April 12, 2005

Has your hard drive’s partition ever crashed out, and that too just 15 minutes before delivering a presentation to a customer? Or perhaps some virus, worm or Trojan crept into your network and choked the wits out of your bandwidth. How about this? A hacker managed to get into your machine (remotely or locally) and tampered with your corporate information. You know it’s happened, but need to give your boss authentic proof of the incident, which can later be used as evidence for the cyber crime. 

While there are ways of securing your system against hackers and worm attacks, what do you do if you’ve lost data? That’s when you wish you had something to help recover your valuable data. This story is about ‘that something’, known as live rescue CDs. A live rescue CD is nothing but a customized live CD containing specific tools for rescuing partitions and data, and even a few network-monitoring tools. The best thing about these CDs is that they can run on any machine, and most of them can read all standard partition types without any configuration. We’ve thoroughly evaluated four live rescue CDs to help you choose the right one for your needs. We’ve even given their ISO images on this month’s DVD. You can burn them to a CD using any CD-burning software, like Nero. Using them is simple.

Just insert the CD into a drive, reboot the machine, and make sure that the BIOS is set to boot from the CD drive. A word of caution before we proceed any further: while booting these CDs is pretty easy, using them isn’t. You need a good working knowledge of Linux as well as PC hardware. None of the live CDs came with any proper documentation, so you’ll have to figure out which tools are bundled with each and then look up their individual websites for usage information. Therefore, we strongly suggest that you first try them out on a test machine and understand fully how to use and operate them before using them on a real system.

How we tested 
While testing these CDs, we had three things in mind. First, whether it could recover deleted partitions or not, and if yes, then which partition types, e.g. NTFS, ext2 and ext3. The next thing we tested was ease of configuration and usage. Finally, we looked at how many tools it included for monitoring and assessing a network.

For testing the partition-recovery capabilities, we took a standard P4 machine with 256 MB RAM and a 40 GB hard disk and installed Linux on it. Then we used a standard DOS bootable floppy to run the fdisk command and delete all partitions. We then booted the machine with the live CD and tried to recover the partitions. We then installed Windows XP on the same machine with the NTFS file system and repeated the same process. We also tried to destroy the MBR and then recreate it using the live CDs. We also tested the forensic tools to check whether they can do data recovery or not. To test them we created and deleted some documents in both NTFS and ext3 partitions and tried to recover them as well. At the end of our evaluation, we found the ‘Fire’ live rescue CD to be the best of the lot. It was a complete rescue CD having everything you might need after your machine’s been compromised. The name FIRE comes from ‘Forensic and Incident Response Environment’, which gels with the performance we got from the CD. We found that this live CD had the most software for data recovery, forensics, network assessment and anti-virus.

By Anindya Roy and Sanjay Majumder

F.I.R.E : Forensics, data recovery and network monitoring in one neat package

Fire is a full-fledged forensics rescue CD, which has tools like TCT, tctutils, graverobber, fatback and autopsy. These tools recover lost data and other fingerprints of lost data. In addition, it has a virus scanner (f-prot), which can scan for viruses on any Linux or Windows machine. This anti-virus can be updated either from the Internet or from an update floppy. It also has a partition-recovery tool (parted) that can recover data from Linux, BeOS and Windows. To recover the partition table, you can use ‘gpart’ or TestDisk. gpart scans your whole hard disk and recovers the table, whereas TestDisk can do both partition and data recovery.

Other than this, it has a few network tools such as ethereal and dsniff for network analysis. If you want to audit your network utilization then it has ‘argus’, an open-source project that generates reports of your network utilization. In addition, you can quickly install an IDS (Intrusion Detection System) on your network using the AIDE (Advanced Intrusion Detection Environment) tool. To use the FIRE rescue live CD, you need to boot your machine from this CD and type ‘3’ at the boot prompt to boot into graphical mode; otherwise it will boot into text mode. Once it’s booted, you will get a GUI interface with four open terminal windows. Now, on right-clicking on the GUI screen you will get a context menu, which includes basic tools for networking and forensics. You can use them according to your needs, or you can use a terminal window to run the advanced tools. In the shootout, this had the largest number of forensic tools compared to the other live rescue CDs. Overall it’s a complete tool kit for forensic experts.

This is the GUI of Fire. To access the menu right click on the interface

In our tests, the CD was able to recover both NTFS and Linux partitions. It was also able to recover deleted files from NTFS and ext3 file systems completely by using autopsy. The gpart recovery tool, which was also available in LNX-BBC, took two and a half hours to rescue a 10 GB partition from a 40 GB disk. The other partition-recovery tool, TestDisk, also took a long time, but was faster than

LNX-BBC : Rescue CD with a small footprint

LNX-BBC was the tiniest rescue CD in the shootout. At only 50 MB, this live CD can recover your lost Linux ext2, ext3, LVM and Windows partitions. The best part is that, because of its small size, it can be burnt on to a small business-card-shaped CD. That’s also where it gets its name from: Linux Bootable Business Card, or BBC for short. Apart from other developer projects, it has rescue and forensic tools like ‘gpart’ and ‘graverobber’. To recover and rebuild a lost Linux partition, simply boot from this CD, and you will get a login prompt. Log in as root without a password and you will get a bash prompt. Finally, run the following command from the prompt:

# gpart /dev/hdb (the device name /dev/hdb may vary according to your system)

The above command will search your entire hard disk and guess your partition table. After scanning the hard disk, you will get a list of partitions. However, this tool takes a lot of time to scan for the lost partitions, so you need to have patience. The next step is to write the recovered partitions back to the MBR. To do this, run this command:

# gpart -W /dev/hdb /dev/hdb

Choose the resolution to boot in

This command will scan your entire hard disk and give a list of supposed partitions. It will also ask you whether you want to write the recovered partition table back to the MBR. Just type in the partition number as shown in the list and you will be able to recover the lost partition on your Linux machine.

Unfortunately, scanning takes a lot of time depending on your hard disk size. 

Being a small distro, it has a limited number of rescue tools. It comes with gpart for partition recovery, which was also there with FIRE, so there was no difference in its functionality.

Hackin9: Network monitoring and investigation, but no data recovery

Well, this is more of a rescue CD for the network rather than for data. It’s a full GUI-based live CD like Knoppix and has all possible tools for assessing a network. If you suspect that your corporate network is being attacked, then this is the right CD. Apart from data or partition recovery, it has all the network and forensic tools that a network administrator needs. You just need to boot any machine connected to your network with this CD and you are ready to use it.

The live CD not only detects the source of hacking attempts, but also assesses your in-house network vulnerabilities using Nessus and gives nice reports. It has a good collection of sniffing tools like ethereal, ettercap, etherape, dsniff and many others. If you have a wi-fi network then you can run Kismet to sniff wireless traffic. It also has wireless drivers for the Centrino chipset. Like Knoppix, you can work on this distro and save the work on a local hard drive or anywhere on the network. You can even use the same distro to dial to the Internet using

GUI of Hackin9 from where you can run the basic network assessment tools and configure the interface

If you want to do a forensic survey on any hard drive then you can use the sleuthkit tools to accomplish the task. Overall it’s a handy tool kit for network administrators.

This CD doesn’t have any partition or data-recovery tools. So we were not able to run the recovery tests on it. We did run the sniffers and Ntop. The best part is that you don’t have to configure these. They work fine with the default config. We used ettercap to sniff data on the network. The only drawback is that you can’t store the log files generated by any sniffer, unless you mount a hard drive and save them there. 

Plan-B: With lots of pre-configured scripts, even newbies will find this easy to use

Plan-B is another live rescue CD, based on Red Hat Linux, and has a set of forensic and data-recovery tools such as autopsy, foremost, sleuthkit, BCWipe and DCLF-DD. However, it doesn’t have gpart as a partition-recovery tool like the other two distros we checked; instead it comes with parted, another partition-manipulating program. But in this case the partition detection is not fully automatic: you have to know the size of the deleted partition to make a calculated guess when repairing it.

It also has a few network-security tools to investigate a network: SARA, Ntop and Nessus. The best thing about these tools is that they require zero configuration. You just have to run the shell scripts placed in /root/bin to start the services. It can start Ntop with its default configuration, open up the browser and show its interface just by running a shell script.

One other attractive feature is a BIOS password recovery tool, which recovers CMOS passwords. On the security front, it gives a long list of tools, from creating a firewall to deploying a quick IDS around your network. Like Fire and Hackin9, it has a GUI interface, and by right-clicking anywhere on the GUI you can access a few of the GUI tools. Plan-B is an all-in-one toolkit for security experts, and even for those who are not very good with Linux configuration files. It contains lots of pre-configured scripts, which make it easy to use even for

Plan-B gives you options to boot into various processor architectures, so select the one that your hardware supports

While doing the tests we found that parted does not automatically search for deleted partitions. That’s why initially we ended up with an NTFS partition of the wrong size, which wasn’t accessible at all because we didn’t provide the correct partition size information. So we recommend keeping a record of your partition sizes.

But if you know the exact size of the deleted partition then recreating it with ‘parted’ is really easy and fast. It just takes a couple of minutes to do it.
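The gpart walk-through in the LNX-BBC section guesses partition boundaries from scratch, and the Plan-B notes above show that parted needs the exact size of a deleted partition; the script below is an added example (not code from the article or from any of the reviewed CDs) that records a disk’s MBR partition table while it is still intact, so the exact start and size figures are on hand for a later parted or TestDisk rescue. It assumes a POSIX sh with GNU dd, od and awk, and works on a constructed 512-byte sample MBR rather than a real disk; the device name /dev/hda in the usage line is a placeholder that varies by system.

```shell
#!/bin/sh
# Added example, not code from the article or from any of the reviewed CDs.
# Records a disk's MBR partition table while it is still intact, so a later
# parted/TestDisk rescue has exact start and size figures instead of guesses.
# Assumes POSIX sh with GNU dd, od and awk. The sample MBR below is
# constructed for illustration; a real target would be a device such as
# /dev/hda (placeholder, device names vary by system).

# backup_mbr DEVICE OUTFILE: copy sector 0 (boot code, partition table and
# the 0x55AA signature) to OUTFILE. Restoring it later is the reverse dd.
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# list_partitions MBRFILE: print "slot type_hex start_lba sectors" for each
# used entry. The table starts at byte 446 and holds four 16-byte entries;
# in each entry the type is byte 4, the start LBA is bytes 8-11 and the
# sector count is bytes 12-15, both little-endian.
list_partitions() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "no MBR signature in $1" >&2; return 1; }
    od -An -v -tu1 -j 446 -N 64 "$1" | tr -s ' \n' '  ' | awk '{
        for (i = 0; i < 4; i++) {
            b = i * 16
            ptype = $(b + 5)
            start = $(b + 9)  + $(b + 10) * 256 + $(b + 11) * 65536 + $(b + 12) * 16777216
            size  = $(b + 13) + $(b + 14) * 256 + $(b + 15) * 65536 + $(b + 16) * 16777216
            if (ptype != 0) printf "%d %02x %d %d\n", i + 1, ptype, start, size
        }
    }'
}

# make_sample_mbr OUTFILE: build a constructed 512-byte MBR with two entries:
# slot 1 bootable NTFS (0x07) at LBA 2048, 20971520 sectors (10 GiB);
# slot 2 Linux (0x83) at LBA 20973568, 10485760 sectors (5 GiB).
make_sample_mbr() {
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null
        printf '\200\000\000\000\007\000\000\000\000\010\000\000\000\000\100\001'
        printf '\000\000\000\000\203\000\000\000\000\010\100\001\000\000\240\000'
        dd if=/dev/zero bs=32 count=1 2>/dev/null
        printf '\125\252'
    } > "$1"
}

# Stand-alone use against a real disk (as root): sh mbr_record.sh /dev/hda mbr.bak
if [ $# -eq 2 ]; then
    backup_mbr "$1" "$2" && list_partitions "$2"
fi
```

Keep the backup file and the printed list off the disk they describe; the list gives parted the exact start sector and length for each partition, and the backup can be written back with the reverse dd if only the table was lost.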

Features table

Sizes are in MB. Three column headings did not survive in the source; those cells are listed under "Other columns" in their original order.

Plan-B (657 MB)
  Partition types: Fat/NTFS, LVM, ext2, ext3, Reiser FS, BeOS, QNX 4
  Partition table recovery tools: parted
  Network monitoring tools: SARA, Nessus, Ntop, Ettercap, Dsniff
  Interface: GUI
  Other columns: None, None, None

Hackin9 (496 MB)
  Partition types: None
  Partition table recovery tools: None
  Network monitoring tools: SARA, Nessus, Ntop, Ettercap, Dsniff, Kismet and many more
  Interface: GUI
  Other columns: None, None, None

LNX-BBC (47 MB)
  Partition types: Fat/NTFS, LVM, ext2, ext3, Reiser FS, BeOS, QNX 4
  Partition table recovery tools: Gpart
  Network monitoring tools: None
  Interface: Terminal
  Other columns: None, None, None

FIRE (578 MB)
  Partition types: Fat/NTFS, LVM, ext2, ext3, Reiser FS, BeOS, QNX 4
  Other columns: autopsy; TCT, Autopsy, Sleuthkit
  (the remaining cells of this row are cut off in the source)
