• Posted on February 8, 2017 11:55 am
    Joseph Forbes
    No comments

    Do you suspect your email account has been hacked? Can't log in to your email account? Are you getting undeliverable and bounce messages for email you never sent? Are friends and family complaining of receiving email you never sent? Is it malware? A hacker? Here's how to tell.

    Undeliverable and Bounce Messages

    Spammers frequently spoof the From sender on the email they send. They just substitute their real email address with a random email address found on a mailing list or one just randomly made up. Some poorly configured email gateway products don't distinguish between the manually editable "From" address and the actual sender origin, so they simply send any undeliverable messages to the spoofed From address. To better understand how this works, and help you track down the real origin of an email, see: Reading Email Headers.

    Best defense: Simply delete the undeliverable/bounce messages.

    In other cases, email worms will send themselves disguised as an undeliverable/bounce message. The bogus email contains either a link or an attachment. Clicking the link or opening the attachment leads directly to a copy of the worm. Your best course is to learn to overcome curiosity.

    Best defense: If you receive an undeliverable or bounce message for an email you know you did not send, resist the temptation to open the attachment or click the link. Just delete the email.

    Unable to log in to your email account

    If you are unable to log in to your email account due to an invalid password, it's possible that someone has gained access and changed the password. It's also possible that the email service is experiencing a system outage of some sort. Before you panic, make sure your email provider is functioning normally.

    Best defense: Prevention is key. Most email providers offer a password recovery option. If you have even a hint of concern that your email password has been compromised, change your password immediately. If you specified an alternate email address as part of the password recovery, make sure that address is active and be sure to monitor the account regularly. In some cases, you may need to call your email provider and request a reset. If you go that route, be sure to change your password from the one provided during the phone call. Be sure to use a strong password.

    Email appearing in Sent Items folder

    If copies of the sent email are appearing in your Sent Items folder, then it's likely that some type of email worm might be involved. Most modern-day malware won't leave such tell-tale signs behind, so it, fortunately, would be indicative of an older, more easily removed threat.

    Best defense: Update your existing antivirus software and run a full system scan.

    Email is sent to address book, does not appear in the Sent folder, and it's a webmail account

    The most likely cause is phishing. Chances are at some point in the past, you were tricked into divulging your email username and password. This enables the attacker to log in to your webmail account and send spam and malicious email to everyone in your address book. Sometimes they also use the hijacked account to send to strangers. Generally, they remove any copies from the Sent folder to avoid easy detection.

    Best defense: Change your password. Make sure you've checked the validity of any alternate email addresses included in the password recovery settings first.

    Symptoms don't match the above

    Best defense: Make sure you do a thorough check for a malware infection. Fully scan your system with installed up-to-date antivirus software and then get a second opinion with one of these free online scanners.

    Receiving complaints from friends, family, or strangers

    One of the problems with spoofed, hijacked or hacked email is that it can also lead to responses from angry recipients. Stay calm - remember, the recipients are just as much victims as you.

    Best defense: Explain what happened and use the experience as an educational opportunity to help others avoid the same plight.
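The difference between the editable "From" address and the actual sender origin, described under "Undeliverable and Bounce Messages" above, can be read straight from a message's headers. The following is an added example, not code from the original post; the two sample messages, every host name, address and IP in them, and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of a spam message as quoted inside a bounce.
# "From" claims example.com, but the envelope sender and first hop do not.
SPOOFED = """\
Return-Path: <bulk-7781@mailer.invalid>
Received: from mx.example.net (mx.example.net [198.51.100.20])
\tby inbox.example.net with ESMTP id A1; Wed, 08 Feb 2017 11:40:03 +0000
Received: from unknown (HELO pc-17) (203.0.113.45)
\tby mx.example.net with SMTP id B2; Wed, 08 Feb 2017 11:40:01 +0000
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=mailer.invalid;
\tdkim=none;
\tdmarc=fail header.from=example.com
From: "You" <you@example.com>
To: stranger@example.org
Subject: Great offer

body
"""

# Constructed sample: a message that really left example.com's own server.
GENUINE = """\
Return-Path: <you@example.com>
Received: from out.example.com (out.example.com [192.0.2.10])
\tby mx.example.net with ESMTPS id C3; Wed, 08 Feb 2017 09:00:00 +0000
Authentication-Results: mx.example.net;
\tspf=pass smtp.mailfrom=example.com;
\tdkim=pass header.d=example.com;
\tdmarc=pass header.from=example.com
From: "You" <you@example.com>
To: friend@example.org
Subject: Lunch?

body
"""


def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def origin_ip(msg):
    """IP recorded in the bottom-most Received header (the earliest hop).

    Hops added before the message reached your own provider can be forged,
    so treat this as a lead, not proof.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = re.search(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]", hops[-1])
    return m.group(1) if m else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts written by the receiving server."""
    text = " ".join(msg.get_all("Authentication-Results") or [])
    found = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)
    return {k.lower(): v.lower() for k, v in found}


def analyze(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    auth = auth_results(msg)
    reasons = []
    mismatch = bool(env_dom) and env_dom != from_dom
    if mismatch:
        reasons.append(f"envelope sender {env_dom} differs from From {from_dom}")
    for check in ("spf", "dkim", "dmarc"):
        if auth.get(check) in ("fail", "softfail"):
            reasons.append(f"{check}={auth[check]}")
    # A mismatch alone is not proof (mailing services use their own bounce
    # domains); require a DMARC failure, or a mismatch with nothing passing.
    spoofed = auth.get("dmarc") == "fail" or (
        mismatch and "pass" not in (auth.get("spf"), auth.get("dkim")))
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "origin_ip": origin_ip(msg), "auth": auth,
            "reasons": reasons, "likely_spoofed": spoofed}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, analyze(raw))
```
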

    Blog Entry, Data Recovery, Hacking
  • Posted on January 5, 2017 11:24 am
    Joseph Forbes
    No comments

    You’re not really sure How the Heck They Got Your Password, but they did, and now you’re freaking out. The password to one of your accounts has been cracked and you don’t know what to do to get back control of your account. Let’s look at several things you can do to get control of your account and get things back to a secure state:

    If Someone Cracked Your Password But You Can Still Log Into Your Account

    The worst case scenario is that your account password gets hacked and the hackers change your password. Hopefully the security questions that you answered when you set up your account will help you regain control of your account and allow you to reset your password back and lock them out.

    What if there aren’t any security questions? Many accounts have a password reset process that will allow you to initiate a reset using an email account that you have on file with the account provider. Unless the hacker has changed this email address, you should be able to regain control of your account by having the password reset link sent to your email.

    If They’ve Taken Control Of Your Account and Locked You Out By Changing The Password

    If the person who cracked your password has locked you out by changing your password then getting it reset might be a little more complicated. You may need to contact the account support line of the account provider and explain the situation; they should be able to verify that you are who you say you are via other means such as by looking at the phone numbers you have on file, verifying your address, or reviewing the answers to your security questions.

    Make sure that you inform the account provider that this just happened and that any new information recently added to your account is false and that you want to place your account on hold until everything is sorted out. Reporting the password hack quickly is essential to limiting the damage.

    If The Account Was Your Main Email Account

    If your main email account is hacked then things can become even more complicated because, chances are, you have a lot of other accounts pointing to your email account for password reset purposes.

    Thankfully most email providers have multiple ways of verifying that you are who you say you are. Follow their account password reset procedures and if all else fails contact their account support.

    The next step you should take after resetting your main (hacked) email account password is to change all passwords for any other account that you have that points to that account for password reset purposes. The reason: the password crackers could have initiated password resets for those other accounts.

    Steps to Take To Prevent it From Happening Again:

    Make Your Next Password Much Stronger

    When creating passwords to replace ones that have been cracked, you need to create a much stronger, longer, and more complex password. For tips on creating strong passwords, check out our article: How to Make a Strong Password.

    Use Two-factor Authentication If It’s Offered

    Another way to prevent future account compromises is to enable two-factor authentication on the accounts that support it. Two-factor authentication usually requires some kind of token, such as a PIN that is sent by the account provider via an already established communication line that you have verified, such as a mobile phone or secondary email account. Other methods of two-factor authentication use fingerprint readers such as those featured on newer iPhones, iPads, and some Android devices.

    Linking these devices to your account works in two ways. If you never lose your phone, you will always be notified when you or someone else is accessing your online accounts. If you lose your phone, then someone has your whole life in their hands.

    Blog Entry, DATA, Data Recovery
  • Posted on January 3, 2017 12:00 pm
    Joseph Forbes
    No comments

    Keeping track of passwords can seem like a hassle. Most of us have multiple sites we visit which require password logins. So many, in fact, that it's tempting to use the same username/password combo for all of them. Don't. Otherwise, it takes only the compromise of a single site's credentials to have a toppling domino effect on the security of all your online assets.

    Fortunately, there is a fairly straightforward way to have different passwords for each site you use but still make the passwords easy enough to remember.

    Creating Unique Passwords

    Before you begin creating strong passwords, you need to consider the use of those passwords. The intent is to create strong passwords unique to each account, but easy enough to memorize. To do this, first begin by splitting the sites you frequently log in to into categories. For example, your category list might read as follows:

      • social networking sites
      • auction sites
      • ecommerce sites
      • email accounts
      • banking sites
      • forums

    A word of note here about forums. Never use the same password for a site's forum as you would for logging into the site itself. Generally speaking, the security on forums is not as strong as it is (or should be) for the regular site and thus the forum becomes the weakest link in their security. This is why, in the example above, forums are split into a separate category.

    Now that you have your categories, under each appropriate category, list the sites to which you must log in. For example, if you have a Hotmail, Gmail, and Yahoo account, list these under the category 'email accounts'. After you've completed the list, you're ready to begin creating the strong, unique, and easy-to-remember passwords for each.

    Creating Strong Passwords

    A strong password should be 14 characters. Each character less than that makes it a little easier to compromise. If a site absolutely won't allow a password that long, then adapt these instructions accordingly.

    Using the 14 character password rule, use the first 8 characters as the common portion to all passwords, the next 3 to customize by category, and the last 3 to customize by site. So the end result ends up like this:

        common(8)|category(3)|site(3)

    Following this simple rule, when you change your passwords in the future - which, remember, you should do often - you'll only need to change the first common 8 characters of each.

    One of the commonly recommended means of remembering a password is to first create a passphrase, modify it to the character limit, then begin swapping characters for symbols. So to do that:

    1. Come up with an 8-word passphrase that is easy to remember.
    2. Take the first letter of each word to form the password.
    3. Substitute some of the letters in the word with keyboard symbols and caps (symbols are better than caps).
    4. Tack on a three letter abbreviation for the category, also replacing one of the letters with a symbol.
    5. Tack on a site specific three letter abbreviation, again replacing a single letter with a symbol.

    As an example:

    In step 1 we might use the passphrase: my favorite uncle was an air force pilot

    Using the first letters of each word, we end up with: mfuwaafp

    Then we swap some of those characters with symbols and caps: Mf{w&A5p

    Then we tack on the category (i.e. ema for email) and swap out one character of ema: e#a

    Finally, we add the site abbreviation (i.e. gma for gmail) and swap out one character: gm%

    We now have a password for our gmail account of Mf{w&A5pe#agm%

    Repeat for each email site, so perhaps you end up with:

        Mf{w&A5pe#agm%
        Mf{w&A5pe#aY%h
        Mf{w&A5pe#aH0t

    Now repeat these steps for the additional categories and sites within those categories. While this may look hard to remember, here's a tip to simplify - decide in advance what symbol you will equate with each letter.

    Blog Entry, Data Recovery, Hacking
  • Posted on December 30, 2016 10:00 am
    Joseph Forbes
    No comments

    It's a really awful way to start a day: you press the power button on your computer and nothing happens. Few computer problems are more frustrating than when your computer won't boot.

    There are many reasons why a computer won't turn on and often very few clues about what might be the problem. The only symptom is usually the simple fact that "nothing works", which isn't much to go on. Add to this the fact that whatever is causing your computer not to start could be an expensive part of your PC to replace - like the motherboard or CPU.

    Do not fear because all may not be lost! Here's what you need to do:

      • Read #1 below (it'll make you feel better).
      • Pick the best troubleshooting guide (#2 - #9) based on how your computer is acting or #10 if your PC stops at any point because of an error message.

    Note: The "computer won't start" troubleshooting guides below apply to all PC devices. In other words, they'll help if your desktop or laptop won't turn on, or even if your tablet won't turn on. I'll call out any important differences along the way. Also, all are applicable no matter what Windows operating system you have installed on your hard drive, including Windows 10, Windows 8, Windows 7, Windows Vista, and Windows XP. Steps 1 through 5 even apply to other PC operating systems like Linux.

    1. Don't Panic! Your Files are Probably OK

    When faced with a computer that won't start most people tend to panic, worried that all the data on their PC is gone forever. It's true that the most common reason a computer won't start is because a piece of hardware has failed or is causing a problem but that hardware isn't usually a hard drive, the part of your computer that stores all of your files. In other words, your music, documents, emails, and videos are probably safe - just not accessible at the moment.

    So take a deep breath and try to relax. There's a good chance you can figure out exactly why your computer won't start and then get it back up and running.

    Don't Want to Fix This Yourself? See How Do I Get My Computer Fixed? for a full list of your support options, plus help with everything along the way like figuring out repair costs, getting your files off, choosing a repair service, and a whole lot more.

    2. Computer Shows No Sign of Power

    Try these steps if your computer will not turn on and is showing no sign at all of receiving power - no fans running and no lights on the laptop or tablet, nor on the front of the computer's case if you're using a desktop.

    Important: You may or may not see a light on the back of your desktop PC depending on the kind of power supply you have and the exact cause of the problem. This goes for the power adapter you may be using for your tablet or laptop as well.

    How To Fix a Computer That Shows No Sign of Power

    Note: Don't worry about the monitor yet, assuming you're using a desktop or an external display. If the computer is not turning on because of a power issue then the monitor certainly can't display anything from the computer. Your monitor light will likely be amber/yellow if your computer has stopped sending information to it.

    3. Computer Powers On... and Then Off

    Follow these steps if, when you turn your computer on, it promptly powers back off. You'll probably hear the fans inside your computer turn on, see some or all of the lights on your computer turn on or flash, and then it will all stop. You won't see anything on the screen and you may or may not hear beeps coming from the computer before it shuts off by itself.

    How To Fix a Computer That Turns On and Then Off

    Note: As in the previous scenario, don't worry about the state your external monitor is in, if you have one. You may have a monitor issue as well but it's not possible to troubleshoot it quite yet.

    4. Computer Powers On But Nothing Happens

    If your computer seems to be receiving power after turning it on but you don't see anything on the screen, try these troubleshooting steps. In these situations, the power lights will stay on, you'll likely hear the fans inside your computer running (assuming it has any), and you may or may not hear one or more beeps coming from the computer.

    How To Fix a Computer That Turns On But Displays Nothing

    This situation is probably the most common in my experience working with computers that won't start. Unfortunately it's also one of the most difficult to troubleshoot.

    5. Computer Stops or Continuously Reboots During the POST

    Use this guide when your computer powers on, shows at least something on the screen, but then stops, freezes, or reboots over and over again during the Power On Self Test (POST). The POST on your computer may happen in the background, behind your computer maker's logo, or you may actually see frozen test results or other messages on the screen.

    How To Fix Stopping, Freezing, and Reboot Issues During the POST

    Important: Don't use this troubleshooting guide if you encounter an issue during the loading of the operating system, which occurs after the Power On Self Test is complete. Troubleshooting for Windows-related reasons why your computer won't turn on begins with #6 below.

    6. Windows Begins to Load But Stops or Reboots on a BSOD

    If your computer begins to load Windows but then stops and displays a blue screen with information on it then try these steps. You may or may not see the Windows splash screen before the blue screen appears. This kind of error is called a STOP error but is more commonly referred to as a Blue Screen of Death or a BSOD. Receiving a BSOD error is a common reason why a computer won't turn on.

    How To Fix Blue Screen of Death Errors

    Important: Choose this troubleshooting guide even if the BSOD flashes on screen and your computer restarts automatically without giving you time to read what it says.

    7. Windows Begins to Load But Stops or Reboots Without an Error

    Try these steps when your computer powers on, starts to load Windows, but then freezes, stops, or reboots over and over again without generating any kind of error message. The stopping, freezing, or reboot loop may happen on the Windows splash screen or even on a black screen, with or without a flashing cursor.

    How To Fix Stopping, Freezing, and Reboot Issues During Windows Startup

    Important: If you suspect that the Power On Self Test is still going on and that Windows has not yet started to boot, a better troubleshooting guide for why your computer won't turn on might be #5 above. It's a fine line and sometimes hard to tell.

    Note: If your computer won't start and you see a blue screen flash or remain on the screen, you're experiencing a Blue Screen of Death and should use troubleshooting guide #6 above.

    8. Windows Repeatedly Returns to Startup Settings or ABO

    Use this guide when nothing but the Startup Settings (Windows 8) or Advanced Boot Options (Windows 7/Vista/XP) screen appears every time you restart your computer and none of the Windows startup options work. In this situation, no matter which Safe Mode option you choose, your computer eventually stops, freezes, or restarts on its own, after which you find yourself right back at the Startup Settings or Advanced Boot Options menu.

    How To Fix a Computer That Always Stops at Startup Settings or Advanced Boot Options

    This is a particularly annoying way in which your computer won't turn on because you're trying to use Windows' built-in ways to solve your problem but you're getting nowhere with them.

    9. Windows Stops or Reboots On or After the Login Screen

    Try this troubleshooting guide when your computer powers on, Windows shows the login screen, but then freezes, stops, or reboots here or anytime after.

    How To Fix Stopping, Freezing, and Reboot Issues During Windows Login

    The stopping, freezing, or reboot loop may happen on the Windows login screen, as Windows is logging you in, or any time up to Windows fully loading.

    10. Computer Doesn't Fully Start Because of an Error Message

    If your computer turns on but then stops or freezes at any point, showing an error message of any kind, then use this troubleshooting guide. Error messages are possible at any stage during your computer's boot process, including during the POST, at any time during the loading of Windows, all the way up to the Windows desktop appearing.

    How To Fix Errors Seen During the Computer Startup Process

    Note: The only exception to using this troubleshooting guide for an error message is if the error is a Blue Screen of Death. See #6 above for a better troubleshooting guide for BSOD issues.

    Blog Entry, DATA, Data Recovery
  • Posted on May 22, 2016 11:52 am
    Joseph Forbes
    No comments

    Recover Deleted Files with Recycle Bin or File Recovery Software

    First things first: recovering deleted files from your hard drive, media card, flash drive, iPhone, or some other device is very possible. While I can't guarantee that your accidentally deleted file can be recovered, there's a good chance it can be, especially if it hasn't been too long since it's been deleted.

    Files that get deleted aren't usually truly deleted but are instead just hidden, waiting to be overwritten by something else. You can take advantage of this fact and recover deleted files you want back.

    Follow the steps below, in order, to maximize your chances of recovering deleted files from your device:

    Difficulty: Easy

    Time Required: Depending on how long ago the file was deleted, your habits on emptying the Recycle Bin, and some other factors, recovering files you've deleted could take a few minutes or up to an hour or more.

    How to Recover Deleted Files

    1. Stop using your computer! Aside from the specific tasks I outline during the rest of this tutorial, the smartest thing you can do is to stop writing data to the drive that contained the deleted file.

       As I mentioned above, files that are deleted are actually just hidden. The only way the file you want to recover disappears completely is if the same physical space it occupied on the drive is overwritten. So... don't do anything that might cause that to happen.

       The most "write heavy" tasks are things like installing software, downloading or streaming music or videos, etc. Doing those things won't necessarily overwrite your file but the chances go up the more you do them.

    2. Restore the deleted files from the Recycle Bin. You've probably already looked in the Recycle Bin, but if not, do so now. If you're lucky enough to have not emptied it since you deleted the file, it might be here and in perfect working order.

       Tip: Files you delete from media cards, USB based drives, external hard drives of any kind, and network shares will almost never be stored in the Recycle Bin. The same goes, more obviously, for things like your smartphone. Very large files from any source are also often deleted outright, skipping the Recycle Bin.

    3. Download a free file recovery program and use it to search for and recover your deleted files. If the files you're looking for have already been emptied from the Recycle Bin, a file recovery tool can typically help.

       I'm a big fan of Recuva, my top pick in my list, but if you don't like it for some reason, or if you try it and it doesn't find the file you need to recover, by all means work down the list.

       Important: I highly recommend downloading the "portable" version of Recuva, or whatever program you choose, directly to a flash drive or some drive other than the one with the missing file(s) on it.

    4. Extract the portable version of the file recovery tool you chose. Portable programs usually come in ZIP format which Windows natively supports (i.e. unzipping is easy in Windows).

       If you downloaded it to a flash drive, extracting it right there onto the flash drive is great. If you had no choice but to use your hard drive, extract it there. If you had to use your hard drive and choose an installable version of a file recovery tool, go ahead and install it as directed.

    5. Use the file recovery tool to scan for files that can be recovered, a process that could take a few seconds to several minutes or longer depending on how large the drive is.

       The exact procedure differs from program to program but this typically involves choosing the drive you want to scan for deleted files on and then tapping or clicking a Scan button.

    6. Once the scan is complete, locate the file from the list of recoverable files, select it, and then choose to Restore it.

       Again, the details on recovering files you want to recover are specific to the tool you chose to use in Step 3 above.

       Important: While you hopefully found the file you needed to recover in this list, it's possible you didn't. When that happens, the paid-for versions of these data recovery programs could have the potential to successfully recover it. There is a reason why Free data recovery isn't always Free.

    Tips & More Information

    1. The Recycle Bin should be the first place you look to recover deleted files. If you skipped Step 2 above because you "know" it's not there, just humor me and check again. You never know!
    2. As I mentioned a few times above, recovering files from devices like smartphones, music players, flash drives, and network drives is possible but can sometimes require some extra steps.
    3. You do not need to have a data recovery software program installed before you delete the file to use one, which is great news.
    4. A dead hard drive, or a non-working computer, presents an extra layer of trouble when you need to recover a file. While this is possible in most cases, see my Can I Recover Files From a Dead Hard Drive? for more on figuring out what to do.

    Still Having Trouble Restoring That Deleted File?

    See Get More Help for information about contacting me on social networks or via email, posting on tech support forums, and more. Let me know exactly what you've already tried doing to recover the deleted files, what program (if any) you've already tried, and how you think they went missing. That'll help me help you!

    Blog Entry, Data Recovery
  • Posted on May 18, 2016 12:30 pm
    Joseph Forbes
    No comments

    One of the biggest misconceptions about computers is that it takes a rocket scientist to fix any problem that might show up on one. I'm here to tell you that fixing your computer is something you can do.

    Now, in no way am I calling down your local computer repair person (I am one, remember) - they're by and large a very smart bunch of people, usually with a lot of education and experience. However, the fact remains that a large portion of the problems that computer users encounter can be easily solved by following freely available advice on this and many other sites online. Even more difficult problems can be solved if you're willing to invest a little time to learn a few things about your computer along the way.

    Important: At the very least, before you take your computer in for service, there are some really simple things that anyone can do that tend to fix most of the common problems I've seen.

    Fixing Your Own PC Will Save You Money!

    Saving money is probably an obvious advantage of fixing your own computer. Getting your computer serviced at a local shop will usually run you from $60 to $90 per hour or more. Some are less expensive but that's not the norm when it comes to repairs.

    Remote computer support options are typically cheaper but they can only help fix some software related problems and are useless in cases where hardware is to blame. Also I noticed that scammers are using Remote Support Tools more often to ADD more problems to your existing issues. So Remote Help might not be as reliable as it used to be. (So hire someone you know, and trust, when it comes to Remote Help.)

    If you fix your computer problem yourself, you can completely avoid what might end up being a several hundred dollar bill. No matter what your financial situation, free is a pretty good deal. That's a lot of money you can save by investing some time in trying to fix it yourself. The best part is you learned how to solve a problem, a skill that can only improve as you get to know your computer more.

    You Don't Need Expensive Tools to Fix Your Own Computer

    Many people think that they have to buy lots of expensive diagnostic hardware and software to fix a computer. This is absolutely not the case. Expensive tools do exist but they're usually used to help computer repair services test or solve things quickly or in bulk. Chances are you already have 95% of the physical tools you would ever need to fix any computer problem in your toolbox or garage.

    Computer repair services also use many software diagnostic tools to determine what might be wrong with a computer but most of the very best ones they use are available for free online! Here are a few of my favorite free, professional level diagnostic tools available for download by anyone:

      • Free Memory Testing Tools
      • Free Hard Drive Testing Tools
      • Free Tools already included with your Operating System

    Also, while there are a number of reasons why owning a second computer, or at least having temporary access to one, could help a lot when you need to fix yours, it's not always necessary. Your "smaller" computer - aka your smartphone or tablet - is often a huge help, at the very least as a research tool.

    You'll Probably Be Back Up and Running Faster

    You might be thinking to yourself at this point that surely it'll take days or weeks to learn enough to repair your own computer and that it won't be worth the trouble. You need your computer working right now, right?

    First of all, unless you're lucky, after you drop your computer off at the repair shop you'll likely be waiting at least an entire day, usually longer, before you'll be able to pick it back up. You are your only client when you've become the repair person yourself so my guess is that you can get on it a bit more quickly.

    Secondly, you might be surprised to know that most common problems are solved by relatively simple steps. The more time you spend looking for solutions to computer problems online the more you'll see that this is true.

    Finally, and I really want to stress this one, you don't need to learn to solve every computer problem to solve this computer problem. A knowledgeable computer repair person has a lot of experience and education and can solve a multitude of problems with ease. You don't need to reach this level of knowledge about repairing computers. You need to solve your single problem as quickly as possible. Well written, easy to follow troubleshooting information online will get you that.

    You Know More Than You Think

    If you're having trouble using the mouse, keyboard, or screwdriver then you might have a problem repairing your computer. Otherwise, you're only a step-by-step troubleshooting guide away from solving pretty much any computer problem you might see.

    So much great information is available to help people solve computer problems online, from self-help troubleshooting guides and tutorials like you'll find on my site here, to personal help on social networks and forums, something you can read more about on my Get More Help page on this website.

    If you can think logically, follow instructions in order, and ask questions when you're not sure about something or don't understand, then you should feel confident enough to try to fix your own computer problems before you even think about paying someone else to.

    Not Going to Happen?

    If all the confidence building I've done to this point isn't doing the trick, and you're absolutely sure that you'd rather have a professional tackle this computer issue, at least read through some helpful pieces about getting your computer repaired. I know the professionals can be busy at times, but keeping an open mind about the most common problems people encounter can teach you how to prevent the issue from happening again.

    Blog Entry, DATA, Data Recovery
  • Posted on May 15, 2016 10:25 am
    Joseph Forbes
    No comments

    To wipe a hard drive means to completely erase the drive of all information. Deleting everything does not wipe a hard drive and formatting does not [always] wipe a hard drive. You'll need to take an extra step to wipe the hard drive completely.

    When you format a hard drive or delete a partition, you're usually only deleting the file system, making the data invisible but not gone. A file recovery program or special hardware can easily recover the information. If you want to make sure that your private information is gone forever, you'll need to wipe the hard drive using special software.

    Important: See Tip #2 at the bottom of the page for information on a "simple" wipe using the format command in Windows 10, Windows 8, Windows 7, and Windows Vista.

    Follow the easy steps below to completely wipe a hard drive:

    Time Required: It could take several minutes to several hours to wipe a hard drive, depending on how big the drive is and what software/method you choose to wipe it with.

    How to Wipe a Computer Hard Drive

    1. Back up anything you want to keep. When the hard drive wipe is complete, there will be no way to get anything on the drive back.
       Important: Sometimes multiple drives exist on a single hard drive. You can view the drives (volumes) that sit on a hard drive from the Disk Management tool in Windows.
    2. Download a free data destruction program. Any of the first nine programs I recommend in that list will work great because they can be used to wipe a hard drive from outside of Windows, a necessary feature if you want to wipe the hard drive that Windows is installed on.
       Note: There are actually several ways to completely erase a hard drive but using data destruction software is the easiest and still allows the hard drive to be used again.
    3. Next, complete whatever steps are necessary to install the software or, in the case of a bootable program like DBAN, get the ISO image on a CD or DVD disc or a USB device like a flash drive:
       If you're using a CD or DVD, this usually involves burning the ISO image to a disc and then booting from the disc to run the program.
       If you're using a flash drive or other USB drive, this usually involves burning the ISO image to the USB device and then booting from that USB drive to get started.
    4. Wipe the hard drive according to the program's instructions.
       Note: Most data destruction programs utilize several different methods to wipe a hard drive. If you're curious about the effectiveness or methods used to complete the hard drive wipe, see Data Sanitization Methods.
    5. After properly wiping a hard drive, you can be confident that whatever information was on the drive is now gone for good. You can now install Windows on the drive, create a new partition, sell or give away the hard drive or computer, recycle or dispose of it, or whatever else you need to do.

    Tips & More Information on Wiping Hard Drives

    1. Wiping a hard drive is operating system independent, so long as you use one of the bootable tools from my list. That means that you can use this same general process to wipe a hard drive if you have Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Linux, or any other PC operating system.
    2. Beginning in Windows Vista, the format process changed and a single write zero pass is applied to each standard (non-quick) format. In other words, a very basic hard drive wipe is performed during a format.
       If a single write zero pass is good enough for you, consider your drive wiped after a regular format in Windows 10, back through Windows Vista. If you want something even more secure, go ahead and follow the hard drive wipe instructions above.
       Keep in mind, too, that this is a wipe of just the partition you're formatting. If you have more than one partition on a physical hard drive, you'll need to format those additional drives as well if you want to consider the entire physical disk as "wiped".
    3. If what you really want to do is just make sure that files you delete are really gone, a data wiping tool is more than you need. See my Free File Shredder Software Programs list for programs that "destroy" individual files on an as-needed basis.
       Many of those "shredder" programs also do what's called a free space wipe, which is a wipe of all of the free space on your hard drive, which would of course include any of your previously deleted files.
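To check the point made in Tip 2, that a format only zeroes the partition being formatted, the Python below reads a raw disk image and counts, per partition, how many sectors still hold non-zero bytes. It is an added example, not part of the original post or of any program the post mentions; it assumes 512-byte sectors and primary MBR partitions only, the function names are made up for the example, and the sample image is constructed in memory.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte logical sectors


def parse_mbr(disk):
    """Return (slot, type, first_lba, sector_count) for each used primary MBR entry."""
    disk.seek(0)
    mbr = disk.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA signature; not an MBR disk image")
    parts = []
    for slot in range(4):
        entry = mbr[446 + 16 * slot:446 + 16 * (slot + 1)]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype == 0xEE:
            raise ValueError("protective MBR found: GPT disk, not handled by this example")
        if ptype != 0 and count != 0:
            parts.append((slot, ptype, first_lba, count))
    return parts


def count_nonzero_sectors(disk, first_lba, count, chunk_sectors=2048):
    """Count sectors in [first_lba, first_lba + count) that contain any non-zero byte."""
    zero = bytes(SECTOR)
    nonzero = 0
    remaining = count
    disk.seek(first_lba * SECTOR)
    while remaining:
        want = min(remaining, chunk_sectors)
        chunk = disk.read(want * SECTOR)
        if len(chunk) != want * SECTOR:
            raise ValueError("partition extends past the end of the image")
        if chunk.count(0) != len(chunk):  # all-zero chunks need no per-sector scan
            nonzero += sum(chunk[o:o + SECTOR] != zero
                           for o in range(0, len(chunk), SECTOR))
        remaining -= want
    return nonzero


def audit_wipe(disk):
    """Report residual (non-zero) sectors for every partition in the image."""
    report = []
    for slot, ptype, first_lba, count in parse_mbr(disk):
        nonzero = count_nonzero_sectors(disk, first_lba, count)
        report.append({
            "slot": slot,
            "type": ptype,
            "first_lba": first_lba,
            "sectors": count,
            "nonzero_sectors": nonzero,
            "nonzero_ratio": nonzero / count,
        })
    return report


def build_sample_disk():
    """Constructed 64-sector image: slot 0 was fully formatted, slot 1 was left alone."""
    image = bytearray(64 * SECTOR)

    def entry(ptype, first_lba, count):
        # status, CHS start, type, CHS end, first LBA, sector count (16 bytes)
        return struct.pack("<B3sB3sII", 0, b"\0\0\0", ptype, b"\0\0\0", first_lba, count)

    image[446:462] = entry(0x07, 8, 24)
    image[462:478] = entry(0x07, 32, 32)
    image[510:512] = b"\x55\xaa"
    # Slot 0: zero-filled by the format; only the new boot sector is non-zero.
    image[8 * SECTOR:8 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    # Slot 1: ten sectors of old data that no format ever touched.
    for lba in range(40, 50):
        image[lba * SECTOR:lba * SECTOR + 25] = b"CONSTRUCTED-RESIDUAL-DATA"
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    for part in audit_wipe(build_sample_disk()):
        print("slot {slot}: {nonzero_sectors}/{sectors} sectors non-zero "
              "({nonzero_ratio:.1%})".format(**part))
```

A freshly formatted partition still shows a few non-zero sectors because the new file system writes its own metadata; a partition that was skipped shows far more.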

    Blog Entry, DATA, Data Recovery
  • Posted on June 26, 2015 11:36 am
    Joseph Forbes
    No comments

    Test Microsoft's next operating system while keeping your current one.

    If you want to play with Windows 10 or Office 2016 but aren't ready to abandon Windows 7 or 8 or Office 2013 just yet, there's an easy solution: a virtual machine. Broadly speaking, a virtual machine (VM) is a sandbox that tricks one operating system into running inside another. Setup requires a more-than-entry-level PC, since you'll be running two resource-hungry OSes at once. But a virtual machine is well worth the effort, because it means fewer headaches than fully upgrading to beta software or running a second version of Windows on a drive partition. Also, if a VM gets a virus or starts acting weird, you can just delete it and reinstall, assuming it doesn't contain any important data.

    There are a number of virtual machine apps you can choose from, but for simplicity's sake, this tutorial sticks to VirtualBox. These instructions are for Windows 7 and 8.1, but you can apply this process to other Windows versions.

    What you need:

    • A CPU prepped for running a virtual machine.
    • A broadband Internet connection to download up to 4GB of files.
    • 50GB or more of free space on your PC.
    • Up to one hour of free time.

    Step 1: Verify virtual machine support

    Oddly, your CPU's virtualization features are often disabled by default. Fixing that can be a hassle, but the process of getting Windows 10 up and running in a virtual machine gets easier after this step.

    To make sure that virtualization is enabled in your hardware, you need to go into the motherboard BIOS interface. To do that, hit the F2 or Delete key while your PC is booting up. The timing can be tricky if you have a solid-state drive, because your window of opportunity is only a few seconds. If F2 and Delete don't work, you may need to try F10 or F12 -- your motherboard manual will tell you. If you don't have your manual, you can usually download it from the manufacturer's website.

    If you don't know who made your motherboard or which model it is, download Speccy and click the Motherboard tab. If you have a laptop, the model is usually printed on the device itself. Then you can Google the motherboard name to find the manual, which will also show you where in the BIOS you will find the setting to toggle your CPU's virtualization settings.

    Once you've enabled virtualization in the BIOS, press F10 (unless the manual tells you to use a different key) to save your settings and reboot. You may have a basic BIOS with no CPU virtualization setting. In that case, just hit the Escape key to leave the BIOS and boot into Windows.

    Step 2: Download Windows 10 Insider Preview

    There are two ways to get Windows 10: (1) install it as an upgrade to your current OS (Windows Vista, 7, or 8.1) or (2) download an ISO file. An ISO is a package of files that's usually installed from an optical disc, but a virtual machine basically tricks your computer into thinking that the files are on a CD or DVD. The virtual machine will install the ISO's contents much faster than an optical drive can.

    Go to Microsoft's site to get the Windows 10 ISO. Sign up as a Windows Insider, if you haven't already, and choose your file language. Next, select either the 32-bit (x86) or 64-bit (x64) version. If you're not sure which one is compatible with your PC, hold down the Windows key and press the Pause/Break key to bring up the System window. Look for the System type entry, which will tell you if you have 64-bit or 32-bit Windows: 64-bit Windows can use either ISO, but 32-bit Windows can use only the 32-bit ISO.

    If you plan to test 64-bit software or to dedicate more than 4GB of system RAM to your virtual machine, you'll need 64-bit Windows running on your PC. Some older CPUs cannot support a 64-bit virtual machine, even if the CPU is technically 64 bits. If you bought your PC more than five years ago, we recommend Googling your CPU (revisit the instructions in Step 1 to find your CPU name in the System) to check if it has 64-bit guest support. The guest is the OS running inside the virtual machine. The host is the computer the VM is running on.

    Step 3: Get your virtual machine software

    While your ISO is downloading, you can queue up VirtualBox. Once that's downloaded, install it and set it up for Windows 10. With the program open, click the New button in the upper-left corner to get started.

    Name the virtual machine anything you like. The second entry field will default to Windows, if you use that word in the description above it, or you can select Windows from the drop-down menu. In the Version menu, select Windows 10 (32-bit) or Windows 10 (64-bit), depending on which ISO you downloaded.

    Now you select your system RAM usage. The green section of the slider is considered safe, and the red zone may cause performance issues. We'd recommend at least 2GB of RAM, preferably 4GB. But if you have only 4GB to start with, give the virtual machine 2GB. If you have 6GB of system RAM, 3GB is great.

    Click Next, and you'll be asked to create a virtual hard drive. You're installing a full operating system, so you'll need a healthy amount of room on your PC's storage device. The default for Windows 10 is 32GB; we recommend at least 25GB to install Windows 10 correctly. Click Create to go to the next menu. If you want to use more or less space, click Hide Description to open an advanced menu with a slider.

    Click Show Description to return to the hard drive file-type selection. It defaults to VDI, which is fine for basic testing. Other types are compatible with other VM software, such as VMware or Parallels.

    Click Next, and you'll see that VirtualBox defaults to dynamic allocation. As the description states, this method will not automatically take up all 32GB (or whatever size you chose). Choosing Fixed size will immediately take up all the drive space that you reserved for the virtual machine.

    The next window will ask you to confirm the name and size of the VM. Click Create to finish setting up the essentials.

    Step 4: Make optional tweaks

    The tweaks in this step are optional. All VM apps have customizable settings to improve performance and change how the guest (the virtual machine) interacts with the host (your computer).

    In the left-hand column of VirtualBox's interface, you'll see the new VM you just set up. It's preselected, since you presumably have no other VMs to choose from right now, so just hit the Settings button to start tweaking. Settings sends you to a General menu, where most options will be grayed out when the VM is running, so you need to set it all up before you've booted it. There are lots of things that you can fiddle with here, but we'll focus on a few highlights.

    First, click the Advanced tab to look at how the guest (VM) can talk to the host (PC). If you want to copy and paste between the two, go to Shared Clipboard and select Bidirectional from the drop-down menu. You can also choose your drag-and-drop behavior from the drop-down menu right below that. Since the VM version of Windows can't see the other storage devices and drive partitions on your PC, you'll need drag and drop to transfer files between the guest and the host.

    Now click the System item in the left-hand column. Click the Processor tab to choose how many CPU threads you want to dedicate to the VM. VirtualBox defaults to one thread to stay on the safe side. But if you have more threads in the green zone, you can select them here by moving the slider to the right.

    The last point of interest is the Display menu, again listed in the left-hand column. On the Video tab, you can increase how much video memory the VM uses, and you can enable acceleration. (Acceleration can create visual glitches, though, so you must disable it later.) As before, choices within the green zone shouldn't have a negative performance impact on the host PC, unless you're doing processing-intensive tasks while running the VM.

    Once you've made your selections in the three areas of the Settings menu that we've talked about here, click OK to save your changes.

    Step 5: Set up the ISO

    Now you're ready to boot your virtual copy of Windows 10. In the left column of VirtualBox, double-click your virtual machine to start it, as if it was a Windows installation disc. VirtualBox will ask for the location of your ISO.

    Don't remember where you downloaded it? In Google Chrome or Mozilla Firefox, press Ctrl-J to open the Downloads menu. Your downloaded files will be listed in chronological order. In Chrome, click Show in folder. In Firefox, hover your mouse pointer over the ISO and double-click to open its folder.

    Want to get fancy? Click the folder location in Windows Explorer and press Ctrl-C to copy the location. Go back to VirtualBox, click the little folder icon with the green arrow, click the location window, and press Ctrl-C to paste the ISO's location. Press the Enter key to go to the ISO's folder. Select the ISO and click Open. If you don't want to try this copy-paste trick, you'll need to manually navigate to the folder containing the ISO.

    Once you've set up your ISO location, click the Start button in VirtualBox's main window to run your VM copy of Windows 10. After a few seconds, you'll see a light blue Windows icon on a black background. The ISO is setting up the installer. This may take a few minutes, depending on how speedy your PC is. Then the screen will go black, and you'll see several menus on a purple background. Click the Next button and select Install Now.

    VirtualBox will tell you about available settings to detect key presses and mouse pointers in the guest (VM). Click the blue-and-white X button in the upper right to make those messages go away.

    Microsoft will ask you to agree to an end-user license agreement. Check the box if you agree, and click Next.

    Step 6: Install Windows 10 in your VM

    You have two installation options. Select the Custom option (the second one) and click Next to install Windows in the VM. This step can take a long time, depending on your computer's speed. Our test systems have solid-state storage devices and a dual-core laptop CPU with Hyper-threading, so for us installation took less than five minutes -- a lot faster than installing Windows from a DVD.

    You're almost done! The VM may reboot a few times while it sets up, and then you'll see an operating system setup menu on a white background. You can use express settings here or go through each choice -- you can always adjust these settings later. To do that, finish installing Windows, then click the Windows icon in the lower left-hand corner of the screen, choose Settings, and click Privacy.

    In the next section, tell the installer that this PC belongs to you, then sign in with your Microsoft account. Don't have one or don't want to use one? Hit the Sign Up button and choose Connect My Account Later. Now give Windows a username to log in with, decide if you want to set a password, and click Next. (You may get an error right after you click Next, but we clicked the OK button, and Windows kept installing.)

    Windows will take a few minutes to make some final adjustments in the background, and then you'll finally be on the Windows 10 desktop. From here, you can do anything you want, but we recommend checking for updates first. To do that, click the Windows icon in the lower left-hand corner, choose Settings in the upper left of the menu that pops up (yes, the Windows Start menu is back), and select Update & Security. This will automatically check for the latest updates for Windows 10.

    There's one last optional item you can try: installing Guest Additions (GA) so that you have more aspect-ratio choices for your VM window, or so that you can maximize the VM window and have it automatically scale to the correct resolution for your display. VirtualBox version 4.3.26, which we used for this tutorial, wouldn't scale with GA on our test laptops running Windows 7 and 8.1, but you may have better luck.

    With the Windows 10 VM running, click the Devices menu at the top of the window, select CD/DVD Devices, and select Remove Disk From Virtual Drive. This disk is just the ISO that you used to install Windows, which you don't need anymore. Next, in the Devices menu, go to the bottom and select Insert Guest Additions CD image.

    Windows will pop up a notification in the lower right-hand corner of the screen. Click it and select the first option (the one with the VirtualBox icon next to it). Click Yes, Next, Next again, and Install to start the process. Windows will ask you to confirm some device-driver installations. Click the Install button to do that. The VM's screen may flicker a few times. This is normal. Finally, click Finish to reboot with the Guest Additions installed.

    Step 7: Run Windows 10

    You're now done setting up your virtual machine and Windows 10. You can shut down Windows 10 by clicking the Windows icon, selecting Power, and choosing Shut Down. To quickly run the VM next time, go back to VirtualBox's Manager screen, which comes up when you launch the software, right-click your VM in the left-hand column, and choose Create Shortcut on Desktop. That lets you skip the Manager screen and directly boot the VM from your host computer's desktop.

    Now that you have a sandboxed version of Windows 10 running inside your main operating system, you can do things like test virus/malware protection or run experimental software without worrying about wrecking your whole system. You can learn how to navigate Windows 10 and decide if you like it before committing to the full upgrade or a fresh installation.

    You can check out Microsoft Edge, previously known as Project Spartan, which will replace Internet Explorer. Edge is preinstalled in Windows 10 and is supposed to support add-ons intended for Firefox and Chrome, so it's worth checking out.

    You can use your VM to test the preview version of Microsoft Office 2016, which would otherwise require you to uninstall your current copy of Office first. If you told VirtualBox to use the default 32GB installation of Windows 10, you have about 22GB left over after Windows is installed, so there's lots of room to play in your sandbox.

    Blog Entry, DATA, Data Recovery
  • Posted on April 28, 2013 10:44 am
    Joseph Forbes
    No comments

    Russell Chozick owns a small company in Austin, TX, called Flashback Data that recovers data from messed-up hard drives. And SSDs and Flash memory, too. How badly damaged does a drive have to be to defeat Russell and his crew? Apparently, smashed to bits. Not long ago we did a video about a company that destroys data on hard drives, and we've had at least one Ask Slashdot where the question was, "What's the Best Way To Destroy Hard Drives?" In today's video, Russell is talking about the opposite of destruction -- except that he destroys data upon request, too. Obviously, checking the wrong box on a customer order form could cause big problems at Flashback Data, couldn't it? Let's hope they never do that -- and let's hope we all back up all of our data so we never need to use a data recovery service. You do back up all your data, don't you?

    Russell Chozick: I am Russell Chozick, from Flashback Data, data recovery and computer forensics firm in Austin, Texas.

    Robin Miller: So, if I accidentally were to remove the hard drive from this computer and throw it out in the trash and waste management corporation took it to their landfill, you would go through that landfill and find it for me.

    Russell Chozick: I don’t know if I want to go through a landfill, but if that drive is bent in half or completely smashed into millions of pieces, then if we find that thing, I’ll get data from it.

    Robin Miller: Okay. Because actually there’s another video interview we did not that long ago with a company that destroys data.

    Russell Chozick: Yeah.

    Robin Miller: They destroy hard drives.

    Russell Chozick: Yeah, we do it sometimes here ourselves.

    Robin Miller: So, how destroyed a hard drive can you save?

    Russell Chozick: No, there’s varying levels of unrecoverableness that we come across, if the physical platters are destroyed, i.e. the data is actually completely scraped off of them because of a full-on head crash where there’s little filters inside of a hard drive that filter in until no dirty air can get into them and that thing looks black, that means your data just got scraped off of that hard drive platter right into that filter and no one is going to get that back. As far as lot of laptop drives have glass platters, if you throw that thing on the ground hard enough, that glass shatters, no one is going to get that data, but the stuff we have recovered from that is pretty severe, for example, drives that have been submerged in salt water for a long time after Hurricane Sandy, Katrina, any of the big natural disasters, we’ve recovered from fire damage where that drive looks like it’s completely melted. But we’re still able to save it. So there’s definite ways to destroy it and obviously the destruction company is ____2:19. I think I looked at their video. They talk about degaussing and when you degauss a hard drive, you also erase the servo track, so not only is it unrecoverable and it’s never even usable again. So then you just got to send it to the recyclers. But what we do here to destroy data is either overwrite it by writing data over the entire portion of the hard drive, but completely overwriting it or we crush them or we send them to a destruction company as well if we’ve done whole lot that we need to get rid of.

    Robin Miller: Obviously destroying as a number of people, Slashdot readers, yes, you know, how you are, you guys pointed out, you could have a lot of fun with a sledge hammer instead of spending money to destroy hard drives.

    Russell Chozick: Yeah, you got to make sure that thing is good and smashed, because especially with the larger desktop drives and SCSI drives, those things are pretty durable, and you got to really beat that thing up to make a dent in those platters because they’re pretty strong.

    Robin Miller: What do you do with SSDs, what do you do with the digital drives?

    Russell Chozick: Well, it’s kind of evolved through our business; when we first started we didn’t have the technology to read directly from NAND Flash memory, so what we do and it was fairly common was pretty simple part replacement type stuff where Flash drives controller fails, we would take the actual memory chip itself, find an identical circuit board, take the Flash memory, put it on the new circuit board or make electronic repairs on the actual board itself and then recover the data that way. But it’s evolved quite a bit. So we’ve done a lot of research and development over years and we are pretty much on the forefront of Flash technology where what we started to do is, you know what let’s get a device programmer and start reading the data into the computer raw and see what it looks like. Now when you look at Flash media read in raw straight from a USB drive, it’s completely mixed up. The way that Flash controllers work is they are constantly reorganizing the data for wear-leveling and encryption and all kinds of different algorithms to make to; one, speed up the Flash memory and two, make sure that you’re not going to wear out certain cells before other cells to make it last long time. So what you get when you read just the Flash memory is take the controller out of the situation you get, just the whole bunch of scramble data that is not only the data area, but there’s also portions of each sector that contain information about error correction and kind of clues on how the data is reassembled. So what we started to look at was how we can kind of reverse engineer the controllers once we have the raw data read in, and that’s how it’s evolved. Now what we can do is as long as the data is not encrypted we can pull the Flash memory itself off. The actual data chips, for example, here is an SSD drive and these are the data chips, pull those off and look for markers that – common markers on a file system. For example, we know what FAT32 file system looks likes typically in a linear format. So we may find part of the FAT file system on one chip and part of the FAT file system in another chip, and what we have to do is rearrange the data to where it kind of lines up and gets an order and then the computer can – and then kind of reimage that and then we can use that image to rebuild the file system on the Flash. And it sounds very complicated and

    Robin Miller: It sounds expensive actually.

    Russell Chozick: It sounds more complicated than it is, but basically what we’ve done is we’ve built kind of an internal wiki of cases, so once we crack one, we see it again, it’s much easier for us to do it again, and we have thousands of it. I mean, so we see it a lot and so it’s starting to get to the point where the costs are coming down, but new challenges keep arising as new chip form factors start coming out and they keep making these devices smaller, I know you probably seen micro SD cards. They’re extremely small and there’s actually no independent Flash memory on those. It’s basically a monolithic chip that contains the controller and the Flash in one chip. So in order to recover something like that it requires a lot of patience. We basically have to take sand paper and find all the traces on the device, sand it down until it’s just to its bare traces, and then use a logic analyzer and find out where all the data points are to actually connect straight to the Flash, which now in that example those are the types of recoveries that are extremely expensive right now because it’s a lot of manual work, whereas, if it’s a typical type of NAND Flash memory, those are starting to get where we’ve got nerves where we can get them in and get them out pretty quickly.

    Robin Miller: I’m assuming that people who come to you that the data is valuable. I had one ever hard drive failure where I didn’t have stuff backed up, that’s critical, just one and I spent $600 to get my data.

    Russell Chozick: And you know that to backup and then back up your back ups. We will FTP people critical information, but we’re not going to let them download 40 gigs of information what they’ve recovered. So what we found now is we started using – any time speed increases happen we started using the newest technology, so anyone that comes in with a MacDrive will it out of whatever enclosure that they have and we’ll put it right in our thunderbolt dock and use thunderbolt to a thunderbolt source and a thunderbolt destination to make sure that we can move data as fast as possible and then all of our systems are – the PCs are all the USB 3 in any status, so we can move data as fast as possible. It’s just going to take very less time for us to move data and get it in the mail overnight than it is to use the Internet. Austin is getting Google fiber here soon, so...

    Robin Miller: Isn’t that special. Are you all happy? Why doesn't Manatee County, where we have more cows than people, Manatee County, Florida, we need that more than you guys....

    Russell Chozick: Well, I mean I know the cows use a lot of bandwidth, so maybe that’s why they won’t let you guys. This industry is a bit strange and you really have to be careful on who you use, because your first chance of data recovery is always usually the best. There’s a lot of people out there that claim to do it all and maybe they can and that’s great, and I know there’s lot of great companies out there. But there’s a lot that see dollar signs in this and they maybe can only do low level or logical stuff, logical recoveries recovered from corrupt file systems and things like that, and they can’t work on the stuff that I’m talking about here where I have to wire up memory chip from an Android phone to pull data off of it. You can’t tell me that a one man shop somewhere is going to be able to have the resources to do that, this is an expensive business to run, we have expensive equipment, we have large lab space, lot of computers, lot of overhead, we have laminar flow benches to open hard drives underneath, we have a huge parts inventory, so there’s just – you just got to be careful on who you use, and there are several reputable companies out there.

    Robin Miller: Well, look we can see right behind you, those are some very uncheap looking racks with monitors on top of them.

    Russell Chozick: Yeah, I mean, and to be honest, those computers are typical every day computers, but there’s hardware in there for imaging computers that is very expensive, what’s running right back here are we got three different computers all imaging hard drive sector-by-sector and what it does is when it runs into bad sectors, it can dig deeper, it can skip that, it can come back to that later, we could even say it, oh we really want to image everything that’s on one certain surface of the platter of the hard drive and things like that. So we can get real granular and we could also go forwards and we can go backwards and then we could say, set the time out for a little bit longer. So we can kind of create our own algorithm for how a driver is behaving. And this stage is even after we’ve done the physical work to the drive. So pretend the read/write heads failed on a particular drive, we bring it into our clean room, we do any kind of part replacement that may need to be done to repair, temporarily repair the drive and then it goes to back here where we image the drive. It’s a non-tech savvy that really just think that the devices are invincible and that or it’s not going to happen to them, but it does, and we do recoveries for a wide range of people anywhere and like you said, the data is got to be valuable, but the most irreplaceable data is sometimes what lot of people would consider not that valuable in a sense of this is going to take my whole business down. It’s more like pictures of your kids since they were a baby and if someone has that only in the digital format that’s the kind of data that it’s not only irreplaceable, you can’t create that again

    Data Recovery, Hardware, Technical Support
  • Posted on April 19, 2013 2:15 pm
    Joseph Forbes
    No comments

    Windows 8 has been out for a while, featuring an interface that's as cool as it is annoying . . . until you get the hang of it. But, like any computer operating system, it can fall over. Luckily, there is an easy way to solve the cause of most crashes; just call up WinDbg, the Windows debugger; a free tool to diagnose the most common causes of Windows crashes -- misbehaved third party drivers. In W8, the Blue Screen of Death/BSOD has been modified to include a large, simple : ( emoticon and a short message in human (if not very informative) language. (Watch a slideshow version that walks you through any crash.] The Windows 8 Blue Screen of Death has become the frown of frustration. Also, Microsoft has made advancements in the dump file creation and management process. While this article focuses on W8, the information applies to both RT and Server 2012. For earlier operating systems, see Solve Windows 7 crashes in minutes or, for XP and 2000, see How to solve Windows crashes in minutes. About Windows crashes Operating system crashes are quite different from applications crashes, system hangs or other problems. In most cases, operating systems crash as a protective measure. When the OS discovers that critical devices are failing or that an internal operating system state has been identified as inconsistent because of possible viruses, bad device drivers or even RAM failures, it is generally safer to stop immediately. Otherwise, continuing operations would allow far more serious damage, such as application data corruption or loss. Two out of three system crashes are caused by third party drivers taking inappropriate actions (such as writing to non-existent memory) in Kernel mode where they have direct access to the OS kernel and to the hardware. In contrast, drivers operating in User Mode, with only indirect access to the OS kernel, cannot directly cause a crash. 
    A small percentage of crashes are caused by hardware issues such as bad memory, even fewer by faults in the OS itself. And some causes are simply unknown.

    Thanks for the memory dump

    A memory dump is the ugliest best friend you'll ever have. It is a snapshot of the state of the computer system at the point in time that the operating system stopped. And, of the vast amount of not-very-friendly looking data that a dump file contains, you will usually only need a few items that are easy to grasp and use. With the introduction of Windows 8, the OS now creates four different memory dumps: Complete, Kernel and Minidump, plus the new Automatic memory dump.

    1. Automatic memory dump
    Location: %SystemRoot%\Memory.dmp
    Size: ≈size of OS kernel

    The Automatic memory dump is the default option selected when you install Windows 8. It was created to support the "System Managed" page file configuration, which has been updated to reduce the page file size on disk. The Automatic memory dump option produces a Kernel memory dump; the difference is that, when you select Automatic, it allows the SMSS process to reduce the page file to smaller than the size of RAM.

    2. Complete memory dump
    Location: %SystemRoot%\Memory.dmp
    Size: ≈size of installed RAM plus 1MB

    A complete (or full) memory dump is about equal to the amount of installed RAM. With many systems having multiple GBs, this can quickly become a storage issue, especially if you are having more than the occasional crash. Normally I do not advise saving a full memory dump because they take so much space and are generally unneeded. However, there are cases, when working with Microsoft (or another vendor) to find the cause of a very complex problem, in which the full memory dump would be very helpful. Therefore, stick to the automatic dump, but be prepared to switch the setting to generate a full dump on rare occasions.

    3. Kernel memory dump
    Location: %SystemRoot%\Memory.dmp
    Size: ≈size of physical memory "owned" by kernel-mode components

    Kernel dumps are roughly equal in size to the RAM occupied by the Windows 8 kernel. On my test system with 4GB RAM running Windows 8 on a 64-bit processor the kernel dump was about 336MB. Since, on occasion, dump files have to be transported, I compressed it, which brought it down to 80MB. One advantage to a kernel dump is that it contains the binaries which are needed for analysis. The Automatic dump setting creates a kernel dump file by default, saving only the most recent, as well as a minidump for each event.

    4. Small or minidump
    Location: %SystemRoot%\Minidump
    Size: At least 64K on x86 and 128K on x64 (279K on my W8 test PC)

    Minidumps include the memory pages pointed to by registers, given their values at the point of the fault, as well as the stack of the faulting thread. What makes them small is that they do not contain any of the binary or executable files that were in memory at the time of the failure.

    However, those files are critically important for subsequent analysis by the debugger. As long as you are debugging on the machine that created the dump file, WinDbg can find them in the System Root folders (unless the binaries were changed by a system update after the dump file was created). Alternatively, the debugger should be able to locate them automatically through SymServ, Microsoft's online store of symbol files. Windows 8 creates and saves a minidump for every crash event, essentially providing a historical record of all events for the life of the system.

    Configure W8 to get the right memory dumps

    While the default configuration for W8 sets the OS to generate the memory dump format you will most likely need, take a quick look to be sure.
    From the W8 Style Menu simply type "control panel" (or only the first few letters in many cases), which will auto-magically take you to the Apps page where you should see a white box surrounding "Control Panel"; hitting Enter will take you to that familiar interface.

    The path to check Windows 8 Memory Dump Settings, beginning at Control Panel, follows:

    Control Panel | System and Security | System | Advanced system settings | Startup and Recovery | Settings

    Once at the Startup and Recovery dialogue box, ensure that "Automatic memory dump" is checked. You will probably also want to ensure that both "Write an event to the system log" and "Automatically restart" (which should also be on by default) are checked.

    Install WinDbg

    System Requirements

    To set your PC up for WinDbg-based crash analysis, you will need the following:

    • 32-bit or 64-bit Windows 8/R2/Server 2012/Windows 7/Server 2008. Depending on the processor you are running the debugger on, you can use either the 32-bit or the 64-bit debugging tools. Note that it is not important whether the dump file was made on an x86-based or an x64-based platform.
    • The Debugging Tools for Windows portion of the Windows SDK for Windows 8, which you can download for free from Microsoft.
    • Approximately 103MB of hard disk space (not including storage space for dump files or for symbol files)
    • Live Internet connection

    Download WinDbg

    First download sdksetup.exe, a small file (969KB) that launches the Web setup, from which you select what components to install.

    • Standard download.
    • Automated download (the download will start on its own).

    Space required

    Ignore the disk space required of 1.2GB; you will only be installing a small portion of the kit. On my test machine the installation process predicted 256.2MB but only needed 103MB according to File Explorer following installation.
    Run sdksetup.exe

    Install the Software Development Kit (SDK) to the machine that you will use to view memory dump files.

    A. Launch sdksetup.exe.
    B. Specify location: The suggested installation path follows: C:\Program Files (x86)\Windows Kits\8.0\ If you are downloading to install on a separate computer, choose the second option and set the appropriate path.
    C. Accept the License Agreement.
    D. Remove the check marks for all but Debugging Tools for Windows.

    What are symbols and why do I need them?

    Now that the debugger is installed, and before calling up a dump file, you have to make sure it has access to the symbol files. Symbol tables are a byproduct of compilation. When a program is compiled, the source code is translated from a high-level language into machine code. At the same time, the compiler creates a symbol file with a list of identifiers, their locations in the program, and their attributes. Since programs don't need this information to execute, it can be taken out and stored in another file. This reduces the size of the final executable so it takes up less disk space and loads faster into memory. But, when a program causes a problem, the OS only knows the hex address at which the problem occurred, not who was there and what the person was doing. Symbol tables, available through the use of SymServ, provide that information.

    SymServ (SymSrv)

    SymServ (also spelled SymSrv) is a critically important utility provided by Microsoft that manages the identification of the correct symbol tables to be retrieved for use by WinDbg. There is no charge for its use and it functions automatically in the background as long as the debugger is properly configured and has unfettered access to the symbol store at Microsoft.
    Running WinDbg

    From the W8 UI, right-click on the version of WinDbg you will use (x64 or x86) then select "Run as administrator" from the bar that pops up from the bottom of the screen. You will then see a singularly unexciting application interface; a block of gray. Before filling it in with data you must tell it where to find the symbol files.

    Setting the symbol File Path

    There is a massive number of symbol table files for Windows because every build of the operating system, even one-off variants, results in a new file. Using the wrong symbol tables would be like finding your way through San Francisco with a map of Boston. To be sure you are using the correct symbols, at WinDbg's menu bar, select the following:

    File | Symbol file path

    In the Symbol search path window enter the following address:

    srv*c:\cache*http://msdl.microsoft.com/download/symbols

    Note that the address between the asterisks is where you want the symbols stored for future reference. For example, I store the symbols in a folder called symbols at the root of my c: drive, thus:

    srv*c:\symbols*http://msdl.microsoft.com/download/symbols

    Make sure that your firewall allows access to msdl.microsoft.com.

    How WinDbg handles symbol files

    When opening a memory dump, WinDbg will look at the executable files (.exe, .dll, etc.) and extract version information. It then creates a request to SymServ at Microsoft, which includes this version information and locates the precise symbol tables to draw information from. It won't download all symbols for the specific operating system you are troubleshooting; it will download what it needs.

    Space for symbol files

    The space needed to store symbols varies. In my W8 test machine, after running numerous crash tests, the folder was about 35MB. On another system, running W7, and on which I opened dump files from several other systems, the folder was still under 100MB.
    Just remember that if you open files from additional machines (with variants of the operating system) your folder can continue to grow in size.

    Alternatively, you can opt to download and store the complete symbol file from Microsoft. Before you do, note that - for each symbol package - you should have at least 1GB of disk space free. That's because, in addition to space needed to store the files, you also need space for the required temporary files. Even with the low cost of hard drives these days, the space used is worth noting.

    • Each x86 symbol package may require 750 MB or more of hard disk space.
    • Each x64 symbol package may require 640 MB or more.

    Symbol packages are non-cumulative unless otherwise noted, so if you are using an SP2 Windows release, you will need to install the symbols for the original RTM version and for SP1 before you install the symbols for SP2.

    Create a dump file

    What if you don't have a memory dump to look at? No worries. You can generate one yourself. There are different ways to do it, but the best way is to use a tool called NotMyFault created by Mark Russinovich.

    Download NotMyFault

    To get NotMyFault, go to the Windows Internals Book page at SysInternals and scroll down to the Book Tools section where you will see a download link. The tool includes a selection of options that load a misbehaving driver (which requires administrative privileges). After downloading, I created a shortcut from the desktop to simplify access.

    Keep in mind that using NotMyFault WILL CREATE A SYSTEM CRASH and while I've never seen a problem using the tool there are no guarantees in life, especially in computers. So, prepare your system and have anyone who needs access to it log off for a few minutes. Save any files that contain information that you might otherwise lose and close all applications. Properly prepared, the machine should go down, reboot and both a minidump and a kernel dump should be created.
    Running NotMyFault

    Launch NotMyFault and select the High IRQL fault (Kernel-mode) then . . . hit the Crash button. Your Frown-of-Frustration will appear in a second, both a minidump and a kernel dump file will be saved and - if properly configured - your system will restart.

    When Windows 8 crashes, you see (1) the Frown-of-Frustration in the new BSOD. After restart you see (2) the offer to send crash files to Microsoft. The final screen (3) lists the files that would be sent, displays the privacy statement and asks you for permission to send them.

    Over the W8 UI will be a band of blue with the message that "Your PC ran into a problem . . . ". If you click the "Send details" button, Microsoft will use WinDbg and the command "!analyze" as part of an automated service to identify the root cause of the problem. The output is combined with a database of known driver bug fixes to help identify the failure.

    Launch WinDbg and (often) see the cause of the crash

    Launch WinDbg by right-clicking on it from the W8 UI then select "Run as administrator" from the bar that pops up at the bottom of the screen. Once the debugger is running, select the menu option File | Open Crash Dump and point it to open the dump file you want to analyze. Note that WinDbg will open any size dump file; a minidump, kernel dump or complete dump file. When offered to Save Workspace Information, say Yes; it will remember where the dump file is.

    A command window will open. If this is the first time you are using WinDbg on this system or looking at a dump file from another system you have not loaded files for before, it may take a moment to fill with information. This is because the debugger has to identify the precise release of Windows then go to SymServ at Microsoft and locate the corresponding symbol files and download the ones it needs. In subsequent sessions this step is unneeded because the symbols are saved on the hard drive.
    Once WinDbg has the symbols it needs it will run an analysis and fill the window with the results. This will include basic information such as the version of WinDbg, the location and name of the dump file opened, the symbol search path being used and even a brief analysis offering, in this case,

    Probably caused by : myfault.sys

    which, of course, we know to be true (myfault.sys is the name of the driver for NotMyFault).

    WinDbg Error Messages

    If WinDbg reports a *** WARNING or an *** ERROR, the solution is usually simple. The following lists the common messages, what they mean and how to resolve them.

    *** WARNING: Unable to verify timestamp for ntoskrnl.exe
    *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe

    This is important. When you see these two messages near the beginning of the output from WinDbg, it means that you will not get the analysis that you need. This is confirmed after the "Bugcheck Analysis" is automatically run, and the message

    ***** Kernel symbols are WRONG. Please fix symbols to do analysis

    is displayed. Likely causes follow:

    • No path/wrong path; a path to the symbol files has not been set or the path is incorrect (look for typos such as a blank white space). Check the Symbol Path.
    • Failed connection; check your Internet connection to make sure it is working properly.
    • Access blocked; a firewall blocked access to the symbol files or the files were damaged during retrieval. See that no firewall is blocking access to msdl.microsoft.com (it may only be allowing access to www.microsoft.com).

    Note that if a firewall initially blocks WinDbg from downloading a symbol table, it can result in a corrupted file. If unblocking the firewall and attempting to download the symbol file again does not work, the file remains damaged. The quickest fix is to close WinDbg, delete the symbols folder (which you most likely set at c:\symbols), and unblock the firewall. Next, reopen WinDbg and a dump file.
    The debugger will recreate the folder and re-download the symbols. Do not go further with your analysis until this is corrected.

    If you see the following error, no worries:

    *** WARNING: Unable to verify timestamp for myfault.sys
    *** ERROR: Module load completed but symbols could not be loaded for myfault.sys

    This means that the debugger was looking for information on myfault.sys. However, since it is a third-party driver, there are no symbols for it, since Microsoft does not store all of the third-party drivers. The point is that you can ignore this error message. Vendors do not typically ship drivers with symbol files and they aren't necessary to your work; you can pinpoint the problem driver without them.

    So, what caused the crash?

    As mentioned above, when you open a dump file with WinDbg it automatically runs a basic analysis that will often nail the culprit without even giving the debugger any direct commands, as shown in the screen where it says "Probably caused by : myfault.sys".

    More information

    Getting a little more information about the crash event and the suspect module is easy. Often, all you need is two commands among the hundreds that the rather powerful debugger offers: !analyze -v and lmvm.

    A new way to command WinDbg

    Normally, you would type in the commands and parameters you need. Things have changed, however, and Windows too. If you take a good look at the WinDbg interface, just below the "Bugcheck Analysis" box, it says "Use !analyze -v to get detailed debugging information" and that the command is underlined and in blue. Yes, it's a link. Just touch it and the command will be run for you. But, in case you don't have a touch screen, a mouse will work fine, or resort to the traditional method of typing the command into the window at the bottom of the interface where you see the prompt "kd>" (which stands for "kernel debugger"). Be sure to do it precisely; this is a case where syntax is key.
    For instance, note the space between the command and the "-v". The "v" or verbose switch tells WinDbg that you want all the details. You can do the same where you see the link for myfault, which will display metadata for the suspect driver.

    Output from !analyze -v

    The analysis provided by !analyze -v is a combination of English and programmer-speak, but it is nonetheless a great start. In fact, in many cases you will not need to go any further. If you recognize the cause of the crash, you're probably done.

    The !analyze -v command provides more detail about the system crash. In this case it accurately describes what the test driver (myfault.sys) was instructed to do: to access an address at an interrupt level that was too high.

    Analysis

    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.

    Under Debugging Details the report suggests that the problem was a "WIN_8_DRIVER_FAULT" and that NotMyFault.exe was active.

    Stack dump

    An important feature of the debugger's output using !analyze -v is the stack text. Whenever looking at a dump file always look at the far right end of the stack for any third-party drivers. In this case we would see myfault. Note that the chronologic sequence of events goes from the bottom to the top; as each new task is performed by the system it shows up at the top. In this rather short stack you can see that myfault was active, then a page fault occurred, and the system declared a BugCheck, which is when the system stopped (Blue Screened).
    One way to look at this is that when you see a third-party driver active on the stack when the system crashed, it is like walking into a room and finding a body on the floor and someone standing over it with a smoking gun in his hand; it doesn't mean that he is guilty but makes him suspect No.1.

    Output from lmvm (or by selecting myfault)

    Knowing the name of a suspect is not enough; you need to know where he lives and what he does. That's where lmvm comes in. It provides a range of data, from the image path (not all drivers live in %systemroot%\system32\drivers), time stamp, image size and file type (in this case a driver) to the company that made it, the product it belongs to, version number and description. Some companies even include contact information for technical support. What the debugger reports, though, is solely dependent upon what the developer included, which, in some cases, is very little.

    After you find the vendor's name, go to its Web site and check for updates, knowledge base articles, and other supporting information. If such items do not exist or do not resolve the problem, contact them. They may ask you to send along the debugging information (it is easy to copy the output from the debugger into an e-mail or Word document) or they may ask you to send them the memory dump (zip it up first, both to compress it and protect data integrity).

    If you have any questions regarding the use of WinDbg, check out the WinDbg help file. It is excellent. And, when reading about a command be sure to look at the information provided about the many parameters such as "-v" which returns more (verbose) information.

    The other third

    While it's true that, by following the instructions above, you'll likely know the cause of two out of three crashes immediately, that does leave that annoying other third. What do you do then?
    Well, the list of what could have caused the system failure is not short; it can range from a case fan failing, allowing the system to overheat, to bad memory.

    Sometimes it's the hardware

    If you have recurring crashes but no clear or consistent reason, it may be a memory problem. Two good ways to check memory are the Windows Memory Diagnostic tool and Memtest86. Go to Control Panel and enter "memory" into its search box then select "Diagnose your computer's memory problems". This simple diagnostic tool is quick and works great.

    Many people discount the possibility of a memory problem, because memory problems account for such a small percentage of system crashes. However, they are often the cause that keeps you guessing the longest.

    Is Windows the culprit?

    In all probability: no. For all the naysayers who are quick to blame Redmond for such events, the fact is that Windows is very seldom the cause of a system failure. But, if ntoskrnl.exe (Windows core) or win32k.sys (the driver that is most responsible for the "GUI" layer on Windows) is named as the culprit -- and they often are -- don't be too quick to accept it. It is far more likely that some errant third-party device driver called upon a Windows component to perform an operation and passed a bad instruction, such as telling it to write to non-existent memory. So, while the operating system certainly can err, exhaust all other possibilities before you blame Microsoft.

    What about my antivirus driver?

    Often you may see an antivirus driver named as the culprit but there is a good chance it is not guilty. Here's why: for antivirus code to work it must watch all file openings and closings. To accomplish this, the code sits at a low layer in the OS and is constantly working, so it will often be on the stack of function calls that was active when the crash occurred.

    Missing vendor information?

    Some driver vendors don't take the time to include sufficient information with their modules.
    So if lmvm doesn't help, try looking at the subdirectories on the image path (if there is one). Often one of them will be the vendor name or a contraction of it. Another option is to search Google. Type in the driver name and/or folder name. You'll probably find the vendor as well as others who have posted information regarding the driver.

    Summary

    Bear in mind that the time it took you to read this primer and to configure WinDbg on your system is far more effort than you will need to solve two of three crashes. Indeed, most crash analysis efforts will take you less than one minute. And, while the other third can certainly be more challenging, at least you'll have more time to try.
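The reading order this article describes (check the symbol warnings first, then the "Probably caused by" line, the bugcheck name and any third-party driver on the stack) can be applied to a saved debugger log. The following is an added example, not part of the original article or of WinDbg; the log text is constructed for illustration, and the set of module names treated as Windows' own is an assumption.

```python
import re

# Assumption (not from the article): modules counted as Windows' own when
# scanning the stack. Anything else on the stack is treated as third party.
OS_MODULES = {"nt", "hal", "win32k"}

# The two symbol messages the article quotes; group 1 is the module name.
SYMBOL_MSG = re.compile(
    r"^\*\*\* (?:WARNING: Unable to verify timestamp for"
    r"|ERROR: Module load completed but symbols could not be loaded for) (\S+)",
    re.M)
BUGCHECK = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)\s*$", re.M)
CAUSE = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
# Stack line: two addresses, the arguments, then the symbol at the far right.
FRAME = re.compile(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)\s*$")

# Constructed sample logs (addresses and offsets are made up).
GOOD_LOG = r"""Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
*** WARNING: Unable to verify timestamp for myfault.sys
*** ERROR: Module load completed but symbols could not be loaded for myfault.sys
Probably caused by : myfault.sys ( myfault+1270 )
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
STACK_TEXT:
fffff880`0a1b2c38 fffff800`02a7b169 : 00000000`0000000a 00000000`00000002 : nt!KeBugCheckEx
fffff880`0a1b2c40 fffff800`02a79de0 : 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff880`0a1b2d80 fffff880`04e31270 : 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x260
fffff880`0a1b2f10 fffff880`04e31727 : 00000000`00000000 00000000`00000000 : myfault+0x1270
"""
BAD_SYMBOLS_LOG = r"""*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : ntoskrnl.exe ( nt+7f1c0 )
"""


def triage(log_text):
    """Apply the article's reading order to a saved WinDbg log."""
    # 1. Which modules did the debugger fail to load symbols for?
    missing = []
    for m in SYMBOL_MSG.finditer(log_text):
        if m.group(1) not in missing:
            missing.append(m.group(1))
    # Missing kernel symbols invalidate the analysis; a missing third-party
    # driver symbol file (myfault.sys) does not.
    kernel_broken = ("Kernel symbols are WRONG" in log_text
                     or "ntoskrnl.exe" in missing)

    # 2. Collect the symbol at the far right of each stack line.
    frames, in_stack = [], False
    for line in log_text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            m = FRAME.match(line)
            if m is None:
                break
            frames.append(m.group(1))

    # 3. Any module on the stack that is not Windows' own is a suspect.
    third_party = []
    for sym in frames:
        module = re.split(r"[!+]", sym)[0]
        if module.lower() not in OS_MODULES and module not in third_party:
            third_party.append(module)

    bug = BUGCHECK.search(log_text)
    cause = CAUSE.search(log_text)
    return {
        "symbols_ok": not kernel_broken,
        "ignorable_symbol_warnings": [n for n in missing if n != "ntoskrnl.exe"],
        "bugcheck": (bug.group(1), int(bug.group(2), 16)) if bug else None,
        "third_party_on_stack": third_party,
        # Do not name a suspect until the kernel symbols are fixed.
        "suspect": cause.group(1) if cause and not kernel_broken else None,
    }


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad symbols", BAD_SYMBOLS_LOG)):
        print(name, triage(log))
```

With the second constructed log the function reports `symbols_ok` as false and names no suspect, which matches the article's advice not to go further until the symbol path is corrected.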

    Blog Entry, Data Recovery, KnowledgeBase (KB)
  • Posted on March 5, 2013 11:26 am
    Joseph Forbes
    No comments

    from the burrs-on-the-heel-of-the-foot-would-be-mercy dept.

    It appears that two weeks ago my email address got into the wrong database. Since that time there have been continuing attempts to access my accounts and create new accounts in my name. I have received emails asking me to click the link below to confirm I want to create an account with Twitter, Facebook, Apple Games Center, Facebook mobile account, and numerous pornographic sites. I have not attempted to create accounts on any of these services. I have also received 16 notices from Apple about how to reset my Apple ID. I am guessing these notices are being automatically generated in response to too many failed login attempts. At this point I have no reason to believe any of my accounts have been compromised but I see no good response.
    -A Slashdot user

    Something very similar to this situation happened to me a few months ago. In my situation it turned out to be a 12-year-old boy with the same name as me, trying to recover access to my Gmail account. I could imagine a fresh internet user attempting to register their name as their email address (that is what I did), but for this kid, I had already registered the email address. He persisted by making multiple attempts over a period of two weeks. It wasn't until later on that I realized the kid had signed up to some 'red light' dating websites, and had used my email address for the user registration email address. At first I thought someone was trying to actually cause harm to my identity by registering me to smutty websites, and attempting to recover existing accounts I had already had over many years. The kid made a major mistake in his attempts, which was that he had associated his cellphone number with his Twitter account. When I found out after tracing all the password recoveries, and newly received newsletters from this account signup, he had filled in the profiles with his information.

    So it did not take long for me to realize I wasn't actually a victim of an attack, but more of a misunderstood kid who didn't know there would be another Joseph Forbes in another state who registered Gmail and Twitter accounts. After patiently waiting and hoping the kid would stop trying to recover access to my account, I had to call him. To my surprise, I ended up with the kid's mother, who answered the phone, and I proceeded to inform her of my discoveries. The mother didn't really understand much of what I was saying, but she did confirm her son's name, and that he has a computer. After getting off the phone with the mother, I just kept a record of the event, and if I ever have any more problems, I know who my first suspect will be. I ended up realizing the kid was just trying to look up porn, and didn't realize someone had the same name, and already registered the Gmail and Twitter accounts.

    Now, I just have to get the two capstone students who are trying to start up "JFTITAN" as a corp, and this one dude on Skype. I was a bit late on the Skype user hijacking exploit. MS fixed it, but only LONG after did I know about the situation I could have reported one of my accounts.

    Blog Entry, Data Recovery, Hacking
  • Posted on March 1, 2013 12:37 pm
    Joseph Forbes
    No comments

    Once you've gone through a few computers, you probably have more than a few old hard drives lying around. You don't have to let them go to waste, though! Here's how to combine multiple hard drives into one, huge volume that'll hold just about anything.

    Storage is pretty cheap these days, and buying a new hard drive is always going to be the best way to increase your storage. However, maybe you're on a strict budget and can't afford a new drive. In that case, you might be better off combining some old drives you have lying around. Or, maybe you have other specific needs that require lots of space on one volume. For example, perhaps:

    • You're storing terabytes worth of movies, TV shows, music, or other media you've ripped and want it all on one volume
    • You need lots of consecutive storage for video editing, photo editing, or other "scratch disk" needs
    • You have a lot of games that have to be stored on the same volume (e.g., Steam games) but can't fit them all on one drive

    In this guide, we'll discuss three options for combining multiple hard drives, how to do each, and their advantages and disadvantages to one another.

    Option One: Use Symbolic Links

    By far the easiest method is to use symbolic links, which are similar to shortcuts, but "fool" your system into thinking it's the actual folder it links to. So, this allows you to store a folder on your second drive, create a symbolic link to it on your first drive, and it'll feel like all the files are on that first drive (even though they aren't). And, unlike shortcuts, programs on your computer won't know that one folder isn't the real deal.

    Let's take the video game example from above: Steam requires all your games to reside on the same drive, but if you have more games than can fit on one drive, you can move some of them to a second drive and set up symbolic links on the first drive so Steam is none the wiser.

    To do this in Windows:

    1. Find one of the folders that you want to move to your second drive. In this case, let's say it's C:\Games\Steam\steamapps\common\Portal.
    2. Move that folder to your second drive, and note its location (in this case, we'll say it's D:\Games\Portal).
    3. Open up the Start menu and type cmd. Press Enter to open up a Command Prompt window.
    4. Type the following command and press Enter:

       mklink /J C:\Games\Steam\steamapps\common\Portal D:\Games\Portal

       Notice that the first path is the location of the link, and the second path is the location of the moved folder. Obviously, replace the two file paths with the paths on your system. If you were creating a hard link to a file instead of a folder, you would use /H instead of /J after the command.
    5. Reopen Steam and try to launch your game. It will look in the old path, find the hard link, and be directed to the game's new location.

    You can also use free software like Link Shell Extension (or, in the case of video games, Steam Mover) to perform the same task without the command line.

    To do this in OS X:

    1. Find one of the folders that you want to move to your second drive. In this case, let's say it's /Users/yourusername/Library/Application Support/Steam/SteamApps/common/Portal.
    2. Move that folder to your second drive, and note its location (in this case, we'll say it's /Volumes/Games/Portal).
    3. Open up a Terminal window (through /Applications/Utilities/Terminal).
    4. Type the following command and press Enter:

       ln -s /Volumes/Games/Portal "/Users/yourusername/Library/Application Support/Steam/SteamApps/common/Portal"

       Notice that the first path is the location of the moved folder, and the second path is the location of the link. Obviously, replace the two file paths with the paths on your system.
    5. Reopen Steam and try to launch your game. It will look in the old path, find the hard link, and be directed to the game's new location.

    Of course, you can also perform this function on just about any OS out there, including Linux. Windows users can also mount an entire drive to a folder using built-in Windows features.
    Search around for instructions on your specific OS for more information.

    Pros: This method's biggest advantage is that it's easy, and allows you to control the location of each specific file or folder. It works with any number of drives of any capacity and speed. If one of your drives fails, you only lose the data on that drive, and the other drives stay intact.

    Cons: If you need to do this with a lot of files or folders, it can get to be very tedious and annoying. If you're storing hundreds of videos (like movies and TV shows), this probably wouldn't be optimal.

    Option Two: Create a Spanned Volume

    If you have a lot of files and folders to work with and you want them all on one volume (and symbolic links aren't ideal), you have another option: creating a spanned volume (also known as disk concatenation). Spanned volumes are like the opposite of partitioning: you create one volume that starts at the beginning of your first disk, and ends at the end of your last disk, creating one giant volume. This is often also referred to as Just a Bunch of Disks (JBOD). There's a lot of controversy over whether it is actually correct to call it this, so we won't use it here—just know that elsewhere around the net, you may see these two terms used interchangeably.

    To create a spanned volume in Windows:

    1. Back up any data on your drives, since you'll need to erase the ones you're spanning.
    2. Open the Start menu and type diskmgmt.msc. Click on the option that appears and find the disks you want to combine.
    3. If your disks have data on them, right-click on each and choose "Delete Volume." Make sure you're deleting the correct volumes!
    4. Right-click on the first of the now-empty drives you want to add to your span and choose "Create New Spanned Volume."
    5. When the New Spanned Volume wizard starts, click Next until you get to the Select Disks screen. Highlight the second disk you want to add to the span, then click the Add button. Continue this process until all the disks you want are on the right side of the selection wizard, then click Next.
    6. Assign your spanned volume a drive letter, then click Next.
    7. Format it as NTFS and give it a name. When it's finished, you're ready to use your new spanned volume.

    To create a spanned volume in OS X:

    1. Back up any data on your drives, since you'll need to erase the ones you're spanning.
    2. Open up /Applications/Utilities/Disk Utility and click on one of the drives you're going to use. Head to the "Erase" tab, choose "Mac OS Extended (Journaled)" from the dropdown menu, and click Erase. Repeat this process for the other drives you want to include in the span.
    3. Click on one of the now-empty drives you're going to use, and click the "RAID" tab.
    4. Give your set of disks a name, choose "Mac OS Extended (Journaled)" as the format, and choose "Concatenated Disk Set" for "RAID type."
    5. Click the plus sign to add the array to the list.
    6. Drag your hard drives one-by-one from Disk Utility's left sidebar into the right pane, under the disk set you just created.
    7. When all the disks are in place, click Create to create the spanned volume.

    Spanned volumes are a little different in every operating system, but the process is similar. Linux users can use a feature called Logical Volume Management, and most other OSes should have an option for this too—heck, even Nas4Free has it built right in. Google your own OS for instructions on how to perform similar functions (and remember, it might be referred to as JBOD or disk concatenation).

    Pros: Managing a spanned volume is much easier than managing symbolic links, since once you've created it, you don't actually have to "manage" anything. It just shows up on your computer as one big drive. When it runs out of space on the first physical disk, it moves onto the second without you having to worry about it. This also works with any number of drives at any combination of speeds, unlike RAID.
Cons: The biggest problem with spanned volumes is that they introduce a greater probability of drive failure. If you have a volume spanned over three drives, that's three drives that could fail instead of just one, and if one of your drives fails, you lose all of the data in that spanned volume (though some of it may be recoverable). As such, we don't recommend this option for most scenarios. However, if you have a lot of data that isn't particularly important, or is backed up elsewhere (like a bunch of DVDs and Blu-Ray discs that you've ripped), this might be an okay option. Just be aware of the downsides and the necessary precautions to keep your data safe.

Option Three: Set Up a RAID Array

The last option is using a Redundant Array of Independent Disks, also known as RAID. It offers a lot of benefits that disk spanning doesn't, like speed, reliability, and protection against drive failure. There are a number of different types of RAID, though, and they each serve slightly different purposes. Here are the most common:

RAID 0 is similar to a spanned volume: its main goal is to combine multiple drives into one big volume. However, instead of spanning your volumes, it uses something called striping: instead of filling up one drive and moving onto the next, it writes data across all of your drives. This means read speeds are faster than a spanned volume, since you can read multiple parts of the data at one time. However, if one drive fails, then you lose all your data with little hope of recovery.

RAID 1 doesn't actually combine multiple disks into one big volume at all. Instead, it implements a concept called mirroring: Whenever your main drive is written to, your computer writes the same data to your second drive. Your second drive is a mirror of your first one so that if one fails, you can pick right up with the second drive as if nothing went wrong.
RAID 10 combines the best of RAID 0 and RAID 1: you create a mirrored RAID 1 array, then combine that with other RAID 1 arrays for one big, mirrored volume. This type of RAID requires quite a few disks (two to combine and another two to mirror, at the minimum), so it can be quite costly.

RAID 5 introduces a feature called parity, which is another method for keeping your data protected from drive failure. Unlike RAID 10, in which you need to use half of your drives for redundancy, RAID 5 can store that recovery data in much smaller parity bits, spread across your drives. That means you can use more of your drives for data and hopefully save a bit of money. RAID 5 will be much slower to write data than RAID 10, though, so there is a tradeoff.

These aren't the only types of RAID, but they are the most common. We could do a whole set of features on each type of RAID, so we won't go into a ton of detail here, but you get the general concept: with RAID 10 or RAID 5, you can expand a volume across multiple disks without worrying about an increased risk of failure, as you would with disk spanning.

There are a number of ways to set up a RAID array. You can use software RAID, which is built into many motherboards and follows very similar instructions to creating a spanned volume (you would just choose a striped, mirrored, or RAID 5 array instead). Many people argue, however, that hardware RAID, which involves installing a RAID card into your PC and setting up RAID using that, is more reliable. The process varies from computer to computer and from RAID card to RAID card. Windows 8 users might also check out the new Storage Spaces feature, which isn't RAID, but has a lot of similar goals and features.

Pros: Higher levels of RAID offer the ability to turn multiple drives into one, big, often fast volume without worrying about losing your data. RAID is not a replacement for backup, but it does make your life a lot easier if one of those drives fails.
RAID 0 does not provide this redundancy, but is still faster than a spanned volume.

Cons: Unfortunately, RAID has a few downsides too. To start, higher levels of RAID can be expensive, since you need quite a few drives to pull it off. They'd also have to be the same size and speed, or you'd have to sacrifice some of their size and speed. That is, in a RAID array, you're stuck using the smallest disk's capacity for each drive, and the slowest disk's speed for each drive. As such, it isn't ideal if you have a bunch of disks lying around and you're trying to save some money. But, if your data is important, it can help keep that data safe, too. RAID 0's biggest downside is not only the lack of redundancy, but the fact that if you lose one drive, you lose all your data, with little to no hope of recovering it.

Combining multiple disks into one volume is a fairly controversial practice, as it can increase the risk of drives failing. However, if the situation is right (that is, if your data is unimportant, if you have it all backed up, or if you have redundancy built-in), combining those drives can be pretty handy.

Images by Spectrum (Shutterstock) and NasonovVasiliy (Shutterstock).
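
The parity idea behind RAID 5 described above, as an added example that is not from the original article: a toy in-memory layout that stripes data with a rotating XOR parity chunk and rebuilds any single failed disk. The chunk size, function names and sample data are assumptions made for illustration.

```python
from functools import reduce

SAMPLE = b"constructed sample: photos, tax records, ripped DVDs"  # made-up test data

def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def raid5_write(data, n_disks, chunk=4):
    """Stripe data over n_disks, adding one rotating parity chunk per stripe."""
    if n_disks < 3:
        raise ValueError("this sketch assumes at least three disks")
    per_stripe = (n_disks - 1) * chunk
    data = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + chunk] for i in range(0, per_stripe, chunk)]
        chunks.insert(s % n_disks, xor_blocks(chunks))  # parity slot rotates
        for disk, c in zip(disks, chunks):
            disk.append(c)
    return disks

def raid5_read(disks, length):
    """Return the data, rebuilding one failed disk (marked None) from parity."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise ValueError("RAID 5 cannot rebuild more than one failed disk")
    n = len(disks)
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(stripes):
        row = [None if d is None else d[s] for d in disks]
        if failed:  # XOR of the surviving chunks equals the missing chunk
            row[failed[0]] = xor_blocks([c for c in row if c is not None])
        out += b"".join(c for i, c in enumerate(row) if i != s % n)
    return bytes(out[:length])

def demo():
    """Fail each disk in turn and confirm the data always comes back."""
    results = []
    for dead in range(4):
        disks = raid5_write(SAMPLE, 4)
        disks[dead] = None
        results.append(raid5_read(disks, len(SAMPLE)) == SAMPLE)
    return results

if __name__ == "__main__":
    print(demo())
```

With four disks, one chunk in every stripe holds parity, so a quarter of the raw space goes to redundancy; a second simultaneous failure raises an error because the XOR no longer has enough surviving chunks to solve for.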
