Dying HD with severe infection...data recovery question

Appleby · #1 03-30-2011, 07:45 PM

Ok guys I need some advice. Customer has a 7 year old Dell desktop that they are ready to replace. The hard drive will no longer boot so they ask me to see if I could recover their photos from it. I attempt to run SpinRite on the drive, just see what condition its in...the drive can't even be found my SpinRite, but it is spinning, so I'm hoping data recovery is possible. I use my IDE to USB cable to connect it to my bench computer....drive is found, contents of drive open and BAM...Kaspersky pops up red alert..the slaved drive has infected my bench machines. I unplug the slaved drive and start assessing my bench machine. Seems it was a bad trojan and Kaspersky had been scanning the slaved drive (for just a few seconds) and had found tons of severe infections. So I know I've got a very badly infected machine.

My bench machine is clean again, but I'm not sure where to go from here. I'm 99% sure I can get the data off but I don't want to infect my machine so I'm not sure what to do. Thoughts?

Skyhooker · #2 03-30-2011, 07:55 PM

You could either disable autorun on the host machine you're slaving the drive to, so that no trojans execute, and make sure you're only copying over JPEGs, for example, or boot into a Linux distro - my favorite is Knoppix for things like this - and only copy his pictures folder to your backup drive. You could then scan the backup drive with your favorite AV just to make sure.

I always have my bench machine imaged so I can restore a clean installation within minutes in case something slips through.

Martyn · #3 03-30-2011, 07:55 PM

I'm thinking get the image onto another decent hard drive then scan that drive slaved. Recently I had a similar situation and I wanted to get the data with infections onto my main computer. I used Acronis True Home and imaged it and I was surprised to find the infections stayed in the image and wasn't detected by Kaspersky. I then extracted it to another drive, slaved it and scanned it saving the data.

iisjman07 · #4 03-30-2011, 08:00 PM

Two things are screaming at me:
1) USB adapter for data recovery =

. You should really plug the drive directly into the motherboard to increase your chances of data recovery

2) The drive smells like it's badly infected; use a linux live cd to copy the files across. Linux should be completely un-phased by the most severe infections. Copying the files should be easy even if you're not a linux person, you can just use a nice GUI to copy the photos across to somewhere else by dragging and dropping. If you want a couple of suggestions for nice gui-linux repair distros I'd recommend using puppy linux or ubuntu, but System Rescue CD is a very nice solution if you know a bit of bash.

Once you've copied the folder with the photos in it, scan it on your bench machine or using a live cd if you're hesitant to plug it into your pc again.

Appleby · #5 03-30-2011, 08:01 PM

Thanks guys. I did turn autorun off which I didn't even realize was still turned on?! And yes all I'm wanting is JPEGs, so I'm tempted to double check autorun is off and rolling the dice again....

The real issues is I don't want to spend a ton of time here because the customer isn't going to pay for it...they want the pictures if I can get them cheaply, if not, they said forget it. If I get into imaging it and such then obviously my time/cost goes up. This is supposed to be a quick fix or no fix.

I'm thinking no autorun and gambling...

iisjman07 · #6 03-30-2011, 08:05 PM

You could install Returnil Virtual System on your bench machine, grab the files and pick up any infections there may be, but then reboot to remove infections on your bench machine. You could set it up in about 5 minutes