Lost word, excel. pst and pdf data??
broncoapache
06-16-2006, 09:37 PM
I have a situation where an XP Home machine has nearly all Word, Excel, Outlook pst and even pdf's showing either all squares or won't even open, saying it is an unrecognizable format. You cannot copy or paste any of these squares and trying to change fonts just makes more garble. The Word documents have pages and pages of this stuff.
Scandisk and Spinrite find nothing wrong and newly created documents are fine but on May 18th at 6:49 PM a whole bunch of files were modified to make them unreadable including PDF's.
An employee left under less than ideal circumstances and we obviously suspect him. There are no viruses or spyware etc.
Is there any way to recover this vital data??
System restore a no go.
Thanks
BA
Sylvander
06-17-2006, 03:29 AM
Is it possible he renamed files or changed the extensions so that these files are not what they appear to be?
Perhaps a universal quick-view program would open them and give you some idea of what file type they really are.
Seems to me they are actually some kind of program files.
These squares are what I see if I open an exe file with a text viewer.
Try right-clicking on a file and choosing Quick View.
If you can determine the true file type and its true extension you could rename it with the correct extension.
Do you have a recent [image] backup of the partition contents?
classicsoftware
06-18-2006, 06:01 PM
"Do you have a recent [image] backup of the partition contents?"
This is the real answer. If you have a business and don't have a good backup system in place, now would be the time to put one in place before an employee really screws up your system or a power failure occurs or some other unforeseen event.
broncoapache
06-18-2006, 10:30 PM
They have already sheepishly agreed to that idea!!
I downloaded Quick View Plus and tried to look at the documents and they are simply blank. When I look at it in hex it is all zeros, so the guy did a number. Any ideas on how he did this, as it seems the data is toast? The files look like normal files with the proper names and extensions: .doc, .xls, .pdf
Sylvander
06-19-2006, 04:39 AM
"The files look like normal files with the proper names and extensions: .doc, .xls, .pdf"
He could have renamed [vital?] program files with new 3-letter extensions so that they'd no longer work.
The trick is to find out what kind of files they really are.
They could be dll's, or exe, or com files.
I suppose you could take a file and try changing the extension to exe or com and see if it will run.
Try right-clicking a file and choosing "Properties" [for clues].
Any clues from the file locations?
Are they in the Windows folder, or program folders or what?
I wonder if you could scan for orphan registry settings [that point to files that appear not to exist because they've been renamed].
Did he just change the extension and leave the name unchanged?
broncoapache
06-29-2006, 04:25 PM
Well, the latest is that in a 3 minute period a disaffected employee wrote a resignation letter and within a few minutes 1400+ Word, Excel, Acrobat and Outlook data files were effectively "zeroed out".
When I use Quick View Plus by Stellent (latest version 8) to try to view the files they are simply blank. The square zeros are apparently Unicode.
When you view the page in hex and ASCII they are likewise all zeros. No data.
The file names and extensions and icons etc. are all as they should be and no system files were modified in this 3 minute time frame.
This was obviously done selectively and deliberately using some software tool or automated process.
Does anyone have any idea how this guy accomplished this?
Spinrite 6 on level 5 and Microscope 2000 batch file disc tests confirm no disc errors or corruption at all. No viruses or spyware.
How???
BA
Paul Komski
06-29-2006, 10:23 PM
It looks as if the files were opened with a hex editor and every byte of the file then filled with or replaced with zeroes. It wouldn't be that hard to have a batch process to accomplish this with multiple chosen files and since the files would still be occupying the same exact areas of the hard drive recovery would be impossible. The script probably first searched for files with those specific file extensions and then replaced all the bytes with zeroes.
Check out the attributes carefully to see if they are modifications of original files by examining their creation dates and particularly their file sizes. If a file is overwritten with a new file (same name but of a different size for example) then the original may be recoverable using a program such as GetDataBack from http://www.runtime.org or WinHex from http://www.x-ways.net since the original is likely to be elsewhere on the hard drive, existing there as a deleted file.
Use a good hex editor such as WinHex to check that the headers (the first few bytes of each file) are truly zeroes and indeed that the whole file is all zeroes.
My guess is that a batch file using debug (http://info.wsisiz.edu.pl/%7Ebse26236/batutil/help/sed/COM2TXT.HTM) could have been how the deed was accomplished. After all there are viruses that can do this sort of thing so a specific non-replicating executable should not be that hard to write for a programmer.
PS
"The square zeros are apparently Unicode."
If a hex editor shows all zeroes then there is no Unicode involved. The little squares would be non-printing characters (e.g. zeroes) that Word etc. cannot decipher as characters and so squares are used in their place.
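Added example, not part of any post in this thread: a read-only triage script for the checks suggested above (is the header zero, is the whole file zero, do the damaged files share one modification window). The function names, the 180-second window and the sample files are assumptions made for illustration; a wrong but non-zero header is reported separately, since that is what a renamed file would look like.

```python
import os, tempfile
from collections import Counter

# Leading bytes expected for the file types named in the thread.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls compound file
MAGIC = {".doc": OLE2, ".xls": OLE2, ".pdf": b"%PDF", ".pst": b"!BDN"}

def classify(path, chunk=1 << 16):
    """Return 'empty', 'ok', 'bad_header' or 'zeroed' for one file."""
    magic = MAGIC[os.path.splitext(path)[1].lower()]
    with open(path, "rb") as fh:
        block = fh.read(len(magic))
        if not block:
            return "empty"
        if block == magic:
            return "ok"
        while block:  # header is wrong: is every byte of the file zero?
            if block.count(0) != len(block):
                return "bad_header"
            block = fh.read(chunk)
    return "zeroed"

def triage(root, window=180):
    """Scan root; return (rows, burst). burst is the busiest window-second
    bucket of modification times among zeroed files, as (bucket, count)."""
    rows, buckets = [], Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MAGIC:
                path = os.path.join(dirpath, name)
                st, verdict = os.stat(path), classify(path)
                rows.append((path, st.st_size, int(st.st_mtime), verdict))
                if verdict == "zeroed":
                    buckets[int(st.st_mtime) // window] += 1
    return rows, (buckets.most_common(1)[0] if buckets else None)

def demo():
    """Constructed sample tree: two zeroed files and one intact PDF."""
    base = 180 * 6_000_000  # constructed timestamp, not from the thread
    samples = {"a.doc": (b"\0" * 4096, base + 10),
               "b.xls": (b"\0" * 100_000, base + 100),
               "c.pdf": (b"%PDF-1.4\n%%EOF\n", base + 5000)}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mtime) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(data)
            os.utime(p, (mtime, mtime))
        rows, burst = triage(d)
    return {os.path.basename(p): v for p, _, _, v in rows}, burst

if __name__ == "__main__":
    print(demo())
```

Run it against a copy or a read-only image of the disk rather than the live volume, so the timestamps being examined are not disturbed.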
broncoapache
06-30-2006, 10:10 PM
Thanks so much and I think you are right! I will try those programs and keep you posted on developments.
BA