I share some frustrations in my steps to recover data from a friend's hard disk.
Transcript
This is Leo Notenboom with news, commentary and answers to some of the many
questions I get at askleo.info.
This week I want to share some of my experiences, frustrations and the final
solution as I attempted to recover data from a friend's hard disk.
A non-technical friend got a new computer, and I inherited the old.
Naturally, it had important information on it that this friend didn’t want to
lose. Also as naturally, it was most likely heavily infected with viruses and
spyware.
So the challenge was how to copy the hard disk contents off without actually
booting the operating system and activating any malware while the machine sat
on the supposedly “safe” side of my firewall.
My first thought was to boot the machine using the Knoppix live CD. Booting
into Linux would absolutely prevent any malware from firing up, and once
booted, there are several options for copying the entire hard disk to another
location on my network.
So I changed the boot order in the BIOS, and booted from the latest Knoppix
CD. It booted fine, I could examine the system’s hard disk, and everything
looked good. Except for the network. After a couple of reboots, the network
wouldn’t initialize – it would fail to get an IP address.
My next thought was to boot from a bootable Windows CD I’d created using
BartPE. While I’d have to be a little more careful not to activate malware by
mistake, it “should” be safe. Once again the machine booted fine, I could
examine the hard disk and so on – except now the network wouldn’t work at
all.
It looked like a hardware failure.
I plugged into a different hub on my network. (Which also involved a few
minutes building a new network cable, since I didn’t happen to have any that
were long enough to reach the other device.) No luck.
I added a different network card to the machine. Still no luck.
So at this point, what would you do?
Out of desperation, I warned my wife that our network was going down for a
few minutes, and rebooted my router.
And then, as they say, all was well. The backup DVD is burning as I prepare
this podcast.
My biggest take-away here is that networking is still hard. It’s tough
enough to get it to work in the first place, but random things like a router
clogging up don’t make things any easier.
Oh, and that BartPE and Knoppix (which I’m sure would have worked once the
network issue had cleared up) are wonderful tools for geeks like me.
I’d love to hear what you think. Visit ask leo dot info, and enter 10992 in
the go to article number box. Leave me a comment, I love hearing from you.
This is a presentation of askleo.info, a free on-line technical question and
answer service. Hundreds of questions and answers are online and ready to help
solve your computer problems.
That’s askleo.info.
>So the challenge was how to copy the hard disk
>contents off without actually booting the
>operating system and activating any malware
>while the machine sat on the supposedly “safe”
>side of my firewall.
Even if it was on the safe side of your hardware firewall, don’t all your computers still have software firewalls (at least the Windows XP default firewall) on their own individual connections? Would an infected computer on the network still be a risk to the others if all the other computers do have their software firewalls enabled? I’ve always assumed it wouldn’t, but your post seems to imply otherwise…
Because I keep the “safe side” of my network safe, I do not run software firewalls on any of my machines. Yes, an infected machine on the “safe side” could certainly infect other machines on my network. That’s why when I bring a potentially suspect machine to the ‘safe side’ I need to take extra precautions, as I described.
So, what was the actual issue? Did your router not want to add the network card to its routing table? Had me an SMC router once, had to reboot that POS every other day – avoid like the plague.
OK, all that makes sense. However, I think you are doing this all the wrong way and making this way too complicated. If you copy the contents of the hard drive it may copy the viruses, trojans, worms, etc. So why not boot it up, clean the hard drive using various antivirus/antispyware tools, and once that's done organize with your friend what exactly he wants on it? This can be much easier than copying the entire drive with system files. Doing that, you can safely and easily copy its content via CD burning or onto another drive without any problems, and you can clear it after that!
If the system is badly compromised (and I had no assurance that it wasn’t) a virus scan may not clean things out completely – the virus scanner itself might be infected. In addition, the machine wasn’t running well so I’m not certain I actually COULD have booted and run a Virus scan.
And finally, I wanted an *exact* image of what my friend had left – I wanted to avoid any changes prior to saving the image, and that included any changes due to a virus scan.
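The transcript describes copying the whole disk from a live CD rather than booting the suspect OS, and the reply above explains why the copy should be an exact image. The script below is an added example (not Leo's own procedure or tooling) of how that raw copy and an integrity check can be done with the `dd` and `sha256sum` that a Knoppix-style live CD ships; the source and destination paths are assumed arguments, and the demo uses a constructed file in place of a real block device.

```shell
#!/bin/sh
# Added example: image a suspect disk without mounting or booting it, then
# verify the image by hash. Assumptions (not from the original page): SRC is
# a block device such as /dev/sda when run from a live CD, or an ordinary
# file for a dry run; DEST is a path on a copied-to drive or network share.
set -u

# image_disk SRC DEST [SECTOR]: raw sector-by-sector copy of SRC into DEST.
# conv=noerror,sync keeps going past unreadable sectors (zero-filling them so
# offsets are preserved) instead of aborting, which matters on a failing drive.
# Caveat: bs must equal the device sector size (512 here, 4096 on 4Kn drives);
# with a larger bs, conv=sync pads the final short read and the image grows.
image_disk() {
    src=$1; dest=$2; sector=${3:-512}
    dd if="$src" of="$dest" bs="$sector" conv=noerror,sync 2>/dev/null
}

# verify_image SRC DEST: compare SHA-256 of the source and the image.
# Prints the image digest and returns 0 on match, 1 on mismatch.
verify_image() {
    src=$1; dest=$2
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum "$dest" | cut -d' ' -f1)
    echo "$img_sum"
    [ "$src_sum" = "$img_sum" ]
}

# Dry run on a constructed 1 MiB "disk" file (a whole number of 512-byte
# sectors, like a real device) so the flow can be tried without hardware.
# Returns 0 if the image verifies and a deliberately corrupted copy does not.
demo() {
    tmp=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$tmp/disk" bs=512 count=2048 2>/dev/null
    image_disk "$tmp/disk" "$tmp/disk.img" || { rm -rf "$tmp"; return 1; }
    verify_image "$tmp/disk" "$tmp/disk.img" >/dev/null || { rm -rf "$tmp"; return 1; }
    # Flip one byte in a second copy: the hash check must now fail.
    cp "$tmp/disk.img" "$tmp/bad.img"
    printf 'X' | dd of="$tmp/bad.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$tmp/disk" "$tmp/bad.img" >/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}
```

Run `demo` for the dry run; for a real disk, call `image_disk /dev/sdX /path/to/disk.img` from the live CD and record the digest that `verify_image` prints alongside the image.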
Eyy Leo, thx for the MySpace updates, especially the one where you put a picture as a caption. I really wondered how to do that and now I know.
Thx a LOT!!!
i have a virus that disabled my firewall, and it appears to be impossible to bring it back up. Also, this virus is blocking my attempts to boot from disk. I can boot up, but I can’t bring up the firewall, and it doesn’t even mention booting into safe mode. I’m running Vista. What do I do? Is there anything to do?