VBox ERASED 2000 files suddenly without any user action. Help
Posted: 24. Sep 2014, 20:38
by swueng.hai
Hello
On a WIN XP SP3 guest machine, the following situation occurred.
While I was working I had 3 opened windows as usual: browser, Notepad for writing notes in a txt file, and a PDF (that's what I use 90% of the time when in this guest). While I was working and had the browser as the active window, all of a sudden the Notepad window and the PDF viewer window closed. I minimized the browser to see what's happening, and saw that 70% of the stuff that was on my desktop had disappeared (ALL .TXT files, ALL .PDF and some .png). I checked folders and saw that every file with extension txt and pdf was deleted. I immediately shut down the system to prevent any data changes which could rewrite the deleted files and make further problems with retrieval. There aren't really any programs in this guest as I use it only for browsing, viewing PDFs and writing a lot of stuff in plain text files; it doesn't even have Java or Flash installed. I don't have snapshots.
I have tried 2 methods to retrieve data.
1. Attached the VMDK to another virtual machine as a slave. On that other virtual machine I had previously installed Recuva and then scanned the attached disk.
It showed me that all that data was truly erased and I can retrieve everything except the plain text files (.txt). And there is the problem: I need those .txt files badly as they are of big importance, not the PDFs. Recuva showed the names of all the .txt files but it says they are 0 bytes and unrecoverable.
2. I mounted that VMDK into ZAR (Zero Assumption Recovery). It scanned it, but with the same results. It too can't recover the .txt files.
I know that the txt files have to be there and aren't rewritten because when the deletion happened I turned off the machine within about 2-3 minutes without making any changes to anything. I made a backup copy of the entire VMDK before performing those 2 operations above.
The container is a fixed 20 GB but only has 9.8 GB used.
How can I recover those plain text files? They are very important to me and there aren't any backups except on that drive.
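The symptom described in this post (two thousand documents vanishing from a running guest within seconds) is the kind of file-activity burst a host-side or guest-side sensor can flag while it is still happening. The following is an added example, not code from this thread or from VirtualBox: a small rate-based detector in Python that reads constructed file-event lines of the form `<unix_timestamp> <ACTION> <path>` (the format is an assumption, loosely modelled on what a file-auditing agent emits) and raises one alert per burst of deletes or renames.

```python
# Added example (not from the thread): a rate-based detector for mass file
# deletion/renaming, the file-activity pattern this incident would have shown.
# Input lines are constructed for this example in the form
#     "<unix_timestamp> <ACTION> <path>"
# roughly what a file-auditing agent (Sysmon-style or an EDR sensor) would emit.
from collections import deque
from datetime import datetime, timezone

WINDOW_SECONDS = 10        # look-back window
THRESHOLD = 50             # deletes/renames inside the window that raise an alert
SUSPECT_ACTIONS = {"DELETE", "RENAME"}


def parse_event(line):
    ts, action, path = line.split(" ", 2)
    return float(ts), action, path


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one (timestamp, count, sample_paths) alert per burst.

    An alert fires the first time the sliding window holds `threshold` suspect
    events; the detector then stays silent for one window so that a burst of
    2000 events does not produce 40 alerts."""
    recent = deque()       # (ts, path) of suspect events inside the window
    alerts = []
    muted_until = float("-inf")
    for line in lines:
        ts, action, path = parse_event(line)
        if action not in SUSPECT_ACTIONS:
            continue
        recent.append((ts, path))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold and ts >= muted_until:
            alerts.append((ts, len(recent), [p for _, p in list(recent)[:3]]))
            muted_until = ts + window
            recent.clear()
    return alerts


def build_sample_log():
    """Constructed sample: quiet background writes, then 2000 documents deleted in ~4 s."""
    base = 1411588800.0    # constructed epoch value (24 Sep 2014, 20:00 UTC)
    lines = [f"{base + i * 30:.3f} WRITE C:\\Users\\me\\notes\\note{i}.txt" for i in range(20)]
    burst_start = base + 700
    for i in range(2000):
        ext = "txt" if i % 2 == 0 else "pdf"
        lines.append(f"{burst_start + i * 0.002:.3f} DELETE C:\\Users\\me\\Desktop\\doc{i}.{ext}")
    return lines


if __name__ == "__main__":
    for ts, count, sample in detect_bursts(build_sample_log()):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"ALERT {when}: {count} deletes/renames within {WINDOW_SECONDS}s, e.g. {sample}")
```

The threshold and window are deliberately coarse; in practice they are tuned per host, and the same sliding-window logic can count renames to archive extensions or writes to a canary file instead of raw deletes.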
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 21:20
by Perryg
VirtualBox itself does not delete files on the guest for any reason. The only thing that would cause this is a virus, disk corruption or an improper shutdown (imitating a plug pull).
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 21:39
by swueng.hai
Perryg wrote: VirtualBox itself does not delete files on the guest for any reason. The only thing that would cause this is a virus, disk corruption or an improper shutdown (imitating a plug pull).
I know, I think it's some type of malfunction in some software or disk corruption, because there was no improper shutdown; it erased the stuff while I was working, and the system didn't crash or anything else, it continued working as if nothing happened, then I turned it off normally with shutdown. A virus is less likely because I am the only user that has access to this and I haven't ever opened any sites or downloaded any suspicious files (porn, pirate software or whatever of this kind). I have only opened legit sites on which I have work and mostly downloaded PDFs and write in my text files. I really try to avoid downloading ANY exe's; that's why it's a very simple system, as I said.
I won't use that guest again, whatever the reason was; I will create a new fresh one, but I need those text files.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 21:47
by Perryg
Important files should be recoverable from your backup. As for exe's, there are plenty of viruses in PDF files. Other than that, you would create a new guest and then attach the old one as a second drive, but be warned: the virus or corruption could still transfer to the new guest. It works just like a real machine in that regard, and the files probably are gone anyway.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 21:54
by swueng.hai
Perryg wrote: Important files should be recoverable from your backup. As for exe's, there are plenty of viruses in PDF files. Other than that, you would create a new guest and then attach the old one as a second drive, but be warned: the virus or corruption could still transfer to the new guest. It works just like a real machine in that regard, and the files probably are gone anyway.
You misunderstood me, I don't have a backup of the VMDK in which the text files are NOT deleted. I made a backup after I shut down the machine, so that when I start recovery software, if it corrupts something, I could just try another software or method of recovery on the backup. I don't have backups of the text files. That's why I need to extract them somehow from the VMDK.
Also there weren't ANY exe files deleted and everything in the system was working perfectly after the sudden deletion of the txt and pdfs. I could start programs and close them etc.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 22:06
by Perryg
I am not sure what you want me to say. I know it is not something you want to hear, but if there were no backups and the files are gone, nothing but magic will make them appear, and I don't believe in magic.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 22:26
by rpmurray
Maybe a variant of CryptoLocker. You could try making a copy of the VM and then starting it up and letting it run to see if you get the ransom demand.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 22:38
by swueng.hai
Perryg wrote: I am not sure what you want me to say. I know it is not something you want to hear, but if there were no backups and the files are gone, nothing but magic will make them appear, and I don't believe in magic.
I'm not talking about magic. I know that when something is deleted from Windows it doesn't disappear but is marked by the system to be overwritten by something else. That's why I haven't touched anything since they were deleted. They have to be in there still, I just have to access them, and I read that with plain text files things are a bit different; that's why those 2 programs I already described can't retrieve those .txt files for me but can retrieve everything else.
I don't understand the CryptoLocker method, how will it help me? Also, where can I find a variant of CryptoLocker?
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 23:04
by VickersNick
swueng.hai wrote: I don't understand the CryptoLocker method, how will it help me? Also, where can I find a variant of CryptoLocker?
CryptoLocker is ransomware that will encrypt your files and force you to pay via Bitcoin in order to get the decryption key. rpmurray was suggesting your files might have disappeared because of it or a variant of it.
I've never heard of file recovery within a VM but I don't see why it wouldn't be possible.
http://pcsupport.about.com/od/filerecov ... ograms.htm
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 24. Sep 2014, 23:08
by swueng.hai
VickersNick wrote: swueng.hai wrote: I don't understand the CryptoLocker method, how will it help me? Also, where can I find a variant of CryptoLocker?
CryptoLocker is ransomware that will encrypt your files and force you to pay via Bitcoin in order to get the decryption key. rpmurray was suggesting your files might have disappeared because of it or a variant of it.
No, not infected with it. I started the system after backing it up to see if it would load, and it loaded perfectly; also there is nothing encrypted. I managed to recover the PDFs and everything else that IS NOT a PLAIN TEXT .txt file. Only .txt are giving me headaches because they are the only thing I need, and with the 2 methods that I described the system can't find their written content, only their names.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 25. Sep 2014, 15:14
by mpack
Plain text files are normally the easiest file type to recover because they tend to be small and have the simplest possible internal structure - a flat array of bytes. I don't know what uninformed advice you've been reading, but plain text files are not a difficult or special case.
Are you sure you didn't revert a snapshot? Or reboot a VM that had been running as a live CD? Etc etc. There is no way that 2000 files just disappear off a running PC that isn't prodded in some way.
As Perry is too polite to say: events like these are how people learn that backups are important.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 27. Sep 2014, 23:21
by swueng.hai
mpack wrote:Plain text files are normally the easiest file type to recover because they tend to be small and have the simplest possible internal structure - a flat array of bytes. I don't know what uninformed advice you've been reading, but plain text files are not a difficult or special case.
Are you sure you didn't revert a snapshot? Or reboot a VM that had been running as a live CD? Etc etc. There is no way that 2000 files just disappear off a running PC that isn't prodded in some way.
As Perry is too polite to say: events like these are how people learn that backups are important.
I've been working on the subject for 2 days now, and the situation is a lot different.
It appears that truly some of the PDFs were infected and I was part of a botnet. While I was working those 2000 files weren't deleted; the hacker started a procedure of RARing them, that's why they disappeared. The next day, when I logged in to VirtualBox and turned on the internet for like 2 hours, 1 txt file appeared on my C disk and Desktop. Inside there was this: "If you want your documents back contact some email and tell case number xxx-xxx-xx."
When I contacted that email the hacker told me that he wanted 10 bitcoins for the passwords of my RARs, and he gave 1 password for 1 RAR to show me that he has them.
I have cleared the virus out of my system. But the problem is that I can't find any of those RARs in my system. When they disappeared while I was working, as I said, I turned off the system after like 4-5 minutes to save the data. But I think that fast shutdown broke the process of RARing them, or I don't know, because really I used search to find ALL RARs in the system including hidden ones etc. and there was nothing.
I then used PhotoRec to recover deleted data and I recovered like 10 RARs, some of them 0.5 GB big. It looked like those RARs were deleted for some reason, and even normal recovery programs like Recuva and Pandora Recovery couldn't see them. Only PhotoRec recovered them, with some default names given by the program and no other info.
Is there a way I could recover those RARs in their original form? Because of the way PhotoRec works they might be corrupted, although when I open them it asks for a password and doesn't say they are corrupted. But they are from 50-500 MB big, and from what I read PhotoRec might retrieve corrupted data for such big files.
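Whether a carved archive is whole can often be checked without the password, because the block headers of the old RAR format are not encrypted and each one states its own length. The following is an added example, not from this thread or from PhotoRec: a Python walker that finds the RAR 2.x/3.x ("RAR4") marker in a raw image and follows the block chain to the end-of-archive block. It assumes the documented 7-byte block header (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, plus a 4-byte ADD_SIZE when flag 0x8000 is set), does not verify CRCs, and does not handle the newer RAR5 layout; the sample "disk image" is constructed inside the block.

```python
# Added example (not from the thread): walk the block chain of a RAR 2.x/3.x
# ("RAR4") archive found at a raw offset in a disk image and report whether it
# is complete or cut short. A signature carver such as PhotoRec only sees the
# "Rar!" marker, not the filesystem's extent list, so a carved archive can stop
# early (the file's clusters ran into another file) or carry trailing junk.
# Block header layout assumed: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)
# [ADD_SIZE(4) when HEAD_FLAGS & 0x8000]. CRCs are not verified here, and the
# newer RAR5 format ("Rar!\x1a\x07\x01\x00") has a different layout and is not handled.
import struct

MARKER = b"Rar!\x1a\x07\x00"                 # RAR 1.5-4.x marker block
MARK, MAIN, FILE, ENDARC = 0x72, 0x73, 0x74, 0x7B
KNOWN_TYPES = {MARK, MAIN, FILE, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, ENDARC}
LONG_BLOCK = 0x8000                           # block carries a 4-byte ADD_SIZE


def walk_archive(data, start):
    """Follow the blocks beginning at `start`; return (status, end_offset, file_count)."""
    pos, files = start, 0
    while True:
        if pos + 7 > len(data):
            return "truncated", len(data), files
        btype, flags, size = struct.unpack_from("<xxBHH", data, pos)
        if btype not in KNOWN_TYPES or size < 7:
            # Not a RAR block: either junk after an archive written without an
            # end block (ENDARC is optional in older writers) or damage.
            return ("no end marker" if files else "corrupt"), pos, files
        total = size
        if flags & LONG_BLOCK:
            if pos + 11 > len(data):
                return "truncated", len(data), files
            total += struct.unpack_from("<I", data, pos + 7)[0]
        if btype == FILE:
            files += 1
        if pos + total > len(data):           # block claims bytes past the end of data
            return "truncated", len(data), files
        if btype == ENDARC:
            return "complete", pos + total, files
        pos += total


def carve_rar(image):
    """Find every RAR4 marker in `image` and describe the archive that follows it."""
    results, pos = [], image.find(MARKER)
    while pos != -1:
        status, end, files = walk_archive(image, pos)
        results.append({"offset": pos, "status": status, "length": end - pos, "files": files})
        pos = image.find(MARKER, pos + len(MARKER))
    return results


def build_sample_archive(name=b"notes.txt", payload=b"hello from a stored file\n"):
    """Constructed single-file RAR4 archive (method 'stored', CRC fields zeroed)."""
    main = struct.pack("<HBHH", 0, MAIN, 0, 13) + b"\x00" * 6          # 13-byte archive header
    head_size = 32 + len(name)
    file_hdr = struct.pack("<HBHH", 0, FILE, LONG_BLOCK, head_size)
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD NAME_SIZE ATTR
    file_hdr += struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0,
                            20, 0x30, len(name), 0x20) + name
    end = struct.pack("<HBHH", 0, ENDARC, 0, 7)
    return MARKER + main + file_hdr + payload + end


if __name__ == "__main__":
    full = build_sample_archive()
    # Constructed "disk image": an intact archive, some unrelated bytes, then a copy
    # whose tail (13 bytes of data plus the end block) was overwritten.
    image = b"\x00" * 64 + full + b"\xff" * 32 + full[:-20]
    for r in carve_rar(image):
        print(r)
```

A "truncated" result means the archive's own headers promise more bytes than the carver recovered, which is exactly the fragmentation problem raised above; a "complete" result only says the block chain is intact, since the file CRCs inside a password-protected archive cannot be checked without the password.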
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 27. Sep 2014, 23:52
by mpack
Why mess around? Delete the VM. Surely that was the point of you running it as a VM in the first place?
p.s. A PDF is data, not an executable. It isn't possible for a PDF to be infected. What you probably had was a something.pdf.exe, i.e. it's a trap set for those who are dumb enough to let Windows run with its "Hide extensions for known file types" option still enabled. Hopefully someday Microsoft will get a class action lawsuit for that one.
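The double-extension trap described in this post can be checked for mechanically, both from the file name and from the file's leading bytes. The following is an added example, not code from this thread: a Python checker that reports a name like `something.pdf.exe` (which Explorer displays as `something.pdf` when extensions are hidden) and, independently, a file whose content starts with the `MZ` executable signature while its extension claims a document. The sample names and headers inside the block are constructed; the extension and magic-byte tables are a small illustrative subset, not a complete list.

```python
# Added example (not from the thread): spot "document" lures that are really
# executables, two ways: by the name Explorer would show with "Hide extensions
# for known file types" enabled, and by the file's first bytes (a Windows
# executable starts with "MZ", a PDF with "%PDF-", a PNG with "\x89PNG").
# File names and headers below are constructed for this example.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "txt", "doc", "docx", "jpg", "png"}
MAGIC = {b"MZ": "exe", b"%PDF-": "pdf", b"\x89PNG": "png"}


def displayed_name(name):
    """The name Explorer shows when the last extension is hidden."""
    stem, sep, _ext = name.rpartition(".")
    return stem if sep else name


def sniff(header):
    """Best-effort type from the leading bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGIC.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def classify(name, header):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    lowered = name.lower()
    real_ext = lowered.rpartition(".")[2] if "." in lowered else ""
    shown = displayed_name(lowered)
    shown_ext = shown.rpartition(".")[2] if "." in shown else ""
    findings = []
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        findings.append(f"double extension: appears as '{displayed_name(name)}' but runs as .{real_ext}")
    kind = sniff(header)
    if kind != "unknown" and kind != real_ext:
        findings.append(f"content looks like {kind} but extension is .{real_ext or '(none)'}")
    return findings


SAMPLES = [  # (file name, first bytes) - all constructed
    ("quarterly report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("quarterly report.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("notes.txt", b"meeting with client, 24 Sep"),
    ("photo.png", b"\x89PNG\r\n\x1a\n"),
]


def scan(samples=SAMPLES):
    return {name: classify(name, header) for name, header in samples}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:28} {'OK' if not findings else '; '.join(findings)}")
```

The Explorer option itself is the `HideFileExt` DWORD under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`; setting it to 0 makes the real extension visible, which removes the name-based half of the trick but not the need for a content check.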
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 27. Sep 2014, 23:54
by Perryg
This has nothing to do with VirtualBox and, as harsh as it is, there is nothing that we can do to help you with this. You need to contact a virus expert to see if they know what to do.
Re: VBox ERASED 2000 files suddenly without any user action.
Posted: 28. Sep 2014, 17:51
by JayEm
mpack wrote: p.s. A PDF is data, not an executable. It isn't possible for a PDF to be infected. What you probably had was a something.pdf.exe, i.e. it's a trap set for those who are dumb enough to let Windows run with its "Hide extensions for known file types" option still enabled. Hopefully someday Microsoft will get a class action lawsuit for that one.
It is indeed possible, if the PDF reader used has security holes. Same for other data types if the viewer / editor program is vulnerable. Same for Windows itself.