From: David Brown on
mynick wrote:
> On Jan 20, 11:51 pm, David Brown <da...(a)>
> wrote:
>> mynick wrote:
>>> On Jan 19, 11:59 pm, David Brown <da...(a)>
>>> wrote:
>>>> mscotgr...(a) wrote:
>>>>> On Jan 19, 10:04 pm, David Brown
>>>>> <> wrote:
>>>>>> mscotgr...(a) wrote:
>>>>>>> On Jan 19, 3:23 pm, mynick <anglom...(a)> wrote:
>>>>>>>> On Jan 19, 1:56 am, Arno <m...(a)> wrote:
>>>>>>>>> In mynick <anglom...(a)> wrote:
>>>>>>>>>> Is there some undelete software that can run only locally and undelete
>>>>>>>>>> from a mapped network ntfs disk without the aid of an client/agent
>>>>>>>>>> installed/running on thatremotecomputer?
>>>>>>>>> I doubt that very much, as the filesystem will not export
>>>>>>>>> the required information over the network.
>>>>>>>>> Arno
>>>>>>>>> --
>>>>>>>>> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: a...(a)
>>>>>>>>> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
>>>>>>>>> ----
>>>>>>>>> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>>>>>>>> why not send info from hdd directly over tcp/ip instead of an agent
>>>>>>>> doing the hdd search remotely and just sending the resulting list to
>>>>>>>> local- Hide quoted text -
>>>>>>>> - Show quoted text -
>>>>>>> Could you expand on this please.
>>>>>>> To undelete a file it is necessary to access the hard drive on a
>>>>>>> sector level, and rewrite the MFT entry. There is no way I am aware
>>>>>>> of doing this over a general purpose ethernet link. If this was
>>>>>>> easily possible, network security would be a complete nightmare.
>>>>>> It is perfectly possible to do this over Ethernet - the most common way
>>>>>> is to use iSCSI (network block devices with *nix are another
>>>>>> possibility). Of course, this involves making the partition effectively
>>>>>> invisible to the host (server) machine, and mounted on the guest machine
>>>>>> as though it were a local drive. I don't know what sort of support
>>>>>> windows has for iSCSI, either as a target or initiator. And it is
>>>>>> clearly impractical for the issue at hand. But it /is/ possible to give
>>>>>> direct low-level access to a hard drive over a network.- Hide quoted text -
>>>>>> - Show quoted text -
>>>>> The question asked for access without a "client /agent
>>>>> installed/running on thatremotecomputer"
>>>>> I think you will find that iSCSI has to be set up on BOTH ends -
>>>>> please say if I am wrong
>>>> You are entirely correct - iSCSI needs to be configured at both ends. I
>>>> was just pointing out that such low-level disk sharing is certainly
>>>> possible, if you choose to use it.
>>>>> With a client app installed, there is no problem, but as a straight
>>>>> mapped drive, I think it is impossible.
>>>> One possibility is that windows has a number of backdoors that allow
>>>> execution of software on aremotemachine without actively installing
>>>> something there. The simplest and safest tools are probably things like
>>>> psexec from the SysInternals Suite (download from MS). psexec lets you
>>>> execute commands directly on aremotemachine, assuming you have an
>>>> administrator password for the machine.
>>> what do you think of nbd protocol?
>>> running nbdsrvr on remote if that does not require special privilleges
>>> on remote
>>> and than using Selfimage which supports nbd (but perhaps not the
>>> nbdsrvr.exe version)
>> I've only used nbd with Linux systems (to give an embedded Linux system
>> a swap disk) - I have no idea about support in windows for nbd. But
>> generally speaking, if you are using nbd to "share" a partition, the
>> partition cannot also be accessed locally.
> nbdsrvr for win can be found at
> however nbd readme says
> Do *NOT* share partitions/files that are already in mounted/in use! It
> is
> almost for sure that corruptions will occure???
> -is that what 'cannot' meant
> and would it make difference if there would be only 1 PC accesing the
> remote share ?

When I say "cannot", I really mean "should not" - and the OS should
hopefully enforce that limitation. The rule is that only one writer
should ever have low-level access to a partition (or file used as a
block device - that's the common usage for nbd). You can have multiple
read-only connections at a time, but if you try to allow two different
file system drivers to write to the same partition, you are guaranteed
chaos and corruption.

> Another idea might be using running locally and remotely dd command
> for win- perhaps that could go through smb
> (and after copying dd to mapped share it could be started via telnet
> because above mentioned psexec expects it on remote in c:\windows
> which is not accessible)

The trick is to use "psexec \\remoteserver cmd" to start a remote
command prompt - a poor man's telnet. But if you have a telnet or ssh
server on the remote machine, use that.