
Anyone remember Command Line Commands - I have a VERY urgent challenge!


-JD-

Guys,

 

Got a real pain in the arse problem for someone if they can help - I'm trying to rescue files from a friend's Windows hard drive... god knows how she's done it but it's absolutely screwed, to the point where I can only access it via safe mode with command prompt in Vista (don't ask why, it's just the only thing that works - tried everything!). I've been trying to remember back to my DOS days and for the life of me can't figure this one out:

 

Basically, the hard drive is NTFS and has 2 partitions - one I have rescued all the desired data from, but the other partition contains the elusive "My Documents" folder which I can't access as the admin account on the laptop I'm using obviously doesn't have the correct permissions to gain access to the user folder with "My Documents" in it. I've tried the old subinacl/xcacls method, and subinacl says it's added admin ownership but when I try to use xcacls to change the permissions I get an access denied message, same as I do when I just try and access the directory normally. Anyone got any idea how I can get into this folder? Or at least copy it over to another hard drive that I can access from Windows (this HD just kills normal Windows as soon as it's plugged in), obviously it goes without saying that the Windows installation on the HD I'm trying to rescue is screwed, so can't get into it that way.

 

Any ideas/useful commands to try would be GREATLY appreciated as it is getting harder and harder to actually access this partition, and I REALLY don't think I can chance unplugging it or even restarting again...

 

Shame my friend doesn't know how to back stuff up, eh?

 

Cheers!

 

-JD-


I would not mess with an already f**ked up HD in Windows...

 

Why not fire this machine up with a security Linux Live CD and use some forensic appz to get access to the data? and move it to some external HD? Backtrack (www.remote-exploit.org) always does a great job for me when it comes to reanimating dead Windozes... *lol*

 

Or if you are uncomfortable with Linux: there are some good Windows-based LiveCDs around as well (Diamond Boot CD etc.), just check the usual suspects (little green demons etc.)

 

Cheers and good luck!!



Hey! Thanks for the tips... tried Ubuntu a coupla times but to no avail... for some stupid reason the only thing that can read it is command prompt. Think I've got it now though...

 

Cheers anyway!

 

-JD-


Ubuntu is a nice windowsish Desktop-Linux, but worthless for critical jobs like that...

 

Honestly - grab Backtrack or System Rescue CD - they mount everything that is still technically alive... ;-)

And Backtrack can do a few other tricks as well (reading raw partition data with forensic apps - same stuff the cops use when they confiscated your PC and recover the data you erased in panic... *lol*) - but that takes some time reading man pages.

 

AFAIK you have very little chance breaking in on the Windows CLI.

and very good chances that every boot of the crippled Windoze makes things worse...

 

good luck, mate!


A) Use PQ Magic to convert NTFS back to FAT32... by doing so you permanently remove all encryption on the entire drive and files...

 

B) Boot using something called Hiren's Boot disc... and use the password removal tools to get into the SAM files on the Windows and remove the password and protection that way...

 

C) Mount the drive in an external IDE case, plug it into USB and log in as administrator on your PC to get by protection...

 

D) Download and use the Windows XP LiveCD or the new Windows Vista Live CD and log in...

 

E) Booting into a live Linux CD might do it too


Another option is to install dd_rescue and dump the whole partition to an image file. I've done this on several occasions to extract data from messed up drives. dd_rescue is like dd but it ignores errors on the disk and sector-reads the whole thing. It can also be run several times, accumulating data from areas it didn't get on the last run.

A really nice forensic tool, I use it in combo with various commercial apps, depending on the filesystem I´m trying to retrieve.

More info can be found here:

http://ddrescue.darwinports.com/

I can't remember whether I compiled it or got it through Darwinports.

 

This may not be the most newbie-friendly way, but it is definitely a powertool worth checking out.

 

Cheers!

Howard
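
The multi-pass behaviour described in the post above (skip unreadable sectors instead of aborting, then retry only the gaps on later runs), as an added sketch that is not part of the original thread and is not dd_rescue's own code. The names `rescue`, `rescue_pass` and `FlakyDisk`, the 512-byte sector size and the simulated disk are assumptions made for the illustration.

```python
SECTOR = 512  # assumed sector size for this sketch


def rescue_pass(read_sector, image, pending):
    """Try each pending sector once; return the set that is still unreadable."""
    still_bad = set()
    for lba in sorted(pending):
        try:
            data = read_sector(lba)
        except OSError:
            still_bad.add(lba)  # note the gap and move on, unlike plain dd
            continue
        image[lba * SECTOR:(lba + 1) * SECTOR] = data
    return still_bad


def rescue(read_sector, n_sectors, max_passes=3):
    """Image a source over several passes; returns (image, unreadable_lbas)."""
    image = bytearray(n_sectors * SECTOR)  # unread sectors stay zero-filled
    pending = set(range(n_sectors))        # plays the role of the map/log file
    for _ in range(max_passes):
        pending = rescue_pass(read_sector, image, pending)
        if not pending:
            break
    return bytes(image), sorted(pending)


class FlakyDisk:
    """Constructed source: listed sectors fail a fixed number of reads."""

    def __init__(self, n_sectors, failures):
        self.data = bytes(i % 251 for i in range(n_sectors * SECTOR))
        self.failures = dict(failures)  # lba -> remaining failed reads

    def read_sector(self, lba):
        if self.failures.get(lba, 0) > 0:
            self.failures[lba] -= 1
            raise OSError(5, "Input/output error")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def demo():
    """Sectors 3 and 7 recover on retry; sector 9 never becomes readable."""
    disk = FlakyDisk(16, {3: 1, 7: 2, 9: 99})
    image, bad = rescue(disk.read_sector, 16)
    good = sum(image[l * SECTOR:(l + 1) * SECTOR] ==
               disk.data[l * SECTOR:(l + 1) * SECTOR] for l in range(16))
    return good, bad


if __name__ == "__main__":
    print(demo())
```

All further recovery work is then done on the image rather than on the failing drive, and the list of unreadable sectors records which parts of that image are gaps.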


I think the 'access denied' msg in this case is probably ms-speak for 'unreadable data' rather than any permission problem.

 

My approach in this case would be:

 

1) Take a forensic image of the entire drive using one of the tools already recommended, or obtain Encase from somewhere, or speak to your local friendly Law Enforcement or Big Computer Company contacts to see if someone can slip in a forensic image for you;

 

2) Obtain a copy of SPINRITE - this magic program can actually recover unreadable data, restore broken HDDs to function long enough to get stuff off and generally refresh even a working drive. Yes, it costs money to buy, but it's proved worth its weight in gold to me over the years;

 

3) Put the drive in a sealed plastic bag in the freezer for 24 hours before trying to read it - yes, this really works with some dodgy drives, I've used this trick more than once.

 

The forensic image is a failsafe in case nothing else works; Encase in particular will keep on trying to read something for many cycles more than Windows would before giving up. Spinrite is fantastic and if this doesn't work nothing will. The freezer trick is useful if other methods fail. Good luck!
