RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

["Jim" <jimhoward300 () hotmail com>]

Replying to the original writer (Gene LeDuc) - If an NT or 2K system
boots up and it says it is missing the boot.ini file (I guess that's
what happened), the immediate solution is to boot the computer from the
floppy drive with an NT/2K boot disk.  This is a diskette that simply
has the boot.ini, ntldr, and another file (slips from memory -
ntdetect?), copied to it.  This will launch your NT/W2K system just as
if you had booted from the hard drive.  Then you copy the boot.ini file
back onto the hard drive (modify it as needed) and the problem is fixed.
Copy the files onto the floppy from a working 2K machine.  

Note - this is not the installation diskettes, this is a boot disk.
Here are some instructions I found on the net (what he doesn't say is
that you can copy these files from any Windows 2000 computer - you may
have to modify the boot.ini on the floppy, in the event that you don't
have a default setup):

<<<<<
To make a simple boot disk that will allow you to boot into Windows 2000
in the event that your one or more of your boot files is corrupted, e.g.
boot.ini or ntldr, you can make a single boot disk by formatting a
floppy disk in Windows 2000, and then copying the following files from
your active partition e.g. C:\ to your newly formatted floppy: boot.ini,
NTLDR, bootsect.dos, ntbootdd.sys (you will only need this file if you
are using scsi(X) in the boot.ini file, see above) and ntdetect.com.
Then if you are unable to boot into Windows 2000 for any reason simply
insert the Boot Disk, and the loader menu will appear, and you can boot
as normal.
> > > > >

Also, the boot.ini file is simply a small text file, and has nothing to
do with the NIC (although an unexpected reboot may have deleted the
boot.ini file somehow).

Jim


-----Original Message-----
From: Ansgar Wiechers [mailto:bugtraq () planetcobalt net] 
Sent: Wednesday, June 18, 2003 7:50 PM
To: security-basics () securityfocus com
Subject: Re: Digital Evidence Question - What is an effective Windows
hard -disk search tool?

On 2003-06-18 Gene LeDuc wrote:
> > It funny that this discussion started in the last few days..  As
> > Murphy would have it, last night while installing a new nic card.
> > Something happened to the boot.ini file and corrupted it. I don't
> > know how or why except the possibility of it writing to the boot.ini
> > file the nic information.  I don't think that this information is
> > stored in the boot.ini file but maybe.  Anyway the problem I ran into
> > is that the win would not load and I couldn't recover it.  (No safe
> > mode, no fixboot, no fixmbr, nothing)  I figured I would just overlay
> > an OS on top of the old one and then recover the information, no luck
> > the process would not perform unless I format.  Great...  If you know
> > what I mean.  I have been researching free tools to recover lost data
> > but no real luck in a software that performs properly.  I was
> > wondering if anyone has/knows of one.  Looking to recover my office
> > files - *.xls, *.pst file and *.doc files.
>
> If all you want to do is recover the info, you can attach the hard
> drive to a linux box and mount the NTFS partition.  From that point
> you can browse the NTFS file system and copy any files you want.
> Depending on the flavor and version of linux, you may have to load an
> NTFS driver; I believe sourceforge has a read-only driver.  If you
> don't have a linux box hanging around then I suppose you could also
> attach the drive to another MS box and access it natively.

Most distributions provide (read-only-)access to NTFS out of the box,
since it is part of the official kernel. The only exception I know of is
RedHat (you have to install the driver yourself there).
If you don't happen to have a Linux box you could try tomsrtbt [1] which
runs from a single floppy disk. With another harddisk in the box you can
easily copy the files you want to preserve onto the second harddisk. Use
FAT32 as filesystem for the second harddisk so it will be read- and
writable from Windows as well as from Linux.

[1] http://www.toms.net/rb/

Best regards
Ansgar Wiechers

------------------------------------------------------------------------
---
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top
analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access
in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------