How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

notacoder
Posts: 2
Joined: Wed Apr 16, 2025 4:47 am

How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

Post by notacoder »

First off: THIS TOOL IS AMAZING! I can't believe how fast it indexes when I first installed it, and had it index a test folder!

Now to my problem: I got hit with a Deadbolt NAS attack a few years back, and thought I stopped it before anything could happen to my files. Today I found out that I couldn't access some of my jpg files on my NAS. These are family pictures, and are very dear to me. I might also have mp4 or other files that got hit, not just those jpgs.

When I looked at them with a HEX-editor, I found the term "DEADBOLT" (hex: 4144424F4C54) near the end of the file. (Not AT the end, so "endwith" won't work)

I now would like to scan all my files for that signature to find those I need to restore from an old backup.

Before posting this I spent hours reading up and "playing" with the suggestions I found for others who asked about binary files and HEX-code. I tried all kinds of combinations for hex, binary, binarycontent etc., but I'm not getting anywhere. Not being a REGEX or database-search programmer doesn't help :(

I created a test folder with corrupt files on my NAS, and added that folder to Everything for indexing. Maybe that was my first mistake? I read somewhere about direct streaming vs. indexing.

I'm also not sure what settings I have to use as far as the "Match Case" is concerned (Case, Whole Word, Path, Diacritics).

Is there anybody here willing to guide me in the right direction? I so would love to find out which files got locked. I don't care if the search runs for days, since I know that the majority of my files are intact.

Thanks in advance for any help in figuring this out.
void
Developer
Posts: 19839
Joined: Fri Oct 16, 2009 11:31 pm

Re: How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

Post by void »

A simple
*.jpg ansicontent:DEADBOLT
search should work.

ansicontent:



Is the DEADBOLT offset from the end always the same?
If so, try content-offset: and content-max-size:

Something like:
*.mp4 content-offset:-512 content-max-size:8 ansicontent:DEADBOLT


If the offset does vary, try searching the last 64k of the large files:
*.mp4 content-offset:-65536 ansicontent:DEADBOLT
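
For cross-checking the results outside Everything, the two strategies above (whole-file match, or only the last 64k) can be scripted. This is an added example, not part of the original posts or of Everything; the function names, the 1 MiB chunk size and the constructed sample files are assumptions. It reads in fixed-size chunks with a small overlap, so memory stays flat on large files and a signature that straddles a chunk boundary is still found.

```python
import os
import pathlib
import tempfile

SIGNATURE = b"DEADBOLT"   # marker string reported in the thread
CHUNK = 1 << 20           # 1 MiB reads (assumed size) keep memory use flat

def contains_signature(path, sig=SIGNATURE, tail=None):
    """True if sig occurs in the file; tail=N scans only the last N bytes."""
    start = 0 if tail is None else max(0, os.path.getsize(path) - tail)
    carry = b""  # end of the previous chunk, so a split signature still matches
    with open(path, "rb") as fh:
        fh.seek(start)
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if sig in carry + chunk:
                return True
            carry = (carry + chunk)[-(len(sig) - 1):]

def scan_tree(root, extensions=(".jpg", ".mp4"), tail=None):
    """Return sorted paths under root whose content contains SIGNATURE."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                if name.lower().endswith(extensions) and contains_signature(path, tail=tail):
                    hits.append(path)
            except OSError:
                continue  # unreadable file (e.g. NAS hiccup): skip, keep scanning
    return sorted(hits)

def build_demo_tree(root):
    """Constructed sample files (not real ransomware output) for a dry run."""
    samples = {
        "clean.jpg": b"\xff\xd8" + b"\x00" * 5000,
        "near_end.jpg": b"\x11" * 3000 + SIGNATURE + b"\x22" * 100,
        "far_from_end.mp4": b"\x11" * 10 + SIGNATURE + b"\x22" * 200_000,
    }
    for name, data in samples.items():
        pathlib.Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(scan_tree(demo), scan_tree(demo, tail=65536))
```

A file whose marker sits further than the tail window from the end is only caught by the whole-file scan, so an empty tail-window result does not mean the file is clean.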
notacoder
Posts: 2
Joined: Wed Apr 16, 2025 4:47 am

Re: How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

Post by notacoder »

WOW!!!
A simple *.jpg ansicontent:DEADBOLT search should work.
That immediately worked! I can now start to restore my family pics/videos - THANK YOU!

And, no, the offset is different every time. But since this worked, I can now go to bed and let your tool index my NAS. Tomorrow I can then see how bad the damage actually is.

I still can't believe how quickly you replied, and how fast your tool is!

I hope that many users will find you now that I used SEO terms like "DEADBOLT" ;)

Thanks again for your help!
notacoder
Posts: 2
Joined: Wed Apr 16, 2025 4:47 am

Re: How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

Post by notacoder »

This morning I saw that Everything successfully scanned my 10TB of data (OVER 1mio files in only a few hours!!!) I was SO happy. I had to shut my laptop down and just wanted to run the suggested query on the files it found.

When I reopened Everything, the results were gone, and I noticed how Everything started scanning my NAS again :o

I checked the options, and I had the rescan for that folder set to "never rescan" to avoid this from accidentally happening. I also checked the database file, which was only 1kB, but with last night's time stamp from when I started the initial scan.

Can you please tell me if I did something wrong? I'm NOT saying that this is a bug! I'm just wondering what other setting I need to disable to keep my found files should I have to shut down/restart Everything in the future.

Thank you!

UPDATE: it just finished scanning, but the database size is still only 1kB with last night's date. Maybe I'm misunderstanding how this is supposed to work. Will it query the indexed files when entering a search, or does it run it live against the whole drive, ignoring the previously indexed items? Do I need to save the found items somehow?

And after querying for a while, I received the out of memory error as shown in the attachment. Is there a setting I can change somewhere, or allocate more memory to the app?

I'm sorry to bother you with all this, but I'm not sure if I'm missing something here? User error? Too many files (just over 1mio) to scan in an external NAS folder?

UPDATE 2: I just downloaded the 1.5 ALPHA to see if it makes any difference. It's running a scan now.

BTW, I tried the code that looks at only the last 64k of the file, but it didn't give any results. I'm sure that would speed up things.
Attachments
Error while querying 1mio files for content...
Screenshot 2025-04-16 150158.png (4.76 KiB) Viewed 3255 times
Last edited by notacoder on Wed Apr 16, 2025 7:06 pm, edited 2 times in total.
void
Developer
Posts: 19839
Joined: Fri Oct 16, 2009 11:31 pm

Re: How to find the signature "DEADBOLT" in files via binary ASCII or HEX search?

Post by void »

Everything doesn't cache content.
If you close the window or change the search, the search will start from scratch.



The Everything index is stored in memory (not on disk).
The index is saved to disk when you exit Everything (File -> Exit).


And after querying for a while, I received the out of memory error as shown in the attachment. Is there a setting I can change somewhere, or allocate more memory to the app?
Everything might be having trouble accessing the content of a certain file.
See if the Everything 1.5 alpha is more stable.