Re: Win32 Port of TAR

From: <Kevin.M-CTR.Shannon(at)faa.gov>
Date: Fri Nov 08 2002 - 14:18:32 EST

This sounds like virus activity.

Did you consider the possibility that a virus may have wiped the files and directories and then written over the blocks? As for the files on root, were they all common file extensions like .doc, .xls? A virus may have been written to search for those files and secure-wipe them. At least this would explain why the normal system files were still present.

If the file system was FAT/FAT32, you can check out ECFS (Enforcement of Critical File Systems) by Winternals (www.winternals.com). This is a nice utility for hashing the files sector by sector based on MD5, 128 bit or other hashes. At least this could tell you if the windows folder is still present in the blocks.

I do have a question though; you stated that "4,096 Bytes in Bad Sectors." Shouldn't those bad sectors appear when you list out all of the files based on their hash?
Can a virus mark sectors as bad? Anyone?

Very nice job of explaining and taking the reader through the incident!

KMS
Kevin Shannon, Sr. Network Administrator
DOT/FAA/AVN/ Lockheed Martin Information Technology
http://www.it.lockheedmartin.com/
Office - 405.954.7134
Email - Kevin.M-ctr.Shannon@faa.gov
http://avn.faa.gov/

From: "Chris Mawer"
Date: 11/04/2002 04:20 PM
To: forensics@securityfocus.com
Subject: Win32 Port of TAR

Hey all,

Recently came into possession of a 1.98GB Fujitsu internal IDE hard drive. It's a little old and creaky, and stopped functioning quite as expected. Every time the POST process occurred during bootup, the process would complete, but then the dreaded blue screen of death would occur.

Thus, the user asked me to recover as much as possible and then restructure the drive if possible into working format again.

No problem, mount under Windows 2000, access the drive, hmmn, all seems fine, files aren't corrupted.

c:\>CHKDSK e:
4,096 Bytes in Bad Sectors. Whoops, where's that then... hmmn, can't find those sectors. CHKDSK e: /f didn't do anything either.

Ok, so I can't find the clusters..[backspace] *cluster*. Never mind, I'll tar the directories and files on the FAT32 partition and GZIP them, MD5 the file, wipe the HD and then restore the files.

c:\>tar -cvf backup.tar e:\*
c:\>gzip backup.tar
c:\>md5sum backup.tar.gz

Nice little batch file and an hour later, woohoo, a 500MB tar/gzip archive that'll fit nicely on a recovery CD.

Come to expand the archive. The gzip program decompresses the original tar archive. The tar program deflates into e:\ retaining the original structure of the paths etc. Nice, files expanding, CPU usage 100%... (1.33GHz Athlon lol).

Oh. Huh? What the hell?

c:\>e:
e:\>ls
My Documents
Program Files
autoexec.bat
Bootlog.prv
Bootlog.txt
Command.com
Config.sys
Detlog.txt
Frunlog.txt
Io.sys
Msdos.---
Msdos.sys
Netlog.txt

Well that's sweet. What happened to the WINDOWS folder? What happened to the other 20 directories and sub-directories of the project the guy was working on? What happened to the other files in the root dir? AAAARRRHHHH!!!

Ok, not to worry, I have my tarred and gzipped and md5 hashed archive burnt to CD-R. Sweet, no sweat, start again.

Nope, same thing.

Why doesn't the win32 port from unxutils of TAR tar up certain directories? The TAR archive is just under the total filesize of the used filespace.. what's happened? Am I looking at an inability to cover archives bigger than 600MB with these ports?

I've just landed myself and my guy in some trouble, but he dumped me in it first I guess. :))

Anyone have any ideas? I've now labelled the disk damaged, so as to avoid it being used until its integrity can be further confirmed.

Thanks, and apologies for the length.

Chris Mawer
http://chrismawer.netfirms.com
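The procedure in this post (tar, gzip, md5sum, then wipe and restore) has no step that checks the archive is actually complete before the source is destroyed; the md5sum only proves the archive file itself was copied intact, not that every directory made it in. The script below is an added example, not code from Chris's post or from the unxutils project: it builds a small constructed directory tree, archives it, and compares the archive's member list against the regular files on disk alongside the MD5 check, refusing the all-clear if anything is absent. It assumes GNU tar, gzip, md5sum, find, sort and comm on PATH; the WINDOWS exclusion exists only to fabricate an incomplete archive for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread: verify that a tar.gz
# archive holds every file of the source tree (and still matches its
# recorded MD5) BEFORE the source is wiped. Assumes GNU tar, gzip, md5sum,
# find, sort and comm on PATH; the sample tree below is constructed here.
set -u

# Build a small constructed source tree under a temp dir; print the temp dir.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/src/WINDOWS/SYSTEM" "$base/src/My Documents/project"
    printf 'boot\n'  > "$base/src/Io.sys"
    printf 'dll\n'   > "$base/src/WINDOWS/SYSTEM/kernel32.dll"
    printf 'notes\n' > "$base/src/My Documents/project/plan.doc"
    printf '%s\n' "$base"
}

# Archive source dir $1 into $2 (absolute path) and write a $2.md5 sidecar.
# Optional $3 is a tar --exclude pattern, used here only to fabricate an
# incomplete archive (the failure mode seen in the post).
make_archive() {
    src=$1; out=$2; excl=${3:-}
    if [ -n "$excl" ]; then
        tar -C "$src" --exclude="$excl" -cf - . | gzip > "$out"
    else
        tar -C "$src" -cf - . | gzip > "$out"
    fi
    ( cd "$(dirname "$out")" && md5sum "$(basename "$out")" > "$out.md5" )
}

# Check archive $2 against source dir $1: the recorded MD5 must match, and
# every regular file on disk must appear as a member. Missing paths go to
# stderr; returns 0 when complete, 1 otherwise.
verify_archive() {
    src=$1; out=$2
    ( cd "$(dirname "$out")" && md5sum -c "$(basename "$out").md5" >/dev/null ) || {
        echo "MD5 mismatch for $out" >&2; return 1; }
    exp=$(mktemp); act=$(mktemp)
    ( cd "$src" && find . -type f | sort ) > "$exp"
    # tar lists directories with a trailing slash; keep only file members.
    gzip -dc "$out" | tar -tf - | grep -v '/$' | sort > "$act"
    missing=$(comm -23 "$exp" "$act")   # on disk but not in the archive
    rm -f "$exp" "$act"
    if [ -n "$missing" ]; then
        printf 'MISSING from %s:\n%s\n' "$out" "$missing" >&2
        return 1
    fi
    return 0
}

# Usage: a complete archive passes; one that silently dropped WINDOWS fails.
demo() {
    d=$(make_sample_tree)
    make_archive "$d/src" "$d/good.tar.gz"
    verify_archive "$d/src" "$d/good.tar.gz" && echo "good.tar.gz: complete"
    make_archive "$d/src" "$d/bad.tar.gz" WINDOWS
    verify_archive "$d/src" "$d/bad.tar.gz" || echo "bad.tar.gz: do NOT wipe the source"
    rm -rf "$d"
}
```

Run `demo` to see both outcomes. The point of the design is that the decision to wipe hinges on the member-list comparison, which is cheap (a `tar -t` pass over the archive) and would have caught the missing WINDOWS tree here before the drive was touched; the MD5 sidecar is still worth keeping, but it only detects damage to the archive after it was written.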


This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 8 21:19:39 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT
