Partial recovery of information after Petya (ExPetr) / SurprizingFacts

June 27, 2017 was the blackest day for anyone who does not back up to removable media: in roughly half an hour of work, the Petya wiper destroyed what for some was a week's worth and for others 10-12 years' worth of valuable files, databases and other data, forcing them to start over from scratch. However, there is a chance to save at least Outlook archives and photos. Details under the cut.
The virus worked in two stages: first it encrypted files (not all of them, and not completely), then it forced a reboot and, after the reboot, encrypted the hard disk's boot loader (MBR). As a result the hard drive turned into a "pumpkin", so to speak, from which nothing could be pulled out.
If the PC went through only the first stage, then after restoring the MBR you can carry on working on it normally, assess the consequences of the file encryption and look for the files that survived. If the PC went through both stages, things are much worse, and even just pulling files off the disk is considerably harder.

There is practically no information on the RuNet about how to save data from such a hard disk, so I had to work out by experiment the best strategy for finding and recovering whatever could have survived. I tried around ten data-recovery programs, but most of the data was extracted with R-Studio, which is the program the rescue procedure below is built around (everything is done under Windows 7, but I think the Windows version does not matter as long as R-Studio starts).

I'll say right away: you can get almost all of the files back, but they will be encrypted, apart from the ones the virus never touched, usually photos and videos. Some files can be repaired if the developers of the corresponding file format provide a utility for it. The example below shows how to save an Outlook archive file.

So the sequence of actions:

1. Connect the encrypted disk, still unformatted (this is a key requirement: if the disk was formatted or the OS was reinstalled, the chances of recovering anything are close to zero), which went through both stages of encryption and lost its file system, to a PC running Windows (directly to the motherboard via SATA/IDE ports or via a USB adapter, whichever is more convenient). After the PC boots, we get a message saying the newly connected drive needs to be formatted (in my case it is drive G).


Press Cancel. We verify that our disk really is damaged: in Disk Management it shows up with a RAW file system:


2. Run R-Studio (I used version 8.2) and look at the disks it found. Our test 320 GB hard drive was connected via a USB 3.0 docking station and detected as JMicron Tech 023 under the letter "G".


Next, double-click the line for disk "G", as in the picture above, and wait for the scan of the disk to finish.

3. R-Studio opens a window with the scan results (see the figure below):


As a rule, there are very few folders with a meaningful name; everything of real value is in the "Additional files found" section. So we proceed to the next step.

4. Select the "Additional files found" line with the mouse and click the "Find / mark" button on the program's toolbar.

5. In the window that opens, choose to search by file extension, enter pst (the format of Outlook archive files) and click "Yes".



6. The search finds the archive files; there may be many of them, in different folders. So use the path where you kept your archive files as a guide. In the example below, the files found were in the "Outlook Files" folder.


Note that if you look at the tree on the left and go up the folder hierarchy, you can see that this folder sits inside the user's account folder, next to Desktop, Documents and other folders. In the same way you can pull out photos and other files the user kept in those folders.


7. Next, tick the found files with the pst extension, click the "Restore checked" button and choose where to save the recovered files (in my case the Recover folder on drive C). Wait for the copying to finish.


8. The recovered archive file is usually corrupt and not recognised by Outlook. Fortunately, on large files the virus encrypted only the first megabyte and left the rest untouched. So we need to try to repair the archive's structure, and there are several ways to do that:

A) Use the SCANPST utility that ships with the standard MS Office suite. For example, in MS Office 2010 this utility is located in C:\Program Files (x86)\Microsoft Office\Office14 on 64-bit Windows and in C:\Program Files\Microsoft Office\Office14 on the 32-bit version of Windows.

B) Use third-party tools; there are plenty to be found via Google.

I used the first option, and it basically worked on every PC that came to me for recovery.
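Before running SCANPST it helps to know which of the files pulled out in step 7 are worth the effort. The script below is an added example, not code from the original post: it uses the 1 MiB figure from step 8 and sorts each recovered file into intact, header-only encrypted (worth repairing) or fully encrypted, by checking well-known magic bytes and comparing the entropy of the first megabyte against the rest. The magic values, the 7.5 bits/byte threshold and the sample data are my assumptions and constructions.

```python
import os
from collections import Counter
from math import log2
from pathlib import Path

# The post reports that on large files the virus encrypted only the first
# megabyte; PREFIX is that 1 MiB figure. Magic values are assumed, samples constructed.
PREFIX = 1024 * 1024
MAGIC = {".pst": b"!BDN", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, clearly lower for structured data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * log2(c / n) for c in Counter(data).values())

def classify(data: bytes, ext: str, threshold: float = 7.5) -> str:
    """Label one recovered file: intact / header_encrypted / fully_encrypted.
    Caveat: compressed formats (JPEG, ZIP, video) are high-entropy by nature, so
    for them only the magic check is meaningful; the entropy split targets PST."""
    magic = MAGIC.get(ext.lower())
    if magic is not None and data.startswith(magic):
        return "intact"                   # header survived: Outlook may open it
    if shannon_entropy(data[:PREFIX]) < threshold:
        return "intact"                   # first MiB is not ciphertext
    tail = data[PREFIX:]
    if tail and shannon_entropy(tail) < threshold:
        return "header_encrypted"         # only the first MiB lost: try SCANPST
    return "fully_encrypted"              # small file, nothing left to repair

def triage(folder: str) -> dict:
    """Walk a recovery folder (e.g. C:\\Recover) and label every file in it."""
    return {str(p): classify(p.read_bytes(), p.suffix)
            for p in Path(folder).rglob("*") if p.is_file()}

def constructed_samples() -> dict:
    """In-memory stand-ins for recovered PST files (constructed, not real data)."""
    structured = (b"\x00" * 4000 + b"MAIL BODY " * 400) * 300   # padding + text
    return {
        "intact.pst": b"!BDN" + structured,
        "partial.pst": os.urandom(PREFIX) + structured,  # 1 MiB overwritten, rest intact
        "gone.pst": os.urandom(200_000),                 # < 1 MiB: encrypted end to end
    }

if __name__ == "__main__":
    import sys
    for path, label in sorted(triage(sys.argv[1]).items()):
        print(f"{label:17} {path}")
```

Run it against the folder you chose in step 7 (e.g. `python triage.py C:\Recover`); files labelled header_encrypted are the ones SCANPST has a realistic chance of repairing.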

I am also attaching to the post a link to step-by-step instructions for working with the SCANPST utility.

That's all there is to it. Other files are recovered in the same way: just substitute the file extension you need, or scroll manually through all the folders in the "Additional files found" section and pick what you want to recover.
If this strikes some of you as stating the obvious ("Captain Obvious"), please don't be too harsh: not everyone has experience with data recovery and proven tools. If you have further questions, send me a private message or ask here in the comments.
