This tutorial will cover how to use BackTrack Linux to copy files and folders from a corrupted Windows system to an external drive or a network location, even if the Windows system won’t start. The same steps also work for recovering files from a corrupted Linux system.

What is BackTrack Linux? BackTrack is a Linux distribution based on Ubuntu and focused on network analysis and penetration testing. BackTrack is booted and run in live mode, so no installation is required. That makes it great for recovering files from Windows systems that won’t boot: you boot from the BackTrack USB drive we set up previously, open the files on the computer’s FAT and NTFS disks, and copy them to external media or to a network location such as a Windows share.

To boot from the USB drive you will need to enter your computer’s BIOS and change the boot order so that the USB drive comes before the hard drive. That way, when we turn on the computer it will start from the USB drive. The details differ for every computer, but basically, right after the computer starts, while you see the text portion of startup, you press a key (usually F1, F2, or Delete) to enter the system’s BIOS. In there, look for something referring to the boot order, and set the USB drive as the first boot device.

Let’s start the computer. Make sure that the USB drive we created previously is plugged into the back of the computer and that the USB drive is set as the first boot device. To be able to record this process I am going to be running a virtual machine of Windows XP using VirtualBox. I have two hard drives set up in this virtual machine. Each drive is 10 GB. One drive is FAT32 and one is NTFS.
Start the computer. On the “BackTrack Live CD” window select “BackTrack Text”. On the “Welcome to BackTrack” screen, at the “root@root: #” prompt, type “startx” and press Enter. When BackTrack finishes loading you will get to the GNOME desktop.

Let’s review the disk drives attached to this system. Click on the “Places” menu, then “Computer”. The “Computer - File Browser” window will open. Here we have the drive and filesystem devices. The “File System” device is the USB drive with the BackTrack files on it. Here we have the two ten GB drives we created earlier. For some reason they are showing as being 11 GB instead of 10 GB. I was not able to find any information as to why this is. On the “NTFS” device we have the test file we created earlier, as well as a hidden Windows system folder. On the FAT32 device we can see all of our Windows files.

In many cases you will want to back up the “Documents” folder of any users on the system that won’t boot. Each user’s folder under “Documents and Settings” contains that user’s Word, Excel, and other documents, the user’s NTUSER.DAT registry file, and their settings and desktop shortcuts. Let’s open the “Documents and Settings” folder.
The “JAGTutorials” folder is our user folder. Right-click on it and select “Copy”. We now need to copy this folder to either some form of removable media or to a network location. We will cover both options.

Option one. Copying to removable media. You could have another USB drive and copy to it if you want, but we will just copy to the USB drive we booted from. Click the “Places” menu, then select “Computer”. The device labeled “File System” is the USB drive we booted from. Double-click to open it. You can put the files anywhere you want, but I would recommend placing them in the “Home” folder. Let’s open “Home”. We will just place the files in the root of the home folder. Right-click and select “Paste”. Once you have the files copied over you can just put the USB drive in another computer and retrieve the information. One caveat: files written to the live system’s “File System” survive a reboot only if the USB drive was created with persistent storage. On a plain live USB the root filesystem is an overlay held in RAM, so anything copied there disappears when the machine powers off. If you are not sure how your drive was made, copy to a second USB drive instead, or reboot and confirm the files are still there before relying on the copy.
Option two. Copying to a network location like a Windows folder share. Name resolution doesn’t always seem to work so I always use the IP address of the share server. On the computer where I have the Windows share set up, I will click on the Windows “Start” button, then select the “Run” item. In the “Run” window that opens, enter “CMD” and press Enter. Enter “IPCONFIG” and press Enter. We need to take note of the “IPv4 Address”, which in this case is “192.168.0.3”. Close the window. I have a home network set up with a network share. I won’t cover how to set that up here.

To access a Windows share BackTrack uses Samba. Click on the “Places” menu, then select “Connect to Server”. Under “Service Type:” it lists various network connections you can make, such as “Windows share”, SSH, and FTP. We will select “Windows share”. For the “Server” we need to enter the IP address of the server, which we got before. I’ll enter “192.168.0.3”. For “Share”, enter the name of the Windows share. In this case the share name is “Downloads”. I will enter “Downloads” in the field. We will skip “Folder”, but we could enter a folder name within the share if we wanted to open that instead. In the “User Name:” field you need to enter the name of a Windows user from the server with access to the share. The username for the computer needs to be in the form “IP address\Username”. In this case the test username is Sacha, so I will enter “192.168.0.3\sacha”. In the “Domain Name:” field, enter the IP address again. Click the “Connect” button. A file browser window will open displaying the content of your share. Let’s create a new folder here named “testfolder”. Open the folder, right-click, and select “Paste”.

There are a ton of forensics tools included in BackTrack Linux. We will only cover copying files in this tutorial. I hope this helps you recover data from corrupted systems. I know it has been a huge help for me.
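The same recovery, both options, done from a BackTrack terminal instead of the file browser. This is an added example and not part of the original tutorial; the device name /dev/sda1, the mount points, the profile name “JAGTutorials”, the share //192.168.0.3/Downloads, the user “sacha” and the domain WORKGROUP are all assumptions to replace with what fdisk -l, blkid and your own share give you. It adds two things the GUI steps do not: the Windows disk is mounted read-only so the rescue session cannot alter a disk that is already damaged (ntfs-3g will still mount a hibernated or dirty NTFS volume with ro), and the copy is checked against the source by SHA-256 so a quiet cp does not hide a file that a failing disk returned wrong.

```shell
#!/bin/sh
# Added example (not from the tutorial): command-line version of the recovery.
# Assumed: NTFS system disk on /dev/sda1, XP profile "JAGTutorials", share
# //192.168.0.3/Downloads with user "sacha" in workgroup WORKGROUP.
set -u

# Mount a Windows partition read-only so nothing on the damaged disk changes.
# blkid reports "ntfs" or "vfat"; ntfs-3g handles NTFS (and accepts a
# hibernated or dirty volume when mounted ro), the kernel driver handles FAT32.
mount_source_ro() {
    dev=$1; mnt=$2
    fstype=$(blkid -o value -s TYPE "$dev")
    mkdir -p "$mnt"
    case $fstype in
        ntfs) mount -t ntfs-3g -o ro,noatime "$dev" "$mnt" ;;
        vfat) mount -t vfat    -o ro,noatime "$dev" "$mnt" ;;
        *) echo "unsupported filesystem '$fstype' on $dev" >&2; return 1 ;;
    esac
}

# Option two from the shell: mount the Windows share with mount.cifs
# (cifs-utils). No password is passed on the command line, so mount.cifs
# prompts for it and it stays out of the shell history.
mount_share() {
    server=$1; share=$2; user=$3; domain=$4; mnt=$5
    mkdir -p "$mnt"
    mount -t cifs "//$server/$share" "$mnt" -o "username=$user,domain=$domain"
}

# Copy the whole profile, preserving timestamps. "$src/." copies the directory
# contents, dotfiles included, into dst rather than nesting src inside it.
copy_profile() {
    src=$1; dst=$2
    mkdir -p "$dst" && cp -Rp "$src/." "$dst/"
}

# Sorted SHA-256 manifest of every regular file below a directory. Paths are
# relative to that directory, so source and copy produce comparable output.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Exit 0 only if every file from the source exists in the copy with identical
# content; otherwise print the differing or missing entries and exit 1.
verify_copy() {
    src=$1; dst=$2
    m_src=$(mktemp); m_dst=$(mktemp)
    manifest "$src" > "$m_src"
    manifest "$dst" > "$m_dst"
    if cmp -s "$m_src" "$m_dst"; then
        rm -f "$m_src" "$m_dst"
        return 0
    fi
    diff "$m_src" "$m_dst" >&2 || :   # diff exits 1 when the manifests differ
    rm -f "$m_src" "$m_dst"
    return 1
}

main() {
    mount_source_ro /dev/sda1 /mnt/windows || exit 1
    profile="/mnt/windows/Documents and Settings/JAGTutorials"
    # Option one: a directory on a persistent rescue USB or on a second stick.
    dest=/root/JAGTutorials
    # Option two: uncomment the next two lines to copy to the Windows share.
    # mount_share 192.168.0.3 Downloads sacha WORKGROUP /mnt/share || exit 1
    # dest=/mnt/share/testfolder/JAGTutorials
    copy_profile "$profile" "$dest" \
        && verify_copy "$profile" "$dest" \
        && echo "copied and verified: $dest"
}

# The real recovery needs root and the disks above, so it runs only on request:
#   RECOVER_RUN=1 sh recover.sh
if [ "${RECOVER_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root from the BackTrack desktop’s terminal with RECOVER_RUN=1 after adjusting the device and share names. If verify_copy reports a missing or mismatched file, the disk most likely failed to read it; retry that file on its own, and if it keeps failing, note which files are bad rather than assuming the copy is complete.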