CRYPTOWALL 3.0
#71
(09-06-2016, 02:29 PM)GuiltySpark Wrote:  I didn't suggest a site.

I was about to say that. Lolz!

#72
(09-06-2016, 02:29 PM)GuiltySpark Wrote:  I didn't suggest a site.
My apologies.
I thought "Digital Forensics tool" was a tool to be examined.
Probably I'm mistaken.

#73
There are DF tools out there but as I said you need to be very clued up on how to use them. Not for the faint hearted.

#74
(09-06-2016, 02:37 PM)george759 Wrote:  My apologies.
I thought "Digital Forensics tool" was a tool to be examined.
Probably I'm mistaken.

No, you are correct about the tool. You said that you hadn't tried the "site" GuiltySpark had suggested, but he never suggested any site in the first place.

#75
I still don't know where this post is going :P Are we still talking about data on USB drive? Are these files encrypted? If so, are you 100% sure it was CRYPTOWALL 3.0? What is the extension of the files in question? Does it have an extension like this? Can you take a screenshot of the files?


[Attachment: xls_encrypted.png]


#76
(09-06-2016, 03:39 PM)Britec Wrote:  I still don't know where this post is going :P Are we still talking about data on USB drive? Are these files encrypted? If so, are you 100% sure it was CRYPTOWALL 3.0? What is the extension of the files in question? Does it have an extension like this? Can you take a screenshot of the files?



At first I didn't get what your specific smiley meant.

I also believe that, mostly with Partha's help, we concluded that the files were infected with CRYPTOWALL 3.0 and hence they are encrypted.
The file that I think we are concentrating on is a single file, "Amadeus.accdb" (MS Access 2010 file), taken from the USB, and we are trying to see if we will somehow manage to recover it.
The files that you are asking me about do not show at all in the home directory. If you still want a screenshot of the directory list where "Amadeus.accdb" is located, I will be more than happy to attach it.

#77
Did the other site give you a time frame on the file in question?

#78
Let me make this clear for the others to know where we stand. Brian, I think those files were corrupted when the infection happened, but at this point we cannot say with certainty if it was because of CryptoWall.

Nevertheless, you made a very important point about the file extensions. It's important to know what the actual extensions of those files are.

George, please open your file explorer, select View from the top menu and check the box that says File name extensions, as illustrated below.

   

Once you've done that, check the names of those files and let us know if they have any strange letters or numbers at the end, like Brian's post shows.

#79
(09-06-2016, 04:20 PM)GuiltySpark Wrote:  Did the other site give you a time frame on the file in question?

Basically they said they would give an answer within 1 hour after having submitted the file in question.
They are saying on the site that this 1 hour could be much longer, depending on the size of the file and also the degree of corruption.
It has been over 10 hours after submitting the file, and it still shows the same message, i.e. "File transfer is being verified".
I will have to check in the morning what's happening.

PS: Their procedure is that in case of successful retrieval, they supply you with a preview of what they retrieved, with much detail, and then if you accept their findings, they give you a price (for a file of about 10 MB, they charge approximately about 30 GBP), which you pay and then you get the download. If you do not accept, you owe nothing and here you go. I think the whole procedure looks very logical, in contradiction with other companies, where you have to pay around $100 just before sending the file to them, without being sure they will retrieve the contents. Of course you will have to pay much more upon successful completion.

(09-06-2016, 04:38 PM)Partha Wrote:  Let me make this clear for the others to know where we stand. Brian, I think those files were corrupted when the infection happened, but at this point we cannot say with certainty if it was because of CryptoWall.

Nevertheless, you made a very important point about the file extensions. It's important to know what the actual extensions of those files are.

George, please open your file explorer, select View from the top menu and check the box that says File name extensions, as illustrated below.



Once you've done that, check the names of those files and let us know if they have any strange letters or numbers at the end, like Brian's post shows.

I am sorry if I do not understand completely what you are saying.
In Windows Explorer I always have the option "show file extension" ticked, and strange file names (like Brian suggested) NEVER came to my attention. The catalog of the directories, e.g. "AMADEUS", never had such strange names.
Now if I do not understand something, this is a whole different matter. I am all ears.

#80
Those letters at the end usually appear when the encryption takes place, and we just wanted to check if that was the case.