Recovering content from old drives

Would like suggestions on safe approach to do the following:

We have about 10 old drives floating around, some which have "mixed" content, i.e. stuff we want to keep mixed in with stuff that's "unknown" and some folders that definitely have virus content mixed in (e.g. "mail > attachment" folders). These aren't drives with backup files created by any utility, they're just used drives. In almost all cases we know the directory structures that would be "to be retained", but in some cases such as the "downloads" or Attachments folders, we'll need to open/view many of the files, jpgs, gifs, zips, pdfs, html, etc etc.

Aside from just running antivirus scans on the drives, we'd also like to weed out the accumulated unwanted files.

My first idea is to run a sandboxing app ( Sandboxie ) to do the browsing/looking, but .... with so many files to browse through, so many file types and directories to go through I'm concerned about time-efficiency, as there's just much good stuff proportionally compared to the bad stuff, so moving files to a Quick or Instant recover zone will be pretty time-consuming (not to mention wrist-intensive).

Can anybody suggest a better way to approach this process?

 

Hello,

Seriously? Use a Linux machine running 2-3 anti-viruses, mount the drives, scan, disinfect, use Linux tools to properly identify files by type, size, data etc.

Do not use these drives in a Windows environment, especially since you do not know what they may contain.

Mrk

 

Point taken about Linux, yes that would be a very secure approach .

So in the absence of Linux, then ...?

 

Could be hooked up as a slave drive. Either internal or in an external USB device. Even if hooked up to a Windows machine anything on the slave drive should remain dormant and harmless. You can then scan the drive in question with any number of good free applications and remove the malware.

Still seems to me though that when it comes down to the final recovery of the wanted data it will be a bit wrist intensive.

 

confession: haven't 100% assimilated reading from the Sandboxie site, still working on it.

If, after running antivirus scans etc. on the drive, I create a sandbox where I have access to the apps I need to open/view the various file types on the drive. Is it then possible to delete files on the drive from within the sandbox and not have to move the rest of the "files to be retained" into the Instant/Quick recover zone? In other words, do what sounds like the opposite of the typical usage?

 

As long as you are only planning on saving\viewing non-executable files then you should be safe, even without pre-scanning.

If I totally understand your plan, yes, it should work.

 

I would think a very simple solution would be to take another computer, and make it a sandbox. Image it or whatever. Take it off the network. Plug in those drives as slaves. Run AV if you desire. Check for your data. Sort your data. Etc etc etc. Even on the sandbox machine, since you are using it for a special purpose, put many protections on it. Run it in LUA or LUA+SRP, or use HIPS or whatever you really want to. Does not matter. If you aren't saving executables you should have no problem. If you are saving executables. then scan them with one of those online super scanner websites. Or just run them in the sandbox and see if your AV/HIPS/whatever catches anything.

For me I have many computers and many harddrives, so it is easy to just keep a spare machine around with an image for it. I can do things like that then no problem. Works very easy.

Sul.