The infamous cryptowall has encrypted a large number of my files/folders. While I have restored most of my files from backup, I am now looking for a way to scan the remaining encrypted files scattered across my local and network drives.
Is there a way of generating a list of those encrypted files (by scanning the file header, or verifying file integrity)? Is it possible on the command line or with specific software?
Cheers, Florian
CryptoWall stores in the Windows registry the list of all files it encrypted. Once restored, some files may have been missed and might still be encrypted.
Looking at the modified file attribute gives a short list of files that have likely been, and remain, encrypted. Using Recuva (a Windows recovery tool), I have noticed that the magic numbers of encrypted files are random, while for a normal file those magic numbers (first four bytes) are the same per file type. JPEG : FF D8 FF E0
EDIT : I have found this handy unix command named "file". It is available on Linux, Cygwin, and OS X.
With a quick script to scan every file on the system, the unknown file types are likely to be the remaining encrypted files.
Comparing those magic numbers with the file extension is scriptable and should allow one to determine what is encrypted/corrupted. Yet I have not found such a tool able to perform this and compare against a well-known database of magic numbers (first four bytes).
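The approach sketched above, checking each file's leading bytes against the magic number expected for its extension and treating random-looking headers as suspect, as an added example that is not part of the original post. It uses only the Python standard library so it runs the same way on Windows, Linux and OS X without `file` installed. Assumptions: the `MAGIC_BY_EXT` table is a small hand-written subset rather than a full magic database, the 7.5 bits-per-byte entropy threshold is a heuristic for "looks like ciphertext", and the sample files in `build_demo_dir` are constructed on the spot, not real victim data.

```python
import math
import os
import tempfile
from pathlib import Path

# Constructed subset of well-known magic numbers, keyed by extension.
# A real deployment would load a fuller table (e.g. from libmagic's database).
MAGIC_BY_EXT = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
}

# Heuristic: ciphertext is close to 8 bits of entropy per byte; text and
# most uncompressed formats are well below this. Already-compressed formats
# (zip, jpeg) are also high-entropy, which is why the magic check comes first.
ENTROPY_THRESHOLD = 7.5
SAMPLE_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> tuple:
    """Return (verdict, entropy) for one file.

    verdict is one of:
      'ok'             extension has a known magic and the header matches
      'magic-mismatch' extension has a known magic but the header does not match
      'high-entropy'   no magic known for this extension, but the header looks random
      'unverified'     no magic known and the header does not look random
    """
    with open(path, "rb") as f:
        head = f.read(SAMPLE_SIZE)
    entropy = shannon_entropy(head)
    expected = MAGIC_BY_EXT.get(path.suffix.lower())
    if expected is not None:
        verdict = "ok" if any(head.startswith(m) for m in expected) else "magic-mismatch"
    else:
        verdict = "high-entropy" if entropy > ENTROPY_THRESHOLD else "unverified"
    return verdict, entropy


def scan_tree(root) -> dict:
    """Walk root and map each file's relative POSIX path to its (verdict, entropy)."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.is_file():
            try:
                results[path.relative_to(root).as_posix()] = classify(path)
            except OSError:
                # Unreadable file (locked, permissions): skip rather than abort the scan.
                continue
    return results


def suspicious_files(root) -> list:
    """Relative paths whose header contradicts the extension or looks like ciphertext."""
    return sorted(p for p, (v, _) in scan_tree(root).items()
                  if v in ("magic-mismatch", "high-entropy"))


def build_demo_dir() -> Path:
    """Create a temp directory of constructed sample files for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="cw_scan_"))
    (root / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 4000)  # valid header, low entropy
    (root / "encrypted.jpg").write_bytes(os.urandom(4096))                   # random header, wrong magic
    (root / "notes.txt").write_bytes(b"quarterly report draft\n" * 100)       # no magic, low entropy
    (root / "encrypted.txt").write_bytes(os.urandom(4096))                   # no magic, looks like ciphertext
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_dir()
    for rel, (verdict, ent) in sorted(scan_tree(target).items()):
        print(f"{verdict:15} {ent:4.2f}  {rel}")
```

Run it with a drive or share root as the argument (`python scan.py D:\` or `python scan.py /mnt/share`); with no argument it scans the constructed demo directory. Files reported as `magic-mismatch` are the strongest candidates for remaining CryptoWall damage; `high-entropy` hits on extensions without a known magic need a second look, since legitimately compressed or already-encrypted files land there too.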