Network hard disk data protection and recovery genie practices

Source: Internet
Author: User

I. Protection and Restoration of software systems

For a long time, places with many machines and a constant flow of people, such as school computer rooms and Internet cafes, have made the system administrator's work very tedious: systems often need to be reinstalled and viruses removed. How to protect and restore the operating system and software already on the hard disk has become a topic of discussion.

In principle, the protection and restoration methods of the system are divided into three types: protection, restoration, and virtual restoration.

1. System Protection

System protection means preventing important information on the hard disk from being damaged by blocking registry rewrites and file I/O operations. Users are placed in a preset environment and can only do what the protection software allows them to do. This method imposes many constraints on users and has great limitations. It also intervenes heavily in operating system processes, which affects running efficiency. Representative software based on this idea includes Meiping, master of network management, and Fang Zhu. In addition, you can manually modify the registry to hide some system functions.

System protection is like flood control: a dike can still be breached through an ant nest, and in the same way not every hole in the system can be guarded. In fact, highly skilled users have ways of dealing with these holes. In addition, each operating system upgrade changes some system functions, and this software must be modified accordingly, which leaves it always reacting. In general, such software is passive defense by design, and the effect is not very satisfactory.

System protection only limits some operations. The data on the hard disk still changes dynamically and cannot be restored, as needed, to the system content at a certain point in time.

2. System Restoration

System restoration means backing up all or part of the system content in advance. When the system crashes or becomes so disordered that it would need to be reinstalled, the backup is restored, returning the system content to the backup point. This method does not interfere with user operations or system processes. The simplest and most primitive restoration method is to clone or copy the system one-to-one onto an identical hard disk. A better way is to use GHOST or WINIMAGE to make an image of the system partition (usually the C disk) and save it to another hard disk or partition.

Compared with system protection, system restoration has many advantages, but it also has obvious disadvantages: it takes a lot of hard disk space and a lot of restoration time. These shortcomings impede its use in practical work. Apart from home users and some important departments that use this method for important data, schools and Internet cafes seldom adopt this "stupid" approach.

The distinguishing feature of system restoration is that you can restore the system to the backup point as needed.

3. Virtual Restoration

The principle of virtual restoration is actually based on system protection, but its protection sits at the lowest level of the system and loads before the operating system, similar to a boot-sector virus. It may interfere with system processes, but this interference is almost imperceptible. It does not interfere with any user operation. For ordinary users it is transparent, as if it did not exist at all.

Virtual restoration is also similar to system restoration: you can "back up" the system as needed. This backup is very fast and completes in at most 10 seconds. It occupies very little hard disk space, less than 1‰ of the data volume. The restoration speed is equally striking: it also takes at most a dozen seconds.

Because virtual restoration combines the advantages of system protection and system restoration while avoiding their most important disadvantages as far as possible, software based on virtual restoration is increasingly favored by users. Representative products include the recovery genie, virtual restoration, and hard disk recovery cards (which are in fact software placed on hardware, mainly to prevent piracy).

The protection offered by virtual restoration looks amazing. If you understand how system restoration works, its figures, from hard disk usage to restoration speed, seem absolutely incredible. Its protection principle is analyzed further in the next section.

II. Working Principle of Virtual Restoration

I don't know the authors of these virtual restoration programs and have had no chance to ask them, so the following discussion of the working principle is based on Yuren's own conjecture and speculation. If you are not interested in the principle, you can skip this part.

1. Principles of file storage allocation

We know that, apart from BOOT, the most important data areas on the hard disk are ROOT (the root directory) and FAT (the file allocation table). ROOT records the attributes, size, date, and starting cluster (on a floppy disk, the starting sector) of each file or subdirectory. The FAT table records the usage and distribution of each cluster.

Normally, when we add a new file to the hard disk, the OS (operating system) first fills in the file attributes in ROOT, finds an empty cluster in the FAT table according to a certain algorithm, marks it as occupied by this file, records this cluster in ROOT as the starting cluster, and then writes the file content to the cluster. If the file has not been completely written, the system finds another empty cluster in the FAT, marks it as occupied, and makes a pointer to the new cluster at the end of the previous cluster, forming a singly linked list, then continues writing content in the new cluster. This repeats until the file content is fully recorded. Finally, the system calculates the file size from the total number of clusters occupied and writes the current time to ROOT.

When we delete a file, the system does not actually clear the content of each cluster. Instead, it only replaces the first character of the file name in ROOT with the & symbol, which marks the file as deleted, and follows the linked list to release all the clusters occupied by the file in the FAT table (marking them as empty), so that these released clusters can be used when new files are written.

When we change the attributes or name of a file, the system only makes some changes in ROOT.

Files in subdirectories are slightly more complex. Their directory information is not recorded in ROOT but in the first cluster that the subdirectory entry points to, which is in effect a SUBROOT.

Actual hard disk storage is much more complex. For example, the FAT table also has a secondary table for fault tolerance. Since we are only discussing the principle of virtual restoration, we will not go deeper here; this brief description is enough.

2. Protection Principle of Virtual Restoration

According to Yuren's speculation, virtual restoration software works like this:

It first backs up the ROOT, SUBROOT, and FAT tables. The software then saves the backup data and its working parameters (password, automatic recovery time, and so on) on the hard disk. The space they occupy is also protected.

When you delete or rename a file or modify its attributes, the system processes the request as normal and the restoration software does not interfere, because these operations touch only the ROOT and FAT tables and do not alter anything in the data zone. The software has already backed up both tables, so they can be completely restored when necessary.

The most complex case is the addition of new files. To protect the original data, the restoration software does not allow any overwrite of a protected cluster, even if the current FAT table marks it as empty. By comparing against the backup FAT table, the restoration software requires the OS (operating system) to find a different cluster whenever the cluster is marked as in use in the backup table. In this way, the data in the data zone is never overwritten.

This is simple to say, but the OS does not know that RECOVERY (the virtual restoration software) has been installed in the system, so it will find the same cluster again using the same algorithm. An infinite loop would form and the task could never complete.

Alternatively, if RECOVERY does not release the FAT entries when files are deleted, the OS naturally avoids the protected clusters when looking for a new cluster, but a new problem appears: SCANDISK will report many lost clusters.

Or RECOVERY behaves just like a virus: it shows us a fake ROOT so that we think the file has been deleted, while the ROOT on the hard disk has not changed at all. This is very similar to the old DIR2 virus.

In fact, I have always felt that RECOVERY works like a virus. At the very least, after installation the system's ANTI-VIRUS function must be set to DISABLE; otherwise the system will raise an alarm and the software cannot work.

Recovering data is then quite simple: RECOVERY writes back all the backed-up ROOT, SUBROOT, and FAT tables. This is only a small amount of content, so naturally it is restored quickly.

We do not need a deep understanding of how RECOVERY works in concert with the OS. The methods used by different RECOVERY software may vary, as may the degree to which they interfere with the system. We only need to understand that it works in the manner of system protection, saves only a small amount of data, and can quickly restore the protected content. This is enough.
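The protection rule conjectured above can be checked with a small simulation. This is an added example, not code from any recovery product or from the original article; the `ToyDisk` class, its methods, and the file names are constructed for illustration, and the cluster chain is kept in the FAT table itself. It runs the same delete-then-write sequence with and without the rule that clusters used in the backup FAT are never reused.

```python
FREE, EOC = None, -1   # FAT entry values: unused cluster / end of chain
class ToyDisk:         # constructed model: ROOT + FAT + data zone
    def __init__(self, n, protect=True):
        self.fat, self.data = [FREE] * n, [b""] * n   # FAT entries; data zone
        self.root, self.backup, self.protect = {}, None, protect

    def snapshot(self):                         # copies the tables, never the data
        self.backup = (dict(self.root), list(self.fat))

    def _alloc(self):  # assumed rule: clusters used in the backup FAT stay off-limits
        held = self.backup[1] if self.protect and self.backup else self.fat
        for c, entry in enumerate(self.fat):
            if entry is FREE and held[c] is FREE:
                return c
        raise OSError("no unprotected free cluster")

    def write(self, name, chunks):
        prev = None
        for chunk in chunks:
            c = self._alloc()
            self.fat[c], self.data[c] = EOC, chunk
            if prev is None:
                self.root[name] = c             # starting cluster goes in ROOT
            else:
                self.fat[prev] = c              # extend the chain
            prev = c

    def delete(self, name):                     # frees the chain, leaves the data
        c = self.root.pop(name)
        while c != EOC:
            self.fat[c], c = FREE, self.fat[c]

    def read(self, name):
        out, c = b"", self.root[name]
        while c != EOC:
            out, c = out + self.data[c], self.fat[c]
        return out

    def restore(self):                          # write back only the small tables
        self.root, self.fat = dict(self.backup[0]), list(self.backup[1])

def scenario(protect):
    d = ToyDisk(8, protect)
    d.write("sys.dat", [b"AAAA", b"BBBB"])      # constructed "system" file
    d.snapshot()
    d.delete("sys.dat")
    d.write("junk.tmp", [b"xxxx", b"yyyy"])     # new data after the backup point
    d.restore()
    return d.read("sys.dat")                    # intact only if protect=True
```

With the rule disabled, restoring the tables brings back the directory entry and chain for `sys.dat`, but the clusters they point to now hold the newer file's bytes. With the rule enabled, the disk also fills sooner, because freed clusters that the backup still references cannot be reused.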

3. One Note

The content of the first two sections is rather theoretical and dry, and I expect many friends will be reluctant to read it. But too many friends, including technicians from Yuren's company, have kept asking the same question: how does RECOVERY work? So I have not minded writing at such length.

In addition, the classification of protection methods came out of Yuren's own head, without reference to authoritative writings, so it may be a bit ridiculous. Similarly, the working principle of the hard disk is something Yuren learned a long time ago and retains only an impression of. When I wrote about the hard disk, I did not check the relevant material; I just looked at the ceiling and wrote from memory, so errors are inevitable. I hope you will take it in the spirit intended. I will be very grateful if you can correct me!

Let's move on to the next section.

III. Introduction to Virtual Restoration Software

In fact, I have only used one program, the most widely used one: Recovery Genius (the recovery genie). However, I have studied three versions of it separately, so I have a little experience. Another program, called "virtual restoration", was tried by a friend; it is similar to Recovery Genius, and I have not compared the two carefully. As for hard disk recovery cards, I think that, like the Chinese cards and anti-virus cards of the past, they are specific products of a specific period: software can only be made into hardware to sell well, in order to buy a well-known item.

1. CD Recovery Genius

The first version I got was a CD, and a serial number was required during installation. It is installed from the CD. The entire micron disc has only a tiny bit of content in the middle, which is a huge waste (a waste of my CD-R disc). The disc is actually encrypted: the size of Boot.img, the important file on it, is shown as 1.8 GB (fake!). But under my Nero 5.5.0.4 this protection is vulnerable, and I simply copied it. It was only when I wanted to take something useful off the CD that I found the file size had been tampered with. I thought at the time: Recovery Genius is as small as a virus, so does it need a large disc as a carrier? The things on this CD are actually useless; only its boot part is really useful.

Therefore, I used Nero to create an image file of the CD (WinImage and similar tools also work), read it with Cdmage, and separated out its BOOTUP part, which is an image of a M boot floppy disk. Finally, I wrote the separated img file to a floppy disk using WinImage, and so Recovery Genius was turned into a floppy disk.

Take a closer look at this floppy disk. Apart from Command.com, the entire disk is empty. The remaining space is more than MB, so it is almost an empty disk. The software can only be installed at startup. Needless to say, everything is in the boot sector. The more you look, the more it resembles a virus!

If you are interested in this floppy disk, I will upload the image for you to download when I can find some space. The serial number is not provided. The current Crack site
