Backup & Recovery

By admin, 12 April, 2025

Storage Check and Recovery

Two powerful rescue utilities are available from CGSecurity:

TestDisk: checks the partition tables and boot sectors of your disks. It is very useful in forensics and for recovering lost partitions.

PhotoRec: file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the name Photo Recovery) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it still works even if the media's file system has been severely damaged or reformatted.
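The "ignore the file system, go after the underlying data" approach is signature carving: scan raw bytes for the header that opens a known file type and the trailer that closes it, and cut out everything in between. The following is an added example written for this page, not PhotoRec's source; the PNG and JPEG signatures are the real ones, the "disk image" it scans is constructed inline (filler bytes, a minimal PNG, a minimal JPEG and a truncated PNG whose IEND is missing), and the carver itself is simplified: it checks every byte offset instead of sector boundaries and does not parse the files' internal structure.

```c
/* carve.c: signature-based carving over raw bytes, the approach PhotoRec's
 * description refers to. Illustrative code written for this page, not
 * PhotoRec's own source; the sample "disk image" below is constructed inline. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;
    const unsigned char *magic;   /* bytes that open the file */
    size_t mlen;
    const unsigned char *trailer; /* bytes that close it */
    size_t tlen;
} sig;

static const unsigned char PNG_MAGIC[]  = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
static const unsigned char PNG_END[]    = {'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};
static const unsigned char JPEG_MAGIC[] = {0xFF, 0xD8, 0xFF};
static const unsigned char JPEG_END[]   = {0xFF, 0xD9};

static const sig SIGS[] = {
    {"png",  PNG_MAGIC,  sizeof PNG_MAGIC,  PNG_END,  sizeof PNG_END},
    {"jpeg", JPEG_MAGIC, sizeof JPEG_MAGIC, JPEG_END, sizeof JPEG_END},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { const char *type; size_t offset; size_t length; } carved;

/* Portable memmem(): first occurrence of needle in haystack, or NULL. */
static const unsigned char *find_bytes(const unsigned char *h, size_t hlen,
                                       const unsigned char *n, size_t nlen) {
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(h + i, n, nlen) == 0) return h + i;
    return NULL;
}

/* Walk the image: take the earliest header of any known type, then look for
 * that type's trailer after it. A header with no trailer (truncated file) is
 * skipped. Returns the number of files found; only cap entries are written. */
static size_t carve(const unsigned char *img, size_t len, carved *out, size_t cap) {
    size_t n = 0, pos = 0;
    while (pos < len) {
        const sig *best = NULL;
        size_t start = len;
        for (size_t s = 0; s < NSIGS; s++) {
            const unsigned char *h = find_bytes(img + pos, len - pos, SIGS[s].magic, SIGS[s].mlen);
            if (h && (size_t)(h - img) < start) { start = (size_t)(h - img); best = &SIGS[s]; }
        }
        if (!best) break;
        size_t body = start + best->mlen;
        const unsigned char *t = find_bytes(img + body, len - body, best->trailer, best->tlen);
        if (!t) { pos = start + 1; continue; }
        size_t end = (size_t)(t - img) + best->tlen;
        if (n < cap) out[n] = (carved){best->name, start, end - start};
        n++;
        pos = end;
    }
    return n;
}

static void put(unsigned char *buf, size_t *pos, const void *src, size_t n) {
    memcpy(buf + *pos, src, n);
    *pos += n;
}

/* Constructed sample image (caller supplies at least 128 bytes): filler, a
 * minimal PNG, filler, a minimal JPEG, filler, then a PNG header whose file
 * was truncated before IEND. Returns the image length (99 bytes). */
static size_t build_sample_image(unsigned char *buf) {
    static const unsigned char png_body[]  = {'x','x','x','x','I','H','D','R','x','x','x','x'};
    static const unsigned char jpeg_body[] = {0xE0,'j','j','j','j','j','j','j','j','j'};
    unsigned char filler[16];
    size_t pos = 0;
    memset(filler, '.', sizeof filler);
    put(buf, &pos, filler, sizeof filler);          /* bytes 0..15            */
    put(buf, &pos, PNG_MAGIC, sizeof PNG_MAGIC);    /* 16..23: PNG header     */
    put(buf, &pos, png_body, sizeof png_body);      /* 24..35                 */
    put(buf, &pos, PNG_END, sizeof PNG_END);        /* 36..43: IEND           */
    put(buf, &pos, filler, sizeof filler);          /* 44..59                 */
    put(buf, &pos, JPEG_MAGIC, sizeof JPEG_MAGIC);  /* 60..62: JPEG header    */
    put(buf, &pos, jpeg_body, sizeof jpeg_body);    /* 63..72                 */
    put(buf, &pos, JPEG_END, sizeof JPEG_END);      /* 73..74: EOI            */
    put(buf, &pos, filler, sizeof filler);          /* 75..90                 */
    put(buf, &pos, PNG_MAGIC, sizeof PNG_MAGIC);    /* 91..98: truncated PNG  */
    return pos;
}

int main(void) {
    unsigned char img[128];
    carved found[8];
    size_t len = build_sample_image(img);
    size_t n = carve(img, len, found, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("%-4s at offset %zu, %zu bytes\n", found[i].type, found[i].offset, found[i].length);
    return 0;
}
```

On the sample image this reports the PNG at offset 16 (28 bytes) and the JPEG at offset 60 (15 bytes) and ignores the truncated header at offset 91. A real carver additionally validates structure (PNG chunk lengths, JPEG segment markers) because a trailer search alone gives wrong lengths when files are fragmented, which is exactly the case where file-system-based recovery has already failed.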

Secure Delete Right Click Menu

This right-click menu entry wipes a file at one of three strength levels so that it cannot be recovered afterwards. It relies on the secure-delete package, whose srm command overwrites a file before unlinking it; srm itself offers three strengths (one random pass with -l -l, two passes with -l, or the full 38-pass sequence by default). Setting the menu up takes two steps:

  1. Install secure-delete with administrative privileges.
  2. Download the Secure Delete extension for the Dolphin file manager.
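What the three levels mean in practice is easier to see in code than in a menu. The following is an added example written for this page, not the secure-delete package's own source: it overwrites a regular file with one, two or 38 passes (srm's pass counts; the patterns used here are a simplification of srm's Gutmann sequence), fsyncs after each pass, then truncates and unlinks. It refuses symlinks and non-regular files, a check worth keeping in any wiper that is exposed through a file-manager menu.

```c
/* wipe.c: overwrite-then-unlink with the three strength levels srm offers
 * (srm -l -l, srm -l, plain srm). Illustrative code written for this page,
 * not the secure-delete package's own source; the pass patterns are a
 * simplification of what srm actually writes. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum wipe_level { WIPE_QUICK = 1, WIPE_REDUCED = 2, WIPE_FULL = 3 };

/* Pass counts per level, matching srm: -l -l gives one random pass,
 * -l gives two passes, and the default is 38 passes. */
static int passes_for(enum wipe_level lvl) {
    switch (lvl) {
    case WIPE_QUICK:   return 1;
    case WIPE_REDUCED: return 2;
    default:           return 38;
    }
}

static int fill_random(int rnd, unsigned char *buf, size_t n) {
    while (n > 0) {
        ssize_t r = read(rnd, buf, n);
        if (r <= 0) return -1;
        buf += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Overwrite every byte of a regular file `passes` times, fsync()ing after each
 * pass so the data reaches the device before the next one. Fixed patterns
 * (0x00, 0xff) alternate with random data; the last pass is always random.
 * Symlinks and non-regular files are refused. Returns 0 on success, -1 on error. */
static int overwrite_file(const char *path, int passes) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    int rnd = open("/dev/urandom", O_RDONLY);
    if (rnd < 0) { close(fd); return -1; }
    unsigned char buf[4096];
    int ok = 0;
    for (int p = 0; p < passes && ok == 0; p++) {
        int random_pass = (p == passes - 1) || (p % 3 == 2);
        if (!random_pass) memset(buf, (p % 3 == 0) ? 0x00 : 0xFF, sizeof buf);
        if (lseek(fd, 0, SEEK_SET) != 0) { ok = -1; break; }
        off_t left = st.st_size;
        while (left > 0) {
            size_t chunk = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
            if (random_pass && fill_random(rnd, buf, chunk) != 0) { ok = -1; break; }
            ssize_t w = write(fd, buf, chunk);
            if (w <= 0) { ok = -1; break; }
            left -= w;
        }
        if (ok == 0 && fsync(fd) != 0) ok = -1;
    }
    close(rnd);
    close(fd);
    return ok;
}

/* After the passes: truncate (so the old size is not left in the inode), then
 * unlink. srm additionally renames the file to a random name first; omitted here. */
static int secure_delete(const char *path, enum wipe_level lvl) {
    if (overwrite_file(path, passes_for(lvl)) != 0) return -1;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_TRUNC);
    if (fd < 0) return -1;
    close(fd);
    return unlink(path);
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <1|2|3> <file>\n", argv[0]); return 2; }
    int lvl = atoi(argv[1]);
    if (lvl < 1 || lvl > 3) { fprintf(stderr, "level must be 1, 2 or 3\n"); return 2; }
    if (secure_delete(argv[2], (enum wipe_level)lvl) != 0) { perror(argv[2]); return 1; }
    return 0;
}
```

Two caveats apply to srm just as much as to this example. Overwriting in place only helps where the file system writes back to the same blocks: on SSDs with wear levelling, on copy-on-write file systems such as btrfs, and on journaled file systems with data journaling, old copies can survive every pass, so full-disk encryption is the reliable answer there. And none of this touches copies elsewhere (editor backups, thumbnails, swap), which is what sfill and sswap from the same package are for.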

Chkrootkit Scanner

The chkrootkit security scanner searches the local system for signs that it is infected with a 'rootkit'. Rootkits are sets of programs and hacks designed to take control of a target machine by exploiting known security flaws. The package consists of:

  • chkrootkit: a shell script that checks system binaries for rootkit modification.
  • ifpromisc.c: checks if the network interface is in promiscuous mode.
  • chklastlog.c: checks for lastlog deletions.
  • chkwtmp.c: checks for wtmp deletions.
  • check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
  • chkproc.c: checks for signs of LKM trojans.
  • chkdirs.c: checks for signs of LKM trojans.
  • strings.c: quick and dirty strings replacement.
  • chkutmp.c: checks for utmp deletions.

chkwtmp and chklastlog *try* to check for deleted entries in the wtmp and lastlog files, but it is *not* guaranteed that any modification will be detected.

The aliens test tries to find sniffer logs and rootkit configuration files. It only looks in some default file locations, so it is also not guaranteed to succeed in all cases.

chkproc checks whether /proc entries are hidden from ps and from the readdir system call. This can be an indication of an LKM trojan. You can also run it with the -v (verbose) option.
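The core of that check is a comparison of two views of the process table. The following is an added example written for this page, not chkrootkit's own chkproc.c: view one is what readdir(3) returns under /proc, view two is a kill(pid, 0) probe of every pid up to pid_max (a signal number of 0 delivers nothing but still tells you whether the pid exists). A pid the kernel accepts but readdir never listed is hidden from ps, which is what an LKM rootkit that filters readdir produces. The PID_LIMIT ceiling and the reading of /proc/sys/kernel/pid_max are assumptions of this example.

```c
/* hiddenproc.c: the discrepancy chkproc looks for, in miniature. View 1 is
 * what readdir(3) on /proc reports; view 2 is a kill(pid, 0) probe of every
 * possible pid. A pid the kernel accepts but readdir never listed is hidden.
 * Illustrative code written for this page, not chkrootkit's own chkproc.c. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define PID_LIMIT 4194304   /* assumed ceiling: the largest pid_max Linux allows on 64-bit */

typedef struct { unsigned char bits[PID_LIMIT / 8]; } pidset;   /* 512 KiB bitmap; heap-allocate */

static void pidset_add(pidset *s, pid_t p) {
    if (p > 0 && p < PID_LIMIT) s->bits[p / 8] |= (unsigned char)(1u << (p % 8));
}
static void pidset_del(pidset *s, pid_t p) {
    if (p > 0 && p < PID_LIMIT) s->bits[p / 8] &= (unsigned char)~(1u << (p % 8));
}
static int pidset_has(const pidset *s, pid_t p) {
    return p > 0 && p < PID_LIMIT && ((s->bits[p / 8] >> (p % 8)) & 1);
}

/* Current pid_max from the kernel, with the classic default as fallback. */
static pid_t read_pid_max(void) {
    long v = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 32768; fclose(f); }
    return (pid_t)(v < PID_LIMIT ? v : PID_LIMIT - 1);
}

/* View 1: every all-digit entry readdir() returns under /proc. Returns the
 * number of pids seen, or -1 if /proc cannot be read. */
static int list_proc_pids(pidset *s) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long v = strtol(e->d_name, &end, 10);
        if (e->d_name[0] != '\0' && *end == '\0' && v > 0) { pidset_add(s, (pid_t)v); n++; }
    }
    closedir(d);
    return n;
}

/* View 2: kill() with signal 0 delivers nothing but answers "does this pid
 * exist?". EPERM means it exists and belongs to another user. */
static int pid_alive(pid_t p) {
    if (kill(p, 0) == 0) return 1;
    return errno == EPERM;
}

/* Every pid in 1..max that is alive but absent from the readdir view.
 * Returns the count (may exceed cap; only cap pids are written to out). */
static int find_hidden(const pidset *listed, pid_t max, pid_t *out, int cap) {
    int n = 0;
    for (pid_t p = 1; p <= max; p++)
        if (!pidset_has(listed, p) && pid_alive(p)) { if (n < cap) out[n] = p; n++; }
    return n;
}

/* Full scan. Processes can start between the listing and the probe, so each
 * candidate is re-checked against a fresh listing before being reported.
 * Returns the number of hidden pids, or -1 if /proc could not be read. */
static int scan_hidden(pid_t *out, int cap) {
    pidset *first = calloc(1, sizeof *first), *second = calloc(1, sizeof *second);
    pid_t *cand = calloc((size_t)cap, sizeof *cand);
    int n = -1;
    if (first && second && cand && list_proc_pids(first) > 0) {
        int nc = find_hidden(first, read_pid_max(), cand, cap);
        if (nc > cap) nc = cap;
        n = 0;
        if (nc > 0) {
            if (list_proc_pids(second) > 0) {
                for (int i = 0; i < nc; i++)
                    if (!pidset_has(second, cand[i]) && pid_alive(cand[i])) out[n++] = cand[i];
            } else {
                n = -1;
            }
        }
    }
    free(cand); free(first); free(second);
    return n;
}

int main(void) {
    pid_t hidden[64];
    int n = scan_hidden(hidden, 64);
    if (n < 0) { fprintf(stderr, "cannot read /proc\n"); return 2; }
    for (int i = 0; i < n; i++)
        printf("pid %ld is alive but hidden from readdir(/proc)\n", (long)hidden[i]);
    printf("%d hidden process(es)\n", n);
    return n ? 1 : 0;
}
```

Two things a practitioner should keep in mind when reading a hit. A /proc mounted with hidepid=2 makes other users' processes invisible to readdir for an unprivileged caller while kill(pid, 0) still returns EPERM, so run the scan as root or expect false positives. And a rootkit that hooks the system call table can lie to kill() as well as to readdir(); like chkrootkit as a whole, this only catches the rootkits that hide from one interface and forget the other, which is why the page warns that detection is not guaranteed.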

Rootkits, Worms and LKMs detected

For an updated list of rootkits, worms and LKMs detected by chkrootkit please visit: http://www.chkrootkit.org/