Helping people with computers... one answer at a time.

I share some frustrations in my steps to recover data from a friend's hard disk.


Transcript

This is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.

This week I want to share some of my experiences, frustrations and the final solution as I attempted to recover data from a friend's hard disk.

A non-technical friend got a new computer, and I inherited the old. Naturally, it had important information on it that this friend didn't want to lose. Also as naturally, it was most likely heavily infected with viruses and spyware.

So the challenge was how to copy the hard disk contents off without actually booting the operating system and activating any malware while the machine sat on the supposedly "safe" side of my firewall.

My first thought was to boot the machine using the Knoppix live CD. Booting into Linux would absolutely prevent any malware from firing up, and once booted, there are several options for copying the entire hard disk to another location on my network.

So I changed the boot order in the BIOS, and booted from the latest Knoppix CD. It booted fine, I could examine the system's hard disk, and everything looked good. Except for the network. After a couple of reboots, the network wouldn't initialize - it would fail to get an IP address.

My next thought was to boot from a bootable Windows CD I'd created using BartPE. While I'd have to be a little more careful not to activate malware by mistake, it "should" be safe. Once again the machine booted fine, I could examine the hard disk and so on - except now the network wouldn't work at all.

It looked like a hardware failure.

I plugged into a different hub on my network. (Which also involved a few minutes building a new network cable, since I didn't happen to have any that were long enough to reach the other device.) No luck.

I added a different network card to the machine. Still no luck.

So at this point, what would you do?

Out of desperation, I warned my wife that our network was going down for a few minutes, and rebooted my router.

And then, as they say, all was well. The backup DVD is burning as I prepare this podcast.

My biggest take-away here is that networking is still hard. It's tough enough to get it to work in the first place, but random things like a router clogging up don't make things any easier.

Oh, and that BartPE and Knoppix (which I'm sure would have worked once the network issue had cleared up) are wonderful tools for geeks like me.

I'd love to hear what you think. Visit ask leo dot info, and enter 10992 in the go to article number box. Leave me a comment, I love hearing from you.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.

That's askleo.info.

Article C2867 - December 10, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


7 Comments
Simon
December 10, 2006 7:55 PM

>So the challenge was how to copy the hard disk
>contents off without actually booting the
>operating system and activating any malware
>while the machine sat on the supposedly "safe"
>side of my firewall.

Even if it was on the safe side of your hardware firewall, don't all your computers still have software firewalls (at least the Windows XP default firewall) on their own individual connections? Would an infected computer on the network still be a risk to the others if all the other computers do have their software firewalls enabled? I've always assumed it wouldn't, but your post seems to imply otherwise...

Leo Notenboom
December 10, 2006 8:20 PM

Because I keep the "safe side" of my network safe, I do not run software firewalls on any of my machines. Yes, an infected machine on the "safe side" could certainly infect other machines on my network. That's why when I bring a potentially suspect machine to the 'safe side' I need to take extra precautions, as I described.

Ivan
December 13, 2006 7:31 AM

So, what was the actual issue? Did your router not want to add the network card to its routing table? Had me an SMC router once, had to reboot that POS every other day - avoid like the plague.

Dominique
December 13, 2006 10:16 AM

OK, all that makes sense; however, I think you are doing this all the wrong way and making this way too complicated. If you copy the contents of the hard drive, it may copy the viruses, trojans, worms, etc. So why not boot it up, clean the hard drive using various antivirus/antispyware tools, and once that's done, organize with your friend what exactly he wants on it, so this can be much easier than copying the entire drive with system files? Doing that, you can safely and easily copy its content via CD burning or onto another drive without any problems, and you can clear it after that!

Leo
December 13, 2006 10:22 AM

If the system is badly compromised (and I had no assurance that it wasn't) a virus scan may not clean things out completely - the virus scanner itself might be infected. In addition, the machine wasn't running well so I'm not certain I actually COULD have booted and run a Virus scan.

And finally, I wanted an *exact* image of what my friend had left - I wanted to avoid any changes prior to saving the image, and that included any changes due to a virus scan.

Rhoda
January 29, 2007 5:20 PM

eyy leo thx for the myspace updates. especially the one where you put a picture as a caption. i relle wondered how to do that and now i know
thz a LOT!!!

mike g
March 3, 2009 3:45 PM

I have a virus that disabled my firewall, and it appears to be impossible to bring it back up. Also, this virus is blocking my attempts to boot from disk. I can boot up, but I can't bring up the firewall, and it doesn't even mention booting into safe mode. I'm running Vista. What do I do? Is there anything to do?

Comments on this entry are closed.
