How to recover files from the home directory that malware removed on OS X 10.10.5 Yosemite?
Solution 1:
After some deep investigation we came to the preliminary conclusion that the culprit wasn't any malware but an unhappy coincidence involving org.macosforge.xquartz.startx.plist, .bashrc and an xrd --merge ~/.Xdefaults command. Since all those files were deleted, we don't have hard evidence though.
Said .bashrc is derived from a (Linux) precursor. It was heavily adapted to work with OS X.
The XQuartz service started to delete files with rm in the root folder after reading in ~/.bashrc, triggered by the xrd command. Most of the rm calls weren't successful because of missing user permissions. Most of the user data was deleted though.
After creating a recovery thumb drive with Data Rescue 4 (the Bootwell feature), a deep scan found a lot of deleted files. The most important files couldn't be recovered.
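The failure mode described in this answer is an rc file with side-effecting commands being read by a shell that no human started (here a launchd-started XQuartz helper). The script below is an added example, not code from the original post: it emulates that with two constructed rc files that create a marker file instead of running rm, sources each one from a non-interactive sh -c (and, for contrast, an interactive sh -i -c), and shows that a one-line interactivity guard at the top of the rc file stops the commands from running in the non-interactive case. The file names, the GUARD_DEMO_MARKER variable and the marker side effect are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example: why an rc file with side effects is dangerous when a
# non-interactive process sources it, and how a "$-" guard prevents that.
# Everything here (rc contents, marker files, variable names) is constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed rc file WITHOUT a guard: its commands run whenever it is read.
# The marker file stands in for the destructive rm/xrdb commands.
cat > "$WORK/bashrc_unguarded" <<'EOF'
touch "$GUARD_DEMO_MARKER"
EOF

# Same rc file WITH a guard at the top: leave immediately unless the shell
# is interactive, which is when "$-" contains the letter i.
cat > "$WORK/bashrc_guarded" <<'EOF'
case $- in *i*) ;; *) return 0 ;; esac
touch "$GUARD_DEMO_MARKER"
EOF

# Source RC from a fresh non-interactive shell (what a launchd-started
# helper or a login shell run with -c would do) and report whether the
# side effect happened. Prints "ran" or "skipped".
simulate_noninteractive() {
    rc="$1"; marker="$2"
    rm -f "$marker"
    GUARD_DEMO_MARKER="$marker" sh -c ". \"$rc\"" 2>/dev/null
    if [ -e "$marker" ]; then echo ran; else echo skipped; fi
}

# Same, but from an interactive shell (-i), so the guard lets commands run.
simulate_interactive() {
    rc="$1"; marker="$2"
    rm -f "$marker"
    GUARD_DEMO_MARKER="$marker" sh -i -c ". \"$rc\"" 2>/dev/null
    if [ -e "$marker" ]; then echo ran; else echo skipped; fi
}

echo "unguarded, non-interactive: $(simulate_noninteractive "$WORK/bashrc_unguarded" "$WORK/m1")"
echo "guarded,   non-interactive: $(simulate_noninteractive "$WORK/bashrc_guarded" "$WORK/m2")"
echo "guarded,   interactive:     $(simulate_interactive "$WORK/bashrc_guarded" "$WORK/m3")"
```

Putting the `case $- in *i*) ;; *) return ;; esac` line first in ~/.bashrc (and keeping anything that touches files, such as xrdb merges, behind it or out of rc files entirely) means a background service that happens to source the file gets nothing but variable definitions. It does not undo what already happened, but it closes the path the answer describes.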