GuARD Toolkit

1. Introduction

The GuARD Toolkit is primarily a launcher that allows you to start all of GuARD's various recovery, rescue and analysis tools. All of these are explained below.

2. Where is Windows?

This is just a simple tool that will show you on which drives Windows installations were found.

3. List PCI devices

This tool gives a list of all hardware using the PCI bus. Essentially this is pretty much everything that is neither a drive nor connected via USB. The original output is delivered by lspci; the List PCI devices tool just sorts that output and shows it in a more human-readable form.

This can be useful to identify hardware and search for the matching drivers.

4. clamscan

ClamAV is the anti-virus software included in GuARD; its command-line interface is called clamscan, and so is the GUI.

When you start clamscan you have to select what to do with infected files. Currently there are three options:

- only report infected files, don't do anything else
- move all infected files to "<selectedpath>/infected"
- delete all infected files

To prevent duplicate findings, directories with the name "infected" are ignored.

You may then choose whether you also want to search for potentially unwanted software. This is software that is not harmful per se but may be misused. An example given on the ClamAV website is a program that retrieves stored passwords: this can be useful if the person using it is authorized to do so, but it may also be used to steal passwords.

Finally you need to select where you actually want to search for malicious software.

Once you have selected all options, clamscan will try to update its database. This means you need to be connected to the internet, otherwise the update will fail. The update is only executed the first time you run clamscan, since it is not needed on later runs. So once you have run clamscan once, you can safely disconnect your computer from any network. Depending on your internet connection this update may take some time.

Afterwards clamscan will start the scan automatically. A log window will appear so you can track the progress. Once clamscan completes, the log window will include a summary of the scan.

If you run clamscan multiple times, the logs of previous scans can still be found in the log window. The log is also saved in "/tmp/scan.log"; you can view it by opening it in Leafpad.

5. gparted

gparted is the GNU partition editor. With this you can format your hard disk, enlarge or shrink partitions and issue filesystem checks. In the upper right corner of the interface, you can select the respective disk.

In the lower part you will see a list of partitions with information like size, used space and the file system. For Windows these are usually ntfs, or for older installations fat32.

If you right-click on a partition you get a context menu, where you can choose an action for that partition. Before you can perform any action, you have to choose "Unmount"; later you can remount it using the "Mount on" option. Except for mount and unmount, no actions are performed immediately: they are queued and executed once you hit the "Apply" button and confirm them.

The relevant options are:

- create a new partition (if you selected unallocated space)
- remove the partition
- format the partition (see below)
- issue a file system check. If the file system is damaged this option can repair it. If the hard disk is the source of trouble, it's most likely the file system.

If you choose to format a partition you have to select the file system. For Windows you should choose ntfs; you may also use fat32. The other file systems are either for other operating systems or have existed since the dawn of time and are therefore deprecated.

Once you have made all changes (or file system checks) you can click the "Apply" button, after which you will be asked to confirm your choice. You can always review the selected actions in the list at the bottom. If you right-click the list, you can remove the last selected action.

6. GSmartControl

GSmartControl is a program that allows you to read a drive's SMART information and issue tests. SMART stands for Self-Monitoring, Analysis and Reporting Technology. This is a feature supported by all modern hard drives that enables them to detect when a disk is about to fail.

Unfortunately Windows does not include a tool to read the SMART data, thus most users don't benefit from it. Luckily smartmontools and GSmartControl are available for Windows as well.

Note: Since I usually work with GuARD in a virtual machine and the virtual hard drives don't support SMART, the following screenshots were made on my build system.

GSmartControl will first scan your system for hard drives and then show a list of them. If a drive failed the basic health check, it will be marked red. In this case you should back up all important data from that drive as soon as possible. Keep in mind that a drive only shows up as failing once it has failed a self-test. If no test has been run yet, it's possible the drive never had a chance to fail. So it's advised to run a self-test first.

If you double-click on a drive a window with many tabs will show up. We are only interested in two of them.

The first interesting tab is the "Perform Tests" tab. Here you can start self-tests. These self-tests usually come in three flavors: short, extended and conveyance. As the names suggest, the short test doesn't take much time, the extended test takes longer but collects more data and the conveyance test is used to check if the drive took damage from transporting it. Naturally, the conveyance test is only needed when you physically moved the disk over a longer distance.

The "Attributes" tab is the second tab containing valuable information. It lists all SMART attributes that can be checked, together with a current value and a threshold that, once exceeded, marks the beginning of a failure. Most of these values are pretty cryptic and are in fact of little interest. The interesting part is that a failed attribute is highlighted red. This can give you an estimate of how much time you have left, if you know how to interpret them.

I am no expert on this topic, so I can only cover a few attributes:

- Each disk has a few extra sectors as a reserve in case a sector fails. If you get an error here it means that many of them have already been used. It will usually take a few weeks until you experience data loss.
- These two attributes mean that your drive gets too warm. In most cases that's not the disk's fault but is due to a lack of sufficient cooling. If you experience this error you should first check whether your fans (or water cooling) work correctly and whether you have a fan cooling the hard drive in question.

In all other cases I would assume the worst: failure within 24 hours.

7. Reset Windows Password

As the name suggests, you can reset your Windows password with this tool.

First you will have to select the Windows system partition; the tool will then try to find the appropriate authentication file in the default location.

You then have to select the user you want to modify.

You now have several options. Most of these options are risky; the safest option is to clear the password and make all other changes in Windows itself. In any case, use it at your own risk, since the exact structure of the authentication file is not public.

If you selected "Edit Password", you will be prompted for the new password. You won't have to confirm the new password: for one, you can simply edit it again with this tool, but you can also uncheck the "Hide typing" check box and check whether you typed the password correctly.

Once you have entered all necessary information, you will be asked to confirm your actions. If you click "yes" here, the actions will be executed. You will only get further feedback if the action fails.

8. Network Setup

As the name suggests, this allows you to set up network connections. Currently only cable-based connections are supported. Wireless support may be added in the future.

First you will need to select your network card. For most systems there is just one, so the choice is easy. If you have several cards and are unsure which one to use, you can try them one after another.

Once you have selected the card you have two options: either use an automatic configuration via DHCP or set up the card manually. If you did not use a manual configuration in your Windows system (or whatever your main OS may be), you don't need to use it here either.

8.1 DHCP

If you select this option, netsetup will try to find a DHCP server and receive its settings from there. If it fails, try the manual setup.

8.2 Manual setup

Manual setup requires a little more input: you will have to make all settings by hand. Not all setups require a gateway, but all other entries are required. If your configuration does not work, you can edit it later.

Once you have your configuration, netsetup will check if you have internet access. If you don't, you will see an error message asking you to reconfigure.

If you need to access a local network, but cannot connect to the internet, you can cancel the netsetup and configure it via command line.

9. ntfsundelete

ntfsundelete is a tool that can recover deleted files from NTFS partitions. NTFS is the standard filesystem since Windows XP, so most newer systems use it. Older systems use FAT16 or FAT32, as do many USB drives. In this version of GuARD (v0.6) there is no graphical interface to recover deleted files from these or other filesystems.

The usage of ntfsundelete is pretty straightforward: you select the appropriate drive, define a mask to prefilter the list of files, then select the files to undelete and where to put them. These steps are explained in the following passage.

When starting ntfsundelete you will receive a list of all available NTFS filesystems, shown with their Linux device name, e.g. sda1. The window will also state which drives contain Windows installations. Just select the appropriate drive and press the OK button.

The next window allows you to filter the file names using a mask. This can be an exact name like example.txt but can also contain wildcards. An example would be e*.txt, which finds any .txt file that also starts with an "e", e.g. example.txt, excellent example.txt or e.txt. The "*" stands for zero or more arbitrary characters. A mask can contain multiple wildcards, so e*p*3.txt is a valid mask. If you are unsure, leave this empty, in which case a list of all recoverable files is created. This will take a little longer, though.
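As an added example (not GuARD's own code), the mask rules above applied to a constructed file listing: "*" has exactly the semantics of a shell case pattern, so the shell does the matching, and an empty mask lists everything. Lowercasing both sides is an assumption made here, since NTFS file names are case-insensitive.

```shell
#!/bin/sh
# Added example, not part of GuARD: an ntfsundelete-style file mask applied
# to a list of names. "*" stands for zero or more characters, which is what
# a shell case pattern implements. Both sides are lowercased first (assumed
# here because NTFS names are case-insensitive).

# Return 0 if NAME matches MASK, 1 otherwise.
matches_mask() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    mask=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        $mask) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one file name per line from stdin and print those matching MASK.
# An empty mask lists every file, as in the GuARD dialog.
filter_names() {
    mask=${1:-*}
    while IFS= read -r name; do
        if matches_mask "$name" "$mask"; then printf '%s\n' "$name"; fi
    done
}

# Number of names on stdin that match MASK.
count_matches() {
    filter_names "$1" | wc -l | tr -d ' '
}

# Constructed sample listing, as a scan of a small NTFS volume might give.
SAMPLE_NAMES='example.txt
excellent example.txt
e.txt
ep3.txt
notes.txt
e.doc
EXAMPLE.TXT'

# Stand-alone demonstration: which names does e*p*3.txt select?
printf '%s\n' "$SAMPLE_NAMES" | filter_names 'e*p*3.txt'
```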

Now you can select the files you want to recover, either file by file or by using the select-all button. Note that due to the limitations of Xdialog, the program used to render the windows, the window will disappear and reappear with all entries selected. Depending on the length of the list, this can take some time.

Finally, just select the location where you want to save the files. If you want to save them on the source drive, choose /tmp as the target; once ntfsundelete has finished you can copy them over.

Now just wait until it is finished.

10. dd

With dd you can create backups and restore them. There are several options: First you may select the backend that is used.

Currently you can choose between dd and dd_rescue. The main difference between them is the way data is copied: dd_rescue uses extensive error handling and is able to skip corrupted portions of a disk, but is much slower than dd, which lacks error handling and will fail on the first corrupted block. So unless you are trying to back up a damaged drive, it's advised to use dd.

What happens then depends on what you want to do.

10.1 Backup drive to image

When you back up a drive you are first asked to select the drive you want to back up; afterwards you can choose where to store the image. The file extension should be .iso or .img.

10.2 Restore drive from image

When restoring a backup, it's the other way around. You first select the image and then the drive.

10.3 Clone disk

Cloning a disk means creating an exact copy of the disk's data on another disk. You will be asked to select first the source drive and afterwards the target drive.

Whichever you choose, you will be asked to confirm your choice, so you don't accidentally destroy your data. Caution is still advised!
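As an added example (not GuARD's own code), the dd invocations behind "Backup drive to image" and "Restore drive from image", plus a byte-for-byte verification the GUI does not perform. dd treats a block device like any other file, so a constructed file stands in for the drive; the device name /dev/sdb in the comments is a placeholder.

```shell
#!/bin/sh
# Added example, not GuARD's own code: backup to image, restore from image,
# and verification with cmp. A constructed file is used as the "drive" so
# the example is safe to run; on a real system SRC/DST would be a device
# such as /dev/sdb (placeholder name) and DST is overwritten entirely.

# Back up SRC (device or file) into the image file IMG.
# Plain dd stops at the first read error, as described above.
backup_to_image() {
    dd if="$1" of="$2" bs=1048576
}

# Write the image IMG back onto DST. Everything on DST is overwritten,
# so DST must be the intended device.
restore_from_image() {
    dd if="$1" of="$2" bs=1048576
}

# Return 0 if A and B are byte-for-byte identical. Run this after a
# backup (drive vs. image) and after a restore (image vs. drive).
verify_image() {
    cmp -s "$1" "$2"
}

# Constructed 4 MiB "drive" filled with random bytes.
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=1048576 count=4
}

# Stand-alone demonstration in a temporary directory.
work=$(mktemp -d)
make_sample_drive "$work/drive.bin"
backup_to_image "$work/drive.bin" "$work/drive.img"
verify_image "$work/drive.bin" "$work/drive.img" && echo "backup verified"
restore_from_image "$work/drive.img" "$work/restored.bin"
verify_image "$work/drive.bin" "$work/restored.bin" && echo "restore verified"
rm -rf "$work"
```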

11. wipedisk

wipedisk does exactly what you think it would: it permanently destroys all data on a specific hard drive or partition. This is useful if you want to sell a drive or computer but don't want anybody to be able to recover your personal data. Please note that because of this ALL DATA will be destroyed PERMANENTLY! So at least double-check that you selected the correct device! If it's gone, it's gone.