Ace128 has asked for the wisdom of the Perl Monks concerning the following question:

Hey Monks!

A 200 gigs hd went crazy on me, and it just has a RAW partition now. I've managed to extract much data from it, but as you all know, text is another story as it doesn't have unique hex as other formats have...

So, I was thinking...
Hex editor that support disk access.. -> HxD!
Hmm, timeconsuming...
Regular expressions powerful... Perl! Now I only need some way to access the hd in "raw", and then I'm able to "extract" the text from the screwed up hd.
This is where you monks come in!
Ideas?
Couldn't find a module for accessing the hd raw! (And I'm using Windows)

This may also be something for some application out there, but I don't think there is something like HxD with regular expression and batch support! Actually, doing this in Perl would be fonky as hell! Doesn't really seem I can link Perl with HxD either...

UPDATE: The RAW partition is its own unit letter.. (P: in this case :) )

Thanks,
Ace

Re: Accessing a RAW partition!
by EvanCarroll (Chaplain) on Oct 01, 2005 at 23:51 UTC
    Granted you "are using windows," and I hate to make this suggestion because it seems so typical, but if that changed this task would be trivial. On Linux you can access your hd as a block device, without mounting it (which would require a format). So you could literally read the device at /dev/hda1 directly. (assuming you're root)

    This might be easier than getting it to work in windows NT/2k/XP, which to my knowledge won't allow direct access to *any* device. And it won't allow any access to a hard drive until you format it.
    There is also a tool called "testdisk" for linux which might be able to restore your partitions, and help recover your data. Check for a local Linux sig if you don't know how to use linux.


    Evan Carroll
    www.EvanCarroll.com
      Even if it's there as "P:" ?
        I believe it is there as P:/ so you *can* format it, not so you can access it. As I said before I don't believe windows allows access to the hard drive as a block device. To my knowledge you have to have a filesystem on it in windows. Accessing a hard drive as a block device is completely different than at the level of a filesystem. And if you could access it as a block device it would almost surely be some administration trickery not something a regular user can do. Accessing your hd as a block device means you could for instance grep the contents for the string 'password.' There are no per file permissions, because you're not at the file level, you could write right over kernel.dll or explorer.exe and by reading the device at that level those two files will be included in the dump in their entirety. I have since moved off of windows but I wasn't able to figure out how this was done when I was using it. You might have to install a driver to give you this functionality. The upside to this is no more boot sector viruses, and you can accidentally wipe your MBR.


        Evan Carroll
        www.EvanCarroll.com
Re: Accessing a RAW partition!
by sauoq (Abbot) on Oct 01, 2005 at 23:45 UTC

    If this were me, I'd probably boot into linux from a CD and use dd (and maybe strings too, if I was really just looking for the text files.) I think there's a dd that comes with cygwin. And there may be other versions available too. I'm not sure how functional they are.

    Good luck.

    -sauoq
    "My two cents aren't worth a dime.";
    
      With apologies to Janis Joplin,
      Oh lord, won't you burn me a Knoppix CD.

      Really-- a Live distro like Knoppix is built for this kind of hardware hackery. Boot it off the CD, and you never have to become an expert at dual booting, or even install anything to the hard drive itself.

      --
      [ e d @ h a l l e y . c c ]
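The two replies above (reading the block device directly on Linux, and using dd/strings to pull text out of it) amount to one job: read the device read-only in big chunks and report printable runs that match a regex, with the byte offset of each hit. The script below is an added example, not code from any poster in this thread; it assumes a Linux block device such as /dev/hda1 (or any disk image file) opened read-only, and the file name rawgrep.pl and the chunk/overlap sizes are its own choices.

```perl
#!/usr/bin/perl
# Added example: strings(1)-style scan of a raw block device or disk image.
# Reads the device read-only in fixed-size chunks, so nothing is written back
# to the damaged disk, and prints every printable run matching a regex with
# its absolute byte offset. Usage:
#   perl rawgrep.pl /dev/hda1 'Dear|BEGIN.*KEY' > hits.txt   (as root)
use strict;
use warnings;

my ($device, $pattern) = @ARGV;
die "usage: $0 <device-or-image> <perl-regex>\n"
    unless defined $device && defined $pattern;
my $re = qr/$pattern/;

my $CHUNK   = 1024 * 1024;   # bytes per sysread (constructed choice)
my $OVERLAP = 4096;          # tail carried to the next chunk so runs crossing a
                             # chunk boundary are seen whole (runs longer than
                             # this are reported truncated)
my $MIN_RUN = 8;             # like strings(1): printable runs of at least 8 bytes
my $run_re  = qr/[\x20-\x7e\t]{$MIN_RUN,}/;

# Report runs in $data. $base is the absolute offset of $data's first byte,
# $already the number of leading bytes that were scanned in the previous call,
# $last is true when no more data follows (runs touching the end are final).
sub report_runs {
    my ($data, $base, $already, $last) = @_;
    my $hits = 0;
    while ($data =~ /($run_re)/g) {
        my $run   = $1;
        my $end   = pos($data);
        my $start = $end - length $run;
        next if $end < $already;                  # already reported last time
        next if $end == length($data) && !$last;  # may continue in next chunk
        next unless $run =~ $re;
        printf "%#012x  %s\n", $base + $start, $run;
        $hits++;
    }
    return $hits;
}

open(my $fh, '<:raw', $device) or die "open $device: $!\n";

my $carry  = '';   # tail of the previous chunk
my $offset = 0;    # absolute offset of $carry's first byte
my $hits   = 0;
my ($buf, $n);
while (($n = sysread($fh, $buf, $CHUNK))) {
    my $data = $carry . $buf;
    $hits += report_runs($data, $offset, length $carry, 0);
    my $keep = length($data) < $OVERLAP ? length($data) : $OVERLAP;
    $offset += length($data) - $keep;
    $carry   = substr($data, -$keep);
}
die "read $device: $!\n" unless defined $n;
close $fh;

# Whatever is still in the carry is now known to be complete.
$hits += report_runs($carry, $offset, length $carry, 1);
print STDERR "$hits matching run(s)\n";
```

The printable-run regex is the same heuristic strings(1) uses, so on a partition full of binaries expect plenty of noise; a reasonably specific search pattern is what keeps the output useful. Because the device is opened read-only and never seeked for writing, the scan is safe to run against the original disk, but if the drive is physically failing, dd it to an image first and point the script at the image instead.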

Re: Accessing a RAW partition!
by Ace128 (Hermit) on Oct 02, 2005 at 23:29 UTC
    Perl is just so cool (well, thanks to all those nice modules! :) ).
    Anyway, since I haven't been lazy waiting for a solution from you monks, I've managed to do this:

    use strict;
    use warnings;
    use diagnostics;
    use Data::Dumper;
    use Win32API::File qw(:Func :IOCTL_DISK_ :MEDIA_TYPE);

    # QueryDosDevice($sDosDeviceName, $osTargetPath, $lTargetBuf):
    # [] as the device name means NULL, i.e. list every DOS device; the
    # result comes back in $osTargetPath as a "\0"-separated list, and the
    # return value is the byte count, not a list.
    my $osTargetPath;
    QueryDosDevice([], $osTargetPath, [])
        or die "QueryDosDevice: $^E\n";
    print Dumper([ split /\0/, $osTargetPath ]);

    my $hObject = createFile("//./PhysicalDrive3", "r", "rw")
        or die "Can't open: $^E\n";

    # Usage: DeviceIoControl(hDevice, uIoControlCode, pInBuf, lInBuf,
    #                        opOutBuf, lOutBuf, olRetBytes, pOverlapped)
    my ($opOutBuf, $olRetBytes);
    DeviceIoControl($hObject, IOCTL_DISK_GET_DRIVE_GEOMETRY, [], 0,
                    $opOutBuf, [], $olRetBytes, [])
        or die "DeviceIoControl: $^E\n";

    # Calculate the number of DISK_GEOMETRY structures returned:
    my $cStructs = length($opOutBuf) / (4+4+4+4+4+4);
    my @fields   = unpack("L l I L L L" x $cStructs, $opOutBuf);
    print Dumper(\@fields);

    my ($ucCylsLow, $ivcCylsHigh, $uMediaType, $uTracksPerCyl,
        $uSectsPerTrack, $uBytesPerSect) = splice(@fields, 0, 6);
    if ($uMediaType == FixedMedia) {   # MEDIA_TYPE is numeric
        print "FixedMedia\n";
    }
    CloseHandle($hObject);
    Comments?

    Well, so far it seems good (although I can't make QueryDosDevice work!)... But next step? To actually read sector by sector?

    (I've had some help from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/devio/base/calling_deviceiocontrol.asp )

    Thanks,
    Ace
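The sector-by-sector step the post asks about is a seek to a sector-aligned offset followed by ReadFile calls whose length is a multiple of BytesPerSector from the geometry query. The script below is an added example, not Ace128's code; it assumes the Win32API::File names createFile, DeviceIoControl, setFilePointer, ReadFile, CloseHandle and the FILE_BEGIN constant from the :FILE_ tag, that the device is //./PhysicalDrive3 from the post (//./P: would open the RAW volume itself), and that it runs from an administrator account, which raw device access on NT-family Windows requires. The image file name and the 128-sectors-per-read choice are its own.

```perl
#!/usr/bin/perl
# Added example: copy a range of sectors from a raw Windows disk or volume
# into an image file, read-only, using Win32API::File.
# Usage (elevated prompt):
#   perl rawsectors.pl //./PhysicalDrive3 part.img <first-sector> <sector-count>
use strict;
use warnings;
use Win32API::File qw(:Func :IOCTL_DISK_ :FILE_);

my ($device, $image, $first, $count) = @ARGV;
die "usage: $0 <//./device> <image-file> <first-sector> <sector-count>\n"
    unless defined $count;

# "r" = read access only, so nothing here can modify the damaged disk;
# "rw" share mode keeps an existing mount from blocking the open.
my $h = createFile($device, "r", "rw") or die "open $device: $^E\n";

# Sector size from IOCTL_DISK_GET_DRIVE_GEOMETRY (DISK_GEOMETRY is 24 bytes:
# LARGE_INTEGER Cylinders, MEDIA_TYPE, TracksPerCylinder, SectorsPerTrack,
# BytesPerSector). An explicit output length makes the module size the buffer.
my ($geom, $ret);
DeviceIoControl($h, IOCTL_DISK_GET_DRIVE_GEOMETRY, [], 0, $geom, 24, $ret, [])
    or die "DeviceIoControl: $^E\n";
my ($cylLow, $cylHigh, $media, $tracks, $spt, $bps) = unpack("L l I L L L", $geom);
print "bytes/sector=$bps sectors/track=$spt tracks/cyl=$tracks\n";

# Raw handles must be positioned on a sector boundary; setFilePointer (the
# lowercase wrapper, assumed here) takes the full byte offset, which exceeds
# 32 bits on a 200 GB disk.
if ($first > 0) {
    setFilePointer($h, $first * $bps, FILE_BEGIN)
        or die "seek to sector $first: $^E\n";
}

my $CHUNK_SECTORS = 128;      # 64 KiB per ReadFile with 512-byte sectors
open(my $out, '>:raw', $image) or die "create $image: $!\n";

my $done = 0;
while ($done < $count) {
    my $want = $count - $done;
    $want = $CHUNK_SECTORS if $want > $CHUNK_SECTORS;
    my ($buf, $got) = ('', 0);
    # ReadFile($hFile, $opBuffer, $lBytes, $olBytesRead, $pOverlapped)
    ReadFile($h, $buf, $want * $bps, $got, [])
        or die "ReadFile at sector ", $first + $done, ": $^E\n";
    last if $got == 0;                           # ran off the end of the device
    die "short read of $got bytes is not whole sectors\n" if $got % $bps;
    print {$out} substr($buf, 0, $got) or die "write $image: $!\n";
    $done += $got / $bps;
}
close $out or die "close $image: $!\n";
CloseHandle($h);
print "copied $done sector(s) (", $done * $bps, " bytes) to $image\n";
```

Start with a small range (the first few hundred sectors) to confirm the geometry and the device name are right before imaging the whole partition; once the sectors are in an ordinary file, the regex search can run against that file with plain Perl I/O, and the failing drive is touched only once.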