. I then plan to use Recuva to try and recover the System Volume Information folder, as I suspect that .locky has corrupted it as well. I suspect this because (as you mentioned) Shadow Explorer is showing 'shadows' all dated the same. I did, however, manage to find dated shadows using 'Z-VSScopy'.
Unfortunately these files are still locked. I am unsure when Locky got into the PC.
I will restore to a previous point after using Recuva on the System Volume Information folder and try again.
Thanks again
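The "mount a shadow copy and browse it with Explorer" approach from the reply above, and the check for shadow copies with distinct creation dates that the follow-up post is struggling with, can both be done from an elevated PowerShell prompt without a third-party tool. The script below is an added example written for this thread, not code from any poster or from ShadowExplorer, System Restore Explorer or Z-VSScopy. It uses the real Win32_ShadowCopy and Win32_Volume WMI classes and the standard mklink trick of pointing a directory symlink at the shadow copy's device object; the mount path C:\ShadowMount, the user folder and the destination drive in the usage lines are assumptions, and the robocopy line is only an illustration of copying to a different disk.

```powershell
# Added example (not from the thread): list Volume Shadow Copies with their
# creation times, expose one as a browsable folder, and copy files out of it.
# Requires an elevated PowerShell session. Paths marked "assumption" are mine.

function Get-ShadowCopyList {
    # Win32_ShadowCopy carries the shadow copy ID, the device object used to
    # mount it, and InstallDate (the creation time). Resolve the volume GUID
    # back to a drive letter via Win32_Volume so the list is readable.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        ForEach-Object {
            $vol = $volumes | Where-Object { $_.DeviceID -eq $_.VolumeName }
            $vol = $volumes | Where-Object DeviceID -eq $_.VolumeName
            [pscustomobject]@{
                ID           = $_.ID
                Created      = $_.InstallDate        # distinct dates => usable history
                Drive        = $vol.DriveLetter
                DeviceObject = $_.DeviceObject        # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $MountPath = 'C:\ShadowMount'       # assumption: any unused path works
    )
    if (Test-Path -LiteralPath $MountPath) {
        throw "$MountPath already exists; remove it (rmdir) before mounting"
    }
    # mklink needs the device path to end in a backslash or the link is unusable.
    $target = $DeviceObject.TrimEnd('\') + '\'
    cmd.exe /c mklink /d "$MountPath" "$target" | Out-Null
    if (-not (Test-Path -LiteralPath $MountPath)) {
        throw "mklink failed for $target (is the session elevated?)"
    }
    return $MountPath
}

function Dismount-ShadowCopy {
    param([string] $MountPath = 'C:\ShadowMount')
    # rmdir removes only the symlink; del /s inside a symlinked shadow copy
    # would not touch the snapshot either, but rmdir is the clean way out.
    cmd.exe /c rmdir "$MountPath" | Out-Null
}

# --- usage ---------------------------------------------------------------
# 1. Check whether any shadow copies with different creation dates survive.
Get-ShadowCopyList | Format-Table -AutoSize

# 2. Pick the oldest one on the system drive (assumption: the encryption is
#    more recent than that snapshot; compare Created against when files broke).
$oldest = Get-ShadowCopyList | Where-Object Drive -eq 'C:' | Select-Object -First 1
if ($null -eq $oldest) { throw 'No shadow copies found on C:' }
$mount = Mount-ShadowCopy -DeviceObject $oldest.DeviceObject

# 3. Browse $mount in Explorer, or copy a folder out to ANOTHER disk so that
#    sectors Recuva may still carve on the original disk are not overwritten.
#    (user folder and destination drive are assumptions)
robocopy "$mount\Users\Alice\Documents" 'E:\recovered\Documents' /E /COPY:DAT /R:0 /W:0

# 4. Remove the symlink when done.
Dismount-ShadowCopy -MountPath $mount
```

Two practical notes: if `Get-ShadowCopyList` returns nothing, or every entry shares one recent `Created` value, the snapshots from before the infection are gone and a file-carving tool such as Recuva is the remaining option, which is the situation the follow-up post describes; and a symlink to a shadow copy is read-only, so nothing you do inside the mount can damage the snapshot, but writing recovered files back onto the same disk can overwrite data that carving would otherwise still find.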