Curious conspiracies… or maybe just progress all at once

In the wake of Truecrypt’s sudden implosion, someone sent me a link to this curious blog post. I can see why many people might find the timing interesting, but there are a number of details this particular blog post doesn’t get correct, and it actually spends most of its time talking about stuff that has little or nothing to do with Truecrypt.

What’s unclear to me is whether he’s trying to say the industry is deliberately sabotaging Truecrypt, or if he’s simply trying to make a list of things that are making life difficult for Truecrypt. His post bothers me a lot less if it’s just a laundry list of challenges, but either way, the inaccuracies remain.

An SSD data loss issue–and how to prevent it

Longtime reader Dan Bowman–probably my very first reader, come to think of it–sent in this article from Infoworld regarding SSDs and data loss in power failure.

It’s not theoretical. I’ve seen it. I also know how to prevent it.

Beware the Mebromi, my son: BIOS infections

Symantec has identified Mebromi, a piece of malware that not only infects the MBR, but also infects the Award BIOS. BIOS infections are very difficult to detect and eradicate.

By hooking into the BIOS, Mebromi can easily re-infect a system the next time you reboot. Which is exactly what it does.

How to clean an MBR and recover drive partitions

Sometimes it’s necessary to recover drive partitions because you accidentally repartitioned a drive you didn’t mean to, or because your MBR got infected or otherwise trashed. Here’s how to recover them, for free.

Infecting MBRs with malware is popular with virus writers again. And I fully expect chaos to ensue, because that’s what happened the last time there was more than one virus floating around that infected MBRs. They quit doing it for a good reason.

So here’s how to clean up the mess when an MBR gets infected, or when multiple infections blitz the MBR and the hard drive loses the ability to boot, displaying only a message like “Missing Operating System” or “Operating System Not Found.”

We’ll be using the Gparted Live CD. Many Linux live CDs have the proper tools, but GParted works well and it’s a small download. You can try to use another Linux live CD, and it will work fine, but the icons might not all be where I say they are.

MBR rootkits don’t mean you have to wipe the drive

There’s a nasty rumor going around that if your computer gets infected with the Popureb rootkit, your only recourse is to wipe your MBR, reformat your hard drive, and reinstall (or run your factory recovery disk, which is essentially the same thing).

Not so fast.

A free SSD alignment tool

We’ve talked recently about the importance of aligning your partitions on your SSD or your RAID array. What if I told you you could align an SSD or RAID array for free? Here’s where to find a free SSD alignment tool–it’s just not normally billed as such.

Alignment helps performance, sometimes tremendously, and it also dramatically improves your SSD’s life expectancy. Newer versions of Windows automatically align their partitions, but only if you do a clean installation to an empty drive. Older versions of Windows created their partitions starting at sector 63, for tradition’s sake. Maybe moving off sector 63 made dual-booting with Windows 9x harder.

Two readers, Jim and Xrocode, suggested utilities to do the job. One costs $30 and seems fairly automatic. One is free and requires a small amount of work. Grab the freebie here. It’s a 274 MB download, so it doesn’t even take all that long.

Operating System Not Found, Missing Operating System, and friends

So the PC that stored my resume got kicked (as in the foot of a passer-by hitting it) and died, and the backup that I thought I had… Well, it wasn’t where I thought it was.

Time for some amateur home data recovery. Here’s how I brought it back. This machine ran Windows 2000. The first trick to try on any machine running any flavor of Windows is to boot from a DOS boot disk containing FDISK.EXE and issue the command FDISK /MBR. This replaces the master boot record. A corrupt MBR is the most common malady that causes these dreaded error messages, and this is the easiest fix for it.

That didn’t work for me.

The second trick is to use MBRWork. Have it back up the first sector, then have it delete the boot record. Then it gives you an option to recover partitions. Run that, then run the option that installs the standard MBR code. I can’t tell you how many times this tool has made me look like I can walk on water.

No dice this time either.

Next I tried grabbing the Windows 2000 CD and doing a recovery install. This has brought systems back to life for me too. Not this time. As happens all too often, it couldn’t find the Windows 2000, so it couldn’t repair it.

The drive seemed to work, yet it couldn’t boot or anything. I could have and probably should have put it in another PC to make sure it was readable. But I didn’t have a suitable donor handy. Had there been such a system, I would have put the drive in, checked to see if it was readable, and probably would have run CHKDSK against it.

Lacking a suitable donor, instead I located an unused hard drive and put it in the system. I booted off the drive just to make sure it wasn’t a hardware problem. It wasn’t–an old copy of Windows 98 booted and dutifully spent 20 minutes installing device drivers for the new motherboard hardware. So I powered down, installed both drives, and broke out a copy of Ghost.

Ghost, as I have said before, doesn’t exactly copy data–what it does is better described as reinterpreting the data. This allows you to use Ghost to lay down an image on dissimilar hard drives. It also makes Ghost a fabulous data recovery tool. Ghost complained that the NTFS log needed to be flushed. Well, that requires booting into Windows (and I think that’s all that’s necessary), but I couldn’t do that. It offered to try the copy anyway, so I chose that. So it cranked for about 15 minutes. I exited Ghost, powered down, and disconnected the bad drive. I powered back up, and it booted. Fabulous.

Now I can use Ghost to copy the now-good drive back over to the drive that was bad in the first place. I’ll do that, but sending out the resume takes much higher priority.

How to remember lots and lots of stuff

I’ve been slogging away in nostalgiaville, writing obscure stuff over at Wikipedia again (once an addict, always an addict, even if the addiction hurts you), and I started wondering about something. Why is 20 years ago easier for me to remember than last week?

I think there are two reasons for that, but if I go off exploring those, I’ll never get back on track. I stumbled across a web site today called Supermem. It extols the virtues of repetition for memory. It’s really heavy reading and not terribly eloquent, at least I don’t think. I think the author’s strategy is showing off how much stuff he can remember and trying to make you jealous, in the meantime arguing that even ordinary people, given enough knowledge, can become geniuses. And maybe the people he cites in his stories are examples of people who became geniuses through knowledge.

And I’ve mostly summed up what he spent pages and pages saying.

The basic premise is that knowledge isn’t everything but it sure can add value to anything else you have, and from the outside, sometimes knowledge can look like everything. But we forget lots of things. The key to remembering things is repetition. The hard part is coming up with a strategy for repetition that works.

Of course he has a solution. As you might have guessed, he wants to sell you something. In this case, it’s a piece of commercial software.

The only reason I didn’t scramble for the back button right then and there was because old versions of the program–specifically, the DOS and Win3.1 versions–are now public domain. And the program inspired a similar Linux program called Memaid. So you can try it out without spending any money.

So here’s how it works. Take some things you don’t want to forget, then figure out how to phrase them in the form of a question. Then you enter those things into the program. It drills you. And it figures out how often you need to repeat something in order to retain it.

The idea is to establish a pattern. Seek out things you won’t want to forget. Then figure out how to restate those things in Q&A form. Enter them into the program, then spend 30 minutes a day with the program. If you do both–learn at least one new thing every day and drill on the old stuff–you’ll accumulate a body of knowledge.
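The scheduling described above (the program “figures out how often you need to repeat something”) is, in the early SuperMemo versions, the published SM-2 algorithm: two fixed short intervals, then intervals that stretch by a per-item easiness factor, with a lapse sending the item back to the start. The Python below is an added example written for this page, not the program’s own code; it assumes SM-2’s published constants (starting easiness 2.5, floor 1.3, first intervals of 1 and 6 days) and uses two of the Q&A pairs from this post as a constructed deck.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Card:
    """One question/answer pair plus the SM-2 state the scheduler keeps for it."""
    question: str
    answer: str
    repetitions: int = 0      # consecutive recalls graded 3 or better
    interval: int = 0         # days between the last review and the next one
    easiness: float = 2.5     # SM-2 E-Factor: starts at 2.5, never drops below 1.3
    due: date = field(default_factory=date.today)


def review(card: Card, grade: int, today: date) -> Card:
    """Apply one SM-2 review. grade is the 0-5 self-assessment (5 = perfect recall,
    below 3 = forgotten). Updates interval, repetitions, easiness and due date in place."""
    if not 0 <= grade <= 5:
        raise ValueError("grade must be 0..5")
    if grade >= 3:
        # Successful recall: the first two intervals are fixed, after that they grow by the E-Factor.
        if card.repetitions == 0:
            card.interval = 1
        elif card.repetitions == 1:
            card.interval = 6
        else:
            card.interval = round(card.interval * card.easiness)
        card.repetitions += 1
        # Higher grades raise the E-Factor; a bare 3 still lowers it a little.
        card.easiness = max(1.3, card.easiness + 0.1 - (5 - grade) * (0.08 + (5 - grade) * 0.02))
    else:
        # Forgotten: start over with the short intervals, E-Factor unchanged (SM-2 step 7).
        card.repetitions = 0
        card.interval = 1
    card.due = today + timedelta(days=card.interval)
    return card


def due_cards(deck, today):
    """The part of the deck to drill today: everything whose due date has arrived."""
    return [c for c in deck if c.due <= today]


def interval_history(grades, start=date(2000, 1, 1)):
    """Replay a sequence of grades on a fresh card and return the interval after each review."""
    card = Card("q", "a", due=start)
    today, history = start, []
    for g in grades:
        review(card, g, today)
        history.append(card.interval)
        today = card.due            # the next review happens when the card comes due
    return history


# Constructed deck using two Q&A pairs from the post.
DECK = [
    Card("Linux command to image a floppy?", "dd if=/dev/fd0 of=floppy.img bs=18k", due=date(2000, 1, 1)),
    Card("DOS command to rewrite the master boot record?", "fdisk /mbr", due=date(2000, 1, 1)),
]

if __name__ == "__main__":
    print(interval_history([5, 5, 4, 5]))   # intervals stretch out: 1, 6, 16, 43 days
    print(interval_history([5, 5, 2, 5]))   # a lapse drops back to the short intervals
```

The 30-minutes-a-day routine from the post is `due_cards(DECK, date.today())` followed by a `review` call per card with your own 0–5 grade; items you keep getting right drift out to intervals of weeks and months, so the daily session stays short even as the deck grows.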

Here are a couple of examples from my job:

Q: What’s the optimal Linux command to create/write images of floppy disks? (The device name will vary in other Unix-like environments)
A: dd if=/dev/fd0 of=(filename) bs=18k
dd if=(filename) of=/dev/fd0 bs=18k

Q: What’s the DOS command to rewrite the boot record on a hard drive that won’t boot or has been corrupted by a boot-sector virus?
A: fdisk /mbr

Q: What’s the web site I can go to in order to find the geographic location of an IP address?
A: www.networldmap.com

And I would do well to add some specific questions to the list as well, such as, “What’s the primary nameserver at our Sunset Hills office?”

So if you want to sound like William F. Buckley Jr. and not come off like an idiot–like one person I know who likes to pepper the dictionary.com word of the day into everything he can, except he frequently misspells or misuses it–add that. If your goal is to lose as many coolness points as possible, put things like Vanilla Ice’s real name in there. If I’d known about this program when I was in college, I’d have put my Spanish vocabulary words and verb conjugations in there, and today I’d be able to say more than just hablo pocísimo español without embarrassing myself. (And for all I know, you’re not supposed to put the -ísimo suffix on poco and when I do it, I come off like someone who would say no sabo. OK, so I guess I do remember a little Spanish, but not enough to hold much of a conversation.)

It’s an interesting idea. I think I’m going to give it more than just a try.

Putting every question I ask Charlie (along with the answer) in there would be a good start.

Don’t try this at home

“What you got in that system?”
“An 850.”

“Oh. 850 MHz isn’t too bad these days.”

“No, the CPU’s a 750. The hard drive’s an 850.”

“Where’d you get an 850-gig drive?”

“Who said anything about gigs?”

Yeah, I put a computer together this week. I had problems with the hard drive. Bad problems. Like Windows won’t load anymore and it coughs up a hairball when I try to reformat the disk. Yeah. Bad news. So I sent in a clunky old Seagate 850-meg drive off the bench. Hey, I wanted to play Railroad Tycoon, alright?

Along the way I recalled a few tricks.

FORMAT C: /Q /U /AUTOTEST formats a hard drive as quickly as possible, no questions asked and none of that aggravating “saving unformat information” that takes a week and doesn’t work when you want to unformat the drive anyway.

FORMAT C: /U /AUTOTEST does an unconditional, no-questions-asked long format, but still faster than plain old format without switches.

But if you want to get a drive up and running really fast, use the GDISK utility that comes with Ghost (if you don’t have Ghost, you may be able to find an old version of GDISK online if you look hard enough, because at one time it was freely distributable):

GDISK 1 /MBR /WIPE will quickly delete all the partitions on a disk.
GDISK 1 /CRE /PRI /FOR /Q will create and format a single FAT32 partition so fast you’ll wonder what’s wrong with Microsoft. Reboot and you’re ready to rock’n’roll.

Well, as much as an 850 will let you rock’n’roll, that is. Which ain’t much. But I know I’ve got a decent hard drive around here somewhere. So I think I’ll go find it. I’ve had enough of this insanity.

And I still haven’t gotten in my game of Railtycoon.

It was a high-stakes game, and I won.

Who’s to say where the wind will take you
Who’s to know what it is will break you
I don’t know where the wind will blow
Who’s to know when the time has come around
I don’t wanna see you cry
I know that this is not goodbye
–U2, Kite

When I last left you, I was denying it was time to say goodbye to the data on a friend’s hard drive. I’d found some information on the Internet that promised to get her data back, but I hadn’t done it yet. As often is the case with the Internet, the instructions I found online for doing the job were close. They were not quite right, but they brought me close enough that I was able to make it work.

Removing Form.A from a FAT32 drive is difficult. I was able to verify its presence using the free-for-private-use F-Prot, but F-Prot wouldn’t remove it, Usenet reports to the contrary.

One word of warning: Do as I say, not as I do. The first thing I should have done was make a bit-for-bit backup copy of the drive. I didn’t do that right away. Norton Ghost will work, though it’s not exactly a bit-for-bit copy. A better approach is to get a mini-distribution of Linux and use the standard Unix dd command to make a backup copy. (For example: dd if=/dev/hda1 of=/dev/hda2 bs=1024k) Once you have a copy of the drive, work from the copy! If you don’t know how to do all this, do not attempt recovery yourself. It’s much too easy to mess up your drive beyond any hope of recovering your data. This information is presented for informational and entertainment purposes only. I make no representation whatsoever that this will work for you. For all I know it’ll install Gator on your computer and leave the dome light on in your car and erase all your VHS tapes.
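The “copy first, work from the copy” rule above is what `dd` with `conv=noerror,sync` implements on a failing drive: a block that cannot be read is replaced with zeros instead of aborting the copy, so offsets in the image stay correct, and the image is hashed so every later recovery attempt can be checked against the original capture. As an added example (not the post’s own procedure), the Python below reproduces that behaviour on file-like objects so it can be run against a constructed “drive” with one unreadable sector; the `FlakySource` class and the `DISK` bytes are constructed for the demonstration.

```python
import hashlib
import io

BLOCK_SIZE = 512   # one sector; real imaging uses larger blocks, the logic is identical


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy src to dst one block at a time, like dd with conv=noerror,sync:
    a block that cannot be read is written out as zeros and its index recorded,
    so one bad sector does not stop the rest of the drive from being saved.
    Returns (list_of_bad_block_indexes, sha256_hex_of_the_image)."""
    digest = hashlib.sha256()
    bad_blocks = []
    index = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(index)
            src.seek((index + 1) * block_size)    # step over the unreadable block
            chunk = b"\x00" * block_size          # sync: keep the image's offsets intact
        if not chunk:
            break                                 # end of device
        dst.write(chunk)
        digest.update(chunk)
        index += 1
    return bad_blocks, digest.hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Before pointing a recovery tool at an image, confirm it still matches the hash taken at imaging time."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


class FlakySource(io.BytesIO):
    """Constructed stand-in for a failing drive: any read that starts inside block
    `bad_block` raises EIO, the way a drive with one unreadable sector does."""

    def __init__(self, data, bad_block=None):
        super().__init__(data)
        self.bad_block = bad_block

    def read(self, size=-1):
        if self.bad_block is not None and self.tell() // BLOCK_SIZE == self.bad_block:
            raise OSError(5, "Input/output error")
        return super().read(size)


# Constructed 4-sector "drive" with recognisable content, and the hash a clean image should have.
DISK = bytes(range(256)) * 8
DISK_SHA256 = hashlib.sha256(DISK).hexdigest()


def demo(bad_block=2):
    """Image the constructed drive (bad_block=None for a healthy one) and return what the operator checks."""
    src, dst = FlakySource(DISK, bad_block), io.BytesIO()
    bad, digest = image_device(src, dst)
    image = dst.getvalue()
    return {
        "bad_blocks": bad,
        "digest": digest,
        "size_ok": len(image) == len(DISK),
        "verified": verify_image(image, digest),
        "image": image,
    }


if __name__ == "__main__":
    result = demo()
    print("unreadable blocks zero-filled:", result["bad_blocks"])
    print("image sha256:", result["digest"])
```

The list of zero-filled blocks is worth keeping alongside the hash: when a recovery tool later reports a damaged file, you can tell whether the damage is in a sector the drive could not deliver or something the tool introduced.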

I downloaded a utility called ivinit.exe from www.invircible.com (don’t e-mail me if their Web site is down; I could only get to their site about one time out of four myself). It’s a very limited utility; I’d chained the drive off another drive for recovery purposes but ivinit will only work on the primary partition on your C drive. So I disabled the primary drive. Ivinit found it and warned me that the MBR and its mirror didn’t match. I restored the MBR from its mirror, then rebooted. I re-enabled my primary drive, let it boot, and tried to access the drive. I got the invalid media type error again. I ran FDISK, which told me I had a single FAT32 partition. That was a good sign.

So I ran MBRWORK.exe, deleted the MBR and EMBR and told it to recover my partitions. It found a single FAT32 partition. Excellent. I rebooted, tried to read drive C, and… Yeah. Invalid media type paid me another unwelcome visit.

I ran the real-mode version of Norton Disk Doctor from a recent copy of Norton Utilities. You have to be very careful with Norton Disk Doctor; never run it unless you’re positive the version you have knows about FAT32. Otherwise, you’re setting your hard drive up for a train wreck. NDD wasn’t too happy. It wanted to scavenge and rebuild the partition table, and it didn’t offer me a chance to make a backup copy. I never let a low-level utility do anything that it won’t let me undo. I aborted.

At this point I wised up. I put an Intel 10/100 network card in the PC I was using to recover the data, plugged into my network, grabbed my magic network boot disk, and connected up to the big Windows 2000 computer I use for editing video. I ran Norton Ghost and told it to make an image of the disk. To my amazement, it found a single 3.8-gig FAT32 partition and started running through filenames!

Like I said, Ghost doesn’t normally do a bit-for-bit copy; it stores enough information to recreate a valid copy of your partition. If your partition isn’t quite valid, that means you don’t get an exact copy. The upside of that is that Ghost can be a useful data recovery tool, assuming it can make sense of your partition. And fortunately, it looks like it’ll make sense of partitions that Windows itself doesn’t want to touch.

Theoretically, I could have restored the data by just making an image with Ghost, then restoring the image immediately afterward.

Norton Disk Doctor revived the partition, and it revived it more quickly than a Ghost restore would have. Then I ran into another pitfall–everything in the root directory appeared OK, and most subdirectories one level deep were fine, but anything nested gave sector not found errors. Norton Disk Doctor offered to fix that stuff, but I had a gut feeling that I shouldn’t go that route. Any time there’s the possibility of bad sectors, I want SpinRite.

As soon as I ran SpinRite, it reminded me of why I should bring it into the game as quickly as possible. It reported that the drive’s CMOS parameters appeared incorrect and it was hesitant to continue. That’s good–incorrect CMOS parameters can cause the problems I was seeing. And trying to repair the drive with messed up CMOS parameters will lead to nothing good–something that Steve Gibson is certainly aware of, and something that Symantec may not necessarily care about. In this case, the parameters were wrong because I put the drive in another system and it defaulted to a different addressing method. Whenever you’re doing data recovery and you want to move the drive, you need to be sure you get addressing straight or you’ll do a whole lot more harm than good.

After I corrected the CMOS, a simple DIR /W /S ran through the entire drive with no complaints. Norton Disk Doctor found no filesystem errors or low-level errors. SpinRite doesn’t do anything about filesystem errors, which is why I went back to NDD–use NDD when you suspect filesystem problems, but always always turn surface-scan-type stuff over to SpinRite. And there’s no harm in running SpinRite first–it’ll alert you to problems that NDD might not notice.

Along the way I learned a whole lot more than I ever wanted to know about boot-sector viruses. AntiCMOS and Form were able to coexist together nicely, and on just about any computer purchased new between 1992 and 1996, they’d just happily infect any disk you used and you’d probably never be the wiser. With the release of Windows 95B and FAT32, Form became destructive. (Why should Microsoft test new filesystems for compatibility with old viruses?) Wendy told me the problem appeared after she left an old disk in the computer before she booted it up. I suspect their old computer picked up the virus at some point, and since it wasn’t destructive under DOS and Windows 3.1, they never noticed. The computer just happily infected disks. Boot sector viruses flourished in the early 90s, as everyone needed a boot disk to play Doom or other tricky DOS games, so people traded boot disks like recipes. As often as not, those boot disks carried viruses.

When I went to put the drive back in, the dreaded “Operating system not found” paid me a visit. I hadn’t wanted to try to boot off the drive while it was in another PC for obvious reasons. So I did the standard drill. First up: fdisk /mbr. Strikeout. Second: sys c:. Strikeout. Finally, God reached down with His two-by-four and smacked me upside the head to knock some sense into me. I ran plain old fdisk and found the problem–no active partition. So I set the partition to active, and boom. The system booted up and was its old self again. It seems like I always make that mistake.
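Several of the failure modes on this page can be checked mechanically from the first sector alone: boot code compared against a known-good copy (the MBR and its mirror disagreeing, above, is the same idea, and it is how an infection like the ones in the MBR posts earlier on the page shows up), the “no active partition” case that produces Operating System Not Found, and the legacy sector-63 start that the SSD alignment post warns about. The Python below is an added example written for this page, not a tool any of the posts mention; it builds two constructed 512-byte sectors (the boot-code bytes and partition entries are made up) and runs the checks over them. On a real system you would feed it the first 512 bytes of an image taken before any repair, with the known-good hash coming from a trusted copy of the same boot loader.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # MBR layout: 446 bytes of code, 4 x 16-byte entries, 2-byte signature
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"
ALIGN_BYTES = 4096           # assumed alignment unit (SSD page size / common erase-block multiple)
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, start LBA, sector count


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and up to four (status, type, start_lba, sectors)
    tuples. CHS fields are left zero; this builds constructed sectors for the example only."""
    if len(boot_code) != BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code must be 446 bytes and at most four entries are allowed")
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\0\0\0", pt, b"\0\0\0", lba, n)
                     for st, pt, lba, n in entries)
    return boot_code + table.ljust(4 * PART_ENTRY_LEN, b"\0") + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a raw first sector into boot-code hash, signature flag and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        status, _, ptype, _, start_lba, sectors = struct.unpack_from(
            ENTRY_FMT, sector, BOOT_CODE_LEN + i * PART_ENTRY_LEN)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"index": i, "status": status, "type": ptype,
                           "start_lba": start_lba, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector, known_good_boot_sha256=None, sector_size=SECTOR_SIZE):
    """Return human-readable findings; an empty list means nothing in the sector looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55AA missing: BIOS will report no operating system")
    if known_good_boot_sha256 and info["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code differs from the known-good copy: possible MBR infection or corruption")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not active:
        findings.append("no active partition: standard MBR code has nothing to boot")
    elif len(active) > 1:
        findings.append("more than one active partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
        if (p["start_lba"] * sector_size) % ALIGN_BYTES:
            findings.append("partition %d starts at sector %d: not aligned to %d-byte boundaries"
                            % (p["index"], p["start_lba"], ALIGN_BYTES))
    return findings


# Constructed sample: fake boot code (a few plausible opening bytes, then zero padding).
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c").ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_BOOT_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# Healthy: unchanged boot code, one active FAT32 (LBA) partition starting at sector 2048.
HEALTHY_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x0C, 2048, 1_000_000)])
# Sick: boot code altered in its first bytes, FAT32 partition at legacy sector 63, never marked active.
SICK_BOOT_CODE = b"\xeb\x1e\x90" + CLEAN_BOOT_CODE[3:]
SICK_MBR = build_mbr(SICK_BOOT_CODE, [(0x00, 0x0B, 63, 1_000_000)])

if __name__ == "__main__":
    for name, mbr in (("healthy", HEALTHY_MBR), ("sick", SICK_MBR)):
        print(name, "->", check_mbr(mbr, CLEAN_BOOT_SHA256) or ["no findings"])
```

Against a real dump, `check_mbr(open("disk.img", "rb").read(512), known_hash)` is the whole invocation; the three findings it raises on the constructed sick sector are exactly the three repairs the posts above end up making by hand (rewriting the boot code, setting the partition active, and moving the partition start).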

Data recovery is definitely a trade or a skill, not a science or process.