System Rescue with Knoppix

Kyle Rankin

Quinstreet Inc.

Author of Knoppix Hacks and Knoppix Pocket Reference


http://greenfly.org/talks/knoppix/rescue-oscon05.html

What is Knoppix?

A complete Linux distribution that runs directly from a bootable CD-ROM, Knoppix has many uses:

System Rescue with Knoppix

Linux Rescue
  • Reinstall boot loaders
  • Image damaged drives
  • Restore partition tables
  • Recover deleted files

Windows Rescue
  • Reset the Windows boot loader
  • Restore System Files
  • Reset Windows Passwords
  • Edit the Windows Registry

Why Knoppix?

Reinstall Boot Loaders

Chroot makes it easy
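The slide leaves the actual commands to the live demo. As an added example (not from the talk), the sequence below mounts the installed root, binds the live system's /dev, /proc and /sys into it so the installer can see the disks, runs the installer inside the chroot, and unmounts in reverse order. The device names, the /mnt/target mount point and the choice of grub-install are assumptions (a LILO system would run lilo in the same chroot); DRY_RUN=1 prints the commands instead of running them so the order can be checked before a disk is touched.

```shell
#!/bin/sh
# Reinstall a boot loader from the live CD by chrooting into the installed
# system. Added example, not from the talk: the device names, the mount
# point and the use of grub-install are assumptions. With DRY_RUN=1 the
# commands are printed instead of executed.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# reinstall_bootloader <root-partition> <disk> [<mount-point>]
# Mount the installed root, bind the live system's /dev, /proc and /sys
# into it so the installer can see the disks, run the installer inside the
# chroot, then unmount in reverse order so nothing is left busy.
reinstall_bootloader() {
    root=$1; disk=$2; mnt=${3:-/mnt/target}
    if [ -z "$root" ] || [ -z "$disk" ]; then
        echo "usage: reinstall_bootloader <root-partition> <disk> [<mount-point>]" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "$root" ]; then
        echo "$root is not a block device" >&2
        return 1
    fi
    run mkdir -p "$mnt" || return 1
    run mount "$root" "$mnt" || return 1
    for d in dev proc sys; do
        run mount --bind "/$d" "$mnt/$d" || return 1
    done
    # grub-install is assumed here; for LILO the same chroot would run lilo
    run chroot "$mnt" grub-install "$disk"
    rc=$?
    for d in sys proc dev; do run umount "$mnt/$d"; done
    run umount "$mnt"
    return $rc
}

# Usage (from Knoppix, as root):  reinstall_bootloader /dev/hda1 /dev/hda
# Dry run:  DRY_RUN=1 reinstall_bootloader /dev/hda1 /dev/hda
```

The bind mounts are what make the chroot "easy": without /dev inside the chroot the installer cannot open the disk, and without /proc it cannot work out which device the root is on.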

Image Damaged Drives

Why use dd_rescue and dd_rhelp?

Get dd_rescue and dd_rhelp

Use dd_rhelp

  1. mount the destination drive
    knoppix@tty1[knoppix]$ sudo mount -o rw /dev/hdb1 /mnt/hdb1
  2. run dd_rhelp
    knoppix@tty1[knoppix]$ sudo dd_rhelp /dev/hda1 /mnt/hdb1/hda1_rescue.img
  3. fsck the image
    knoppix@tty1[knoppix]$ sudo fsck -y /mnt/hdb1/hda1_rescue.img
  4. mount the image loopback, or reimage to another drive

Restore Partition Tables

Gpart

  • short for "Guess Partition"
  • works best with primary partitions
  • not perfect

Run Gpart

First run gpart without the -W option to test

  • root@ttyp0[/]# gpart /dev/hda

Then use -W to actually write the changes

  • root@ttyp0[/]# gpart -W /dev/hda /dev/hda

Tweak the results
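gpart -W rewrites sector 0 of the disk, so the check a practitioner wants before it is a copy of that sector and a way back. The script below is an added example, not from the talk: it saves and restores the MBR sector and decodes the four primary partition entries, so gpart's guess can be compared with whatever is still on disk and the original table put back if the guess is wrong. The device and file paths are assumptions; it works on a block device or on a disk image file.

```shell
#!/bin/sh
# Back up, inspect and restore the MBR sector before and after gpart -W.
# Added example, not from the talk: the device and backup paths are
# assumptions. Works on a block device or on a disk image file.

# mbr_backup <device-or-image> <backup-file>: save sector 0 (bootstrap
# code, the four primary partition entries and the 0x55AA signature).
mbr_backup() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null || return 1
    [ "$(wc -c < "$2")" -eq 512 ]
}

# mbr_restore <backup-file> <device-or-image>: the undo path if gpart's
# guess turns out wrong. conv=notrunc keeps the rest of the target intact.
mbr_restore() {
    [ "$(wc -c < "$1")" -eq 512 ] || return 1
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# mbr_has_signature <device-or-image>: 0x55AA at offset 510 marks a
# sector that at least looks like an MBR.
mbr_has_signature() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# mbr_partitions <device-or-image>: one line per used primary entry,
#   <index> <type-hex> <start-lba> <sector-count> <bootable>
# Entries start at byte 446, 16 bytes each; LBA fields are little-endian.
mbr_partitions() {
    dev=$1; i=0
    while [ "$i" -lt 4 ]; do
        set -- $(od -An -tu1 -v -j $((446 + i * 16)) -N 16 "$dev")
        type=$5
        if [ "$type" -ne 0 ]; then
            start=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
            count=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
            boot=no; [ "$1" -eq 128 ] && boot=yes
            printf '%d %02x %d %d %s\n' "$i" "$type" "$start" "$count" "$boot"
        fi
        i=$((i + 1))
    done
}

# Usage (as root): mbr_backup /dev/hda /mnt/hdb1/hda-mbr.bak
#                  mbr_partitions /dev/hda      # compare with gpart's guess
```

Keep the backup on another disk, not on the one being repaired. The same sector is overwritten by the install-mbr step in the Windows half of the talk, so the backup is worth taking there too.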

Recover Deleted Files

Let's clear out this directory...

root@tty1[/]# rm -rf ./*

. . . / ?!

CTRL-C!

Recover Deleted Files

Use unrm and lazarus from The Coroner's Toolkit to recover deleted files.

  1. Prepare the partition to recover (/dev/hda1 here)
  2. Prepare a data partition (/dev/hdb1 here)
  3. Run unrm
  4. Run lazarus on unrm output
  5. Review lazarus output

Prepare the partition to recover

  • Turn off the machine!
  • Boot from a rescue disk (like Knoppix) that won't mount the drive by default
  • Mount the partition read-only
    root@tty1[]# mount -o ro /dev/hda1 /mnt/hda1

Prepare a data partition

  • At least 220% of recovery partition free space
    100% for unrm, 100% for lazarus, and ~20% for overhead
  • Must be a different partition than the one to recover
  • Mount read-write
    root@tty1[]# mount -o rw /dev/hdb1 /mnt/hdb1

Run unrm

  1. Make a directory to store the unrm output
    root@tty1[]# mkdir /mnt/hdb1/unrm
  2. Run unrm
    root@tty1[]# unrm /dev/hda1 > /mnt/hdb1/unrm/output

Run lazarus on unrm output

  1. Make a directory to store recovered blocks in unrm dir
    root@tty1[]# cd /mnt/hdb1/unrm; mkdir blocks
  2. Run lazarus on the unrm output file (named output here)
    root@tty1[unrm]# lazarus -h -w . -D blocks output
    (-h: HTML output, -w: where to store HTML frames, -D: where to store files it recovers)

Review lazarus output

  • Grep within blocks directory for keywords
  • View the HTML output
    root@tty1# mozilla file:///mnt/hda2/unrm/output.frame.html
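The whole procedure (prepare both partitions, run unrm, run lazarus, review) as one script, added here and not part of the talk: the commands and flags are the slides' own, the 220% free-space rule and the guard against recovering onto the partition being recovered are made explicit checks, and the device names and mount points are assumptions. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Recover deleted files with unrm and lazarus from The Coroner's Toolkit,
# following the steps on the slides with the space check and the
# same-partition check made explicit. Added example, not from the talk:
# device names and mount points are assumptions. DRY_RUN=1 prints the
# commands instead of executing them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# space_ok <source-partition-bytes> <free-bytes-on-data-partition>
# The slides ask for 220% of the partition being recovered: 100% for the
# unrm dump, 100% for what lazarus carves out of it, ~20% for overhead.
space_ok() { [ "$2" -ge $(( $1 * 220 / 100 )) ]; }

# tct_recover <partition-to-recover> <data-partition> <data-mountpoint>
tct_recover() {
    src=$1; data=$2; mnt=$3
    if [ "$src" = "$data" ]; then
        echo "data partition must not be the one being recovered ($src)" >&2
        return 1
    fi
    # read-only: every write to the source can overwrite blocks to recover
    run mount -o ro "$src" "/mnt/$(basename "$src")" || return 1
    run mount -o rw "$data" "$mnt" || return 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        need=$(blockdev --getsize64 "$src")
        have=$(df -P "$mnt" | awk 'NR == 2 { print $4 * 1024 }')
        if ! space_ok "$need" "$have"; then
            echo "need $(( need * 220 / 100 )) bytes free on $mnt, have $have" >&2
            return 1
        fi
    fi
    run mkdir -p "$mnt/unrm/blocks" || return 1
    # unrm dumps every unallocated block of the raw device into one file
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ unrm $src > $mnt/unrm/output"
    else
        unrm "$src" > "$mnt/unrm/output" || return 1
    fi
    # lazarus: -h HTML report, -w where the HTML frames go, -D where the
    # carved files go; run in a subshell so the cd does not leak
    ( run cd "$mnt/unrm" && run lazarus -h -w . -D blocks output ) || return 1
    echo "review: grep -rl KEYWORD $mnt/unrm/blocks; open file://$mnt/unrm/output.frame.html"
}

# Usage (as root, from Knoppix): tct_recover /dev/hda1 /dev/hdb1 /mnt/hdb1
```

The read-only mount of the source is there to stop the kernel from writing to it (journal replay, access times); unrm itself reads the raw device, so the mount is not what feeds it.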

Linux Recovery Questions?

The Windows "Recovery" Disk

What it can do
  • View text files
  • Check the disk for errors
  • Fix the MBR and boot.ini with defaults
  • Partition drives and format them
  • Restore system files from CD

What it can't do
  • Edit text files
  • Browse outside of %SYSTEMROOT% and the root folder
  • Copy to floppies or CD
  • Edit registry
  • Much, much more

Knoppix the Windows Recovery Disk

What Knoppix can do

  • Write to the full disk (even NTFS)
  • Fix boot.ini
  • Scan for viruses
  • Install files from .cabs
  • Blank passwords
  • Edit the registry

Reset the Windows Boot Loader

  • The Knoppix equivalent of fdisk /mbr:
    knoppix@tty1[knoppix]$ sudo install-mbr /dev/hda

Restore Corrupted System Files

  • Mount the Windows filesystem read-write
  • Find a .cab file on the system that contains the file you need
  • Then use cabextract to extract the file:
    knoppix@tty1[knoppix]$ cd /mnt/hda1/winnt/system32/
    knoppix@tty1[system32]$ sudo cabextract -F ntdll.dll "/mnt/hda1/winnt/ServicePackFiles/i386/sp4.cab"

Reset Windows Passwords

  • Get the latest chntpw deb from http://packages.debian.org/unstable/admin/chntpw
  • Extract the binary from the deb:
    $ alien --to-tgz chntpw_0.99.2-1_i386.deb
    $ tar xvzf chntpw_0.99.2.tgz ./usr/sbin/chntpw
    $ mv ./usr/sbin/chntpw ~/.dist/bin/
  • Mount the Windows partition read-write
  • Change to the winnt(or windows)/system32/config directory
  • Blank the Administrator password:
    $ chntpw SAM
  • Blank other user passwords:
    $ chntpw -u username SAM

Edit the Windows Registry

  • Be Careful
  • Use chntpw with the -e option on the registry hive
    $ chntpw -e SOFTWARE
  • Browse the registry with cd, ls, cat
  • Add, edit, and delete keys
  • q to quit, ? for help
  • Unmount the filesystem to ensure the changes are written to disk
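"Be careful" in practice: an added example (not from the talk) that copies the SAM, SYSTEM and SOFTWARE hives with a checksum manifest before chntpw touches them, tells you afterwards whether they changed, and rolls them back if the edit went wrong. The config directory and the backup location are assumptions.

```shell
#!/bin/sh
# Snapshot the registry hives before chntpw edits them and verify the
# copies, so a bad edit can be rolled back. Added example, not from the
# talk: the config directory and backup location are assumptions.

HIVES="SAM SYSTEM SOFTWARE"

# backup_hives <system32/config dir> <backup-dir>
backup_hives() {
    cfg=$1; out=$2
    mkdir -p "$out" || return 1
    for h in $HIVES; do
        if [ ! -f "$cfg/$h" ]; then echo "missing hive $cfg/$h" >&2; return 1; fi
        cp "$cfg/$h" "$out/$h" || return 1
    done
    # cksum lines: <crc> <bytes> <name>; used to detect any later change
    ( cd "$out" && cksum $HIVES ) > "$out/MANIFEST"
}

# verify_hives <config dir> <backup-dir>: succeeds only if the live hives
# are byte-for-byte what was backed up (useful before and after chntpw)
verify_hives() {
    [ "$(cd "$1" && cksum $HIVES)" = "$(cat "$2/MANIFEST")" ]
}

# restore_hives <backup-dir> <config dir>: roll back, then flush to disk;
# unmounting the filesystem afterwards is what makes the change final
restore_hives() {
    for h in $HIVES; do cp "$1/$h" "$2/$h" || return 1; done
    sync
}

# Usage (Windows partition mounted read-write at /mnt/hda1):
#   backup_hives /mnt/hda1/winnt/system32/config /mnt/hdb1/hives.bak
#   chntpw -e /mnt/hda1/winnt/system32/config/SOFTWARE
#   verify_hives /mnt/hda1/winnt/system32/config /mnt/hdb1/hives.bak \
#       && echo "hives unchanged"   # or restore_hives to undo the edit
```

Keep the backup on a different partition than the Windows install; a hive copy sitting next to the live hives is overwritten by the same mistakes it is meant to undo.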

Any Questions?

Other Resources