Hope this question is not beside the topic.
I've encountered different ransomware on different occasions for my clients. Sometimes able to get files back using Shadow Explorer, sometimes by paying :-( and on 2 separate accounts using rescue programs to restore the deleted original files (at least some) - and at last of course let it all go ....
With a client computer last week I tried something new, to restore the shadow volume copies from "System Volume Information" - using GetDataBack - for those who know the program, it also tells about the state of the file (damaged/partly damaged/fine). I found 4-5 points, 2 of which were "fine" - saved for the time being on USB-HD. Tried to copy one large one, predating the infection, back to SVI and run Shadow Explorer (and System Restore) without finding it. Does anyone know if it is at all possible to open/extract anything from such a file outside its normal environment?
There were also other files residing in SVI, maybe one or more of these files are necessary - log files/db files - for System Restore to be able to "spot" the shadow copy.
Would be glad if any takers could point me in the right direction.
Edited by peernilsen, 14 May 2016 - 12:51 PM.