or, How to use a Knoppix to recover a Windows system
About a week ago, I got a call from my Dad. When he logged into his desktop at home, Windows 2000 was acting like this was the first time he’d logged in. His My Documents was empty, and his e-mail was gone. Thanks to a remote access tool I have, I was able to determine that the files were still there, but that Windows had, for some reason, created a new profile for him. His docs and e-mail config were in another folder, which was at least somewhat comforting. After spending several hours trying to restore his profile, I had to throw in the towel, and suggested he take it to a local computer shop.
Well, the situation deteriorated, and the files seemed to have dissapeared. Unfortunately, the local computer shop wasn’t able to find any files, though I suspect they didn’t really try any serious data recovery efforts. Since it was unclear as to whether the issue was some sort of virus, or a weird drive failure, I hopped on the train with my laptop, USB drives, and a new hard drive, ready to recover files.
First things first – I booted the system, and ran the usual batter of virus and spyware scans. The virus scan came up empty handed, and the spyware scans didn’t show anything of consequence. However, I did notice that the “ask.com” toolbar was installed for Internet Explorer. Most of these toolbars are benign on their own, but can open up your system to all sorts of nasty things. As it was, I found an article indicating that there was a serious flaw in the toolbar, which would allow remote control of a computer. Naturally, I pulled it out, but that still left me with the problem of the missing files. Luckily, I had a copy of the Knoppix 5.1 ISO file.
I booted up the desktop using a burned copy of Knoppix, and used the ntfsundelete utility to see if there were any files still on the drive. I lucked out, and it looked like the majority of the files my parents needed were still on the disk. Using an external drive, I managed to recover the docs, as well as the PST files for Outlook, and their digital photos. All seemed well, until I discovered that even some of the files that ntfsundelete indicated had been recovered were garbled or just couldn’t be opened. At least the PSTs were intact, as well as a few of the key document files.
I managed to get a hold of a friend with a Windows app called OnTrack EasyRecovery. I ran their data recovery, and found about the same number of files, but the tool that really had me interested was their File Repair – specifically WordRepair. Unfortunately, it only seemed to partially ungarble some of the garbled Word docs. Still, it’s got a nice interface, and I have to admit, using the command-line interface for ntfsundelete was a bit of a pain sometimes, since I had to go through the results to check for duplicates. However, their pricetag is around $200, and the trial version only shows you what you “could” recover (and for the record, files that the software thought it “could” recover were just as garbled as the ones ntfsundelete grabbed).
In conclusion, I recommend using ntfsundelete on a copy of Knoppix, and spend the $200 on a new drive…and maybe some sort of backup media.