SlideShare ist ein Scribd-Unternehmen logo

Linux Recovery

Víctor Capetillo
Víctor Capetillo

This document discusses using Linux to recover data from failed Windows systems by creating disk images that can be mounted and accessed. Key steps include using dd to create an image file, mounting the image to access files, and copying recovered files to another location or burning to CD. More advanced tools like The Coroner's Toolkit can help if the filesystem is damaged. Safety precautions are advised when dealing with potentially failing drives.

Technologie
1 von 8
Downloaden Sie, um offline zu lesen
Recovering Data from Windows Systems by Using Linux Recovering Data from Windows Systems by Using Linux Published by the Open Source Software Lab at Microsoft. November 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab. Most current version will be maintained at http://port25.technet.com. . Abstract: We have all run into cases where Windows refuses to load for one reason or another. The problem may be hardware or a software failure, and the problem may seem to be irrecoverable. Yet often Linux can be used to help recover data that otherwise might be lost. http://port25.technet.com Page i
Recovering Data from Windows Systems by Using Linux Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e- mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. © 2007 Microsoft Corporation. This work is licensed under the Microsoft Public License. The Microsoft Public License is available here. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Microsoft, Windows, Windows XP, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. http://port25.technet.com Page ii
Recovering Data from Windows Systems by Using Linux 1 Introduction We have all run into cases where Windows refuses to load for one reason or another. The problem may be a hardware or a software failure, and the problem may seem to be irrecoverable. Yet often Linux can be used to help recover data that otherwise might be lost. Another application of using Linux recovery is in the creation of disk images for post-mortem analysis of security breaches. While such images are not created according to forensics standards (which usually requires special hardware) and would not be likely to be of help in legal cases, they are helpful in internal reviews following such incidents. In writing this paper I generally assume that either a Linux workstation is available to accept recovery information or that a USB drive of sufficient size is available to hold the data. Generally, in either case, enough free space should be available to store the entire hard drive as a bit-for-bit file and still have at least 2GB of space free. However, if more space is available, the process of organizing the recovered data is a bit easier. If neither of these is available, the utility of Linux in data recovery will be limited. Finally, if things go badly wrong, additional tools (such as The Coroner’s Toolkit) can be used but they require a great deal more free space to work. Generally, in these cases, you should have enough free space to store the hard drive twice on the same drive. This paper is written with the assumption that the reader is comfortable on the Linux command line, and can perform basic file operations (e.g. mv, cp, navigate the filesystem). In general, the command line is preferred for these types of tasks because it is easier to adapt the commands to specific needs than it would be with a GUI, and because when data is at stake, complete control over the process is often desirable. The commands given in this paper are samples only and can easily be adapted to other circumstances. Although I endeavor to provide enough information to make such modifications clear, complex scenarios may require review of manual pages. 1.1.1 A Few Cautions Before Beginning With data recovery it is important to understand the problem so that further damage is not caused in the process. In cases where drive failure is involved, it is almost always safest to send the drive to dedicated data recovery specialists who can disassemble the drive as needed. However, this process is expensive and must be weighed against the value of the data being recovered. Even if there are no signs of drive failure, the safest solution is to assume that the drive is failing. This is not a common problem but it can be caused by overheating (and the data is more likely to be corrupted by other parts of the system) or by physical damage to key data sectors. Because this does not add much to the complexity of the recovery and adds a great deal of safety, I recommend not reading the drive more than once and avoid any writing. The instructions in this document are believed to be reasonably safe. However, data recovery is a field where there are many points where mistakes can lead to irrecoverable data loss. If you are unfamiliar with a command or what it does, consult the manual page, and please do not use data you need for learning these techniques. If you are unsure of your abilities then hire a data recovery specialist if the data is worth the cost of recovery. http://port25.technet.com Page 3
Recovering Data from Windows Systems by Using Linux Finally, if images are being made for legal purposes, please hire a forensics specialist. There are specific processes which must be followed if one expects evidence to hold up in court. These processes and the hardware devices associated with them are well beyond the scope of this paper. 1.2 Making the Image The first step in performing any data recovery is usually to create an image of each filesystem to be recovered on the drive. The images can be stored on a USB hard drive, the system hard drive, a network file share or somewhere else. By creating an image we allow ourselves to do two things we could not do otherwise. First we allow ourselves to make errors or bad choices and still have a chance to get back to where we started. In cases where the filesystem is damaged is not uncommon. Second we reduce the stress we put on a potentially failing hard drive so that no more data is lost than absolutely necessary. The easiest way to handle this sort of data is to make a separate image file for each of the filesystems to be subject to recovery. 1.2.1 Locating the Drive Linux hard drives are generally found in /dev/ and have the following naming conventions: IDE drive names begin with “hd” (for hard drive) followed by a letter. “”adquot; is the primary master, “hdb” is the primary slave, “hdc” is the secondary master, “hdd” is the secondary slave etc. All other hard drives generally go through the SCSI interface. This includes all SCSI, USB, and SATA drives. In the 2.4 series of the Linux kernel, it was even possible to force an IDE drive to be reported as a SCSI one though this is unlikely to be encountered in a data recovery scenario. 1.2.1.1 Using sfdisk Once a set of drive candidates (for recovery) have been obtained, it is generally a good idea to check them with sfdisk -l. This process is considered safer than using fdisk in part because the commands are simpler and noninteractive. They require root access. bash# /sbin/sfdisk -l /dev/hda The output of this command provides information on the hard drive geometry (heads, sectors and cylinders), and then lists the partition information. Partitions must start and end on cylinder boundaries. Unfortunately many older versions of Windows had trouble with disks which had few heads and a large number of cylinders causing some BIOS implementations and drives to lie about their real geometry. Because Linux tends to read the geometry from the drive and Windows tends to read it from the BIOS problems can occur when the drive-read and BIOS-read geometries don't match. Run against a standard Linux disk, this might output something like: Disk /dev/hda: 9729 cylinders, 255 heads, 63 sectors/track Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 http://port25.technet.com Page 4
Recovering Data from Windows Systems by Using Linux Device Boot Start End #cyls #blocks Id System /dev/hda1 * 0+ 12 13- 104391 83 Linux /dev/hda2 13 9728 9716 78043770 8e Linux LVM /dev/hda3 0 - 0 0 0 Empty /dev/hda4 0 - 0 0 0 Empty For a Linux/Windows dual-boot disk, the output might be: Disk /dev/sda: 19457 cylinders, 255 heads, 63 sectors/track Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 Device Boot Start End #cyls #blocks Id System /dev/sda1 0+ 891 892- 7164958+ 27 Unknown /dev/sda2 * 892 10196 9305 74742412+ 6 FAT16 /dev/sda3 10197 10209 13 104422+ 83 Linux /dev/sda4 10210 19456 9247 74276527+ 5 Extended /dev/sda5 10210+ 19456 9247- 74276496 8e Linux LVM Note that the FAT16 partition above is actually formatted as NTFS. So one cannot trust the system labels to tell you what the actual filesystem is. However, most Windows partitions will list some recognizable label, such as FAT16, W95 FAT32, NTFS Volume Set or similar. 1.2.2 Creating the Image The basic command to use is: bash# dd if=[device] of=[imagename]conv=noerror dd reads in from one file (“if” for input file), optionally runs a conversion filter, and then writes out to another. If the output file (“of”) is not specified, the data is written to standard output. The “conv=noerror” instructs the program to continue reading in case of an error, which may be necessary if the drive has been damaged. Most data recovery documents come with a standard warning: do not try to make your image in the same filesystem you are recovering from. While I am sure this is self-evident, evidently it happens frequently enough for the warning to be standard and so it is worth mentioning as a reminder. 1.2.2.1 Writing the Image to a File in a Mounted Filesystem The simplest form of the command above might be: bash# dd conv=noerror if=/dev/sda1 of=/root/recovery.img This example copies the contents of /dev/sda1 to /root/recovery.img. The filesystem can then be mounted using a standard loopback device in Linux. 1.2.2.2 Writing to a Filesystem on Another System Because dd can write to standard output, it can be used to write to a file on a remote system using ssh. In order to reduce the network overhead, we can optionally compress the contents and then uncompress them on the other side: http://port25.technet.com Page 5
Recovering Data from Windows Systems by Using Linux bash# dd conv=noerror if=/dev/sda1 | ssh user@host 'cat > recover.img' To compress the stream in transit, we can enter the following (all on one line): bash# dd conv=noerror if=/dev/sda1 | gzip | ssh user@host 'gunzip > recover.img' In general, it is not a good idea to store the image compressed on a hard drive for recovery purposes because one cannot operate directly on it. 1.3 Mounting the Image Once the image has been made make two directories; one for the mountpoint and one for the destination: bash# mkdir recover_src recover_dst Then you can mount the filesystem (as a loopback device) with the following command: bash# mount -t [type] -o loop /path/to/image recover_src For example. assuming the command above was used to create the image in /root/recovery.img, and that it is NTFS, you can use: bash# mount -t ntfs -o loop /root/recovery.img recover_src All FAT filesystems would use the “-t vfat” flag. 1.3.1 A Note about NTFS Drivers and Linux NTFS Support Not all Linux distributions come with NTFS drivers even though read-only drivers are a part of the current Linux source code. Although Knoppix does have such support, Fedora does not. Often you can locate drivers on third party web sites. In general, recompiling the Linux kernel is more trouble than you want to go through for something like this. If you can't find the drivers, use Knoppix. NTFS filesystems can only be read on Linux without compromising safety -- writing to them is still considered dangerous and may result in data corruption or loss. Most of the drivers available only offer read-only support and getting read-write support is well beyond the scope of this paper. 1.4 Recovering the Data to a Safe Place Once the loop image is mounted you can copy files using the cp or similar command into the recover_dst folder for later conversion into CDROM's, and the like. Alternatively, you can use another USB drive formatted using FAT32, mount that drive on recover_dst and continue to recover files in this way. In general I like to archive filesystem images (compressed usually) for a period of time so that I can ensure that everything that I needed to get off them has been saved before I disregard them. 1.5 Quick Notes on mkisofs and cdrecord Often it may be useful to write the backed up files to a CDROM. Doing so requires the use of two important utilities: mkisofs and cdrecord. http://port25.technet.com Page 6
Recovering Data from Windows Systems by Using Linux CDROM's use a filesystem specified in the ISO 9660 standard. This filesystem has very few features and is incredibly limiting (no long file names, no permissions, case insensitivity in file names, etc.). In order to make the filesystem more usable on modern operating systems, two sets of extensions were created: the Joliet extensions used by Windows, and the Rock Ridge extensions usually supported on UNIX. In general, it is recommended that you use both sets of extensions in order to best integrate the CD across platforms. The command to create an iso image named quot;recovery.isoquot; from the contents of the recovery_dst folder (with both Joliet and Rock Ridge extensions) would be: bash# mkisofs -JR -o recovery.iso recovery_dst Once created the image can be burned to a CD-RW drive using the cdrecord program. The simplest form of the cdrecord command might be: bash# cdrecord dev=/dev/cdrom --data recovery.iso If you want more progress information you can add a “-v” argument. When you are done verify the media by mounting it and attempting to read the directory. I have generally found that some CD-R disks do not handle high burn rates well, and burning at the maximum rate may cause the entire disk to be bad. If this occurs, I have found that slowing the burn speed down to 4x usually solves the problem. The similar command for cdrecord, asking for verbose output and a write speed of 4x, is: bash# cdrecord dev=/dev/cdrom speed=4 -v --data recovery.iso 1.6 Tools of Last Resort In some cases, the filesystem may be too badly damaged to get the data out through standard means. Perhaps the disk was formatted, or the drive is failing. Either way, there are a few tools which can help resolve these cases given a fair bit more time, drive space, and patience. 1.6.1 The Coroner's Toolkit The Coroner's Toolkit (TCT) is a somewhat morbidly named set of tools for post-mortem analysis of a UNIX system (after a break-in). It is designed to discover data or programs which may not be visible to the operating system through the normal file interfaces. It is available at http://www.porcupine.org/forensics/tct.html. The Coroner's Toolkit has a few utilities which can come in extremely handy in data recovery. Of these utilities 'lazarus' is the most useful for cross-platform data recovery. This particular utility sorts through a data stream of unknown structure and attempts to reconstruct files from it. Sometimes it will only find fragments which will need to be reassembled later. Often file fragments from deleted files (where parts of the file have not yet been overwritten) may be recovered. While lazarus and the rest of the TCT represent powerful tools for security analysis and data recovery they also require a great deal of time, space, patience, and knowledge to use effectively. Their use is beyond the scope of this paper. http://port25.technet.com Page 7
Recovering Data from Windows Systems by Using Linux 1.6.2 Data Recovery Specialists When a drive appears to be failing or has been physically damages (for example. dropped on the floor) the best course of action if the data is of value is to hire a dedicated data recovery firm. Such firms rely not only on software methods similar to what I have described but generally also have the ability to disassemble the hardware in order to retrieve data from a physically damaged disk. I have other customers who have had the drive heads come off the spindles and grind into the platters, who have had all important data recovered. Unfortunately this option is usually quite expensive and rates can vary significantly from region to region. 1.7 Final Thoughts Data recovery is a huge field, and it is impossible to cover it in any significant depth in a short paper. However, I hope that this provides good information about how to use Linux to recover data from minor to moderate failures. 1.7.1 About the Author Chris Travers owns Metatron Technology Consulting, a company helping customers run open source software on any operating system. He has used these techniques for the last eight years to recover data from floppy http://port25.technet.com Page 8

Empfohlen

Ten Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesTen Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesEnvision Technology Advisors
 
Network external hard drive
Network external hard driveNetwork external hard drive
Network external hard drivessuser1eca7d
 
Mastering your hard drive
Mastering your hard driveMastering your hard drive
Mastering your hard driveJoel May
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]Phil Huggins FBCS CITP
 
What is dfs name space
What is dfs name spaceWhat is dfs name space
What is dfs name spaceManikandan M
 
Format, Partition, Install OS
Format, Partition, Install OSFormat, Partition, Install OS
Format, Partition, Install OSSef Cambaliza
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 

Empfohlen

Ten Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesTen Myths About Recovery Deleted Files
Ten Myths About Recovery Deleted FilesEnvision Technology Advisors
 
Network external hard drive
Network external hard driveNetwork external hard drive
Network external hard drivessuser1eca7d
 
Mastering your hard drive
Mastering your hard driveMastering your hard drive
Mastering your hard driveJoel May
 
Mounting virtual hard drives
Mounting virtual hard drivesMounting virtual hard drives
Mounting virtual hard drivesCTIN
 
First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]First Responder Course - Session 10 - Static Evidence Collection [2004]
First Responder Course - Session 10 - Static Evidence Collection [2004]Phil Huggins FBCS CITP
 
What is dfs name space
What is dfs name spaceWhat is dfs name space
What is dfs name spaceManikandan M
 
Format, Partition, Install OS
Format, Partition, Install OSFormat, Partition, Install OS
Format, Partition, Install OSSef Cambaliza
 
Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3Windows 7 forensics -overview-r3
Windows 7 forensics -overview-r3CTIN
 
Wd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607eWd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607eDolphin Data Lab
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010lincolng
 
The installing of widows 7
The installing of widows 7The installing of widows 7
The installing of widows 7MCC
 
The Holy Grail of Deployment
The Holy Grail of DeploymentThe Holy Grail of Deployment
The Holy Grail of DeploymentStuart King
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Administering windows xp
Administering windows xpAdministering windows xp
Administering windows xpSamaja
 
Module 2 b_win 7
Module 2 b_win 7Module 2 b_win 7
Module 2 b_win 7Omar Computer Teacher
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsCTIN
 
Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16Ken Tucker
 
Hbcd
HbcdHbcd
Hbcdbwryno
 
Windows 11 storage spaces
Windows 11 storage spacesWindows 11 storage spaces
Windows 11 storage spacesssuser1eca7d
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
2.1 design hard disk layout v2
2.1 design hard disk layout v22.1 design hard disk layout v2
2.1 design hard disk layout v2Acácio Oliveira
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Linux data recovery
Linux data recoveryLinux data recovery
Linux data recoverylissy taylor
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 
Virtual dj 7 getting started
Virtual dj 7 getting startedVirtual dj 7 getting started
Virtual dj 7 getting startedViviana Villar Lopez
 
Backup and restore in linux
Backup and restore in linux Backup and restore in linux
Backup and restore in linux Mohammed Yazdani
 
linux interview questions and answers
linux interview questions and answerslinux interview questions and answers
linux interview questions and answersGanapathi Raju
 
Devops interview questions
Devops interview questionsDevops interview questions
Devops interview questionsenrollmy training
 

Weitere ähnliche Inhalte

Was ist angesagt?

Wd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607eWd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607eDolphin Data Lab
 
Mac Forensics
Mac ForensicsMac Forensics
Mac ForensicsCTIN
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010lincolng
 
The installing of widows 7
The installing of widows 7The installing of widows 7
The installing of widows 7MCC
 
The Holy Grail of Deployment
The Holy Grail of DeploymentThe Holy Grail of Deployment
The Holy Grail of DeploymentStuart King
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Brent Muir
 
Administering windows xp
Administering windows xpAdministering windows xp
Administering windows xpSamaja
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsCTIN
 
Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16Ken Tucker
 
Windows 11 storage spaces
Windows 11 storage spacesWindows 11 storage spaces
Windows 11 storage spacesssuser1eca7d
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
2.1 design hard disk layout v2
2.1 design hard disk layout v22.1 design hard disk layout v2
2.1 design hard disk layout v2Acácio Oliveira
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBrent Muir
 
Linux data recovery
Linux data recoveryLinux data recovery
Linux data recoverylissy taylor
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingBrent Muir
 

Was ist angesagt? (19)

Wd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607eWd usb hdd image un locker pro-inic1607e
Wd usb hdd image un locker pro-inic1607e
 
Mac Forensics
Mac ForensicsMac Forensics
Mac Forensics
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010
 
The installing of widows 7
The installing of widows 7The installing of widows 7
The installing of widows 7
 
The Holy Grail of Deployment
The Holy Grail of DeploymentThe Holy Grail of Deployment
The Holy Grail of Deployment
 
Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0Windows 8.x Forensics 1.0
Windows 8.x Forensics 1.0
 
Administering windows xp
Administering windows xpAdministering windows xp
Administering windows xp
 
Module 2 b_win 7
Module 2 b_win 7Module 2 b_win 7
Module 2 b_win 7
 
Time Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows SystemsTime Stamp Analysis of Windows Systems
Time Stamp Analysis of Windows Systems
 
Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16Tech comm presentation 2014 01-16
Tech comm presentation 2014 01-16
 
Hbcd
HbcdHbcd
Hbcd
 
Windows 11 storage spaces
Windows 11 storage spacesWindows 11 storage spaces
Windows 11 storage spaces
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
2.1 design hard disk layout v2
2.1 design hard disk layout v22.1 design hard disk layout v2
2.1 design hard disk layout v2
 
Booting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual boxBooting an image as a forensically sound vm in virtual box
Booting an image as a forensically sound vm in virtual box
 
Linux data recovery
Linux data recoveryLinux data recovery
Linux data recovery
 
Trying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computingTrying to bottle the cloud forensic challenges with cloud computing
Trying to bottle the cloud forensic challenges with cloud computing
 
Virtual dj 7 getting started
Virtual dj 7 getting startedVirtual dj 7 getting started
Virtual dj 7 getting started
 

Andere mochten auch

Backup and restore in linux
Backup and restore in linux Backup and restore in linux
Backup and restore in linux Mohammed Yazdani
 
linux interview questions and answers
linux interview questions and answerslinux interview questions and answers
linux interview questions and answersGanapathi Raju
 
Linux server world
Linux server worldLinux server world
Linux server worldAkshat Singh
 
Linux System Administration Crash Course
Linux System Administration Crash CourseLinux System Administration Crash Course
Linux System Administration Crash CourseJason Cannon
 
Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Gábor Nyers
 
Redhat training &certification
Redhat training &certificationRedhat training &certification
Redhat training &certificationAhmed Abbas Ahmed
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014iimjobs and hirist
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questionsKavya Sri
 

Andere mochten auch (12)

Backup and restore in linux
Backup and restore in linux Backup and restore in linux
Backup and restore in linux
 
linux interview questions and answers
linux interview questions and answerslinux interview questions and answers
linux interview questions and answers
 
Devops interview questions
Devops interview questionsDevops interview questions
Devops interview questions
 
Linux server world
Linux server worldLinux server world
Linux server world
 
Linux System Administration Crash Course
Linux System Administration Crash CourseLinux System Administration Crash Course
Linux System Administration Crash Course
 
Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12Full system roll-back and systemd in SUSE Linux Enterprise 12
Full system roll-back and systemd in SUSE Linux Enterprise 12
 
Linux administration classes in mumbai
Linux administration classes in mumbaiLinux administration classes in mumbai
Linux administration classes in mumbai
 
Redhat training &certification
Redhat training &certificationRedhat training &certification
Redhat training &certification
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Self introduction
Self introductionSelf introduction
Self introduction
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
 
Linux admin interview questions
Linux admin interview questionsLinux admin interview questions
Linux admin interview questions
 

Ähnlich wie Linux Recovery

Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxchristinemaritza
 
Chapter 1,2,3 & 4_Win Server AD Basics.pptx
Chapter 1,2,3 & 4_Win Server AD Basics.pptxChapter 1,2,3 & 4_Win Server AD Basics.pptx
Chapter 1,2,3 & 4_Win Server AD Basics.pptxPoornimaGhodke3
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals TrainingLove Steven
 
Rh202 q&a-demo-cert magic
Rh202 q&a-demo-cert magicRh202 q&a-demo-cert magic
Rh202 q&a-demo-cert magicEllina Beckman
 
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)Isabella789
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docxevonnehoggarth79783
 
2022 fixed cant read from source file or disk error
2022 fixed cant read from source file or disk error2022 fixed cant read from source file or disk error
2022 fixed cant read from source file or disk errorZoey Chen
 
Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Paula Smith
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Linux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsLinux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsGratien D'haese
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)David Sweigert
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationIsabella789
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationIsabella789
 
iam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdfiam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdfmukhtaransarcloth
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsIgor Beliaiev
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 

Ähnlich wie Linux Recovery (20)

Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docxChapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
Chapter 8 Common Forensic ToolsOverviewIn this chapter, youl.docx
 
Chapter 1,2,3 & 4_Win Server AD Basics.pptx
Chapter 1,2,3 & 4_Win Server AD Basics.pptxChapter 1,2,3 & 4_Win Server AD Basics.pptx
Chapter 1,2,3 & 4_Win Server AD Basics.pptx
 
Linux fundamentals Training
Linux fundamentals TrainingLinux fundamentals Training
Linux fundamentals Training
 
Rh202 q&a-demo-cert magic
Rh202 q&a-demo-cert magicRh202 q&a-demo-cert magic
Rh202 q&a-demo-cert magic
 
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)
RH-302 Exam-Red Hat Certified Engineer on Redhat Enterprise Linux 4 (Labs)
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
 
2022 fixed cant read from source file or disk error
2022 fixed cant read from source file or disk error2022 fixed cant read from source file or disk error
2022 fixed cant read from source file or disk error
 
Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8Essay About ISS 418 Lab 7 And 8
Essay About ISS 418 Lab 7 And 8
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
John
JohnJohn
John
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Linux Disaster Recovery Solutions
Linux Disaster Recovery SolutionsLinux Disaster Recovery Solutions
Linux Disaster Recovery Solutions
 
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
Study notes for CompTIA Certified Advanced Security Practitioner (ver2)
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux Certification
 
RH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux CertificationRH302 Exam-Red Hat Linux Certification
RH302 Exam-Red Hat Linux Certification
 
iam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdfiam giving you entire process of  forensc duplication;the response.pdf
iam giving you entire process of  forensc duplication;the response.pdf
 
Security Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and ResultsSecurity Walls in Linux Environment: Practice, Experience, and Results
Security Walls in Linux Environment: Practice, Experience, and Results
 
Edubooktraining
EdubooktrainingEdubooktraining
Edubooktraining
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 

Kürzlich hochgeladen

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Kürzlich hochgeladen (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Linux Recovery

  • 1. Recovering Data from Windows Systems by Using Linux Recovering Data from Windows Systems by Using Linux Published by the Open Source Software Lab at Microsoft. November 2007. Special thanks to Chris Travers, Contributing Author to the Open Source Software Lab. Most current version will be maintained at http://port25.technet.com. . Abstract: We have all run into cases where Windows refuses to load for one reason or another. The problem may be hardware or a software failure, and the problem may seem to be irrecoverable. Yet often Linux can be used to help recover data that otherwise might be lost. http://port25.technet.com Page i
  • 2. Recovering Data from Windows Systems by Using Linux Information in this document, including URL and other Internet Web site references, is subject to change without notice and is provided for informational purposes only. The entire risk of the use or results from the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. Unless otherwise noted, the companies, organizations, products, domain names, e- mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. © 2007 Microsoft Corporation. This work is licensed under the Microsoft Public License. The Microsoft Public License is available here. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Microsoft, Windows, Windows XP, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. http://port25.technet.com Page ii
  • 3. Recovering Data from Windows Systems by Using Linux 1 Introduction We have all run into cases where Windows refuses to load for one reason or another. The problem may be a hardware or a software failure, and the problem may seem to be irrecoverable. Yet often Linux can be used to help recover data that otherwise might be lost. Another application of using Linux recovery is in the creation of disk images for post-mortem analysis of security breaches. While such images are not created according to forensics standards (which usually requires special hardware) and would not be likely to be of help in legal cases, they are helpful in internal reviews following such incidents. In writing this paper I generally assume that either a Linux workstation is available to accept recovery information or that a USB drive of sufficient size is available to hold the data. Generally, in either case, enough free space should be available to store the entire hard drive as a bit-for-bit file and still have at least 2GB of space free. However, if more space is available, the process of organizing the recovered data is a bit easier. If neither of these is available, the utility of Linux in data recovery will be limited. Finally, if things go badly wrong, additional tools (such as The Coroner’s Toolkit) can be used but they require a great deal more free space to work. Generally, in these cases, you should have enough free space to store the hard drive twice on the same drive. This paper is written with the assumption that the reader is comfortable on the Linux command line, and can perform basic file operations (e.g. mv, cp, navigate the filesystem). In general, the command line is preferred for these types of tasks because it is easier to adapt the commands to specific needs than it would be with a GUI, and because when data is at stake, complete control over the process is often desirable. The commands given in this paper are samples only and can easily be adapted to other circumstances. Although I endeavor to provide enough information to make such modifications clear, complex scenarios may require review of manual pages. 1.1.1 A Few Cautions Before Beginning With data recovery it is important to understand the problem so that further damage is not caused in the process. In cases where drive failure is involved, it is almost always safest to send the drive to dedicated data recovery specialists who can disassemble the drive as needed. However, this process is expensive and must be weighed against the value of the data being recovered. Even if there are no signs of drive failure, the safest solution is to assume that the drive is failing. This is not a common problem but it can be caused by overheating (and the data is more likely to be corrupted by other parts of the system) or by physical damage to key data sectors. Because this does not add much to the complexity of the recovery and adds a great deal of safety, I recommend not reading the drive more than once and avoid any writing. The instructions in this document are believed to be reasonably safe. However, data recovery is a field where there are many points where mistakes can lead to irrecoverable data loss. If you are unfamiliar with a command or what it does, consult the manual page, and please do not use data you need for learning these techniques. If you are unsure of your abilities then hire a data recovery specialist if the data is worth the cost of recovery. http://port25.technet.com Page 3
  • 4. Recovering Data from Windows Systems by Using Linux Finally, if images are being made for legal purposes, please hire a forensics specialist. There are specific processes which must be followed if one expects evidence to hold up in court. These processes and the hardware devices associated with them are well beyond the scope of this paper. 1.2 Making the Image The first step in performing any data recovery is usually to create an image of each filesystem to be recovered on the drive. The images can be stored on a USB hard drive, the system hard drive, a network file share or somewhere else. By creating an image we allow ourselves to do two things we could not do otherwise. First we allow ourselves to make errors or bad choices and still have a chance to get back to where we started. In cases where the filesystem is damaged is not uncommon. Second we reduce the stress we put on a potentially failing hard drive so that no more data is lost than absolutely necessary. The easiest way to handle this sort of data is to make a separate image file for each of the filesystems to be subject to recovery. 1.2.1 Locating the Drive Linux hard drives are generally found in /dev/ and have the following naming conventions: IDE drive names begin with “hd” (for hard drive) followed by a letter. “”adquot; is the primary master, “hdb” is the primary slave, “hdc” is the secondary master, “hdd” is the secondary slave etc. All other hard drives generally go through the SCSI interface. This includes all SCSI, USB, and SATA drives. In the 2.4 series of the Linux kernel, it was even possible to force an IDE drive to be reported as a SCSI one though this is unlikely to be encountered in a data recovery scenario. 1.2.1.1 Using sfdisk Once a set of drive candidates (for recovery) have been obtained, it is generally a good idea to check them with sfdisk -l. This process is considered safer than using fdisk in part because the commands are simpler and noninteractive. They require root access. bash# /sbin/sfdisk -l /dev/hda The output of this command provides information on the hard drive geometry (heads, sectors and cylinders), and then lists the partition information. Partitions must start and end on cylinder boundaries. Unfortunately many older versions of Windows had trouble with disks which had few heads and a large number of cylinders causing some BIOS implementations and drives to lie about their real geometry. Because Linux tends to read the geometry from the drive and Windows tends to read it from the BIOS problems can occur when the drive-read and BIOS-read geometries don't match. Run against a standard Linux disk, this might output something like: Disk /dev/hda: 9729 cylinders, 255 heads, 63 sectors/track Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 http://port25.technet.com Page 4
  • 5. Recovering Data from Windows Systems by Using Linux Device Boot Start End #cyls #blocks Id System /dev/hda1 * 0+ 12 13- 104391 83 Linux /dev/hda2 13 9728 9716 78043770 8e Linux LVM /dev/hda3 0 - 0 0 0 Empty /dev/hda4 0 - 0 0 0 Empty For a Linux/Windows dual-boot disk, the output might be: Disk /dev/sda: 19457 cylinders, 255 heads, 63 sectors/track Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0 Device Boot Start End #cyls #blocks Id System /dev/sda1 0+ 891 892- 7164958+ 27 Unknown /dev/sda2 * 892 10196 9305 74742412+ 6 FAT16 /dev/sda3 10197 10209 13 104422+ 83 Linux /dev/sda4 10210 19456 9247 74276527+ 5 Extended /dev/sda5 10210+ 19456 9247- 74276496 8e Linux LVM Note that the FAT16 partition above is actually formatted as NTFS. So one cannot trust the system labels to tell you what the actual filesystem is. However, most Windows partitions will list some recognizable label, such as FAT16, W95 FAT32, NTFS Volume Set or similar. 1.2.2 Creating the Image The basic command to use is: bash# dd if=[device] of=[imagename]conv=noerror dd reads in from one file (“if” for input file), optionally runs a conversion filter, and then writes out to another. If the output file (“of”) is not specified, the data is written to standard output. The “conv=noerror” instructs the program to continue reading in case of an error, which may be necessary if the drive has been damaged. Most data recovery documents come with a standard warning: do not try to make your image in the same filesystem you are recovering from. While I am sure this is self-evident, evidently it happens frequently enough for the warning to be standard and so it is worth mentioning as a reminder. 1.2.2.1 Writing the Image to a File in a Mounted Filesystem The simplest form of the command above might be: bash# dd conv=noerror if=/dev/sda1 of=/root/recovery.img This example copies the contents of /dev/sda1 to /root/recovery.img. The filesystem can then be mounted using a standard loopback device in Linux. 1.2.2.2 Writing to a Filesystem on Another System Because dd can write to standard output, it can be used to write to a file on a remote system using ssh. In order to reduce the network overhead, we can optionally compress the contents and then uncompress them on the other side: http://port25.technet.com Page 5
  • 6. Recovering Data from Windows Systems by Using Linux bash# dd conv=noerror if=/dev/sda1 | ssh user@host 'cat > recover.img' To compress the stream in transit, we can enter the following (all on one line): bash# dd conv=noerror if=/dev/sda1 | gzip | ssh user@host 'gunzip > recover.img' In general, it is not a good idea to store the image compressed on a hard drive for recovery purposes because one cannot operate directly on it. 1.3 Mounting the Image Once the image has been made make two directories; one for the mountpoint and one for the destination: bash# mkdir recover_src recover_dst Then you can mount the filesystem (as a loopback device) with the following command: bash# mount -t [type] -o loop /path/to/image recover_src For example. assuming the command above was used to create the image in /root/recovery.img, and that it is NTFS, you can use: bash# mount -t ntfs -o loop /root/recovery.img recover_src All FAT filesystems would use the “-t vfat” flag. 1.3.1 A Note about NTFS Drivers and Linux NTFS Support Not all Linux distributions come with NTFS drivers even though read-only drivers are a part of the current Linux source code. Although Knoppix does have such support, Fedora does not. Often you can locate drivers on third party web sites. In general, recompiling the Linux kernel is more trouble than you want to go through for something like this. If you can't find the drivers, use Knoppix. NTFS filesystems can only be read on Linux without compromising safety -- writing to them is still considered dangerous and may result in data corruption or loss. Most of the drivers available only offer read-only support and getting read-write support is well beyond the scope of this paper. 1.4 Recovering the Data to a Safe Place Once the loop image is mounted you can copy files using the cp or similar command into the recover_dst folder for later conversion into CDROM's, and the like. Alternatively, you can use another USB drive formatted using FAT32, mount that drive on recover_dst and continue to recover files in this way. In general I like to archive filesystem images (compressed usually) for a period of time so that I can ensure that everything that I needed to get off them has been saved before I disregard them. 1.5 Quick Notes on mkisofs and cdrecord Often it may be useful to write the backed up files to a CDROM. Doing so requires the use of two important utilities: mkisofs and cdrecord. http://port25.technet.com Page 6
  • 7. Recovering Data from Windows Systems by Using Linux CDROM's use a filesystem specified in the ISO 9660 standard. This filesystem has very few features and is incredibly limiting (no long file names, no permissions, case insensitivity in file names, etc.). In order to make the filesystem more usable on modern operating systems, two sets of extensions were created: the Joliet extensions used by Windows, and the Rock Ridge extensions usually supported on UNIX. In general, it is recommended that you use both sets of extensions in order to best integrate the CD across platforms. The command to create an iso image named quot;recovery.isoquot; from the contents of the recovery_dst folder (with both Joliet and Rock Ridge extensions) would be: bash# mkisofs -JR -o recovery.iso recovery_dst Once created the image can be burned to a CD-RW drive using the cdrecord program. The simplest form of the cdrecord command might be: bash# cdrecord dev=/dev/cdrom --data recovery.iso If you want more progress information you can add a “-v” argument. When you are done verify the media by mounting it and attempting to read the directory. I have generally found that some CD-R disks do not handle high burn rates well, and burning at the maximum rate may cause the entire disk to be bad. If this occurs, I have found that slowing the burn speed down to 4x usually solves the problem. The similar command for cdrecord, asking for verbose output and a write speed of 4x, is: bash# cdrecord dev=/dev/cdrom speed=4 -v --data recovery.iso 1.6 Tools of Last Resort In some cases, the filesystem may be too badly damaged to get the data out through standard means. Perhaps the disk was formatted, or the drive is failing. Either way, there are a few tools which can help resolve these cases given a fair bit more time, drive space, and patience. 1.6.1 The Coroner's Toolkit The Coroner's Toolkit (TCT) is a somewhat morbidly named set of tools for post-mortem analysis of a UNIX system (after a break-in). It is designed to discover data or programs which may not be visible to the operating system through the normal file interfaces. It is available at http://www.porcupine.org/forensics/tct.html. The Coroner's Toolkit has a few utilities which can come in extremely handy in data recovery. Of these utilities 'lazarus' is the most useful for cross-platform data recovery. This particular utility sorts through a data stream of unknown structure and attempts to reconstruct files from it. Sometimes it will only find fragments which will need to be reassembled later. Often file fragments from deleted files (where parts of the file have not yet been overwritten) may be recovered. While lazarus and the rest of the TCT represent powerful tools for security analysis and data recovery they also require a great deal of time, space, patience, and knowledge to use effectively. Their use is beyond the scope of this paper. http://port25.technet.com Page 7
  • 8. Recovering Data from Windows Systems by Using Linux 1.6.2 Data Recovery Specialists When a drive appears to be failing or has been physically damages (for example. dropped on the floor) the best course of action if the data is of value is to hire a dedicated data recovery firm. Such firms rely not only on software methods similar to what I have described but generally also have the ability to disassemble the hardware in order to retrieve data from a physically damaged disk. I have other customers who have had the drive heads come off the spindles and grind into the platters, who have had all important data recovered. Unfortunately this option is usually quite expensive and rates can vary significantly from region to region. 1.7 Final Thoughts Data recovery is a huge field, and it is impossible to cover it in any significant depth in a short paper. However, I hope that this provides good information about how to use Linux to recover data from minor to moderate failures. 1.7.1 About the Author Chris Travers owns Metatron Technology Consulting, a company helping customers run open source software on any operating system. He has used these techniques for the last eight years to recover data from floppy http://port25.technet.com Page 8