Security: Restore data quickly and easily
04 Jan 11 at 16:42
Data loss is an unpleasant fact of life, especially if we lose important personal documents such as yearly projects, graduate theses, financial reports, presentations and photographs that can't be downloaded from the Internet and, as usual, have no backup. There are many reasons why data loss occurs: "accidental" deletion, hardware failure, malware, etc. Although valuable data can be recovered in many cases, you need to know how and what to do when data loss has occurred. That is what we will talk about today.

I suggest talking about a powerful free data recovery program, TestDisk. It is a very popular and effective program that recovers data no worse than similar programs such as R-Studio and GetDataBack. Besides, TestDisk is available for many operating systems, including Linux and Windows. Note that TestDisk ships in the same package as PhotoRec. Let's take a closer look at these programs.

TestDisk is a program designed to recover lost partitions and MBR.
PhotoRec is a data recovery software tool designed to recover lost pictures from digital camera memory and lost files including video, documents and archives from Hard Disks and CD-ROMs.

At first, I would like to show you visually what happens when files are deleted. I chose a removable storage medium (a 128 MB flash disk) for the experiments. It had been formatted beforehand and the following files were copied to it:



Now open the command interpreter, go into the directory with TestDisk and run it. After that we will see the following:



Here we are asked whether to log the information gathered while TestDisk runs. I advise choosing the "Create" item, because it lets you see at any time what you did by reading the log file.
Next, we need to choose the device we will work with:



In the list box select our 128 MB flash disk, which is highlighted in the figure.
After clicking "Proceed", we are asked about the partition table type:



One of the items must be selected; Windows users should select the first one.
After that the following list of available commands will be displayed:



We should select "Advanced" item. Now we may begin to work directly with the flash disk:



Here we need to select "Image Creation" item and the directory where the image of our disk will be saved:



Then we press "Y" key and wait until the saving process is complete:



After that we delete the previously created files from the removable medium and repeat the image creation. The first image must be renamed beforehand, because if the name is not changed, the image file will be overwritten with the new data.
Now we use any file comparison program to see all the changes that occurred after the files were deleted:



Without going into the details of filesystem operations, I just want to say that many of them do not delete the data itself, but only the information about it. The figure above shows the result of comparing the disk image before and after the deletion. As you can see, the image file that was stored on the removable medium and then deleted is still present on the disk.

Now let's move on to PhotoRec and see how to recover deleted files with it. For a successful recovery it is important to follow one rule: do not write any data to the drive from which you are trying to recover data. I'll come back to this in more detail later.

Now run the program and perform the following steps:
1) select a media for the analysis:



2) the partition table type:



3) select the partition that contains the deleted files or if you aren't sure which partition that is, or if no partitions are listed, select the drive itself and click "Search":



4) indicate the filesystem type:



5) then indicate where to find the files:



6) next, you must select the directory in which you will save your recovered data and click "Y":



7) you will then see a report containing the information about the recovered files found and their number:



After the recovery is finished, you can compare the recovered files with the originals, for example by calculating their SHA1 and MD5 hashes:



It proves once again that the recovered files are identical to the original ones.

Now we go back to the question of why you should not write any data to the medium if you intend to recover deleted data. After files are deleted the data itself is not erased; the area where the deleted files were stored is simply marked as free space. If new files or folders are written to the same place, that free space will be overwritten, which makes it difficult to restore the deleted files, at least in their original form.

P.S.: A secure delete function is implemented by some operating systems: not only is the file's directory entry removed, but the area on the disk where the file was stored is also overwritten. Thus a secure file delete ensures that deleted files can't be retrieved.


John Doe
"Design and Test Lab", Ltd. 2011
/specially for /



Security: How Perl can help a novice analyst
02 Jan 11 at 17:38
... The Trojan then sends a request to the following address:

In reply it gets a list of links from which it will download files. At the time of writing, the list was as shown below…

For every virus analyst this is a well-known situation. You have a list of a few dozen malicious programs. You download them using your favorite downloading program (I use Wget in such cases). Thus, you have downloaded files and you need to know how they are detected.





Then the strength test of your mouse begins — right click — “Check for viruses” — to open a report — to copy a detection if it exists — to place a sample into an archive with password and detect as the name ...

At some point you get tired of it. Is it possible to automate this process? The answer to this is absolutely yes! My favorite programming language Perl helps us:



This script is called from the command line (or from a prepared BAT file):



In this line:

C:\Perl\bin\perl is the path to the Perl interpreter. There is no need to specify the full path if Perl is installed correctly and the Path environment variable is set;

D:\test\detect.pl is the path and name of the script;

D:\test\sample is a parameter containing the path to the directory with the files you want to scan;

D:\test\detected is a parameter containing the path where the detected files will be moved.

You need to include the quotes if there are spaces in the path. For example:



Now we can move straight to the script. In the beginning we get the first parameter:

@ARGV is an array that contains the command-line arguments passed to the script.

$ARGV[0] is the first argument. In this case it contains the path to the directory with the files you want to scan, i.e. D:\test\sample.



Check the command-line argument. If it is not present, a message saying that you must specify the directory with the samples is displayed and the script exits.



Then we place this parameter in the variable $DirToNotDetected.

After that, check the presence of the second argument:



The second parameter is not critical. If it is not present, a directory for detected files named "detect" is created directly in the directory with the samples. This path is stored in the variable $DirToDetected.



Create a directory for detected files.



Then we place a path to a file archiver in the variable $PathTo7z. I use 7zip.



Next we put the password which will be used for archives in the variable $pass.



Specify a path to Kaspersky Anti-Virus in the variable $PathToKasper.



Then we specify the path to the log file of the anti-virus scanner in the variable $KasperLogDir. In this case, the log will be saved in a directory containing the detected files.



Place the command line with which the scanner will be run in the variable $KasperCMDLine. Let's consider it in more detail:

\"$PathToKasper\\avp.com\" will be interpreted as
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.com". Inside the Perl string the quotes have to be preceded by a backslash.

SCAN /fa /i0 /RA:\"$KasperLogDir\\kasperlog.txt\" are the scanner settings: "/fa" - scan all files without exception; "/i0" - report only, without disinfection; "/RA:" - log all events, not only critical ones; "$KasperLogDir\kasperlog.txt" - save the report to the file "kasperlog.txt" in the directory indicated by the variable $KasperLogDir.

\"$DirToNotDetected\" is the path to the directory with the files to scan.



Launch the command line for execution.



Once the scanning is finished, open the log, or display a message that the file cannot be opened if that fails. This can happen if the report was not created, for example because the directory specified for it was read-only.



Put the log into the array @file_to_parse, each element of which is a separate line, and ...



... for each element of the array:



We remove the last character of the string, which strips the trailing newline from the line read from the file.



Perl lets you match patterns within strings with the =~ operator. The expression you want to find is written between slashes: /what you are looking for/. The symbol "|" means "or".
If the string contains the word "detected" or "suspicion" bounded by tabs (\t), then do the following ...

Here we make a slight digression to see what the anti-virus scanner's log looks like. I will cite a part of it:



The lines highlighted in red will pass the test $line =~ /\tdetected\t|\tsuspicion\t/. Notice the line highlighted in green. This line also contains the word "detected", but it is not bounded by tabs. In addition, the words "detected" and "suspicion" may occur in file paths or file names. To avoid false matches we add the tab character "\t" at the beginning and end of the keywords.

Go back to the script. So, if we found the search string, then:



Split the line into pieces by tab and put the parts in the array @arr. Consider one of the lines. I use an editor that can display special characters, to make it clear:


First the newline character (underlined in red) is removed. Also note that in the previous screenshot the gap between the date and the time (underlined in blue) looks the same as the gap between the packer and the word "detected" (underlined in green), but the first is an ordinary space and the second is a tab character. Splitting the line we obtain four elements:

2009-08-16 12:32:35
D:\test\sample\1.exe//PE_Patch.UPX//UPX
detected
Trojan-GameThief.Win32.OnLineGames.bmtc

These parts will be placed in the array @arr.



Put element number three of the array into the variable $detect. Another important feature that is obvious to programmers but often causes errors and confusion for beginners is that elements are numbered from 0. Thus:

16/08/2009 12:32:35 is the zero element of the array,
D:\test\sample\1.exe//PE_Patch.UPX//UPX is the first,
detected is the second,
Trojan-GameThief.Win32.OnLineGames.bmtc is the third element of the array.

That is, "Trojan-GameThief.Win32.OnLineGames.bmtc" will be written in the variable $detect.



Then we substitute underscores for colons in the variable $detect. Thus, some not-a-virus:AdWare.Win32.Agent.pgv will be written as not-a-virus_AdWare.Win32.Agent.pgv. The reason why it is needed will become clear later.



If the first element of the array (in this case D:\test\sample\1.exe//PE_Patch.UPX//UPX) contains a forward slash (a slash "/" is a special character in the regular expression, so it is preceded by a backslash "\"), this element is split by slashes. In this expression we separate the path and name of the detected file from the packer. Since we've already saved the detect in the variable $detect, we no longer need the array @arr, so we can reuse this name. Thus:

in the zero element of the array @arr ($arr[0]) "D:\test\sample\1.exe" will be written,
in the first ($arr[1]) - nothing,
in the second ($arr[2]) - PE_Patch.UPX,
in the third ($arr[3]) - nothing,
in the fourth ($arr[4]) - UPX.



Write the zero element into the first element.



Write the first element of the array, i.e. the file name and path (D:\test\sample\1.exe), into the variable $path_name. Note that if the condition is false (the file is not packed), the name and path obtained when splitting the line by tab are already in $arr[1].

So we have the detect and the path to the file. All that remains is to put the file into a password-protected archive:



The 7-Zip archiver is run. All variables are replaced by their values, and as a result the command looks like this:

"C:\Program Files\7-Zip\7za" a -tzip "$DirToDetected\Trojan-GameThief.Win32.OnLineGames.bmtc.zip" "D:\test\sample\1.exe" -y -ppassword

Here:

C:\Program Files\7-Zip\7za is the path to the 7-Zip program;

a is the command that tells the archiver to add the file to the archive;

-tzip sets the archive format to zip;

$DirToDetected\Trojan-GameThief.Win32.OnLineGames.bmtc.zip is the path and name of the archive in which the file should be placed;

D:\test\sample\1.exe is the file to be archived;

-y answers yes to all questions (effectively making the command non-interactive);

-p sets the archive password.

Here we use a detect as the name of the archive. The file name can’t contain a colon that is why we replaced the colons with underscores.

After that, the processed file can be deleted:



Execute the command del "D:\test\sample\1.exe". This line is not mandatory, and sometimes it even gets in the way. For example, when several malicious files are in a self-extracting archive, that file will have several detects, and if it is removed immediately after the first move, the archives for the other detects will be empty.

After that we return to the top of the loop and repeat everything described above for the next line. As soon as the end of the report file is reached, the loop ends.



Once the processing is complete, close the report file.



Display message on completion.

After that we obtain the directory D:\test\detected containing all of our files:



The number of archive files is smaller than the number of files in the source directory, because some files are detected under the same name:



Code:

#!/usr/bin/perl
# detect.pl: scan a directory of samples with the Kaspersky scanner, then move
# every detected file into a password-protected ZIP named after its detect.
use strict;
use warnings;

# First argument: directory with the samples (required).
if ( !defined $ARGV[0] || $ARGV[0] eq "" )
{
        die "Must specify path to the directory with samples\n";
}

my $DirToNotDetected = $ARGV[0];

# Second argument: directory for detected files (optional, default: <samples>\detect).
my $DirToDetected;
if ( !defined $ARGV[1] || $ARGV[1] eq "" )
{
        $DirToDetected = $DirToNotDetected . '\detect';
}
else
{
        $DirToDetected = $ARGV[1];
}

mkdir("$DirToDetected");

my $PathTo7z = 'C:\Program Files\7-Zip';
my $pass     = 'password';

my $PathToKasper =
  'C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0';

my $KasperLogDir = "$DirToDetected";

# /fa - all files, /i0 - report only (no cure), /RA: - log all events to the file
my $KasperCMDLine =
"\"$PathToKasper\\avp.com\"  SCAN /fa /i0 /RA:\"$KasperLogDir\\kasperlog.txt\" \"$DirToNotDetected\"";

system("$KasperCMDLine");

unless ( open( INFILE, "$KasperLogDir\\kasperlog.txt" ) )
{
        die("Cannot open input file $KasperLogDir\\kasperlog.txt\n");
}

my @file_to_parse = <INFILE>;

foreach my $line (@file_to_parse)
{
        chop($line);    # drop the trailing newline
        # only lines where "detected"/"suspicion" is a whole tab-separated field
        if ( $line =~ /\tdetected\t|\tsuspicion\t/ )
        {
                my @arr = split( /\t/, $line );
                my $detect = $arr[3];
                $detect =~ s/:/_/g;    # a colon is not allowed in a file name
                # "path//packer//...": keep only the path in front of the first slash
                if ( $arr[1] =~ /\// )
                {
                        @arr = split( /\//, $arr[1] );
                        $arr[1] = $arr[0];
                }
                my $path_name = $arr[1];
                system("\"$PathTo7z\\7za\" a -tzip \"$DirToDetected\\$detect.zip\" \"$path_name\" -y -p$pass");
                system("del \"$path_name\"");    # optional, see the note above
        }
}
close(INFILE);
print("Done!\n");
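As an added example (not the article's script), the report-parsing part of that loop isolated into functions, so it can be run against a constructed report without the scanner or 7-Zip; the report lines, including the clean file named detected.exe that must not match, are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not the article's script: the log-parsing logic of the loop
# above, applied to a constructed Kaspersky-style report held in memory.
use strict;
use warnings;

# Parse one report line; returns [path, detect] for a tab-bounded
# "detected"/"suspicion" record, or undef for any other line.
sub parse_report_line {
    my ($line) = @_;
    $line =~ s/\r?\n\z//;    # like chop(), but also strips the CR of a CRLF file
    return undef unless $line =~ /\tdetected\t|\tsuspicion\t/;

    my @arr    = split /\t/, $line;
    my $detect = $arr[3];
    $detect =~ s/:/_/g;      # colons are not allowed in Windows file names

    # "path//packer//packer2": keep only the part before the first slash
    my ($path_name) = split /\//, $arr[1];
    return [ $path_name, $detect ];
}

# Parse a whole report (one string); returns a list of [path, detect] pairs.
sub parse_report {
    my ($text) = @_;
    my @hits;
    for my $line ( split /\n/, $text ) {
        my $hit = parse_report_line($line);
        push @hits, $hit if $hit;
    }
    return @hits;
}

# Constructed report (sample data): a packed detection, a clean file whose
# name contains the word "detected", an unpacked detection with a colon in
# the detect name, and a "suspicion" record.
my $sample_report = join "\n",
  "2009-08-16 12:32:35\tD:\\test\\sample\\1.exe//PE_Patch.UPX//UPX\tdetected\tTrojan-GameThief.Win32.OnLineGames.bmtc",
  "2009-08-16 12:32:36\tD:\\test\\sample\\detected.exe\tok",
  "2009-08-16 12:32:37\tD:\\test\\sample\\2.exe\tdetected\tnot-a-virus:AdWare.Win32.Agent.pgv",
  "2009-08-16 12:32:38\tD:\\test\\sample\\3.dll\tsuspicion\tHEUR:Trojan.Win32.Generic",
  "";

# Show what the article's script would archive: file path and archive name
for my $hit ( parse_report($sample_report) ) {
    printf "%s -> %s.zip\n", $hit->[0], $hit->[1];
}
```

Running it lists three files (1.exe, 2.exe and 3.dll) with their archive names, and detected.exe is skipped because its "detected" is part of a path rather than a tab-separated field.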
 




Dmytro Krasylnikov
"Design and Test Lab", Ltd. 2011
/specially for /

Tag: perl


Security: Microsoft Virtual PC 2007
09 Nov 10 at 15:07
This article examines the next virtualization product, Microsoft Virtual PC 2007. It is a free program, but it has not gained wide usage. Perhaps this is due to a lack of information about Virtual PC, while there is a lot of information on the Internet about the virtual machines from Sun and VMware. In addition, being tied to Microsoft products as the host system may be critical for some users. While we can't do anything about the cross-platform issue, we can at least contribute more information about this product.

You can download Microsoft Virtual PC 2007 from the official website: http://www.microsoft.com/downloads/details.aspx?FamilyID=28c97d22-6eb8-4a09-a7f7-f6c7a1f000b5&displaylang=en. Note that a version with the Service Pack built in is available. This is important because Virtual PC will not run on Windows Vista SP1, or even Windows XP SP3, without this Service Pack. The download size is about 30MB (it must be noted that this is the smallest download size among all the virtual machines described); both 32- and 64-bit versions are available.

Go on to the installation:



Security: VMware. Vol.2 - Player
25 Oct 10 at 11:45
In this article we will continue to consider the popular virtualization software products. Today we will discuss the VMware Player. This is a freeware program from VMware, an established virtualization company.

It can be downloaded from the official site – http://downloads.vmware.com/d/info/desktop_downloads/vmware_player/3_0/

VMware Player can be used by anyone to run 32- and 64-bit guests in virtual machines on a Windows or Linux PC. Sizes range from 75 to 89 MB.

If you’re downloading from the VMware site, registration is required which includes providing a lot of information.

The current version at the time of writing this article was VMware Player 3.0.

Security: VMware. Vol.1 - Workstation
11 Oct 10 at 11:54
This article is the second in a series devoted to virtual machines. This time we will discuss one of the most popular solutions in the virtualization area, VMware Workstation.

VMware Workstation version 7 will be considered.

It can be downloaded from the official website - http://www.vmware.com/products/workstation/.
To try Workstation Free for 30 Days you should register. Simply complete the registration form:



After the form is completed you will receive a download link for the trial version of the product and a trial serial number by e-mail. The installation package is 512 MB in size. The Linux "bundles" are 271 and 277 MB for the 32-bit and 64-bit versions, respectively.
