I am new to this - Best way to save suspicious data?

Topics about disk partitioning (fdisk, parted, gparted, partimage), Volumes Management (lvm, evms, dmraid), Storage, file systems, ...
Post Reply
darrenlc
Posts: 4
Joined: 11 May 2009, 22:16

I am new to this - Best way to save suspicious data?

Post by darrenlc » 11 May 2009, 22:58

I have a customer's dell laptop with XP Home Edition installed. The system is currently locked in setup due to errors during a repair installation of Windows. There is only one partition on the drive and there is no bootable OS at this point.

The machine has about 22 GB of files that I need to backup. However, by the nature of the files I am concerned about the possibility that they may harbor malware.

I would like to back the files up to an external HD while ensuring that the files do not infect my my machines. Also, I am leery about putting them back on the customer's machine for fear of infecting his computer.

I am hoping that I might be able to accomplish these goals using the RecoveryCD. Is there a best practice for doing this?

Also, is there anything special I need to do to be able to access the external hard drive using the tools on the recovery CD? The drive plugs in via USB.

Thanks for any and all advice.

admin
Site Admin
Posts: 2715
Joined: 17 Jul 2003, 09:44

Post by admin » 12 May 2009, 06:46

You can clone an ntfs partition using fsarchiver, ntfsclone. You can also just copy the files by hand using ntfs-3g (see in the documentation)

darrenlc
Posts: 4
Joined: 11 May 2009, 22:16

Post by darrenlc » 12 May 2009, 13:02

I don't think I need to clone the partition - the only thing I want to do is rescue files from it. Can I use Midnight Commander for this?

I was tooling around with linux and then Midnight Commander last night and I was able to learn the interface well enough for now I think. However, I could not find the files that were on the hard drive; I could only see the files from the rescue cd.

Do I need to somehow mount the C drive of the Windows install before I see the files from the command prompt or in Midnight Commander?

I will check out ntfs-3g tonight - thanks for the tip.

admin
Site Admin
Posts: 2715
Joined: 17 Jul 2003, 09:44

Post by admin » 12 May 2009, 17:50

In that case, you probably want to read this:
http://www.sysresccd.org/Sysresccd-manu ... s_computer

darrenlc
Posts: 4
Joined: 11 May 2009, 22:16

Post by darrenlc » 12 May 2009, 19:49

Thanks for the link. That answers most of my questions.

However, I would like to know if there is a way to simply back the files up to an external hard drive connected via a USB port? Also, I would really like to compress the files using a zip/rar utility if possible, however, this is not necessary.

admin
Site Admin
Posts: 2715
Joined: 17 Jul 2003, 09:44

Post by admin » 12 May 2009, 21:46

Yes USB drives are supported. Just plug it, and you will see the partitions:
run "fsarchiver probe simple" to see the list of filesystems, and it will give you the name of the partition which is on the usb drive.

And then you have to mount the partition to a directory such as /mnt/backup, and you can copy the contents using either mc (midnight commander) or emelfm2 (graphical file manager).

Mount it with:
ntfs-3g /dev/xxx /mnt/backup

darrenlc
Posts: 4
Joined: 11 May 2009, 22:16

Post by darrenlc » 12 May 2009, 22:21

I typed:

Code: Select all

ntfs-3g /dev/sda1 /mnt/backup
The first message I received was this:
The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing
I typed the same command again and received this message:
ntfs-3g-mount: mount failed: Device or resource busy
When I open midnight commander, I can't find anything under /dev that looks familiar. I am assuming from the line that I entered above that I am looking for a directory that reads: /dev/backup. However, I have also looked for sda1 and I have opened all directories (I think). I still see nothing familiar.

Have I even successfully mounted the drive?

Additionally, I did not see any information for the external drive that I had plugged into the usb port. :(

UPDATE************************************************

When I run fsarchiver I can now see both the c drive from the Windows installation and the external hard drive. I am also able to successfully mount the c drive and access it either with linux commands or with Midnight Commander.

However, I cannot mount the external hard drive because its file system is shown as "vfat". Do I have to format this external drive to an ntfs file system before I can mount it or is there a way to do to mount the vfat file system?

admin
Site Admin
Posts: 2715
Joined: 17 Jul 2003, 09:44

Post by admin » 13 May 2009, 07:20

To mount vfat, use this:
mount -t vfat /dev/xxx /mnt/backup

Post Reply