Save that Data

Save that Data

Computer File and Drive

Protection and Recovery Resources

Terence Sullivan, Shiloh/Chrisman Schools

“Save That Data.” Everyone has had that experience of losing critical documents.

Almost always the data is recoverable for no cost. A simple USB memory stick can carry all the free tools needed for recovery of a single deleted file to a completely trashed

hard drive. A tool-kit with how-to instructions will be available. (Appropriate for all grade

levels.)

tsulliva@comwares.net

Nice Tool - Bonus

• Internet Explorer History Viewer – “IEVH”– http://www.nirsoft.net/utils/iehv.html

– Will display Internet History in a complete and organized format for every user on a computer

• Session Philosophy – using all free software or utilities included with OS

Backup and Archive

• Best defense is a good offense– Recycle Bin – ONLY local drives– CD/DVD burners– Onetouch Backup – external drive– Ntbackup (Windows)– Syncback– Cobian Backup

Windows Archiving Tools

• System Restore – ONLY system files

• Volume Shadow Copy (VSC)

• NTBackup

• Windows Resource Kit Tools– Robocopy

How Drives Work• Files are stored magnetically or optically on

the drive.

• Drive is organized in logical parts– Sectors, Tracks, Cylinders, Partitions

• File is “written” onto the drive and the LOCATION(s) is recorded in the file tables

• These apply to– Hard Drive, Floppy Drive, CD, CDV, Flash

Memory, SD Cards, even digital tape drives

How Drives Work

• Examples– Hard Drive– Floppy Drive– CD Rom

Signs that your drive is damaged or failing

• Strange noises or grinding sound

• SLOW to open/save a file or boot

• Unresponsiveness

• Freezes and locks up.

• Blue screen of death

• TIP – check the event logs!

What happens when a file is “lost”• Erased

– Really just delete the file table so the reference to what and WHERE is lost

• Overwritten– Remagnetize the same parts of the drive or redo the

reflective ink on the CD/DVD

• Drive Partition is Lost– Boot record is corrupted and the beginning/ending

points for the logical drive are lost

• Physical Damage– Head crash, disk scratched, drive motor issues, drive

controller issues

Recover from Minor Drive Damage

• CD-DVD– Clean the drive with water and lint free cloth– Scratches with polisher or toothpaste (fine

abrasive)– Crack – run it in a SLOW drive (older drive)

• Disk Drive minor corruption– Included OS Tools

• Chkdsk (Win), FSCK (Linux), Disk Utility Mac • SFC (system file checker) in Windows

Windows Tools

• If system boots it may be possible to run and fix from inside Windows– System Restore to revert and recover system

files if it is corruption damage and not hard drive failure

– CHKDSK gui or command line• Chkdsk /R

– SFC command line• Scf /scannow

• Reference Site - http://ss64.com/

Simple (?) Undelete

• **Convar – PC Inspector 4– http://www.pcinspector.de/Sites/file_recovery/downloa

d.htm?language=1

• Softperfect File Recovery - fast scanner– http://www.softperfect.com/products/filerecovery/

(NTFS-FAT, HD, FD, Flash, SD)

• Undelete Plus– http://www.undelete-plus.com/ (NTFS-FAT, HD, FD,

Flash, SD,…)

• Hiren’s Boot Disk run inside Windows

Portable Apps

• Stand Alone programs which do NOT require installation to run.– Small footprint and clean up after themselves

• Can carry and run from Flash drive (or other media)

• Search for Portable App Project or Portable Freeware– http://portableapps.com/– http://www.portablefreeware.com/

Live CD Tools• Bart’s PE –WinXP http://www.nu2.nu/pebuilder/• Dell Linux with Open Management Server tools (OMSA)

– http://linux.dell.com/files/openmanage-contributions/omsa-51-live

• Knoppix - http://www.knoppix.org/ – Disk First Aide with Knoppix

• http://www.shockfamily.net/cedric/knoppix/

• Helix – custom Knoppix - for forensics and recovery– http://www.e-fense.com/helix/

• Ultimate Boot CD - http://www.ultimatebootcd.com/ • SystemRescueCD - http://www.sysresccd.org/• Hiran’s Boot CD• Ubuntu (Live CD – use aptget) - http://www.ubuntu.com/ • Ubuntu Rescue Remix - http://ubuntu-rescue-remix.org/

Tricks of the Trade• Floppy Drive – try in another machine or best

option is to try in a MAC or mounting in a *nix machine

• Hard Drive – try the “freezer” trick• SD or flash card readers for direct USB

connection• USB to ATA/SATA drive universal adapter

– Allows connecting basically any computer or laptop hard drive to a computer via the USB port

• Preferred Recovery Approach is to IMAGE the drive with some type of BIT Copier and then work on the image not the original

Corrupted Files

• Microsoft Word – File – Open and choose

• “Recover Text from any File”

• in this case, I would try Testdisk or Parted to restore your partition table. I hope her note wasn't longer than 512 characters.

• Source - http://xkcd.com/340/

Serious Corruption

• TEST Disk – recover partitions in most OS & File Systems (free)– http://www.cgsecurity.org/wiki/TestDisk_Down

load– Found on many Live CDs– Often Bundled with PhotoRec

• Restoration (free)– http://www.snapfiles.com/get/restoration.html

Sluth Kit

• For those so inclinded

• Forensic Tool– the Sluth Kit and Autopsy graphical interface– http://www.sleuthkit.org/index.phpS

Commercial

• Gibson Research (Steve Gibson)

• SPINRITE– http://www.grc.com/spinrite.htm

• Recovery Services

Dead Disk Readers

• Hard Drives, CD, DVD, Floppy, Flash• http://www.s2services.com/diskreaderfreeware.htm

– Tools for all OS systems

dd variants

• Linux, Debian, OSX– Linux/Unix history– File or Drive/Partition recovery tool

• dd – command line

• ddresue – easier user interface

• gddrescue – gnu project ddrescue

Ubuntu Example

• In terminal– Install gddrescue

$ sudo apt-get install gddrescue– Run this command and BE PATIENT

$ sudo ddrescue –v /dev/hdc cdr-backup2.iso /ddrescue.log

Or

$ sudo ddrescue –v /dev/hdd1 /dev/hdc1 /ddrescue.log

$ sudo fsck -C /dev/hdc1

dcfldd

• Linux Tool– dcfldd best on DEBIAN!– http://dcfldd.sourceforge.net/#download

Terence Sullivan, Shiloh/Chrisman Schools

Questions ?

•Presentation–www.il-edtech.org–www.shiloh.k12.il.us/presentations

tsulliva@comwares.net