Save that Data

Computer File and Drive
Protection and Recovery
Resources
Terence Sullivan,
Shiloh/Chrisman Schools
“Save That Data.” Everyone has had the
experience of losing critical documents.
Almost always the data is recoverable at no
cost. A simple USB memory stick can carry
all the free tools needed to recover anything
from a single deleted file to a completely trashed
hard drive. A tool-kit with how-to instructions
will be available. (Appropriate for all grade
levels.)
Nice Tool - Bonus
• Internet Explorer History Viewer – “IEHV”
– http://www.nirsoft.net/utils/iehv.html
– Will display Internet History in a complete and
organized format for every user on a
computer
• Session Philosophy – using all free
software or utilities included with OS
Backup and Archive
• Best defense is a good offense
– Recycle Bin – ONLY local drives
– CD/DVD burners
– Onetouch Backup – external drive
– Ntbackup (Windows)
– Syncback
– Cobian Backup
Windows Archiving Tools
• System Restore – ONLY system files
• Volume Shadow Copy (VSC)
• NTBackup
• Windows Resource Kit Tools
– Robocopy
How Drives Work
• Files are stored magnetically or optically on
the drive.
• Drive is organized in logical parts
– Sectors, Tracks, Cylinders, Partitions
• File is “written” onto the drive and the
LOCATION(s) is recorded in the file tables
• These apply to
– Hard Drive, Floppy Drive, CD, DVD, Flash
Memory, SD Cards, even digital tape drives
How Drives Work
• Examples
– Hard Drive
– Floppy Drive
– CD Rom
Signs that your drive is
damaged or failing
• Strange noises or grinding sound
• SLOW to open/save a file or boot
• Unresponsiveness
• Freezes and locks up
• Blue screen of death
• TIP – check the event logs!
What happens when a file is “lost”
• Erased
– Really just deletes the file table entry, so the reference to
what the file is and WHERE it is stored is lost
• Overwritten
– Remagnetize the same parts of the drive or redo the
reflective ink on the CD/DVD
• Drive Partition is Lost
– Boot record is corrupted and the beginning/ending
points for the logical drive are lost
• Physical Damage
– Head crash, disk scratched, drive motor issues, drive
controller issues
Recover from Minor Drive Damage
• CD-DVD
– Clean the disc with water and a lint-free cloth
– Scratches with polisher or toothpaste (fine
abrasive)
– Crack – run it in a SLOW drive (older drive)
• Disk Drive minor corruption
– Included OS Tools
• Chkdsk (Win), FSCK (Linux), Disk Utility (Mac)
• SFC (system file checker) in Windows
Windows Tools
• If system boots it may be possible to run
and fix from inside Windows
– System Restore to revert and recover system
files if it is corruption damage and not hard
drive failure
– CHKDSK gui or command line
• Chkdsk /R
– SFC command line
• sfc /scannow
• Reference Site - http://ss64.com/
Simple (?) Undelete
• **Convar – PC Inspector 4
– http://www.pcinspector.de/Sites/file_recovery/download.htm?language=1
• Softperfect File Recovery - fast scanner
– http://www.softperfect.com/products/filerecovery/
(NTFS-FAT, HD, FD, Flash, SD)
• Undelete Plus
– http://www.undelete-plus.com/ (NTFS-FAT, HD, FD,
Flash, SD,…)
• Hiren’s Boot Disk run inside Windows
Portable Apps
• Stand Alone programs which do NOT
require installation to run.
– Small footprint and clean up after themselves
• Can carry and run from Flash drive (or
other media)
• Search for Portable App Project or
Portable Freeware
– http://portableapps.com/
– http://www.portablefreeware.com/
Live CD Tools
• Bart’s PE – WinXP – http://www.nu2.nu/pebuilder/
• Dell Linux with Open Management Server tools (OMSA)
– http://linux.dell.com/files/openmanage-contributions/omsa-51-live
• Knoppix - http://www.knoppix.org/
– Disk First Aide with Knoppix
• http://www.shockfamily.net/cedric/knoppix/
• Helix – custom Knoppix - for forensics and recovery
– http://www.e-fense.com/helix/
• Ultimate Boot CD - http://www.ultimatebootcd.com/
• SystemRescueCD - http://www.sysresccd.org/
• Hiren’s Boot CD
• Ubuntu (Live CD – use apt-get) - http://www.ubuntu.com/
• Ubuntu Rescue Remix - http://ubuntu-rescue-remix.org/
Tricks of the Trade
• Floppy Drive – try in another machine; the best
option is to try it in a Mac or to mount it in a *nix
machine
• Hard Drive – try the “freezer” trick
• SD or flash card readers for direct USB
connection
• USB to ATA/SATA drive universal adapter
– Allows connecting basically any computer or laptop
hard drive to a computer via the USB port
• Preferred Recovery Approach is to IMAGE the
drive with some type of BIT Copier and then work
on the image not the original
Corrupted Files
• Microsoft Word
– File – Open and choose
• “Recover Text from any File”
• in this case, I would try Testdisk or Parted to
restore your partition table. I hope her note
wasn't longer than 512 characters.
• Source - http://xkcd.com/340/
Serious Corruption
• TestDisk – recover partitions in most OS
& File Systems (free)
– http://www.cgsecurity.org/wiki/TestDisk_Download
– Found on many Live CDs
– Often Bundled with PhotoRec
• Restoration (free)
– http://www.snapfiles.com/get/restoration.html
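
A read-only way to see what a "lost partition" looks like before handing a drive image to TestDisk, as an added example that is not part of the original slides: it checks the boot-record signature and lists the start and length recorded in each entry of a classic MBR sector. The function names and the sample sector are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only look at sector 0 of a drive image (classic MBR layout).
# Assumes a 512-byte MBR: four 16-byte entries at offset 446, signature 55 aa at 510.
set -eu

# byte_at IMG OFFSET: print one byte of IMG as a decimal number.
byte_at() {
    od -An -tu1 -j "$2" -N1 "$1" | tr -d ' \n'
}

# le32_at IMG OFFSET: print the 4-byte little-endian integer stored at OFFSET.
le32_at() {
    set -- $(od -An -tu1 -j "$2" -N4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# mbr_signature_ok IMG: true if bytes 510-511 hold the boot signature 0x55 0xAA.
mbr_signature_ok() {
    [ "$(byte_at "$1" 510)" = 85 ] && [ "$(byte_at "$1" 511)" = 170 ]
}

# mbr_partitions IMG: print "slot type start_lba sectors" for each non-empty entry.
mbr_partitions() {
    img=$1; slot=0
    while [ "$slot" -lt 4 ]; do
        off=$(( 446 + slot * 16 ))
        ptype=$(byte_at "$img" $(( off + 4 )))
        if [ "$ptype" -ne 0 ]; then
            echo "$slot $ptype $(le32_at "$img" $(( off + 8 ))) $(le32_at "$img" $(( off + 12 )))"
        fi
        slot=$(( slot + 1 ))
    done
}

# make_sample_mbr OUT: constructed sample sector with one FAT32 entry (type 0x0b)
# that starts at LBA 2048 and is 204800 sectors long.
make_sample_mbr() {
    dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
    # status, CHS start (3), type, CHS end (3), start LBA (LE), sector count (LE)
    printf '\000\000\000\000\013\000\000\000\000\010\000\000\000\040\003\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

sample=$(mktemp); make_sample_mbr "$sample"
mbr_signature_ok "$sample" && mbr_partitions "$sample"
rm -f "$sample"
```

A missing signature or four empty entries on a drive that used to hold data is the "beginning/ending points are lost" case that TestDisk searches the disk to rebuild.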
Sleuth Kit
• For those so inclined
• Forensic Tool
– The Sleuth Kit and Autopsy graphical interface
– http://www.sleuthkit.org/index.php
Commercial
• Gibson Research (Steve Gibson)
• SPINRITE
– http://www.grc.com/spinrite.htm
• Recovery Services
Dead Disk Readers
• Hard Drives, CD, DVD, Floppy, Flash
• http://www.s2services.com/diskreaderfreeware.htm
– Tools for all OS systems
dd variants
• Linux, Debian, OSX
– Linux/Unix history
– File or Drive/Partition recovery tool
• dd – command line
• ddrescue – easier user interface
• gddrescue – gnu project ddrescue
Ubuntu Example
• In terminal
– Install gddrescue
$ sudo apt-get install gddrescue
– Run this command and BE PATIENT
$ sudo ddrescue -v /dev/hdc cdr-backup2.iso /ddrescue.log
Or
$ sudo ddrescue -v /dev/hdd1 /dev/hdc1 /ddrescue.log
$ sudo fsck -C /dev/hdc1
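
The image-first approach from the Tricks of the Trade slide, applied to the terminal steps above, as an added example that is not part of the original slides: it images a source with dd, records a SHA-256 of the master image, write-protects it, and does all repair work on a verified copy. The file names and the small stand-in "drive" are constructed; on real hardware the source would be a device node and ddrescue would take the place of dd.

```shell
#!/usr/bin/env bash
# Added example: image first, then recover from a copy of the image.
# The "drive" here is a constructed sample file, not a real device.
set -eu

# image_drive SRC IMG: bit-copy SRC to IMG, record its hash, write-protect both.
image_drive() {
    src=$1; img=$2
    # conv=noerror,sync: continue past unreadable blocks and pad them with zeros
    # so that later data keeps its original offset in the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
}

# working_copy IMG WORK: copy the master image and confirm the copy is identical.
working_copy() {
    img=$1; work=$2
    cp "$img" "$work"
    chmod u+w "$work"
    [ "$(sha256sum "$work" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}

# master_intact IMG: true if the master image still matches its recorded hash.
master_intact() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

demo() {
    dir=$(mktemp -d)
    head -c 4096 /dev/urandom > "$dir/fake-drive.bin"   # constructed sample "drive"
    image_drive "$dir/fake-drive.bin" "$dir/master.img"
    working_copy "$dir/master.img" "$dir/work.img"
    # Repair tools (fsck, TestDisk, PhotoRec) would be pointed at work.img here;
    # this write stands in for a repair that modifies the working copy.
    printf 'X' | dd of="$dir/work.img" bs=1 seek=0 conv=notrunc 2>/dev/null
    master_intact "$dir/master.img" && echo "master image unchanged"
    rm -rf "$dir"
}

demo
```

If a repair attempt makes things worse, discard the working copy and make a fresh one from the master image instead of reading the failing drive again.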
dcfldd
• Linux Tool
– dcfldd best on DEBIAN!
– http://dcfldd.sourceforge.net/#download
Terence Sullivan,
Shiloh/Chrisman Schools
Questions ?
• Presentation
– www.il-edtech.org
– www.shiloh.k12.il.us/presentations