
Dying HD with severe infection...data recovery question


Appleby
03-30-2011, 07:45 PM
Ok guys, I need some advice. Customer has a 7-year-old Dell desktop that they are ready to replace. The hard drive will no longer boot, so they asked me to see if I could recover their photos from it. I attempted to run SpinRite on the drive, just to see what condition it's in...the drive can't even be found by SpinRite, but it is spinning, so I'm hoping data recovery is possible. I used my IDE-to-USB cable to connect it to my bench computer....drive is found, contents of drive open and BAM...Kaspersky pops up a red alert..the slaved drive has infected my bench machine. I unplug the slaved drive and start assessing my bench machine. Seems it was a bad trojan, and Kaspersky had been scanning the slaved drive (for just a few seconds) and had found tons of severe infections. So I know I've got a very badly infected machine.

My bench machine is clean again, but I'm not sure where to go from here. I'm 99% sure I can get the data off but I don't want to infect my machine so I'm not sure what to do. Thoughts?

Skyhooker
03-30-2011, 07:55 PM
You could either disable autorun on the host machine you're slaving the drive to, so that no trojans execute, and make sure you're only copying over JPEGs, for example, or boot into a Linux distro - my favorite is Knoppix for things like this - and only copy his pictures folder to your backup drive. You could then scan the backup drive with your favorite AV just to make sure.

I always have my bench machine imaged so I can restore a clean installation within minutes in case something slips through.

Martyn
03-30-2011, 07:55 PM
I'm thinking get the image onto another decent hard drive, then scan that drive slaved. Recently I had a similar situation where I wanted to get the data, infections and all, onto my main computer. I used Acronis True Home and imaged it, and I was surprised to find the infections stayed in the image and weren't detected by Kaspersky. I then extracted it to another drive, slaved it and scanned it, saving the data.

iisjman07
03-30-2011, 08:00 PM
Two things are screaming at me:
1) USB adapter for data recovery = :(. You should really plug the drive directly into the motherboard to increase your chances of data recovery

2) The drive smells like it's badly infected; use a Linux live CD to copy the files across. Linux should be completely unfazed by the most severe infections. Copying the files should be easy even if you're not a Linux person; you can just use a nice GUI to copy the photos across to somewhere else by dragging and dropping. If you want a couple of suggestions for nice GUI Linux repair distros, I'd recommend Puppy Linux or Ubuntu, but System Rescue CD is a very nice solution if you know a bit of bash.

Once you've copied the folder with the photos in it, scan it on your bench machine or using a live cd if you're hesitant to plug it into your pc again.
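
The procedure the replies above describe (image the failing drive first, as Martyn suggests, then work from the copy with autorun out of the picture and pull only the JPEGs, as Skyhooker and iisjman07 suggest) is shown below as an added example for a Linux live CD session. It is not code from the thread or from any of the tools named in it. Device paths such as /dev/sdX, the mount point /mnt/suspect and the output folders are placeholders, and the sample files the self-test builds are constructed, not real customer data. The imaging and mounting steps need root and real hardware; the copy step runs on any tree. One caveat a practitioner would want beyond "autorun off": mounting with noexec,nosuid,nodev stops anything on the drive from running on the recovery box, and deciding by file content (a JPEG begins with FF D8 FF) rather than by extension means an executable renamed photo.jpg is rejected instead of handed to the customer.

```sh
#!/bin/sh
# Added example (not from the original thread). Pull only genuine JPEGs off a
# suspect, failing drive without executing anything stored on it.
# Assumes GNU ddrescue, util-linux mount/losetup and coreutils (sha256sum, od).
set -u

# 1. Image the failing disk once, read-only, before doing anything else.
#    The .map file lets ddrescue resume after a hang or power cycle.
#    Placeholders: /dev/sdX is the customer drive, "$2" a file on a good disk
#    with at least the drive's capacity free.
image_drive() {                          # image_drive /dev/sdX /rescue/dell.img
    ddrescue -n    "$1" "$2" "$2.map" || return 1   # fast pass, skip slow areas
    ddrescue -d -r3 "$1" "$2" "$2.map"              # direct I/O, 3 retries on bad sectors
}

# 2. Mount the image (or the drive itself) read-only with noexec/nosuid/nodev so
#    nothing on it can run on the bench machine, autorun or otherwise.
mount_suspect() {                        # mount_suspect /rescue/dell.img /mnt/suspect
    opts=ro,noexec,nosuid,nodev
    [ -b "$1" ] || opts="$opts,loop"     # an image file needs a loop device
    mkdir -p "$2" && mount -o "$opts" "$1" "$2"
}

# 3. Decide by content, not by name: a JPEG starts with bytes FF D8 FF.
#    "MZ..." (a Windows executable renamed to .jpg) or an empty file fails here.
is_jpeg() {
    [ "$(head -c 3 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# 4. Copy every *.jpg/*.jpeg that really is a JPEG, keep the folder layout and
#    timestamps, hash what was copied, list what was refused. Prints the count.
#    Assumes file names contain no newline characters.
copy_photos() {                          # copy_photos /mnt/suspect/Users /rescue/photos
    src=$1; dst=$2
    mkdir -p "$dst"
    : > "$dst/MANIFEST.sha256"
    : > "$dst/REJECTED.txt"
    find "$src" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \) -print |
    while IFS= read -r f; do
        if is_jpeg "$f"; then
            rel=${f#"$src"/}
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"
            sha256sum "$dst/$rel" >> "$dst/MANIFEST.sha256"
        else
            printf '%s\n' "$f" >> "$dst/REJECTED.txt"
        fi
    done
    wc -l < "$dst/MANIFEST.sha256" | tr -d ' '
}

# Constructed sample tree for a stand-alone run: two real JPEG headers and one
# executable header hiding behind a .jpg extension.
make_sample_tree() {                     # make_sample_tree /tmp/x/src
    mkdir -p "$1/Pictures/2009"
    printf '\377\330\377\340JFIF-constructed'  > "$1/Pictures/2009/holiday.jpg"
    printf '\377\330\377\341Exif-constructed'  > "$1/Pictures/2009/IMG_001.JPEG"
    printf 'MZ\220\000not-a-photo-constructed' > "$1/Pictures/funny.jpg"
}

# Demo on the constructed tree; no devices or root needed.
demo=$(mktemp -d)
make_sample_tree "$demo/src"
printf 'copied %s JPEG(s)\n' "$(copy_photos "$demo/src" "$demo/out")"
printf 'rejected:\n'; cat "$demo/out/REJECTED.txt"
rm -rf "$demo"
```

On a real job the order is image_drive, then mount_suspect on the image (never the original again), then copy_photos on the mounted tree, then scan the output folder with your AV before it goes anywhere near the customer. REJECTED.txt is worth a look: a .jpg that is not a JPEG is either corruption from the dying drive or something that should never be delivered.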

Appleby
03-30-2011, 08:01 PM
Thanks guys. I did turn autorun off, which I didn't even realize was still turned on?! And yes, all I'm wanting is JPEGs, so I'm tempted to double-check autorun is off and roll the dice again....

The real issue is I don't want to spend a ton of time here because the customer isn't going to pay for it...they want the pictures if I can get them cheaply; if not, they said forget it. If I get into imaging it and such, then obviously my time/cost goes up. This is supposed to be a quick fix or no fix.

I'm thinking no autorun and gambling...

iisjman07
03-30-2011, 08:05 PM
You could install Returnil Virtual System on your bench machine, grab the files and pick up any infections there may be, but then reboot to remove infections on your bench machine. You could set it up in about 5 minutes

Frank
03-30-2011, 08:13 PM
Can you boot to PE on your bench machine and do the transfer there?

paristotle
03-30-2011, 08:30 PM
+1 for the PE. There is a good free one. Ultimate Boot CD 4 Win.

MobileTechie
03-30-2011, 08:47 PM
As long as autorun is disabled then you're safe.

dbdawn
03-30-2011, 08:52 PM
If all they want is pictures I would use a PE disk or a Linux live CD.

Appleby
03-30-2011, 09:19 PM
Thanks folks. I was in a hurry to get it done today so I disabled autoplay and hooked it up to another bench machine that I didn't care much about. I had MSSE running and it started scanning the slaved drive and caught the trojan but it hadn't moved over to my machine. I was able to grab the photos and get it done.

Thanks for the help. I'm going to start making image backups of my system just for this reason...which I should be doing anyway but I've been too lazy.:rolleyes:

Swiper
03-31-2011, 03:23 AM
I'm going to second the image to a known good hard drive. I have made money by being able to recover data they forgot to request in the initial recovery, e.g. income tax documents and emails. Image it and save it for 30 days; don't take a chance on the drive failing after a couple of good workouts. Then run AV. My 2 cents.

cpalmer2k
03-31-2011, 03:58 AM
> If all they want is pictures I would use a PE disk or a Linux live CD.

I'd suggest an Ubuntu Live CD; it has saved me twice now by pulling files off of hard drives that several data recovery apps wouldn't even recognize as existing anymore. Just copy the files using it, and take it from there.

codythetech
03-31-2011, 04:44 AM
I actually once had a dying HD that wasn't recognized when slaved and wouldn't mount when I booted up an Ubuntu live CD. I then used TestDisk and everything copied over fine. Amazing tool.

kevinjhaag
03-31-2011, 01:08 PM
> Two things are screaming at me:
> 1) USB adapter for data recovery = :(. You should really plug the drive directly into the motherboard to increase your chances of data recovery

+1 I agree on a failing hard drive. You might not have too many chances to recover data.

> I'm going to second the image to a known good hard drive. I have made money by being able to recover data they forgot to request in the initial recovery, e.g. income tax documents and emails. Image it and save it for 30 days; don't take a chance on the drive failing after a couple of good workouts. Then run AV. My 2 cents.

+1 Totally agree. Just because the customer thinks they only need the photos on the computer doesn't mean they haven't forgotten something. Image that drive as a safety net for yourself and your customers. You would be a hero to the customer if they forgot a document and you're able to provide it for them.

I'd also image the drive due to the age of the computer. They might have some programs that won't work in a modern OS, so you might need to virtualize it.

About your bench computer... Mine is well protected. I have it imaged and I also use a program like Deep Freeze (but Returnil System Safe should do the same also). And autorun is disabled. Being well protected saves me time; especially when it comes to restoring windows on a computer back to the way I originally had it.

Well at least you got it done for the customer. I hope the advice you received on this forum helps with future jobs. Have a good day, sir.

Kevin