Author Archive
New bug found in Internet Explorer ActiveX module… Look for the update!
Hackers have been exploiting the bug since early June; Microsoft is releasing a patch on July 14th.
This hole in IE could be more damaging than the one the Conficker virus exploited.
http://www.computerworld.com/s/article/340930/Researcher_Says_IE_Bug_Could_Spread_Quickly?taxonomyId=17
Quick malware/Conficker checkup – Eye Chart
Here’s a link to the Conficker Eye Chart. If some of the images fail to load, you may be infected.
http://www.baylor.edu/its/security/conficker/
How to clone a drive with bad sectors (sector-by-sector copy)
First, let me say this: leave it to the professionals if your data is critical. I do NOT recommend this if you cannot afford to lose everything. All information contained in this article is to be used at YOUR OWN RISK. I will not be held responsible for your actions under any circumstances. Proceed with caution only if you are a geek.
Let me start by saying I wrote this piece because I had to do a complex data recovery on a system damaged by a Unix administrator trying to fix a drive that would not mount. To make matters more complex, this drive was a striped RAID array with an EXT2 partition type, and all the files written were in inode tables. Those tables got shot by the attempt to repair the problem with fsck. (NOTE: DO NOT RUN fsck to repair a drive that will not mount unless you have a backup.)
So, I have many tools to use if the drive is NTFS to restitch the 1 TB drives (2 of them) into one 2 TB image file to run a recovery on. I do not have such tools in Unix. This is the method I researched and successfully used to image the entire drive that was bad (flaky, not dead) to a new 1 TB Western Digital drive.
I was then able to stitch the drives together in a virtual striped pair in Debian Linux. I then used scalpel to retrieve the files that I could not retrieve with my Unix recovery methods. (fsck had shot the inode table to hell.)
So below is the method, tried and true, to image an entire drive bit for bit to another drive (even if there is no partition table available whatsoever, as is the case with a striped pair). I prefer Debian; however, I suggest Ubuntu in this article as it is easier for an average Windows technician to do the job from a bootable CD-ROM.
If you can’t afford to have someone recover it, or think you are a super geek, here’s how to do a sector-by-sector copy of a failing drive to a new one.
Mark the hard disk you have and set it aside as your source drive.
Grab a scratch drive (if you have one) and install Ubuntu on it from the CD downloaded here:
http://www.ubuntu.com/getubuntu/download , and burn it to a CD-ROM.
Boot the CD-ROM and install Ubuntu. I say this because if you have a small hard disk, you can stop the copy process in the middle without losing data.
Once Ubuntu is loaded, open the package manager, search for ddrescue and install it.
Now you will need the 2 USB-to-IDE adapters I mentioned just now. (Easier than any other method.)
Plug the source hard disk into the IDE-to-USB adapter and plug the power in. Don’t plug in the USB yet.
Run:
sudo fdisk -l
This will list all drives in the system and whatever partitions are available to you. Note and mark the drives.
Then plug in your USB and run it again:
sudo fdisk -l
You will see the appropriate /dev/sdb etc. and can mark it. Please physically mark the drive with a Post-it note.
Plug in your USB-attached destination drive and run it once again:
sudo fdisk -l
and mark the drive with the info.
Another way is below.
Run this:
ls /dev/sda
ls /dev/sdb
ls /dev/sdc
As soon as you get a not-found error, stop searching.
If /dev/sda is not found, you can now plug in your USB.
Please note, I want you to tag the drive with a pen as /dev/xxx as soon as you discover what it is.
If /dev/sda was found (no error), put a sticker with /dev/sda on the computer tower (that’s where the scratch drive is, and apparently it’s either SCSI or SATA).
If /dev/sdb was not found, plug in the USB and wait 30 seconds.
Then issue:
ls /dev/sdb
If there is no error, you may tag the source drive /dev/sdb.
Then please plug in the drive you are copying to, *your destination drive*.
Issue the following if /dev/sdb was the last drive you tagged:
ls /dev/sdc
If there is no error, you may tag your destination drive as /dev/sdc.
NOW for the magic.
You have a source drive (tagged /dev/sdb for this example).
You have a destination drive (tagged /dev/sdc for this example).
Issue the following command:
sudo ddrescue -n /dev/sdb /dev/sdc /home/root/logfile.log
This will take a while, but it skips all troubled sectors and records them in the log file.
sudo ddrescue -r3 /dev/sdb /dev/sdc /home/root/logfile.log
This command retries all the bad sectors logged above (up to 3 times) and makes the whole process much faster than a single pass.
Once this is done, you can run shutdown -h now to shut down the computer.
On a separate computer running XP and having enough room for your critical files:
Plug in the USB-to-IDE adapter with the destination drive attached and powered on.
Copy any files if the partition will mount. If it will not mount, install GetDataBack from runtime.org.
Purchase a license for it and run it on the drive you recovered your data to, to get as much back as humanly possible.
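A check worth running between the two ddrescue passes above, as an added example that is not part of the original post: a Python parser for the mapfile ddrescue writes to /home/root/logfile.log that totals the bytes copied, marked bad and not yet tried. It assumes GNU ddrescue’s mapfile layout and works on a constructed sample, so it runs offline.

```python
"""Summarise a GNU ddrescue mapfile such as /home/root/logfile.log above.
Added example for this page, not ddrescue's own code: it totals the bytes
the -n pass copied, marked bad or never reached, before the -r3 pass."""
# Block status characters written by ddrescue (names as in current versions;
# older releases called '*' "non-split", but the characters have not changed).
STATUS_NAMES = {"?": "non-tried", "*": "non-trimmed", "/": "non-scraped",
                "-": "bad-sector", "+": "finished"}

# Constructed sample, not a real run: ~1 GB copied, 40 KiB bad, 128 KiB untried.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue (constructed sample)
# Command line: ddrescue -n /dev/sdb /dev/sdc /home/root/logfile.log
# current_pos  current_status
0x3B9AA000     +
#      pos        size  status
0x00000000  0x3B9A0000  +
0x3B9A0000  0x0000A000  -
0x3B9AA000  0x00020000  ?
"""

def parse_mapfile(text):
    """Return ((current_pos, current_status), [(pos, size, status), ...]).
    Raises ValueError on an unknown status or non-contiguous blocks, which is
    how a truncated or hand-edited mapfile shows up."""
    current, blocks, expected_pos = None, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comment or blank line
        fields = line.split()
        if current is None:               # status line: pos status [pass]
            current = (int(fields[0], 16), fields[1])
            continue
        pos, size, status = int(fields[0], 16), int(fields[1], 16), fields[2]
        if status not in STATUS_NAMES:
            raise ValueError("unknown block status %r" % status)
        if pos != expected_pos:
            raise ValueError("gap or overlap at 0x%X, expected 0x%X" % (pos, expected_pos))
        blocks.append((pos, size, status))
        expected_pos = pos + size
    return current, blocks

def summarise(text):
    """Bytes per status, plus whether the -r3 retry pass still has work to do."""
    _, blocks = parse_mapfile(text)
    totals = {name: 0 for name in STATUS_NAMES.values()}
    for _, size, status in blocks:
        totals[STATUS_NAMES[status]] += size
    totals["needs_retry"] = any(status != "+" for _, _, status in blocks)
    return totals
```

On a real recovery, read the log file after the -n pass and call summarise() on its contents; a growing bad-sector total between runs is the sign the source drive is getting worse and should not be retried much longer.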
Below is a link I found after I wrote this all out for you.
http://www.linux.com/learn/tutorials/8225-clone-your-ubuntu-installation-onto-a-new-hard-disk
It has more information, in other words, that you might find helpful for accomplishing a sector-by-sector (or byte-by-byte) copy.
Video about Identity Theft and your old hard disk / computer
http://www.2thedeuce.com/video/?autoStart=true&topVideoCatNo=default&clipId=3686051
Personally, if I wanted to make my data unrecoverable by most means, I’d drill a hole (3/8″) down through the platters (the round part of the drive).
This will destroy it so that somebody would have to spend tens of thousands of dollars recovering your old data.
SATA vs USB transfer rates in the real world
I’m running a real-world test using Linux to give you guys some numbers.
I’m doing a sector-for-sector copy of a 1 Terabyte SATA II Western Digital drive to another 1 Terabyte SATA II Western Digital through USB.
I’ll post the results on my blog.
For the record, I’m using a quad-core Intel chip, Biostar board, and Thermaltake USB docks (2 of them).
Right now, a drive-to-drive copy using:
ddrescue -n /dev/sdb /dev/sdc
looks like it’s going to take about 16 hours of transfer time (estimated at this point) to copy between the drives.
I’m going to try 2 different platforms and drives and give you guys some real-world numbers here.
I use SATA II external Thermaltake drives for data transfer of striped array members for their ease of use and hook them up with eSATA as a rule.
It will be interesting to see the performance difference for the copy; of course, copying from drive to drive amplifies the difference in speed.
(My blog is at http://www.coredatarecovery.com)
Social Networking Event!
Twitter 101 — What you need to know about Social Networking
Thursday, February 26th – Social Network Basics
It’s not the $600 billion plan currently running through Congress, but we have decided to offer free workshops every couple of months on the most popular topics we’re being asked about. For February it’s social networking. It seems like everyone has gotten depressed about the economy and gotten a Twitter account – but now what to do with the thing?
Or, perhaps your solution to dealing with the economic downturn is to try to get your employees excited about using MySpace and Facebook. That’s probably NOT the best idea, but do you know why?
Maybe you just need help deciding on a strategy for which of the dozens of sites and widgets to begin with.
Even if you’re not interested in using these sites for business purposes, if you have kids you need to come to this workshop. A basic understanding can be very important.
We will meet at a central location (to be decided when we see how many confirmations we get) and chat for about an hour about social networks. Twitter, Facebook, Digg, etc. We’ll cover the basics – what they are, how you can use them wisely, how to find information and what NOT to do. If you’re interested in attending, the class will be at 3pm on Thursday, February 26th. Email or call us and we’ll get you confirmed and get back to you with a location.
Please RSVP at 520-861-1673 so that we may reserve enough seats.
Help, I’ve reset my Qwest DSL Modem and I can’t get connected!
So, you’ve blown up your Qwest modem.
Never fear, we can get you up and running.
If you can find it, you should retrieve your initial letter, called the welcome letter, from Qwest.
This came when you signed up for your DSL service.
Can’t find it? OK.
You need to find a bill from Qwest (last month’s is perfect).
Call this number – Qwest DSL Support – 1-888-777-9569, Option 1
You need your DSL NUMBER and the last 4 digits of your account number (on your last bill).
With the computer physically plugged into the network, open the modem in Internet Explorer:
http://192.168.0.1
User is admin
Password is admin
Click the Connect button, then enter the username and password provided to you by Qwest for your account to get you up and running again.
You should set up your wireless if you wish to have wireless.
You should also change your router password from the default.
If that doesn’t get you up and running, give me a call.
Chuck House
(520) 861-1673
4 Terabyte External USB/eSATA Install as a backup!
I’ve reviewed a 4 TB External RAID (Redundant Array of Independent Disks).
For backup purposes or high-speed storage, these rock.
These RAID array boxes come complete with (4) 1 TB Western Digital 7200 rpm drives.
They can be configured in striped mode (4 TB, high speed, with up to 3 Gbps transfer), great for high-speed backup or video editing.
Or they can be set up with RAID 0+1, striped and mirrored (for high-speed mirrored operation, 2 TB size).
Below are the specs. I’ve ordered one in for myself; if anyone out there needs one of these, just call
520-861-1673
Specs:
4TB Quad Bay RAID SATA to USB & eSATA
RAID 0+1, 0, JBOD RAID Subsystem
USB 2.0 (480 Mbps)/eSATA (3.0 Gbps)
Windows ME/2000/XP/Vista, Mac OS X
Package Information:
- 4TB eSATA & USB Quad Bay External RAID Subsystem x 1
- eSATA Cable x 1
- USB 2.0 Cable x 1
- Power Cord x 1
- Manual x 1
- 3 Year Warranty
Antivirus 2010 rogue software removal
From the same family of spyware as before (Antivirus 2008, Antivirus 2009), this bug announces to you that it has found your system to be full of bugs and errors. (Relax: if you’ve got this bug, you’re not infected with the viruses and Trojans it reports.)
Its goal is to get you to buy Antivirus 2010 for $49.99, and it’s a scummy tactic: infect your computer with malware to try to sell you something.
How did I get infected with this?
Most likely you were browsing the web and clicked on a free scan, or on a warning saying you were infected with some bug. Then the installer installs this malware on your unit, making it a pain in the *SS to use your system.
How do I get rid of this bug?
Here are the associated files, and at the bottom is a link to the Malwarebytes removal tool.
It is shareware but will allow you to remove the infection for free.
If you find yourself the victim of these bugs on a regular basis, I recommend purchasing a license for Malwarebytes. (I did, just because I wanted to support their software development.)
Associated Antivirus 2010 Files:
c:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
c:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk
Associated Antivirus 2010 Windows Registry Information:
HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Gamma Display”
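A check a technician can run before and after cleanup, as an added example that is not part of the original post: a Python script that looks for the files, registry keys and Run value listed above. It assumes a Windows host with Python’s winreg module; off Windows the registry probes simply report nothing.

```python
"""Check a Windows host for the Antivirus 2010 artefacts listed above.
Added example for this page: paths come from the lists above, the probing
code is my own. Registry probes report False when not running on Windows."""
import os
import sys

AV2010_FILES = [
    r"c:\Program Files\AV2010\AV2010.exe",
    r"c:\Program Files\AV2010\svchost.exe",
    r"c:\WINDOWS\system32\IEDefender.dll",
    r"c:\WINDOWS\system32\wingamma.exe",
]
AV2010_KEYS = [
    r"HKEY_CURRENT_USER\Software\AV2010",
    r"HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}",
    r"HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windows Gamma Display"  # the autostart entry from the list above

def _registry_has(path, value=None):
    """True if 'HIVE\\sub\\key' exists (and, if given, holds the named value)."""
    if not sys.platform.startswith("win"):
        return False                      # no registry to inspect here
    import winreg
    hive_name, _, subkey = path.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            if value is not None:
                winreg.QueryValueEx(key, value)
        return True
    except OSError:                       # key or value not present
        return False

def find_indicators(file_exists=os.path.exists, registry_has=_registry_has):
    """Return the indicators present on this host (probes injectable for tests)."""
    found = [p for p in AV2010_FILES if file_exists(p)]
    found += [k for k in AV2010_KEYS if registry_has(k)]
    if registry_has(RUN_KEY, RUN_VALUE):
        found.append(RUN_KEY + " -> " + RUN_VALUE)
    return found

if __name__ == "__main__":
    print("\n".join(find_indicators()) or "no Antivirus 2010 artefacts found")
```

An empty result after cleanup only says the listed artefacts are gone; the GMER rootkit check the post recommends is still worth running.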
Malwarebytes Anti-Malware is effective as a removal method.
Instructions can be found at http://www.bleepingcomputer.com/malware-removal/remove-antivirus-2010
APPENDED:
If you cannot download the latest version, or get this program to install,
click HERE for a locally hosted version.
I’ve renamed the installer to keep this bug from preventing its execution.
Once installed, open My Computer, C:, Program Files, Malwarebytes.
Right-click mbam.exe and choose Copy.
Right-click and Paste.
You will see a new file called “Copy of mbam.exe” appear.
Execute this version, as it will run where the other version has been blocked by Antivirus 2009.
In addition:
Please download GMER here (renamed to cmer.exe) and execute it to be certain you are not infected with a rootkit. If you find yourself infected, please call me immediately.
Thank you.
520-861-1673
Chuck House
Need to drop a file off for a friend or client?
Drop.io is a service that offers free drops of up to 100 megabytes. Bigger drops cost a little but work well.
Their service is secure and encrypted, and the drop is password protected as well.
You can specify the drop to last 3 days, after which it disappears.
Perfect solution if you need to transfer critical files to your customer.