Volume 19, Number 3
"WHAT, ME WORRY?"
RECOVERING AFTER A VIRUS WITHOUT A BACKUP
By Michael Trittipo
Michael Trittipo is the director of technology for the Minnesota State Bar Association. He can be reached at firstname.lastname@example.org.
Everyone says you should back up regularly and test whether you can restore. Good backups are your best protection against data loss from any cause, not just viruses. But what if you haven't regularly backed up and verified you can restore? What can you do to get your client documents, trust accounts, and time records back if a virus infects your computer and you don't have backups?
Antivirus vendors don't offer much advice on this score: "restore from backups" is as far as they go. Tech support people often focus on getting your computer working, not on retrieving your data. No one seems to have much sympathy if you haven't backed up; you can almost hear them humming the line from Chicago, "He had it comin'."
The good news is that data is often recoverable in electronic form after a virus infection (or other incident) even without a backup. Generally, if a drive still spins and doesn't make unusual noises, much of its data is recoverable. The bad news is that recovery can require significant tech savvy, and success may depend heavily on avoiding early missteps. Thus, you need to diagnose early how far you or your tech support can safely go. Some cases may require the skills of a data recovery specialist, and even what a specialist can do may be limited if you proceed too hastily at the outset.
First Do No Harm
The key damage question, which informs everything else you do, is whether data files were overwritten or only deleted by the virus. Data that's been overwritten (bad bytes replacing good ones) is essentially gone for good. But if a file is "only" deleted, the data is still there and often can be recovered; only a pointer to the data has been erased.
That's the good news. The bad news is that when a file has been "deleted," the computer thinks it can use the space again. So installing new software (even an antivirus update or data recovery software) may overwrite the very part of the disk where the deleted file was/is stored; that will make the data unrecoverable. Even visiting a web page for further information may overwrite "deleted" data. So a key step when you suspect a virus is determining whether file deletion was part of the payload.
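To make the deleted-versus-overwritten distinction concrete, here is an added Python illustration that is not part of the article. It builds a toy FAT12 volume (layout, file names and contents are all constructed) and shows what a FAT delete actually does: the first byte of the directory entry is replaced with 0xE5 (the byte that shows up as a sigma in the old DOS code page) and the file's clusters are released in the file allocation table, but the data bytes, start cluster and size stay where they were, so a read-only routine can still pull the file back. The moment something else is written into those freed clusters (the "installing new software" step), the same pointer returns the new bytes instead. A real tool would parse the BIOS parameter block rather than use the fixed geometry here, and would need to cope with fragmented files, which this contiguous-read recovery does not.

```python
"""Toy FAT12 volume showing the difference between a deleted and an
overwritten file.  Constructed example: the layout, names and contents
are made up; a real tool would parse the BIOS parameter block rather
than rely on the fixed geometry below."""
import math
import struct

SECTOR = 512                      # one sector per cluster in this toy volume
RESERVED, FAT_SECTORS, ROOT_ENTRIES, TOTAL_SECTORS = 1, 1, 16, 64
FAT_OFF = RESERVED * SECTOR
ROOT_OFF = FAT_OFF + FAT_SECTORS * SECTOR
DATA_OFF = ROOT_OFF + ROOT_ENTRIES * 32        # cluster 2 begins here
DELETED = 0xE5    # marker byte for a deleted entry (shown as a sigma in CP437)
END_OF_CHAIN = 0xFFF


def fat12_get(img, n):
    """Read the 12-bit FAT entry for cluster n."""
    off = FAT_OFF + n + n // 2
    val = img[off] | (img[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)


def fat12_set(img, n, val):
    """Write the 12-bit FAT entry for cluster n without touching its neighbour."""
    off = FAT_OFF + n + n // 2
    if n & 1:
        img[off] = (img[off] & 0x0F) | ((val << 4) & 0xF0)
        img[off + 1] = (val >> 4) & 0xFF
    else:
        img[off] = val & 0xFF
        img[off + 1] = (img[off + 1] & 0xF0) | ((val >> 8) & 0x0F)


def cluster_off(n):
    return DATA_OFF + (n - 2) * SECTOR


def write_file(img, slot, name83, first, data):
    """Store data in consecutive clusters starting at `first`, chain them in
    the FAT, and fill root-directory entry `slot` (8.3 name, start, size)."""
    clusters = list(range(first, first + math.ceil(len(data) / SECTOR)))
    for i, c in enumerate(clusters):
        chunk = data[i * SECTOR:(i + 1) * SECTOR]
        img[cluster_off(c):cluster_off(c) + len(chunk)] = chunk
        fat12_set(img, c, clusters[i + 1] if i + 1 < len(clusters) else END_OF_CHAIN)
    ent = ROOT_OFF + slot * 32
    img[ent:ent + 11] = name83.encode("ascii")
    struct.pack_into("<HI", img, ent + 26, first, len(data))


def delete_file(img, slot):
    """What a FAT delete actually does: mark the entry and free the cluster
    chain.  The file's bytes, start cluster and size are left in place."""
    ent = ROOT_OFF + slot * 32
    c = struct.unpack_from("<H", img, ent + 26)[0]
    while 2 <= c < 0xFF8:
        nxt = fat12_get(img, c)
        fat12_set(img, c, 0)
        c = nxt
    img[ent] = DELETED


def undelete(img, slot):
    """Read a deleted entry's data back from its recorded start cluster.
    Read-only, and it assumes the file was stored contiguously."""
    ent = ROOT_OFF + slot * 32
    if img[ent] != DELETED:
        raise ValueError("entry is not a deleted file")
    first, size = struct.unpack_from("<HI", img, ent + 26)
    start = cluster_off(first)
    return bytes(img[start:start + math.ceil(size / SECTOR) * SECTOR])[:size]


def build_image():
    """Fresh volume holding two constructed documents."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    fat12_set(img, 0, 0xFF8)          # reserved FAT entries 0 and 1
    fat12_set(img, 1, END_OF_CHAIN)
    write_file(img, 0, "NOTES   TXT", 2, b"Client meeting notes, 12 March.\n" * 30)
    write_file(img, 1, "TRUST   XLS", 4, b"Trust account ledger (constructed data)\n" * 20)
    return img


def demo():
    """Delete TRUST.XLS, recover it, then let a new file land in the freed
    space and try again: same pointer, different bytes."""
    img = build_image()
    delete_file(img, 1)
    recovered = undelete(img, 1)
    write_file(img, 2, "UPDATE  EXE", 4, b"MZ" + b"\x90" * 600)  # "installing software"
    clobbered = undelete(img, 1)
    return recovered, clobbered


if __name__ == "__main__":
    before, after = demo()
    print("after delete :", before[:39])
    print("after rewrite:", after[:39])
```

Running the script prints the intact ledger text after the delete and an executable header after the rewrite; nothing about the directory entry changed in between, which is why the article stresses that the only safe thing to do to a drive with deleted data on it is to stop writing.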
One way to determine this is by identifying the virus, and one way to identify a virus is by looking at how it got itself installed. Viruses don't appear by magic; they can only be installed by some human action (clicking on an attachment or a link) or by some pre-programmed computer action associated with a particular event (previewing an e-mail or running whatever's on a web page). So get a pencil and some paper and record exactly what you and the computer were doing before trouble hit; what happened then, including the text of any system messages if you can recall them; and what you did. Don't wait: Write it down while it's fresh. Be precise and exact; don't paraphrase if you can avoid it.
For example, if you had just clicked on an attachment in e-mail, write down the subject, sender, and message body, and the attachment's full name and true extension, to the extent possible. (You should never click on any attachment without knowing its true extension.) Write down as much detail as you can recall; for example, when you closed the message window, did you click on a button inside the window or on the window's upper right "x" button? You can use this information later to try to identify the virus. Do not do the research from the affected PC, however, until you can verify that no files were deleted.
Check Your Data in Windows
After you finish taking notes, the next step is to check on your data. If Windows is running, use Windows Explorer to look at a few data folders whose contents you know, and see what files appear. If Windows won't restart normally, try starting it in "Safe mode," a special trouble-shooting mode available at boot-up, and use Windows Explorer from there. Try opening a couple of files (preferably, ones you know you have copies of elsewhere, in case the act of viewing them causes damage). Are the contents right and complete? Close them. Are they still there in Windows Explorer? Can you reopen them?
If yes, then whatever else the virus may have done, it did not immediately mass-delete all data files. Therefore you can use the affected PC to go online and run an online virus scan or do other research to identify the virus and see whether specific tools exist to fix its effects. Online virus scans are offered by Trend Micro Housecall (http://housecall.trendmicro.com); Symantec (www.symantec.com/securitycheck); and Panda (www.pandasofware.com/activescan/com), among others. Log whatever the antivirus program does, and list all files it reports having cleaned or quarantined. You will need to check those files for possible partial data loss.
Check Your Data Without Windows
If Windows crashed and won't restart, not even in Safe mode, all is not lost: There are other ways to inspect a drive's contents to see whether your data files still exist, even without Windows. For example, you can use a tool called the "Recovery Console" in NT, 2k, or XP to get a DOS-like command line. But if you've never heard of the Recovery Console before, stop; it is not a good time to learn when your data is on the line. Another way to get a command line is by booting from an appropriate CD or a boot floppy. Either way, the idea is the same as under Windows Explorer: Look at a few known folders and see whether they display all the data files they should, with reasonable file sizes.
If so, the virus didn't delete files, but given that Windows isn't starting, it's likely done something else. You or your tech support may be able to fix the problem by working directly on the affected disk, without the risk of overwriting data files. But it would be prudent to first copy all data files to another drive (i.e., make a backup).
If, however, you find that files were deleted; or the command line tells you it can't even see a hard drive or partitions; or the computer won't even turn on, let alone boot, then recovering the data becomes iffier. (To avoid unduly alarming yourself, be sure to use a bootable floppy that can read your drive's file system: A Windows 98 boot floppy won't understand an NTFS-formatted drive.)
Again, there is good news and bad news. The good news is that your data most likely is still there on the drive and may be recoverable. The bad news is that almost any attempt to work on the drive itself will begin causing data loss. Do not try to install any kind of program on it.
Using a Second PC
Instead, a safer approach is to take the hard drive out and install it as a second (slave) drive on a second PC. The second PC's original drive must have an empty, separate partition at least as large as the sick PC's entire drive. On the second PC install a data recovery program that can copy the contents of your sick, infected drive sector by sector to the second PC's empty partition. Then, and only then, attempt data recovery from the copied bits on the no-longer-empty partition. The important point is never to do anything to the virus-affected drive except read from it; never write to it. Even with a data-recovery program, work only on a copy of the bits, not on the drive you took out. A mistake on the copy is no big deal; a mistake while working directly on the affected drive may end the show.
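The imaging-then-recover workflow just described, as an added Python example that is not from the article and not from any particular recovery product. The sick drive is a constructed in-memory stand-in with two unreadable sectors that exposes reads and nothing else; the copy is taken sector by sector, an unreadable sector becomes a zero-filled sector so that every later offset in the image still lines up with the drive (the same behaviour as `dd conv=noerror,sync` on a Unix system), the finished image is hashed so that each later session can confirm it is working on an unaltered copy, and a crude signature carve then runs against the copy rather than the drive. On a real system the source would be the block device opened read-only and the image a file on the larger spare partition. Note that the second carved document comes back with a 512-byte hole where the bad sector was: that is the sort of partial data loss the article says you must check cleaned or recovered files for.

```python
"""Image a failing drive sector by sector, then do recovery work on the copy.
Added example, not from the article.  The 'drive' is a constructed
in-memory stand-in with two unreadable sectors; on a real system the
source would be a block device opened read-only (os.O_RDONLY) and the
image a file on a separate, larger partition."""
import hashlib

SECTOR = 512


class ReadOnlyDrive:
    """Stand-in for a block device.  It deliberately has no write method:
    the only thing ever done to the affected drive is reading from it."""

    def __init__(self, data, bad_sectors=()):
        self._data = data
        self._bad = set(bad_sectors)

    def sector_count(self):
        return len(self._data) // SECTOR

    def read_sector(self, n):
        if n in self._bad:
            raise OSError(f"I/O error at sector {n}")
        return self._data[n * SECTOR:(n + 1) * SECTOR]


def image_drive(drive):
    """Copy every sector in order.  An unreadable sector is replaced by a
    zero-filled one so later offsets in the image line up with the drive
    (what `dd conv=noerror,sync` does).  Returns the image and the list
    of sectors that could not be read."""
    image = bytearray()
    unreadable = []
    for n in range(drive.sector_count()):
        try:
            image += drive.read_sector(n)
        except OSError:
            unreadable.append(n)
            image += bytes(SECTOR)
    return bytes(image), unreadable


def sha256(data):
    """Fingerprint of the image; re-check it before each recovery session."""
    return hashlib.sha256(data).hexdigest()


def carve(image, header, footer):
    """Crude file carving on the COPY: return every byte range that begins
    with `header` and ends with `footer`, regardless of file-system state."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            break
        found.append(image[start:end + len(footer)])
        pos = end + len(footer)
    return found


def build_drive():
    """Constructed 64-sector 'drive' holding two constructed documents,
    with sectors 5 and 9 unreadable.  Sector 9 lies inside the second one."""
    data = bytearray(64 * SECTOR)
    doc1 = b"%DOC%client letter, constructed sample text%END%"
    doc2 = b"%DOC%" + b"trust ledger " * 120 + b"%END%"   # spans sectors 8..11
    data[2 * SECTOR:2 * SECTOR + len(doc1)] = doc1
    data[8 * SECTOR:8 * SECTOR + len(doc2)] = doc2
    return ReadOnlyDrive(bytes(data), bad_sectors={5, 9})


def recover():
    """Image the drive once, hash the image, then carve from the image."""
    drive = build_drive()
    image, unreadable = image_drive(drive)
    digest = sha256(image)
    docs = carve(image, b"%DOC%", b"%END%")
    return docs, unreadable, digest


if __name__ == "__main__":
    docs, unreadable, digest = recover()
    print("unreadable sectors:", unreadable)
    print("image sha256:", digest)
    for d in docs:
        print(len(d), "bytes,", d.count(b"\x00"), "zero bytes (holes from bad sectors)")
```

Everything after `image_drive` touches only `image`, which is the whole point: the drive object is never asked to do anything but read, and the recorded hash lets you prove, before the next attempt, that the copy you are about to experiment on is still the copy you made.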
Can you do this yourself? Probably not. The easiest way to decide may be to look at a few relevant web pages and see whether you feel comfortable with what they expect you to know and do (see sidebar "Recovery: Proceed at Your Own Risk," below). But if you weren't making backups to begin with, it's likely you'll struggle with the tech gobbledygook of MBRs, partition tables, boot sectors, FAT vs. NTFS, hex editing, sigma characters, ERDs and EBDs, Recovery Consoles, and so on. If sigmas are Greek to you, find someone to whom that talk is the mother tongue, or send the drive in to one of the reputable recovery companies.
If Worse Comes to Worst
Suppose, though, there's been a misstep along the way. Say that you rashly tried "fdisk /mbr" but your computer was infected by Monkey. Bad news. This brings us to what some would call a "worst" case: no data can be recovered from the disk. Someone or something wiped all data by overwriting it multiple times with random nonsense (beyond mere file deletion); encrypted it with a non-recoverable key; or physically damaged the surface beyond readability.
Such complete data loss has the virtue of clarity: you won't get sidetracked hoping for a tech miracle. You can simply proceed as you would have if your office had burned to the ground in the days before you had a computer.
Honestly, that perspective is meant to be reassuring. It takes the situation out of a semi-magical tech realm and emphasizes the need to think of all solutions, not just tech-colored ones. There is a way to get at least some of your data back: locating your coincidental backup systems.
A fire gutted a Minneapolis law firm a couple of decades ago, before computerization. The firm was able to rebuild many files with copies of paper documents that existed in other people's offices: counsel for opposing parties, court or agency files, and clients. You can do the same with data that you stored electronically, by getting the word out about your need for copies in either electronic or paper form. You won't get all your data back. You'll have to go to scores of people to ask for copies, and you'll need their goodwill and cooperation. It may be embarrassing. But the odds of retrieving the most crucial data are reasonably good.
Data loss still may be significant; time and billing entries come to mind, or items that were keyed directly into the computer and never copied or printed. But these would have been lost in a precomputer fire, too. The main difference, unfortunately, is that an insurer might not pay for computer data loss. A typical policy covers only tangible property damage and may condition "loss of use" coverage on such tangible damage.
In short, it's often possible to recover data even after a virus has deleted files and destroyed partitions, boot records, and file tables. The odds are in your favor if you regularly defragment your hard drive, are lucky with which virus hits, have emergency disks, can afford expert advice, or have the skill and time to take away from your practice to learn how to use data recovery tools or hex editing. But good odds aren't a guarantee. Wouldn't it be easier to back up and test your backups often?
RECOVERY: PROCEED AT YOUR OWN RISK
If you find the following articles easy to read and their directions clear, you may try the recovery yourself. If you find them too technical, you'll be better off hiring a data recovery expert. (P.S. If you find it too techie, don't worry. Most people do. But in that case, you should start backing up. Mastering backup is a lot easier than data recovery.)
Using a Disk Editor
Generally (a three-article series):
Acronis DiskEditor user manual:
General Data Recovery How-tos
Recovering photos (but instructive for other data):
www.robgalbraith.com: click "Archives" for the January 2002 calendar, click "23," and go to "Building the Ultimate Photo Recovery Kit."
If you've decided, after looking at the articles at left, that you would like to try to do the recovery yourself, here are some of the leading data recovery products and online data recovery services.
DTI Data RecoverItAll: