14 February 2011, 11:59

Save your PC: bootable Linux rescue tools

by Richard Hillesley

Linux is now a respected, mature operating system that is free and open source, so it should be no surprise that it has become a general-purpose platform for tools that repair and rescue both Linux and Windows systems.

The vast majority of computer users don't know or care about the underlying technologies that drive the gadgets and utilities they use every day. Most of these users run Windows and have little idea what to do when things go wrong: the drive won't boot, files are corrupted, random messages pop up, or the registry or the file system is broken. The problem may be blamed on a rootkit, a broken program or a virus. Sometimes the data is lost, and sometimes the user gets lucky with a rescue disk supplied by one or other of the anti-virus vendors.

As often as not these rescue disks will boot a version of Linux. For instance, the Kaspersky Labs rescue disk runs a version of Gentoo, Panda Security's SafeDisk is based on Debian GNU/Linux, and BitDefender and F-Secure are based on Knoppix; and these are not the only examples.

The anti-virus vendors use Linux for practical reasons. Linux belongs to no-one and is free, but cost is not the decisive factor.

The Linux kernel is modular and supports a wide range of hardware out of the box, and the code and tools are freely available. NTFS and FAT file systems can be read and written by file managers and other applications (NTFS write support comes from ntfs-3g), Samba gives access to Windows networks, and a Linux-based rescue system cannot be infected by the Windows malware sitting on the drive it is cleaning, because that code is never executed.

A rescue disk might include the vendor's anti-virus scanner and other proprietary tools specific to Windows systems. But a technically inclined user also has access to a wide variety of command line and graphical tools that are available under free software licences and, in many cases, are part of any GNU / Linux system.

Thanks for the memory

The technology that makes a Linux-based repair and rescue CD possible is the live distribution: a version of Linux that boots from a CD or a USB flash memory stick (LiveUSB), runs from that medium and a modest amount of RAM, and in some cases runs on older PCs with little disk space and less memory. An operating system that runs entirely from its boot medium and memory can inspect and manipulate the data on the hard drive of the system being repaired without touching that drive until the user chooses to mount it, and without being infected by what is on it. The usual practice is to mount a suspect drive read-only while inspecting it, so that the rescue session itself cannot alter the data being recovered.

LiveCD technology was popularised on Linux by Klaus Knopper's Knoppix, first released in September 2000. Knoppix allowed a user to test drive GNU / Linux and its applications without writing to the hard drive, and also provided a useful means of inspecting that drive. Most of the mainstream GNU / Linux distributions are now available in a LiveCD version, which allows a prospective user to test for aesthetic and practical compatibility.

Further down the scale are a plethora of small live distributions, such as Damn Small Linux, Puppy or SliTaz. The small distributions have all kinds of uses. Damn Small Linux, for instance, weighs in at a mere 50 MB and can run in minimal amounts of memory, but can be expanded into a full blown Debian installation. SliTaz is even smaller and serves a similar purpose. Puppy Linux is useful as a nomadic desktop tool, which allows the user to move their work from box to box, preserving the work on the same flash drive or CD as the operating system and leaving no trace on the host computer. All of these distributions can be used to inspect and repair misbehaving file systems on the hard drive.

But there are also Live GNU / Linux distributions that are specifically engineered for use as a rescue tool, to run in small amounts of memory while the user searches for and rescues data that has been lost on broken file systems, clones and revives old and damaged partitions, and restores broken installations.

In extremis the same ends can be achieved by most live distributions of Linux. Most will include the means to usefully access and retrieve files on Linux or other operating systems. The shortcomings of this option are that the mainstream distributions will be more unwieldy in limited amounts of RAM, and may not include the more esoteric applications.

Watching the detectives

GNU / Linux repair and rescue disks can be as useful for recovering other operating systems as they are for Linux. FAT, NTFS or Apple HFS+ partitions can be mounted and displayed using a Linux file manager. GNU Parted, GParted and fdisk – the Linux fdisk, not the DOS utility – can be used for creating and resizing partitions or editing the partition table. PartImage can be used for partition imaging, and TestDisk can recover lost partitions and rebuild a damaged partition table.

(Image: the GParted tool user interface.)
Among the more sophisticated tools for rescuing data from corrupt or damaged media are the command line tools ddrescue (now at version 1.14), which "also features a 'fill mode' able to selectively overwrite parts of the output file, with a number of interesting uses like wiping data, marking bad areas or even, in some cases, 'repairing' damaged sectors" – and safecopy, which "tries to extract as much data as possible from a problematic (i.e. damaged sector) source – like floppy drives, hard disk partitions, CDs, tape devices, where other tools like dd would fail due to I/O errors." Both work by reading around I/O errors rather than stopping at the first one. The practitioner's rule with such tools is to image the failing drive once, keeping ddrescue's log file so that an interrupted run can be resumed rather than restarted, and to do all further repair work on the copy, never on the original.
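To make the difference between dd and a ddrescue-style copy concrete, here is an added example that emulates the strategy in a few dozen lines of Python. It is not ddrescue's or safecopy's own code, and it leaves out their real refinements (direct I/O, reverse passes, trimming and scraping, the on-disk log file format). DamagedDisk is a constructed stand-in for a drive whose listed sectors return an I/O error; the 64 KiB of data, the bad sector numbers and the marker pattern are assumptions chosen for the demonstration.

```python
# Added example, not ddrescue's or safecopy's code: a simplified emulation of
# the copy strategy that lets such tools get data off failing media where a
# plain dd stops at the first I/O error. DamagedDisk, DATA and the bad sector
# numbers below are constructed for the demonstration.

SECTOR = 512

# Constructed 64 KiB of deterministic "disk" content.
DATA = bytes(i % 251 for i in range(64 * 1024))


class DamagedDisk:
    """Any read that touches a sector listed in bad_sectors fails with EIO."""

    def __init__(self, data, bad_sectors):
        assert len(data) % SECTOR == 0
        self.data = data
        self.bad = set(bad_sectors)
        self.reads = 0  # read attempts, to make the cost of each strategy visible

    @property
    def size(self):
        return len(self.data)

    def read(self, offset, length):
        self.reads += 1
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return self.data[offset:offset + length]


def naive_copy(disk, block=4096):
    """What dd does without conv=noerror: copy until the first error, then stop."""
    out = bytearray()
    for off in range(0, disk.size, block):
        try:
            out += disk.read(off, min(block, disk.size - off))
        except OSError:
            break
    return bytes(out)


def rescue(disk, block=4096):
    """ddrescue-like two-phase copy: read large blocks and skip failures, then
    revisit each failed block one sector at a time so every readable sector is
    recovered. Returns (image, bad_ranges): bad_ranges is the 'map' of byte
    ranges that stayed unreadable, and those bytes are left zero in the image."""
    image = bytearray(disk.size)
    failed = []
    for off in range(0, disk.size, block):
        n = min(block, disk.size - off)
        try:
            image[off:off + n] = disk.read(off, n)
        except OSError:
            failed.append((off, n))  # note it and move on; do not stop
    bad_sectors = []
    for off, n in failed:
        for s in range(off, off + n, SECTOR):
            try:
                image[s:s + SECTOR] = disk.read(s, SECTOR)
            except OSError:
                bad_sectors.append(s)
    return bytes(image), merge_ranges(bad_sectors)


def merge_ranges(sector_offsets):
    """Collapse bad sector offsets into contiguous (start, end) byte ranges."""
    ranges = []
    for s in sorted(sector_offsets):
        if ranges and ranges[-1][1] == s:
            ranges[-1] = (ranges[-1][0], s + SECTOR)
        else:
            ranges.append((s, s + SECTOR))
    return ranges


def fill_bad_areas(image, bad_ranges, pattern=b"BAD!"):
    """The idea behind ddrescue's fill mode: overwrite only the regions the map
    records as unreadable with a marker pattern, leaving rescued data untouched,
    so the holes can be located (or deliberately wiped) later."""
    out = bytearray(image)
    for start, end in bad_ranges:
        n = end - start
        out[start:end] = (pattern * (n // len(pattern) + 1))[:n]
    return bytes(out)


def demo():
    bad = {3, 4, 70}  # assumed: two adjacent bad sectors and one isolated one
    print("dd-style copy recovered", len(naive_copy(DamagedDisk(DATA, bad))), "bytes")
    disk = DamagedDisk(DATA, bad)
    image, bad_ranges = rescue(disk)
    lost = sum(end - start for start, end in bad_ranges)
    print("rescue recovered", disk.size - lost, "of", disk.size, "bytes in",
          disk.reads, "reads; unreadable ranges:", bad_ranges)
    return image, bad_ranges


if __name__ == "__main__":
    demo()
```

With the assumed bad sectors, the dd-style copy returns nothing at all, because the very first 4 KiB block contains a bad sector; the two-phase copy loses only the three sectors that are genuinely unreadable and records exactly where they are, which is the information the fill step (and a later retry on the real drive) needs.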

PhotoRec can recover lost photographs and other files by searching the raw disk for their file signatures, so it works even where the file system that held them is gone, and a range of command line tools can be used to inspect, create, delete, resize, move and restore file systems and the data on them.

At an entirely different level, the Sleuth Kit is an open source forensic analysis toolkit which can be used not only to inspect and recover data, but also to identify the footprint and presence of rootkits or intruders, or to map previously deleted data, so it is sometimes used in the murkier areas of the law. The purpose of a repair and rescue tool is to recover data the user wants to see. A forensic analysis tool is sometimes used to recover data a user doesn't want others to see.

But, as Brian Carrier sees it in his justification for open source forensics (PDF):

"Digital forensic tools are used to fire employees, convict criminals, and demonstrate innocence. All are serious issues and the digital forensic application market should not be approached in the same way that other software markets are. The goal of a digital forensic tool should not be market domination by keeping procedural techniques secret."

"Digital forensics is a maturing science that needs to be continuously held to higher standards. The procedures used should be clearly published, reviewed, and debated. The availability of analysis tools to the general public has likely increased their quality and usability. The next step is to increase confidence in the tools through publication, review, and formal testing."

The Sleuth Kit is included in the Ubuntu Rescue Remix live CD.

At the most elementary level, a Linux rescue disk can be used to reinstall GRUB and make an unbootable system boot again. Partitions and disks, or segments of partitions, can be cloned, and systems can be inspected or replicated across the network with the minimum of fuss. Data can be saved to a rewritable CD, a USB memory stick, across the network, or to any other storage device that is to hand.

An up to date Linux repair and rescue disk is a useful tool for every Linux user to have in his or her tool box for sorting the disk and boot problems that can occur at any time – but there are also free distributions which exist specifically to deal with Windows systems, the most comprehensive of which is the Trinity Rescue Kit.

Next: Cleaning Windows - the Trinity Rescue Kit

