Run Linux from floppies. Then you can mount the filesystem in question and
(possibly) read from it. As a worst-case scenario, you can get a binary
image of the disk and use 'restore' software on it later (mount it as a
loopback filesystem in Linux and fiddle with partition table geometry and
all sorts of obscure, virus-like actions).

If that fails, I suggest you scream really loud and bang your head against
the wall no less than 3, and no more than 8 times. If you experience
nausea before the third bang, you should quit and kick something instead.

/Andy


On Wed, 18 Jun 2003, Wilcox, Stephen wrote:

> Hello
> 
> It's funny that this discussion started in the last few days. As Murphy would have
> it, last night while installing a new NIC card, something happened to the boot.ini
> file and corrupted it. I don't know how or why, except the possibility of it writing
> the NIC information to the boot.ini file. I don't think that this information is
> stored in the boot.ini file, but maybe. Anyway, the problem I ran into is that
> Windows would not load and I couldn't recover it. (No safe mode, no fixboot, no fixmbr,
> nothing.) I figured I would just overlay an OS on top of the old one and then
> recover the information; no luck, the process would not perform unless I format.
> Great... If you know what I mean. I have been researching free tools to recover
> lost data but no real luck finding software that performs properly. I was wondering if
> anyone has/knows of one. Looking to recover my office files - *.xls, *.pst and
> *.doc files.
> 
> Stephen
> 
> -----Original Message-----
> From: Robinson, Sonja [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 18, 2003 10:54 AM
> To: Robinson, Sonja; 'marcus peddle'; [EMAIL PROTECTED]
> Subject: RE: Digital Evidence Question - What is an effective Windows
> hard-disk search tool?
> 
> 
> I was a bit rushed yesterday, sorry, so here is a bit more detail, but still
> in a general kind of knowledge base.  I'm trying to keep it a simple
> explanation so that the general population can understand the basics.  If
> people want to get really technical, please feel free....
> 
> In Windows operating systems (and others) there is the File Allocation Table
> (FAT), which is basically an index of where your files are located.  Your
> files can be and are written across numerous clusters and are not written
> sequentially.  One file is in a number of pieces across your hard drive, and
> each cluster points to the next in the chain.  In addition, MS writes files
> more than once (this you'll find in free space and swap space.)  If your
> file does not fill up the entire cluster, MS dumps other data into it.  This
> "extra area" is called unallocated space.  This data can be anything and is
> normally what was in RAM at the time.  So, for instance, your cluster is 24K
> (just throwing out a number here) and your file only fills up 18K; well then
> the remaining 6K is filled up with "garbage".  "What is one O/S's garbage
> could be the confidential info I'm looking for...."
> 
> When you delete a file, only the pointer in the FAT table is deleted. The
> file is still there until it is overwritten.  Since MS writes to random
> clusters, only parts of your file may be overwritten at any time, and the parts
> that aren't overwritten are recoverable.  It should be noted that MS
> normally starts overwriting the beginning clusters of the drive, so if the
> file is located near the end of the drive it takes longer to overwrite.
> Remember again, though, that it does not write in sequential clusters.
> Theoretically, the end of the drive may never be written to, depending on how
> much writing and deleting you do.
> 
> In order to obtain this "deleted" or "hidden" information you need to
> analyze your drives using tools generally used for forensics (NTI, The Coroner's
> Toolkit, EnCase, FTK, Linux tools).  In most cases bitstream copies are
> done first to preserve evidence, but if you're not worried about evidence and
> you just want to see what's on your drive, any of these tools will work, but
> they're not free (Linux tools generally are).  If you just want to undelete
> files, Norton Utilities works great.  It's much easier to see it in a
> diagram.  I think NTI has a good diagram, but I'm sure there are others out
> there as well.
> 
> UltraEdit and other hex editors are great for reading misc data, files and
> disks.  You just have to be patient.
> 
> Did you ever notice how all of your e-mail is 1K even if it is blank?  Yes, MS
> dumps info in there too, but it is generally invisible unless you do
> analysis.  It's amazing what you can find....
> 
> 
> 
> 
> Sonja Robinson, CISA
> Network Security Analyst
> HIP Health Plans
> Office:  212-806-4125
> Pager: 8884238615
> 
> 
> 
> -----Original Message-----
> From: Robinson, Sonja 
> Sent: Tuesday, June 17, 2003 3:17 PM
> To: 'marcus peddle'; [EMAIL PROTECTED]
> Subject: RE: Digital Evidence Question - What is an effective Windows hard
> -disk search tool?
> 
> 
> You're looking for something that does DoD specs, 31x write; try Maresware
> Declasfy, BCWipe, etc.  There are a number of tools.  Make sure that it goes
> past the EOF flag at the end of the drive.  And the LE most likely used
> EnCase or FTK.  What he did was not magic; it's called forensics.  Files are
> not deleted when you delete them; their pointer is, so that the O/S can't
> effectively find the file anymore, even though the file resides on the drive
> until it is overwritten.  Files are written multiple times in an MS O/S and
> can reside in multiple locations. You need to look at free, swap and
> unallocated space.  There is a wealth of info there.
> 
> -----Original Message-----
> From: marcus peddle [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 16, 2003 8:12 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Digital Evidence Question - What is an effective Windows hard-disk
> search tool?
> 
> 
> Hello,
>  
> I have a question/request:
>  
> A few weeks back, a friend of mine in law enforcement
> demo'ed a tool he had on his computer that searched his
> entire hard drive and built an evidence file (he
> called it acquiring the drive).  He then used a
> proprietary tool to search the file the tool built for
> things he thought he had deleted.  I am very aware of
> the footprint that can be left on a user's computer, but
> he had an extensive wipe tool that I was quite
> surprised to see did not delete everything.  He began
> pulling up images/cookies/files that he thought he had
> deleted years ago.
>  
> Needless to say, I was quite surprised.
>  
> So I now use a wiping program on my computer that
> deletes and overwrites all deleted files.  I also have
> a few other footprint erasers going but I wonder how
> effective they are.  
>  
> What I seek is the following:
>  
> -A tool (preferably freeware) that I can use to acquire
> and search my hard drive for
> images/history/general/etc. information that I have
> "deleted".
>  
> Any suggestions?  It goes without saying that any
> ideas you may have would be appreciated.  Thanks!
>  
> Marcus 
> 
> 
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant, while
> InStat has confirmed Neoteris as the leader in marketshare.
>      
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>           
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
> 


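A constructed Python example, added here and not code from anyone in this thread, that walks through the FAT behaviour Sonja describes: a file written across clusters leaves slack bytes in its last cluster, deleting it only marks the directory entry and releases the cluster chain, and an undelete tool gets the data back by trusting the surviving start cluster and size and assuming the clusters were contiguous. The 24-byte cluster size, the file name and its contents are made up for the demonstration.

```python
import struct

CLUSTER, ENTRY, SLOTS = 24, 32, 4          # constructed: 24-byte clusters, 32-byte entries, 4 dir slots
FREE, EOC, DELETED = 0x000, 0xFFF, 0xE5    # FAT12 free / end-of-chain values; deleted-entry name byte
FMT = "<11sB14xHI"                         # 8.3 name, attribute, skipped fields, first cluster, size


class ToyFat:
    def __init__(self, clusters=8):
        self.fat = [FREE] * clusters
        self.dir = bytearray(ENTRY * SLOTS)
        self.data = bytearray(b"R" * CLUSTER * clusters)   # stale bytes already on the media

    def write_file(self, name, payload):
        need = -(-len(payload) // CLUSTER)                  # clusters required (ceil)
        chain = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:need]
        for i, c in enumerate(chain):
            self.fat[c] = chain[i + 1] if i + 1 < len(chain) else EOC
            chunk = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk   # slack bytes left as-is
        slot = next(s for s in range(SLOTS) if self.dir[s * ENTRY] == 0)
        struct.pack_into(FMT, self.dir, slot * ENTRY, name.encode().ljust(11), 0x20,
                         chain[0], len(payload))
        return chain

    def delete(self, name):
        for s in range(SLOTS):
            n, _, first, _ = struct.unpack_from(FMT, self.dir, s * ENTRY)
            if n == name.encode().ljust(11):
                self.dir[s * ENTRY] = DELETED              # entry is marked, not erased
                while first != EOC:                        # chain released, data untouched
                    self.fat[first], first = FREE, self.fat[first]

    def undelete(self):
        """Undelete-tool logic: trust the surviving start cluster and size, assume contiguity."""
        out = {}
        for s in range(SLOTS):
            if self.dir[s * ENTRY] == DELETED:
                name, _, first, size = struct.unpack_from(FMT, self.dir, s * ENTRY)
                out[b"?" + name[1:].rstrip()] = bytes(self.data[first * CLUSTER:][:size])
        return out


def demo():
    vol = ToyFat()
    payload = b"Q2 revenue: 42.0M\nQ3 forecast: 47.5M\n"   # 37 bytes: 2 clusters, 11 bytes of slack
    last = vol.write_file("report.xls", payload)[-1]
    slack = bytes(vol.data[last * CLUSTER + len(payload) % CLUSTER:(last + 1) * CLUSTER])
    vol.delete("report.xls")
    return {"slack": slack, "recovered": vol.undelete()}
```

The recovered name comes back as "?eport.xls" because the first name byte is overwritten by the deletion marker, which is why undelete tools show deleted entries with a missing first character.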