Ok, so I have a situation where one of our computers was infected with a ransomware virus and it encrypted all the files.... No problems with the data, we had shadow copies set up and so I ran a restore from there. BUT here is the problem. I now have 2 copies of each file. One encrypted and the other is the good copy. Now, I know for sure that not all the files have been restored and I don't want to delete every encrypted file because it's best we leave that copy so at the very least we know what's missing if the shadow copy didn't restore a valid version of the file. So I'm left with trying to do a search for every file with its encrypted counterpart so that I can delete the encrypted file, but ONLY if the non-encrypted file is present within the same folder. An example of a couple of files would look like this:
C:\somefolder\somefile.txt (non-encrypted file)
c:\somefolder\somefile.txt.id-000000.some@address.com.xtbl (encrypted file)
C:\somefilder\someotherfile.txt.id-000000.some@address.com.xtbl (encrypted file but no non-encrypted counterpart)
I need a search that will search and show me at first, the encrypted with the non-encrypted matching results and then one with just the encrypted files so I can run a delete.
Thanks in advance for your help, much appreciated.
Damian.
Search term help
Re: Search term help
Are the file sizes of encrypted/non-encrypted the same?
So is the size of somefile.txt = somefile.text.id.*?
Re: Search term help
No, unfortunately not. The file sizes changed, so did the dates.
Here's what we do have in common to isolate.
1. The beginning of the encrypted and non-encrypted files are identical. It's not a constant type or number of characters so it's still a variable, but only on an individual basis.
2. The ending of the encrypted files is always the same.
3. The path of each file is the same for this particular search. We only want files that match residing within the same folder.
In my own broken English the search term I'm looking for would look something like this:
duplicates: %path%\%filename.base%.%filename.ext% EQUALS %path%\%filename.base%.%filename.ext%.id-000000.some@address.com.xtbl
Last edited by damian.lavalle on Wed Nov 02, 2016 12:47 am, edited 1 time in total.
Re: Search term help
Another approach I was looking at was using concatenation. Since all the infected files end with ".id-000000.some@address.com.xtbl" then we can just say to cut the file names by 32 characters first and then compare for duplicates.
I could probably use Everything to just give me a whole list and then use Excel to do the cuts, compares and sorting, but I was hoping this software had that kind of flexibility.
I'm going to take a wild guess and say that the reason this search isn't so common or popular is that there is a universal rule or assumption that two files in the same place cannot have the same name. But I'm just guessing.
Re: Search term help
This seems to produce some results, but it's still including files that don't have a non encrypted match.
dupe: path: regex:^.*.id-000000
Damn, I really thought I was going to get schooled on this one. It seems like a simple question and I come across this all the time.
Re: Search term help
How about exporting all .id-000000.some@address.com.xtbl files to a text file, removing the .id-000000.some@address.com.xtbl part and then searching for a list of files?
Please try searching in Everything for:
.id-000000.some@address.com.xtbl
From the file menu, click Export.
Change save as type to txt
Choose a filename and hit OK.
Open the txt file with notepad.
Replace .id-000000.some@address.com.xtbl with an empty string (thus removing .id-000000.some@address.com.xtbl)
Save changes and return to Everything.
From the Search menu, click Advanced search.
Scroll right to the bottom and click Browse for Search for a list of filenames.
Select your text file and click OK.
Click OK.
You should now have a list of all the files you are after.
Note: if you have 1000s of files, the filelist / search edit box may appear empty, when it is not.
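Added example, not part of any post in this thread: a Python 3 sketch that performs the same match as the export / strip-suffix / search-list steps above, but per folder, and splits the encrypted files into those with a restored counterpart and those without. The function names, the constructed sample tree and the "counterpart must be non-empty" check are assumptions of this example; it only reports paths and deletes nothing.

```python
import os
import tempfile

SUFFIX = ".id-000000.some@address.com.xtbl"  # from the thread's example names


def classify(root, suffix=SUFFIX):
    """Return (paired, orphaned) lists of encrypted file paths under root.

    paired:   the same name minus the suffix exists in the same folder and
              is non-empty, so the encrypted copy is a deletion candidate.
    orphaned: no usable counterpart; keep it as a record of what is missing.
    """
    paired, orphaned = [], []
    suffix = suffix.lower()
    for folder, _dirs, files in os.walk(root):
        # Windows compares file names case-insensitively, so index by lowercase.
        present = {name.lower(): name for name in files}
        for name in files:
            if not name.lower().endswith(suffix) or len(name) == len(suffix):
                continue
            restored = present.get(name[: -len(suffix)].lower())
            enc_path = os.path.join(folder, name)
            if restored and os.path.getsize(os.path.join(folder, restored)) > 0:
                paired.append(enc_path)
            else:
                orphaned.append(enc_path)
    return sorted(paired), sorted(orphaned)


def build_sample(root):
    """Constructed sample tree mirroring the example paths in the thread."""
    layout = {
        "somefolder/somefile.txt": b"restored contents",
        "somefolder/somefile.txt" + SUFFIX: b"\x00ciphertext",
        "somefilder/someotherfile.txt" + SUFFIX: b"\x00ciphertext",
        "somefolder/empty.doc": b"",  # zero-byte restore: not a valid copy
        "somefolder/empty.doc" + SUFFIX: b"\x00ciphertext",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        paired, orphaned = classify(tmp)
        print("deletion candidates:", *paired, sep="\n  ")
        print("keep (nothing restored):", *orphaned, sep="\n  ")
```

Calling `classify` on the real root folder gives the two lists the original question asks for; review the first list before deleting anything from it.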
Re: Search term help
Do the file pairs need to be in the same directory?
As in if you recover the file to a different directory tree?
Or move the encrypted files into an ENCRYPTED directory?
Either flat or retaining the directory structure as the case may dictate.
From there, rename the encrypted files, in mass, by simply truncating the " .id-000000.some@address.com.xtbl" part (Everything Rename, or a file renamer).
Then Everything (dupe:) or a duplicate file finder (Alldup or Duplicate Cleaner), should easily find same named files (in "mass", Everything, or limited to particular directory trees, a DFF) ...