System Rescue with Knoppix

Kyle Rankin

Systems Architect

Author of The Official Ubuntu Server Book,
Knoppix Hacks and Knoppix Pocket Reference


http://greenfly.org/talks/knoppix/rescue.html

What is Knoppix?

A complete Linux distribution that runs directly from a bootable CD-ROM, Knoppix has many uses:

System Rescue with Knoppix

Linux Rescue
  • Reinstall boot loaders
  • Image damaged drives
  • Restore partition tables
  • Recover deleted files
  • Compromised system forensics

Windows Rescue
  • Reset the Windows boot loader
  • Restore system files
  • Reset Windows passwords
  • Edit the Windows Registry

Why Knoppix?

Knoppix 6

Reinstall Boot Loaders

Chroot makes it easy

Image Damaged Drives

Why use dd_rescue and dd_rhelp?

Get dd_rhelp

Use dd_rhelp

  1. mount the destination drive
    knoppix@tty1[knoppix]$ sudo mount -o rw /dev/hdb1 /mnt/hdb1
  2. run dd_rhelp
    knoppix@tty1[knoppix]$ sudo dd_rhelp /dev/hda1 /mnt/hdb1/hda1_rescue.img
  3. fsck the image
    knoppix@tty1[knoppix]$ sudo fsck -y /mnt/hdb1/hda1_rescue.img
  4. mount the image via loopback, or reimage it to another drive

Restore Partition Tables

Gpart

Run Gpart

  1. First run gpart without the -W option to test
    root@ttyp0[/]# gpart /dev/hda
  2. Then use -W to actually write the changes
    root@ttyp0[/]# gpart -W /dev/hda /dev/hda
  3. Tweak the results

Recover Deleted Files

Let's clear out this directory...

root@tty1[/]# rm -rf ./*

. . . / ?!

CTRL-C!

Recover Deleted Files

Use fls and icat from the Sleuth Kit to recover deleted files.

  1. In Knoppix 6: install sleuthkit package
  2. Prepare the partition to recover (/dev/hda1 here)
  3. Prepare a data location (~/Desktop/recover here)
  4. Run fls
  5. Run icat on fls output

Prepare the partition to recover

Prepare a data location

Run fls

  1. fls = forensic ls
  2. Run fls
    $ sudo fls -f ext -d -r -p /dev/hda1 > ~/Desktop/recover/deleted_files.txt
    (-f: file system type, -d: deleted files only, -r: recursive, -p: full paths on files)
  3. View content of deleted_files.txt
    ...
    r/r * 814650: home/krankin/.mozilla/firefox/3d4ef4xp.default/bookmarks.html
    r/r * 814675: home/krankin/.bashrc

Run icat on fls output

  1. Choose files to restore and note inode
  2. Run icat and specify the inode to restore
    $ sudo icat -f ext -r -s /dev/hda1 814650 > ~/Desktop/recover/bookmarks.html
    (-f: file system type, -r: special recovery mode, -s: output full content of sparse files)
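The fls and icat steps above are typed by hand for each inode. As an added example (not part of the talk), this POSIX shell script turns an fls "-d -r -p" listing into icat recovery commands; it assumes the Sleuth Kit is installed, that the partition is unmounted or mounted read-only while you work, and that DRY_RUN=1 (the default) only prints the commands instead of running them. The sample fls listing is constructed.

```shell
#!/bin/sh
# Added example, not from the talk: drive icat from the "fls -d -r -p" listing.
# Assumes the Sleuth Kit (fls/icat) is installed. With DRY_RUN=1 (the default
# here) the icat commands are only printed, so the script runs without a disk.
# Work on an unmounted or read-only partition: writes can reuse the inodes.
TAB=$(printf '\t')

# Constructed sample in the format fls prints (real fls separates the inode and
# path with a tab). The "(realloc)" entry is a deleted name whose inode has been
# reused by a live file; icat would return the new file's data, so it is skipped.
SAMPLE_FLS="r/r * 814650:${TAB}home/krankin/.mozilla/firefox/3d4ef4xp.default/bookmarks.html
r/r * 814675:${TAB}home/krankin/.bashrc
d/d * 814601:${TAB}home/krankin/.mozilla
r/r * 814700(realloc):${TAB}home/krankin/notes.txt
r/r 12:${TAB}etc/passwd"

# Print "inode<TAB>path" for every deleted (*) regular file (r/r) that is not
# marked realloc. Directories (d/d) and live files are left out.
deleted_regular_files() {
    printf '%s\n' "$1" |
        sed -n "s|^r/r \* \([0-9][0-9]*\):[[:space:]]*\(.*\)$|\1${TAB}\2|p"
}

# Destination file name: the original path with '/' replaced by '_', so every
# recovered file lands inside the data directory.
safe_name() { printf '%s' "$1" | tr '/' '_'; }

# The icat command line for one inode, as text (what the talk types by hand).
icat_command() {
    printf 'sudo icat -f ext -r -s %s %s > %s/%s\n' "$1" "$2" "$3" "$(safe_name "$4")"
}

# Recover everything in listing $3 from device $1 into directory $2.
recover_deleted() {
    dev=$1; dest=$2; listing=$3
    deleted_regular_files "$listing" | while IFS="$TAB" read -r inode path; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            icat_command "$dev" "$inode" "$dest" "$path"
        else
            sudo icat -f ext -r -s "$dev" "$inode" > "$dest/$(safe_name "$path")"
        fi
    done
}

recover_deleted /dev/hda1 "$HOME/Desktop/recover" "$SAMPLE_FLS"
```

Feed it the real listing with deleted_files.txt from the fls step and set DRY_RUN=0 once the printed commands look right.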

Compromised System Forensics

When collecting forensics data:

Three Step Process:

  1. Install The Coroner's Toolkit (minutes)
  2. Collect forensics data (30 mins - 1 hr)
    • Live machine vs. "Corpse"
  3. Analyze forensics data (days, weeks, months)

Install The Coroner's Toolkit

  1. $ sudo apt-get update
  2. $ sudo apt-get install tct

Collect forensics data

  1. Mount the corpse (hda1 here) read-only and destination (hdb1 here) read-write
  2. Create a destination directory for grave-robber (/mnt/hdb1/data here)
  3. Start script to save all grave-robber output
    $ sudo script /mnt/hdb1/grave-robber-output
  4. Run grave-robber within the script session on the corpse
    root@0[knoppix]# grave-robber -c /mnt/hda1 -o LINUX2 -d /mnt/hdb1/data -v
  5. Type exit to exit script

Analyze Forensics Data

Linux Recovery Questions?

The Windows "Recovery" Disk

What it can do
  • View text files
  • Check the disk for errors
  • Fix the MBR and boot.ini with defaults
  • Partition drives and format them
  • Restore system files from CD

What it can't do
  • Edit text files
  • Browse outside of %SYSTEMROOT% and the root folder
  • Copy to floppies or CD
  • Edit the registry
  • Much, much more

Knoppix the Windows Recovery Disk

What Knoppix can do

Reset the Windows Boot Loader

Restore Corrupted System Files

Reset Windows Passwords

Edit the Windows Registry

Any Questions?

Other Resources