Aaron S. Hawley @ 2007-12-15 23:14:00
Entry tags: free software, howto
Digging through Windows with GNU+Linux
A friend gave me an old hard drive. I threw it in the ancient computer I recently installed Debian 4.0 on (see previous entry). The hard drive originally had Windows 98 on it. He wanted to get a lot of his university course work and personal files off it. Unfortunately, Windows -- even newer versions -- is awful at finding files. Connecting the drive to a GNU+Linux operating system really showed the sleuthing powers of free software systems.
First I mounted the disk as read-only at /mnt (as the root user):
# mount -t vfat -o ro /dev/hdb2 /mnt
Then you can sic the GNU findutils on the hard drive (as a non-administrative user):
$ updatedb --output=./lose98-hd.locatedb --localpaths=/mnt
Let's see what we have after about a minute of listening to the sound of the spinning hard drive:
$ locate -S --database=./lose98-hd.locatedb
Database ./lose98-hd.locatedb is in the LOCATE02 format.
Locate database size: 210363 bytes
Filenames: 18694 with a cumulative length of 1045772 bytes
of which 6385 contain whitespace,
0 contain newline characters,
and 1 contain characters with the high bit set.
Compression ratio 79.88%
Then it's easy to list all the files with a .doc extension:
$ locate --database=./lose98-hd.locatedb -i '*.doc'
To find JPEG images that aren't in a browser cache folder:
$ locate --database=./lose98-hd.locatedb -i -r '.jpe?g$' | grep -vie cache
The locate command is not only more powerful than Windows "Find files...", it's also really fast because it benefits from indexing the file system, and you get the rest of the Unix toolbox, including find and file, which provide even more metadata about the file system and help fine-tune your searches.
I'm sure you could dig deeper still if you knew more of the subtleties of the FAT filesystem (using dd) or of the W32 platform and system files (I'm sure there are Perl libraries for W32). The downside is that GNU+Linux is a monolithic kernel: mounting drives and their images can be done, but it is a bit of a chore. An idealized microkernel environment -- like GNU/Hurd -- would provide a better experience and a safer sandbox.
When I was done playing and couldn't find any more files for my friend, I formatted the drive (as root user):
# cfdisk -z /dev/hdb
# mke2fs -j -L /backup /dev/hdb1
# mkdir /backup
# echo -e "/dev/hdb1 /backup ext3 defaults 0 2" >> /etc/fstab
# mount /backup
If I wanted to be a computer forensic investigator, the tools in a GNU+Linux system would provide a pretty good base to build a larger tool for cataloging hard drives. I'd probably write the package in shell script or maybe Perl. Fortunately, I already have a day job. But others are working on developing free forensic tools.
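A shell sketch of the cataloguing tool described here, built on the locate/find workflow above. This is an added example, not code from the post; it assumes GNU find (findutils) and uses a constructed sample tree in place of the /mnt mount.

```shell
#!/bin/sh
# Added example, not code from the original post: a small cataloguing script
# in the spirit of the locate workflow above. Assumes GNU find (findutils);
# the mount point and file names used in the demo are constructed.
#
# build_catalog ROOT OUT  writes one line per regular file: size TAB mtime TAB path
# find_ext CATALOG ERE    matches an extension (case-insensitive, like locate -i -r)
#                         and drops paths under any folder with "cache" in its name
# catalog_count CATALOG   number of files recorded

build_catalog() {
    root=$1; out=$2
    # -xdev keeps the walk on the one (read-only) mounted filesystem so a stray
    # symlink or bind mount cannot pull the host's own disks into the catalogue.
    find "$root" -xdev -type f -printf '%s\t%TY-%Tm-%Td\t%p\n' > "$out"
}

find_ext() {
    catalog=$1; ext=$2
    # the path is the last field, so anchoring on end-of-line is enough
    grep -iE "\.(${ext})\$" "$catalog" | grep -viE '/[^/]*cache[^/]*/'
}

catalog_count() {
    wc -l < "$1" | tr -d ' '
}

# Demo on a constructed tree standing in for /mnt (the real run would be
# "build_catalog /mnt ./lose98-hd.tsv" after the read-only mount above).
demo=$(mktemp -d)
mkdir -p "$demo/disk/My Documents/Photos" "$demo/disk/Temporary Internet Files/Cache"
printf 'jpeg' > "$demo/disk/My Documents/Photos/Holiday.JPG"
printf 'doc'  > "$demo/disk/My Documents/thesis.DOC"
printf 'ad'   > "$demo/disk/Temporary Internet Files/Cache/banner.jpeg"
build_catalog "$demo/disk" "$demo/catalog.tsv"
echo "files catalogued: $(catalog_count "$demo/catalog.tsv")"   # 3
find_ext "$demo/catalog.tsv" 'jpe?g'                            # only Holiday.JPG
rm -rf "$demo"
```

The catalogue is plain tab-separated text, so the rest of the toolbox (sort, awk, cut) can slice it by size, date or folder without touching the drive again.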
Yeah, this was just an excuse to try posting to the Debian community in Live Journal.