Archive for January 7, 2010

The Recovery Console is a feature of the Windows 2000, Windows XP and Windows Server 2003 operating systems. It provides the means for administrators to perform a limited range of tasks using a command line interface. Its primary function is to enable administrators to recover from situations where Windows does not boot as far as presenting its graphical user interface. As such, the Recovery Console can be accessed either through the original installation media used to install Windows, or it can also be installed to the hard drive and added to theNTLDR menu.

The recovery console has a simple command line interpreter. Many of the available commands closely resemble the command-line commands that are normally available on Windows, namely attrib, copy, del, and so forth.

From the recovery console an administrator can:

  • create and remove directories, and copy, erase, display, and rename files
  • enable and disable services (which modifies the service control database in the registry, to take effect when the system is next bootstrapped)
  • write a new Master Boot Record to a disc, using the fixmbr command
  • write a new Volume Boot Record to a volume, using the fixboot command
  • format volumes
  • expand files from the compressed format in which they are stored on the installation CD-ROM
  • perform a full CHKDSK scan to repair corrupted disks and files, especially if the computer cannot be started properly

Filesystem access on the recovery console is by default severely limited. An administrator using the recovery console has only read-only access to all volumes except for the boot volume, and even on the boot volume only access to the root directory and to the Windows system directory (e.g. \WINNT). This can be changed by changing Security Policies to enable read/write access to the complete file system including copying files from removable media (i.e. floppy drives).

Although it appears in the list of commands available by using the help command, and in many articles about the Recovery Console (including those authored by Microsoft), the netcommand is not available. No protocol stacks are loaded, so there is no way to connect to a shared folder on a remote computer as implied.

Advertisements

Normal—Backs up the files you select, and marks the files as backed up.

Incremental—Backs up the files that changed since the last backup, and marks the files as backed up.

Differential—Backs up the files that changed since the last backup, but doesn’t mark the files as backed up.

Copy—Backs up the files you select, but doesn’t mark the files as backed up.

Daily—Backs up the files that changed that day, but doesn’t mark the files as backed up.

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common “data recovery” issue involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), where the goal is to simply copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to 1) mount the system drive, 2) mount and backup disk or media drives, and 3) move the files from the system to the backup with a file manager or optical disc authoring software. Further, such cases can be mitigated by disk partitioning and consistently moving valuable data files to a different partition from the replaceable OS system files.

The second type involves a disk-level failure such as a compromised file system, disk partition, or a hard disk failure —in each of which the data cannot be easily read. Depending on the case, solutions involve repairing the file system, partition table or MBR, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. These last two typically indicate the permanent failure of the disk, thus “recovery” means sufficient repair for a one-time recovery of files.

A third type involves the process of retrieving files that have been “deleted” from a storage media, since the files are usually not erased in any way but are merely deleted from the directory listings.

Although there is some confusion as to the term, the term “data recovery” may be used to refer to such cases in the context of forensic purposes or spying.

Recovering data after physical damage

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be salvaged from the failed media.

Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, costly data recovery companies are often employed to salvage important data. These firms often use “Class 100” / ISO-5 cleanroom facilities to protect the media while repairs are being made. (Any data recovery firm without a pass certificate of ISO-5 or better will not be accepted by hard drive manufacturers for warranty purposes

Recovery techniques

Recovering data from physically-damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analysed for logical damage and will possibly allow for much of the original file system to be reconstructed.

Hardware repair

Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive, performing a live PCB swap (in which the System Area of the HDD is damaged on the target drive which is then instead read from the donor drive, the PCB then disconnected while still under power and transferred to the target drive), read/write head assembly with matching parts from a healthy drive, removing the hard disk platters from the original damaged drive and installing them into a healthy drive, and often a combination of all of these procedures. Some data recovery companies have procedures that are highly technical in nature and are not recommended for an untrained individual. Any of them will almost certainly void the manufacturer’s warranty.

Disk imaging

The extracted raw image can be used to reconstruct usable data after any logical damage has been repaired. Once that is complete, the files may be in usable form although recovery is often incomplete.

Open source tools such as DCFLdd or DOS tools such as HDClone can usually recover data from all but the physically-damaged sectors. Studies have shown that DCFLdd v1.3.4-1 installed on a Linux 2.4 Kernel system produces extra “bad sectors” when executed with certain parameters, resulting in the loss of information that is actually available. These studies state that when installed on a FreeBSD Kernel system, only the bad sectors are lost. DC3dd, a tool that has superseded DCFLdd, and ddrescue resolve this issue by accessing the hardware directly. Another tool that can correctly image damaged media is ILook IXImager.

Typically, Hard Disk Drive data recovery imaging has the following abilities: (1) Communicating with the hard drive by bypassing the BIOS and operating system which are very limited in their abilities to deal with drives that have “bad sectors” or take a long time to read. (2) Reading data from “bad sectors” rather than skipping them (by using various read commands and ECC to recreate damaged data). (3) Handling issues caused by unstable drives, such as resetting/repowering the drive when it stops responding or skipping sectors that take too long to read (read instability can be caused by minute mechanical wear and other issues). and (4) Pre-configuring drives by disabling certain features, such as SMART and G-List re-mapping, to minimize imaging time and the possibility of further drive degradation.

Problem: What Is the IP Address of a Router?

A typical home network router possesses two IP addresses, one for the internal home (LAN) and one for the external Internet (WAN) connection. How can you find the router IP addresses?

Solution:

The internal, LAN-IP address is normally set to a default, private number. Linksys routers, for example, use 192.168.1.1 for their internal IP address. D-Link and Netgear routers typically use 192.168.0.1. Some US Robotics routers use 192.168.123.254, and some SMC routers use 192.168.2.1. No matter the brand of router, its default internal IP address should be provided in documentation. Administrators often have the option to change this IP address during router setup. In any case, however, the private LAN-IP address remains fixed once set. It can be viewed from the router’s administrative console.

The external, WAN-IP address of the router is set when the router connects to the Internet service provider. This address can also be viewed on the router’s administrative console. Alternatively, the WAN-IP address can be found by visiting a Web-based IP address lookup service like http://checkip.dyndns.org/ from any computer on the home LAN.

Another way to identify the public IP addresses of routers, involves executing a ping or “traceroute” command. From inside a home network, the (DOS) command “ping -r 1” will send a message through the home router that will cause its IP address to be displayed. For example, “ping -r 1 http://www.yahoo.com” should result in a message like the following displayed on the command prompt:

Reply from 67.84.235.43: bytes=32 times=293ms TTL=56
Route: 209.178.21.76

In this example, the IP address after “Route:” (209.178.21.76) corresponds to the router WAN address.

On corporate networks, network discovery services based on SNMP can automatically determine the IP addresses of routers and many other network devices.

Power-on self-test (POST) is the common term for a computer, router or printer’s pre-boot sequence. The same basic sequence is present on all computer architectures. It is the first step of the more general process called initial program load (IPL), booting, or bootstrapping. The term POST has become popular in association with and as a result of the proliferation of the PC. It can be used as a noun when referring to the code that controls the pre-boot phase or when referring to the phase itself. It can also be used as a verb when referring to the code or the system as it progresses through the pre-boot phase. Alternatively, this may be called “POSTing.”

For embedded systems power-on self-test (POST) refers to the testing sequence that occurs when a system is first powered on. POST is software written to initialize and configure a processor and then execute a defined series of tests to determine if the computer hardware is working properly. Any errors found during the self-test are stored or reported through auditory or visual means, for example through a series of beeps, flashing LEDs or text displayed on a display. Once the POST sequence completes, execution is handed over to the normal boot sequence which typically runs a boot loader or operating system. POST for embedded systems has been around since the earliest days of computer systems.

On power up, the main duties of POST are handled by the BIOS, which may hand some of these duties to other programs designed to initialize very specific peripheral devices, notably for video and SCSI initialization. These other duty-specific programs are generally known collectively as option ROMs or individually as the video BIOS, SCSI BIOS, etc.

The principal duties of the main BIOS during POST are as follows:

  • verify the integrity of the BIOS code itself
  • find, size, and verify system main memory
  • discover, initialize, and catalog all system buses and devices
  • pass control to other specialized BIOSes (if and when required)
  • provide a user interface for system’s configuration
  • identify, organize, and select which devices are available for booting
  • construct whatever system environment that is required by the target OS

The BIOS will begin its POST duties when the CPU is reset. The first memory location the CPU tries to execute is known as the reset vector. In the case of a hard reboot, the northbridgewill direct this code fetch (request) to the BIOS located on the system flash memory. For a warm boot, the BIOS will be located in the proper place in RAM and the northbridge will direct the reset vector call to the RAM.

During the POST flow of a contemporary BIOS, one of the first things a BIOS should do is determine the reason it is executing. For a cold boot, for example, it may need to execute all of its functionality. If, however, the system supports power savings or quick boot methods, the BIOS may be able to circumvent the standard POST device discovery, and simply program the devices from a preloaded system device table.

The POST flow for the PC has developed from a very simple, straightforward process to one that is complex and convoluted. During POST, the BIOS must integrate a plethora of competing, evolving, and even mutually exclusive standards and initiatives for the matrix of hardware and OSes the PC is expected to support. However, the average user still knows the POST and BIOS only through its simple visible memory tests and setup screen.