How do I transfer data from an infected PC to an external HDD


11 replies to this topic

#1 mahendru1992


Posted 03 August 2014 - 05:22 AM

Hey guys, 

I have some important data that I need to get from my friend's PC. But her computer is riddled with viruses. How do I transfer my data to an external HDD or a pen drive? I read some articles on write protecting the pen drives, but then I guess I can't copy anything onto it.

 

Thank you in advance!

 

 




 


#2 Didier Stevens


Posted 03 August 2014 - 02:58 PM

You can boot from a Live CD and then copy your data. Then you know that the malware will not be active and won't be able to infect your removable storage.

 

However, the malware can have tampered with your data files, or added files in your data folders. You can scan the data files with an anti-virus, but there is no 100% guarantee that your data files will be clean.

 

What type of data files do you want to recover?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 Kilroy


Posted 03 August 2014 - 05:26 PM

Normally I pull the drive and connect it to a known good machine using a USB to SATA adapter with up to date anti-virus software installed.  Then copy the data to another drive.  Since you're not booting you're not launching the infections.  You can scan the drive first to find infected files if you would like, however these days most infections are from the Internet and not from infected data files.



#4 Crazy Cat


Posted 03 August 2014 - 10:12 PM

That's why I MD5 hash all my data files, should malware inject or modify the data files. I suggest to virus scan and view the data files in a limited account.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#5 mahendru1992


Posted 03 August 2014 - 11:43 PM

First of all, thank you guys for replying

> You can boot from a Live CD and then copy your data. Then you know that the malware will not be active and won't be able to infect your removable storage.
>
> However, the malware can have tampered with your data files, or added files in your data folders. You can scan the data files with an anti-virus, but there is no 100% guarantee that your data files will be clean.
>
> What type of data files do you want to recover?

What's a Live CD? Is that the Windows file CD?

Well the data is basically my GMAT pdfs, docs and ppts that I made myself, and photos and videos of a trip that we made a few days back.

Let's just say that those videos and photos aren't as impt as the GMAT notes that I made myself. I have my exam in a month and I need them.

My brother deleted mine by mistake and I didn't have a backup. :(

> Normally I pull the drive and connect it to a known good machine using a USB to SATA adapter with up to date anti-virus software installed.  Then copy the data to another drive.  Since you're not booting you're not launching the infections.  You can scan the drive first to find infected files if you would like, however these days most infections are from the Internet and not from infected data files.

But if I pull the drive and connect it to my laptop, wouldn't the effect be the same? I'd be booting up again anyways.

Let's say the virus or trojan or whatever it is that is affecting her PC has not affected my files, and I still transfer my data, how likely is it that I get the virus on HDD?

There are too many viruses in her system. When I boot up, random web pages would open up and some weird notification to install some weird bullbleep antivirus would regularly pop up.

> That's why I MD5 hash all my data files, should malware inject or modify the data files. I suggest to virus scan and view the data files in a limited account.

Ha! This is a cool idea for the future. What you mean is that I should create md5 for all my impt data and then regularly keep on checking for changes to md5. If the md5 has changed, either the data is corrupt or somehow the data has gotten affected by the virus? Am I right?



#6 Didier Stevens


Posted 04 August 2014 - 09:24 AM

A Live CD is an operating system on a CD/DVD. You put the CD in your computer, and boot from it. The operating system on the live CD will boot (so not the operating system on the harddisk of your computer), and give you access to the harddisks of your computer.

Most Live CDs run Linux. There are also popular Windows Live CDs, but Microsoft requires you to have a valid license to use Windows. To respect this, you should download a tool to make a Windows Live CD using your own copy of Windows on a CD/DVD.

 

So you'll get up and running faster if you just download a Linux Live CD. Have you ever used Linux before?




#7 mahendru1992


Posted 04 August 2014 - 09:39 AM

> A Live CD is an operating system on a CD/DVD. You put the CD in your computer, and boot from it. The operating system on the live CD will boot (so not the operating system on the harddisk of your computer), and give you access to the harddisks of your computer.
>
> Most Live CDs run Linux. There are also popular Windows Live CDs, but Microsoft requires you to have a valid license to use Windows. To respect this, you should download a tool to make a Windows Live CD using your own copy of Windows on a CD/DVD.
>
> So you'll get up and running faster if you just download a Linux Live CD. Have you ever used Linux before?

No I haven't used Linux before. But I'm sure I can navigate around if I want to. At least right now I'm desperate enough to do anything.

Let's say I even boot from a live CD, but if the virus has affected the files, then obviously it'll get passed onto my hard disk right? So what I was thinking was boot from the live CD, install a free anti virus, scan the relevant data and if the files are affected, I'll simply copy paste the data inside them to a new doc, pdf or excel file since they wouldn't be affected by the virus. Would this work?


Edited by mahendru1992, 04 August 2014 - 09:39 AM.


#8 Didier Stevens


Posted 04 August 2014 - 10:23 AM

You will not be able to install AV on your computer when you run a Live CD.

 

But there are free Live CDs produced by anti-virus companies that include their AV product.

6 years ago, I made a video for the F-Secure Live CD. This gives you an idea how it works:

http://blog.didierstevens.com/2008/08/21/removing-malware-with-a-live-cd/

 

But be careful before you do this. If the AV finds malware in your data files, you run the risk that it deletes the files without recovery option.

 

Opening the files to copy the content is risky, you might activate the malware by opening the files if they are infected. And then it can infect your new data files or your removable disk connected to the PC.

But you could copy the content to a text file (notepad)

 

I think the best thing you can do is the following:

1) boot from a Live CD

2) review the creation and modification dates of all your data files on the harddisk

3) if they predate the infection, then they are probably clean,

4) copy your data files to a USB stick.

5) remove the USB stick, don't plug it in another computer

6) boot from a Live CD from an AV company, and scan the harddisks.

 

If you didn't find data files dating from the infection, and the AV didn't find anything, then you are PROBABLY safe. Then you can use the files you copied on the USB stick.

But realize that there is no 100% guarantee. The malware might also have tampered with the timestamps, and the AV might miss malware, especially if you didn't manage to use the latest AV signatures.

 

Also be careful with AV Live CDs. They can delete infected files and render your computer unbootable.

 

I build my own Windows Live CD with the Ultimate Boot CD, so I haven't used Linux Live CDs in a while.

Here is a list of Live CDs:

http://www.livecdlist.com/

If I would choose one, I'd select Hiren's Boot CD, because of its history

http://en.wikipedia.org/wiki/Hiren%27s_BootCD


Edited by Didier Stevens, 04 August 2014 - 10:24 AM.

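Steps 2 to 4 of the procedure above, as an added Python example that is not part of the original posts: it separates files by modification time against an assumed infection date, copies the older ones, and checks each copy byte for byte. The function names, folder layout and date are assumptions, and the sample tree in `demo()` is constructed.

```python
import filecmp
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def triage_and_copy(src_root, dest_root, infection_start):
    """Copy files last modified before infection_start; list the rest.

    Assumption: src_root is the infected disk mounted read-only from the
    Live CD, and dest_root is the USB stick.
    """
    src_root, dest_root = Path(src_root), Path(dest_root)
    cutoff = infection_start.timestamp()
    copied, suspect = [], []
    for path in sorted(src_root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(src_root)
        # Modification time is only a triage signal: malware can reset it.
        if path.stat().st_mtime >= cutoff:
            suspect.append(rel.as_posix())
            continue
        target = dest_root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps the original timestamps
        # Byte-for-byte check that the copy on the stick matches the source.
        if not filecmp.cmp(path, target, shallow=False):
            raise IOError(f"copy of {rel} does not match the source")
        copied.append(rel.as_posix())
    return copied, suspect


def demo():
    """Run the triage on a constructed folder tree (sample data, not real)."""
    infection = datetime(2014, 7, 20)  # assumed date the trouble started
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp, "disk"), Path(tmp, "usb")
        (src / "gmat").mkdir(parents=True)
        samples = {
            "gmat/notes.txt": datetime(2014, 6, 1),    # predates infection
            "gmat/quant.txt": datetime(2014, 7, 1),    # predates infection
            "gmat/unknown.doc": datetime(2014, 7, 25), # dated after it
        }
        for name, when in samples.items():
            f = src / name
            f.write_text("constructed sample: " + name)
            os.utime(f, (when.timestamp(), when.timestamp()))
        return triage_and_copy(src, dest, infection)


if __name__ == "__main__":
    copied, suspect = demo()
    print("copied :", copied)
    print("review :", suspect)
```

Files on the review list are left on the disk for the AV Live CD scan in step 6 rather than copied.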


#9 mahendru1992


Posted 04 August 2014 - 10:49 AM

> You will not be able to install AV on your computer when you run a Live CD.
>
> But there are free Live CDs produced by anti-virus companies that include their AV product.
>
> 6 years ago, I made a video for the F-Secure Live CD. This gives you an idea how it works:
>
> http://blog.didierstevens.com/2008/08/21/removing-malware-with-a-live-cd/
>
> But be careful before you do this. If the AV finds malware in your data files, you run the risk that it deletes the files without recovery option.
>
> Opening the files to copy the content is risky, you might activate the malware by opening the files if they are infected. And then it can infect your new data files or your removable disk connected to the PC.
>
> But you could copy the content to a text file (notepad)
>
> I think the best thing you can do is the following:
>
> 1) boot from a Live CD
>
> 2) review the creation and modification dates of all your data files on the harddisk
>
> 3) if they predate the infection, then they are probably clean,
>
> 4) copy your data files to a USB stick.
>
> 5) remove the USB stick, don't plug it in another computer
>
> 6) boot from a Live CD from an AV company, and scan the harddisks.
>
> If you didn't find data files dating from the infection, and the AV didn't find anything, then you are PROBABLY safe. Then you can use the files you copied on the USB stick.
>
> But realize that there is no 100% guarantee. The malware might also have tampered with the timestamps, and the AV might miss malware, especially if you didn't manage to use the latest AV signatures.
>
> Also be careful with AV Live CDs. They can delete infected files and render your computer unbootable.
>
> I build my own Windows Live CD with the Ultimate Boot CD, so I haven't used Linux Live CDs in a while.
>
> Here is a list of Live CDs:
>
> http://www.livecdlist.com/
>
> If I would choose one, I'd select Hiren's Boot CD, because of its history
>
> http://en.wikipedia.org/wiki/Hiren%27s_BootCD

Oh boy, I just realised that she'd be busy opening my notes. I guess the virus must have affected the files. Well......LOL. 

But anyways I'll still give it a try. I'll boot from a live CD and follow the subsequent steps to the letter.

Thanks a lot for all your help! Appreciate it. :D



#10 Didier Stevens


Posted 04 August 2014 - 10:53 AM

You're welcome.

 

I just remembered that if you come to the point that you have to copy/paste the content of your documents, you could also save them as plain text.

For example, in Word, you can do a Save As... Plain text (*.txt).




#11 Crazy Cat


Posted 07 August 2014 - 12:09 AM

> First of all, thank you guys for replying
>
> > That's why I MD5 hash all my data files, should malware inject or modify the data files. I suggest to virus scan and view the data files in a limited account.
>
> Ha! this is a cool idea for the future. What you mean is that i should create md5 for all my important data and then regularly keep on checking for changes to md5. If the md5 has changed, either the data is corrupt or somehow the data has gotten affected by the virus? Am I right?

Yes, that's it in a nutshell. To hash many files in a folder and output the results as a text file, use this File Checksum Integrity Verifier (FCIV) command-prompt utility. Full command-line at http://support.microsoft.com/kb/841290

    fciv.exe c:\myfiles\*.* > FilesCheck_02-08-14.txt

ExamDiff. http://www.prestosoft.com/download/ed19.zip is one easy way to compare "FilesCheck_02-08-14.txt" and "FilesCheck_22-10-14.txt"

File Checksum Integrity Verifier utility.
The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.

http://support.microsoft.com/kb/841290
http://www.microsoft.com/en-au/download/details.aspx?id=11533&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True&751be11f-ede8-5a0c-058c-2ee190a24fa6=True&fa43d42b-25b5-4a42-fe9b-1634f450f5ee=True
http://superuser.com/questions/245775/is-there-a-built-in-checksum-utility-on-windows-7

> If you didn't find data files dating from the infection, and the AV didn't find anything, then you are PROBABLY safe. Then you can use the files you copied on the USB stick. But realize that there is no 100% guarantee. The malware might also have tampered with the timestamps, and the AV might miss malware, especially if you didn't manage to use the latest AV signatures.

TOUCH, Change file timestamps. http://ss64.com/nt/touch.html and http://superuser.com/questions/292630/how-can-i-change-the-timestamp-on-a-file

Edited by Crazy Cat, 07 August 2014 - 12:10 AM.

 



#12 Crazy Cat


Posted 27 August 2014 - 12:33 AM

> First of all, thank you guys for replying
>
> > That's why I MD5 hash all my data files, should malware inject or modify the data files. I suggest to virus scan and view the data files in a limited account.
>
> Ha! this is a cool idea for the future. What you mean is that i should create md5 for all my important data and then regularly keep on checking for changes to md5. If the md5 has changed, either the data is corrupt or somehow the data has gotten affected by the virus? Am I right?

Yes, that's it in a nutshell. To hash many files in a folder and output the results as a text file, use this File Checksum Integrity Verifier (FCIV) command-prompt utility. Full command-line at http://support.microsoft.com/kb/841290

    fciv.exe c:\myfiles\*.* > FilesCheck_02-08-14.txt

ExamDiff. http://www.prestosoft.com/download/ed19.zip is one easy way to compare "FilesCheck_02-08-14.txt" and "FilesCheck_22-10-14.txt"

The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.

http://support.microsoft.com/kb/841290
http://www.microsoft.com/en-au/download/details.aspx?id=11533&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True&751be11f-ede8-5a0c-058c-2ee190a24fa6=True&fa43d42b-25b5-4a42-fe9b-1634f450f5ee=True
http://superuser.com/questions/245775/is-there-a-built-in-checksum-utility-on-windows-7

Or this script. http://www.bleepingcomputer.com/forums/t/544425/malware-virus-etc-registry-valueskeywords/#entry3459693
 

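The baseline-and-compare routine from the FCIV posts, as an added Python example rather than code from the thread: it uses SHA-256 from `hashlib` in place of FCIV's MD5/SHA-1, saves a manifest, and reports changed, added and removed files. The function names and the sample folder in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large videos are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(baseline, current):
    """Report what differs between an earlier manifest and a later one."""
    shared = baseline.keys() & current.keys()
    return {
        "changed": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Baseline a constructed folder, alter it, then compare (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "myfiles")
        root.mkdir()
        (root / "notes.txt").write_text("verbal notes")
        (root / "quant.txt").write_text("quant notes")
        (root / "trip.txt").write_text("photo list")
        saved = Path(tmp, "baseline.json")  # stands in for FilesCheck_*.txt
        saved.write_text(json.dumps(build_manifest(root), indent=2))

        # Later: one file altered, one deleted, one new file present.
        (root / "quant.txt").write_text("quant notes (altered)")
        (root / "trip.txt").unlink()
        (root / "extra.txt").write_text("appeared later")

        baseline = json.loads(saved.read_text())
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the saved baseline on media the monitored machine cannot write to, since software able to alter the data files can also alter a manifest stored beside them.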




