System Rescue with Knoppix

Kyle Rankin

Quinstreet Inc.

Author of Knoppix Hacks and Knoppix Pocket Reference


http://greenfly.org/talks/knoppix/rescue_hp.html

What is Knoppix?

A complete Linux distribution that runs directly from a bootable CD-ROM, Knoppix has many uses:

System Rescue with Knoppix

Linux Rescue
  • Reinstall boot loaders
  • Image damaged drives
  • Restore partition tables
  • Recover deleted files
  • Compromised system forensics

Windows Rescue
  • Reset the Windows boot loader
  • Restore System Files
  • Reset Windows Passwords
  • Edit the Windows Registry

Why Knoppix?

Reinstall Boot Loaders

Chroot makes it easy

Image Damaged Drives

Why use dd_rescue and dd_rhelp?

Get dd_rescue and dd_rhelp

Use dd_rhelp

  1. mount the destination drive
    knoppix@tty1[knoppix]$ sudo mount -o rw /dev/hdb1 /mnt/hdb1
  2. run dd_rhelp
    knoppix@tty1[knoppix]$ sudo dd_rhelp /dev/hda1 /mnt/hdb1/hda1_rescue.img
  3. fsck the image
    knoppix@tty1[knoppix]$ sudo fsck -y /mnt/hdb1/hda1_rescue.img
  4. mount the image loopback, or reimage to another drive
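The error-skipping copy that lets dd_rescue and dd_rhelp image a failing disk where plain dd gives up, as an added Python example (not code from the talk, from dd_rescue or from dd_rhelp): read in large blocks while the disk is healthy, fall back to single sectors around an I/O error, and zero-fill and log the sectors that still fail so every good byte keeps its original offset in the image. `DamagedDevice` is a constructed stand-in for a failing /dev/hda1.

```python
import io
SECTOR = 512

class DamagedDevice(io.BytesIO):
    """Constructed stand-in for a failing disk: any read touching a bad sector raises EIO."""
    def __init__(self, data: bytes, bad_sectors: set):
        super().__init__(data)
        self.bad_sectors = bad_sectors

    def read(self, size: int = -1) -> bytes:
        start = self.tell()
        end = start + (size if size >= 0 else len(self.getvalue()) - start)
        if any(s in self.bad_sectors for s in range(start // SECTOR, (end + SECTOR - 1) // SECTOR)):
            raise OSError(5, "Input/output error")
        return super().read(size)

def rescue_copy(src, dst, total: int, big: int = 4096) -> list:
    """dd_rescue-style copy: big blocks while reads succeed, single sectors after a
    failure, unreadable sectors zero-filled so good data keeps its offsets.
    Returns the bad-block log as merged (offset, length) ranges."""
    bad, pos = [], 0
    while pos < total:
        want = min(big, total - pos)
        src.seek(pos)
        try:
            chunk = src.read(want)
        except OSError:
            # Re-read the failed region sector by sector so only truly bad sectors are lost.
            chunk = b""
            for off in range(pos, pos + want, SECTOR):
                n = min(SECTOR, pos + want - off)
                src.seek(off)
                try:
                    chunk += src.read(n)
                except OSError:
                    chunk += b"\x00" * n
                    if bad and bad[-1][0] + bad[-1][1] == off:
                        bad[-1] = (bad[-1][0], bad[-1][1] + n)  # extend the current hole
                    else:
                        bad.append((off, n))
        dst.seek(pos); dst.write(chunk)
        pos += want
    return bad

def demo() -> tuple:
    # Constructed 20-sector "drive" whose sectors 3, 4 and 17 cannot be read.
    data = bytes(range(256)) * 40
    image = io.BytesIO()
    bad = rescue_copy(DamagedDevice(data, {3, 4, 17}), image, len(data))
    return bad, data, image.getvalue()
```

The returned bad-block log is what you would then hand to fsck or to dd_rhelp's retry passes; the image itself stays loop-mountable because nothing shifted.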

Restore Partition Tables

Gpart

Run Gpart

  1. First run gpart without the -W option to test
    root@ttyp0[/]# gpart /dev/hda
  2. Then use -W to actually write the changes
    root@ttyp0[/]# gpart -W /dev/hda /dev/hda
  3. Tweak the results
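How a tool like gpart can guess a lost partition table by scanning the raw disk for filesystem signatures, as an added Python example (not code from the talk or from gpart): it walks a constructed 64-sector image, recognises FAT, ext2 and NTFS boot records and superblocks from their documented magic values, reads each filesystem's own size field, and proposes a start and length for each partition, skipping past each guess the way gpart's scan does. The image contents and layout are constructed for the example.

```python
import struct

SECTOR = 512

def guess_partitions(img: bytes) -> list:
    """Scan sector by sector for filesystem signatures and propose
    (fstype, start_sector, sectors) tuples, skipping past each guess."""
    found, s, nsec = [], 0, len(img) // SECTOR
    while s < nsec:
        sec = img[s * SECTOR:(s + 1) * SECTOR]
        guess = None
        if sec[3:11] == b"NTFS    ":                       # NTFS OEM ID in the boot sector
            bps = struct.unpack_from("<H", sec, 11)[0]
            guess = ("ntfs", struct.unpack_from("<Q", sec, 40)[0] * bps // SECTOR)
        elif sec[510:512] == b"\x55\xAA" and sec[0] in (0xEB, 0xE9):   # FAT boot sector
            bps = struct.unpack_from("<H", sec, 11)[0]
            total = struct.unpack_from("<H", sec, 19)[0] or struct.unpack_from("<I", sec, 32)[0]
            guess = ("fat", total * bps // SECTOR)
        elif s + 2 < nsec and img[(s + 2) * SECTOR + 56:(s + 2) * SECTOR + 58] == b"\x53\xEF":
            # ext2/3/4 superblock lives 1024 bytes into the partition; s_magic 0xEF53 at +56
            sb = img[(s + 2) * SECTOR:(s + 3) * SECTOR]
            bsize = 1024 << struct.unpack_from("<I", sb, 24)[0]     # s_log_block_size
            guess = ("ext2", struct.unpack_from("<I", sb, 4)[0] * bsize // SECTOR)  # s_blocks_count
        if guess and guess[1] > 0:
            found.append((guess[0], s, guess[1]))
            s += guess[1]            # jump past the partition, like gpart's scan does
        else:
            s += 1
    return found

def build_sample_image() -> bytes:
    """Constructed 64-sector image: FAT at 2 (16 sectors), ext2 at 20 (16), NTFS at 40 (20)."""
    img = bytearray(64 * SECTOR)
    fat = bytearray(SECTOR); fat[0] = 0xEB; fat[510:512] = b"\x55\xAA"
    struct.pack_into("<H", fat, 11, 512); struct.pack_into("<H", fat, 19, 16)
    img[2 * SECTOR:3 * SECTOR] = fat
    sb = bytearray(SECTOR)
    struct.pack_into("<I", sb, 4, 8)         # 8 blocks of 1 KiB = 16 sectors
    struct.pack_into("<H", sb, 56, 0xEF53)   # s_magic
    img[22 * SECTOR:23 * SECTOR] = sb        # superblock at partition offset 1024
    ntfs = bytearray(SECTOR); ntfs[0] = 0xEB; ntfs[3:11] = b"NTFS    "; ntfs[510:512] = b"\x55\xAA"
    struct.pack_into("<H", ntfs, 11, 512); struct.pack_into("<Q", ntfs, 40, 20)
    img[40 * SECTOR:41 * SECTOR] = ntfs
    return bytes(img)

if __name__ == "__main__":
    for fstype, start, length in guess_partitions(build_sample_image()):
        print(f"{fstype:5s} start sector {start:>4}  size {length:>4} sectors")
```

As with gpart's dry run, treat the output as a proposal to check against what you know of the disk before anything is written back.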

Recover Deleted Files

Let's clear out this directory...

root@tty1[/]# rm -rf ./*

. . . / ?!

CTRL-C!

Recover Deleted Files

Use unrm and lazarus from The Coroner's Toolkit to recover deleted files.

  1. Prepare the partition to recover (/dev/hda1 here)
  2. Prepare a data partition (/dev/hdb1 here)
  3. Run unrm
  4. Run lazarus on unrm output
  5. Review lazarus output

Prepare the partition to recover

Prepare a data partition

Run unrm

  1. Make a directory to store the unrm output
    root@tty1[]# mkdir /mnt/hdb1/unrm
  2. Run unrm
    root@tty1[]# unrm /dev/hda1 > /mnt/hdb1/unrm/output

Run lazarus on unrm output

  1. Make a directory to store recovered blocks in unrm dir
    root@tty1[]# cd /mnt/hdb1/unrm; mkdir blocks
  2. Run lazarus on the unrm output file and output
    root@tty1[unrm]# lazarus -h -w . -D blocks output
    (-h: HTML output, -w: where to store HTML frames, -D: where to store files it recovers)

Review lazarus output

Compromised System Forensics

When collecting forensics data:

Two Step Process:

  1. Collect forensics data (30 mins - 1hr)
    • Live machine vs. "Corpse"
  2. Analyze forensics data (days, weeks, months)

Collect forensics data

  1. Mount the corpse (hda1 here) read-only and destination (hdb1 here) read-write
  2. Create a destination directory for grave-robber (/mnt/hdb1/data here)
  3. Start script to save all grave-robber output
    $ sudo script /mnt/hdb1/grave-robber-output
  4. Run grave-robber within the script session on the corpse
    root@0[knoppix]# grave-robber -c /mnt/hda1 -o LINUX2 -d /mnt/hdb1/data -v
  5. Type exit to exit script

Compromised System Forensics

Analyze Forensics Data

The Windows "Recovery" Disk

What it can do
  • View text files
  • Check the disk for errors
  • Fix the MBR and boot.ini with defaults
  • Partition drives and format them
  • Restore system files from CD

What it can't do
  • Edit text files
  • Browse outside of %SYSTEMROOT% and the root folder
  • Copy to floppies or CD
  • Edit registry
  • Much, much more

Knoppix the Windows Recovery Disk

What Knoppix can do

Reset the Windows Boot Loader

Restore Corrupted System Files

Reset Windows Passwords

Edit the Windows Registry

Any Questions?

Other Resources