#1

The Acronis image setting on the external drive I was advised to buy for backup contains an image file of my computer while it was infected. It also contains an Outlook .pst and BCM file I need to retrieve. That image file was scanned by the mechanic who put it there and scanned twice by me with NOD32. But the file has never been restored to a condition that will permit me to remove selected files. I'm about to buy Acronis True Image 9.0 Home just for that purpose (it was created with True Image). I don't know what to expect when I convert or restore that file. I obviously don't want it restored in the true sense of the word because the machine it's on has been reformatted, most of the programs and user files reinstalled, and is running fine.

Q1) I'd appreciate a comment about what to expect when this file is converted. I want to make sure it stays on that external drive and doesn't try to replace what's there now. Of course, I'll read the instructions when I download the program this morning but I'd like to get a thumbnail sketch of what to expect from someone who has had experience in this area.

Q2) Can I feel assured - since the image file has been scanned so often, that it's safe to copy user files from?

jaygreg

#2

jaygreg wrote:

> The Acronis image setting on the external drive I was advised to buy for backup contains an image file of my computer while it was infected. It also contains an Outlook .pst and BCM file I need to retrieve. That image file was scanned by the mechanic who put it there and scanned twice by me with NOD32. But the file has never been restored to a condition that will permit me to remove selected files. I'm about to buy Acronis True Image 9.0 Home just for that purpose (it was created with True Image). I don't know what to expect when I convert or restore that file. I obviously don't want it restored in the true sense of the word because the machine it's on has been reformatted, most of the programs and user files reinstalled, and is running fine.
>
> Q1) I'd appreciate a comment about what to expect when this file is converted. I want to make sure it stays on that external drive and doesn't try to replace what's there now. Of course, I'll read the instructions when I download the program this morning but I'd like to get a thumbnail sketch of what to expect from someone who has had experience in this area.

An expert wouldn't use proprietary formats for backups. I'd use 'dd' and 'bzip2', such an image would be easily mountable (and even read-only) under any operating system.

> Q2) Can I feel assured - since the image file has been scanned so often, that it's safe to copy user files from?

No. You should delete every executable (including DLLs, OCXs, ACMs, AXs and alike) and you should carefully validate and/or normalize all data (be aware that just one little number added to a list of financial transactions can have devastating consequences).

Of course, an expert would have a list of cryptographic checksums of all files from even before the infection, so he would be able to spot all changes against the trusted state.
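
Added example, not part of the original post: a Python sketch of the triage the reply above describes, applied to files copied out of a restored image. It flags executables (the extensions listed in the post; the `.exe` entry and the `MZ` header check are assumptions of this sketch) and compares every other file against a SHA-256 manifest taken before the infection. File names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions listed in the post; ".exe" is added here as an assumption.
CODE_EXTS = {".exe", ".dll", ".ocx", ".acm", ".ax"}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large .pst need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def is_executable(path):
    """True for a code extension or a DOS/PE 'MZ' header (renamed binary)."""
    with open(path, "rb") as f:
        magic = f.read(2)
    return Path(path).suffix.lower() in CODE_EXTS or magic == b"MZ"

def triage(recovered_root, trusted_manifest):
    """Sort recovered files into executable / modified / unknown / unchanged."""
    root = Path(recovered_root)
    report = {"executable": [], "modified": [], "unknown": [], "unchanged": []}
    for rel, digest in build_manifest(root).items():
        if is_executable(root / rel):
            report["executable"].append(rel)   # delete, never copy back
        elif rel not in trusted_manifest:
            report["unknown"].append(rel)      # no trusted state to compare
        elif trusted_manifest[rel] != digest:
            report["modified"].append(rel)     # changed since the manifest
        else:
            report["unchanged"].append(rel)
    return report

def demo():
    # Constructed sample: a trusted tree, then the same tree after infection.
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = Path(tmp, "clean"), Path(tmp, "infected")
        for d in (clean, infected):
            d.mkdir()
            (d / "notes.txt").write_bytes(b"meeting at 10\n")
            (d / "ledger.csv").write_bytes(b"rent,1000\n")
        manifest = build_manifest(clean)       # taken before the infection
        (infected / "ledger.csv").write_bytes(b"rent,10000\n")  # one digit added
        (infected / "helper.ocx").write_bytes(b"MZ\x90\x00")
        (infected / "photo.jpg").write_bytes(b"MZ\x90\x00")     # renamed binary
        return triage(infected, manifest)
```

A file reported as unchanged matches the trusted state byte for byte; a file reported as modified or unknown still needs the validation discussed later in the thread.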

#3

"Sebastian Gottschalk" <> wrote in message news:...
> jaygreg wrote:
>
> > The Acronis image setting on the external drive I was advised to buy for backup contains an image file of my computer while it was infected. It also contains an Outlook .pst and BCM file I need to retrieve. That image file was scanned by the mechanic who put it there and scanned twice by me with NOD32. But the file has never been restored to a condition that will permit me to remove selected files. I'm about to buy Acronis True Image 9.0 Home just for that purpose (it was created with True Image). I don't know what to expect when I convert or restore that file. I obviously don't want it restored in the true sense of the word because the machine it's on has been reformatted, most of the programs and user files reinstalled, and is running fine.
> >
> > Q1) I'd appreciate a comment about what to expect when this file is converted. I want to make sure it stays on that external drive and doesn't try to replace what's there now. Of course, I'll read the instructions when I download the program this morning but I'd like to get a thumbnail sketch of what to expect from someone who has had experience in this area.
>
> An expert wouldn't use proprietary formats for backups. I'd use 'dd' and 'bzip2', such an image would be easily mountable (and even read-only) under any operating system.
>
> > Q2) Can I feel assured - since the image file has been scanned so often, that it's safe to copy user files from?
>
> No. You should delete every executable (including DLLs, OCXs, ACMs, AXs and alike) and you should carefully validate and/or normalize all data (be aware that just one little number added to a list of financial transactions can have devastating consequences).
>
> Of course, an expert would have a list of cryptographic checksums of all files from even before the infection, so he would be able to spot all changes against the trusted state.

>>An expert wouldn't use proprietary formats for backups. I'd use 'dd' and 'bzip2', such an image would be easily mountable (and even read-only) under any operating system.<<

I really don't know the level of expertise of the guy. He has a shop... I had a need at the time... I was up a creek... he said he could help. So he made an image of the drive. I assume the "dd" and "bzip2" you refer to are two alternative programs? Why would you use them?

>>No. You should delete every executable (including DLLs, OCXs, ACMs, AXs and alike) and you should carefully validate and/or normalize all data <<

I've never used the program so I don't know what to expect. When I get Acronis installed on my machine, what do I do next? Select the image file and hit some button that converts it to ... whatever? Or do I just go to the directory he created, scroll to the directories I think contain what I want then convert just them? Or search for every file you listed above plus .exe and delete them? How do I validate or normalize data?

#4

jaygreg wrote:

> "Sebastian Gottschalk" <> wrote in message news:...
>> jaygreg wrote:
>>
>>> The Acronis image setting on the external drive I was advised to buy for backup contains an image file of my computer while it was infected. It
> also

Would you please fix your quoting? Thanks in advance.

>> An expert wouldn't use proprietary formats for backups. I'd use 'dd' and 'bzip2', such an image would be easily mountable (and even read-only) under any operating system.
>
> I really don't know the level of expertise of the guy. He has a shop... I had a need at the time... I was up a creek... he said he could help. So he made an image of the drive.

The problem is that this shitty software will only allow you to play back the image to a drive, but not to mount it separately.

> I assume the "dd" and "bzip2" you refer to are two alternative programs?

Well, you really should know how to Google.

> Why would you use them?

As I already told you, 'dd' can be used to simply create a bytewise exact copy of the raw partition or drive, which then in turn is also trivially mountable. Bzip2 obviously serves for data compression.

>> No. You should delete every executable (including DLLs, OCXs, ACMs, AXs and alike) and you should carefully validate and/or normalize all data
>
> I've never used the program so I don't know what to expect. When I get Acronis installed on my machine, what do I do next? Select the image file and hit some button that converts it to ... whatever?

AFAIK it doesn't support anything like conversion or mounting or extraction, so I'm afraid to tell you that you most likely need to buy or borrow another drive of sufficient size.

> Or do I just go to the directory he created, scroll to the directories I think contain what I want then convert just them? Or search for every file you listed above plus .exe and delete them?

Obviously, if you're just interested in data not containing any code at all, you can just extract those.

> How do I validate or normalize data?

By using the relevant minimalistic tools for the formats and reprocessing everything.

Par example an SVGZ image file would require being decompressed with 'gzip' to an uncompressed SVG, then validated with an XML parser against the XML format and the SVG DTD, then opened with a comparably minimalistic SVG editor (like Inkscape), then saved and recompressed. This procedure would ensure that every part of the format follows its specification (the gzip stream being valid) and has a normal form (f.e. with all entities in the XML part being fully expanded, all superfluous entries discarded), so any modified data won't be able to cause havoc when being processed later by more complex (and therefore potentially more vulnerable) programs.

Of course it will still require semantic validation. You should take a look at your "tax declaration.odt" to ensure that not just one little number was added.
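
The SVGZ procedure described above, as an added example that is not part of the original post. It uses Python's standard library in place of 'gzip', a validating parser and Inkscape: the element and attribute allowlist stands in for validation against the SVG DTD, and the size cap, the UTF-8 requirement and the refusal of entity declarations (rather than expanding them) are assumptions of this sketch.

```python
import gzip
import io
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_BYTES = 5 * 1024 * 1024          # assumed cap on decompressed size
# Assumed allowlist of drawing-only elements and attributes (not the full DTD).
ALLOWED_TAGS = {"svg", "g", "title", "desc", "path", "rect", "circle",
                "ellipse", "line", "polyline", "polygon"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "transform", "d", "points",
                 "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
                 "fill", "stroke", "stroke-width"}

def normalize_svgz(blob: bytes) -> bytes:
    """Return a re-encoded SVGZ that contains only allowlisted content."""
    # 1. The gzip stream must be valid (header, CRC) and bounded in size.
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as gz:
        raw = gz.read(MAX_BYTES + 1)
    if len(raw) > MAX_BYTES:
        raise ValueError("decompressed data exceeds size cap")
    text = raw.decode("utf-8")       # normal form here: UTF-8 only
    # 2. Entity declarations are refused instead of expanded (stricter).
    if "<!ENTITY" in text:
        raise ValueError("entity declarations are not accepted")
    root = ET.fromstring(text)       # raises ParseError if not well-formed
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    # 3. Discard every element and attribute outside the allowlist.
    allowed = {f"{{{SVG_NS}}}{name}" for name in ALLOWED_TAGS}
    for el in list(root.iter()):
        for name in list(el.attrib):
            if name not in ALLOWED_ATTRS:
                del el.attrib[name]
        for child in list(el):
            if child.tag not in allowed:
                el.remove(child)
    # 4. Re-serialize and recompress; mtime=0 keeps the output reproducible.
    ET.register_namespace("", SVG_NS)
    out = ET.tostring(root, encoding="utf-8")
    return gzip.compress(out, mtime=0)

# Constructed sample: a drawing carrying a script element and an event handler.
SAMPLE = gzip.compress(
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10" '
    b'onload="init()"><script>init()</script>'
    b'<path d="M0 0L5 5" fill="red"/></svg>')
```

Running the output through `normalize_svgz` a second time returns the same bytes, which is what makes it a normal form; whether the drawing still shows what it should is the semantic check the post mentions and is not covered here.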

#5

>>Would you please fix your quoting? Thanks in advance.<<

Sorry, Sebastian. I don't know what you mean. Explain please.

>>Well, you really should know how to Google.<<

A simple "Yes" or "No" would suffice. The purpose of language is to communicate... not impress. I'm not as familiar with this subject matter as you and defer to your expertise. I did Google both, found "Bzip2" compression software but in the time I cared to devote to the search, found only "designated driver" for "dd"... which I rejected as being your reference. Nevertheless, you did go on in your reply to give enough of an explanation for me to understand that "dd" is a software program that has the ability to include in the copies it makes, all (I assume) the code necessary to put the copy back on a clean machine and enable it to execute as it did prior to having created the copy... hopefully after having been "cleaned" in some manner by the user.

>>AFAIK it doesn't support anything like conversion or mounting or extraction, so I'm afraid to tell you that you most likely need to buy or borrow another drive of sufficient size.<<

I did buy another external drive; that's where the image file resides. The "mechanic" put it there with Acronis True Image then gave me a copy with the key. I don't want to use his copy; I want a legitimate copy; the authors of that software deserve their royalties... though the level of profit merchants may be "entitled" to could be cause for lengthy discussion judging from the range of retail prices for this software.

>>Obviously, if you're just interested in data not containing any code at all, you can just extract those<<

Awha! Here's my answer! Extracting a user file is all I want to do from what I know at this point. The objective is to recover a .pst file from Outlook 2003 and whatever file I need to make my BCM file (Business Contact Manager in Outlook 2003) work again.

I appreciate your taking time to give me that explanation of the validation and normalization process. I hope I never find myself in that desperate a need to reconstruct files. If I'm unsuccessful in recovering what I'm after at present, I may be angry, but I won't be lost. I can rebuild if necessary. No financial data lost... though I am curious about your reference to "tax declaration.odt". What is the "odt" extension associated with?

I appreciate your taking the time to help, Sebastian. I got my answer and then some. Thank you.

"Sebastian Gottschalk" <> wrote in message news:...
> jaygreg wrote:
>
> > "Sebastian Gottschalk" <> wrote in message news:...
> >> jaygreg wrote:
> >>
> >>> The Acronis image setting on the external drive I was advised to buy for backup contains an image file of my computer while it was infected. It
> > also
>
> Would you please fix your quoting? Thanks in advance.
>
> >> An expert wouldn't use proprietary formats for backups. I'd use 'dd' and 'bzip2', such an image would be easily mountable (and even read-only) under any operating system.
> >
> > I really don't know the level of expertise of the guy. He has a shop... I had a need at the time... I was up a creek... he said he could help. So he made an image of the drive.
>
> The problem is that this shitty software will only allow you to play back the image to a drive, but not to mount it separately.
>
> > I assume the "dd" and "bzip2" you refer to are two alternative programs?
>
> Well, you really should know how to Google.
>
> > Why would you use them?
>
> As I already told you, 'dd' can be used to simply create a bytewise exact copy of the raw partition or drive, which then in turn is also trivially mountable. Bzip2 obviously serves for data compression.
>
> >> No. You should delete every executable (including DLLs, OCXs, ACMs, AXs and alike) and you should carefully validate and/or normalize all data
> >
> > I've never used the program so I don't know what to expect. When I get Acronis installed on my machine, what do I do next? Select the image file and hit some button that converts it to ... whatever?
>
> AFAIK it doesn't support anything like conversion or mounting or extraction, so I'm afraid to tell you that you most likely need to buy or borrow another drive of sufficient size.
>
> > Or do I just go to the directory he created, scroll to the directories I think contain what I want then convert just them? Or search for every file you listed above plus .exe and delete them?
>
> Obviously, if you're just interested in data not containing any code at all, you can just extract those.
>
> > How do I validate or normalize data?
>
> By using the relevant minimalistic tools for the formats and reprocessing everything.
>
> Par example an SVGZ image file would require being decompressed with 'gzip' to an uncompressed SVG, then validated with an XML parser against the XML format and the SVG DTD, then opened with a comparably minimalistic SVG editor (like Inkscape), then saved and recompressed. This procedure would ensure that every part of the format follows its specification (the gzip stream being valid) and has a normal form (f.e. with all entities in the XML part being fully expanded, all superfluous entries discarded), so any modified data won't be able to cause havoc when being processed later by more complex (and therefore potentially more vulnerable) programs.
>
> Of course it will still require semantic validation. You should take a look at your "tax declaration.odt" to ensure that not just one little number was added.

#6

jaygreg wrote:

>>>Would you please fix your quoting? Thanks in advance.<<
> Sorry, Sebastian. I don't know what you mean. Explain please.

You're quoting by putting the entire text in triple brackets instead of line quoting it with single brackets. Not even Outlook Express, which you're misusing as a newsreader, does such a strange thing on its own.

<http://learn.to/quote>

>>>Well, you really should know how to Google.<<
> A simple "Yes" or "No" would suffice. The purpose of language is to communicate... not impress. I'm not as familiar with this subject matter as you and defer to your expertise. I did Google both, found "Bzip2" compression software but in the time I cared to devote to the search, found only "designated driver" for "dd"... which I rejected as being your reference.

Both Bzip2 and 'dd' belong to the Bin Utils, one of the most common collections of software utilities on Unix environments, despite also being available and very useful on Windows.

See <http://en.wikipedia.org/wiki/Dd_(Unix)>

> I did buy another external drive; that's where the image file resides.

Well, the problem is that you'll need to restore the image to some drive for accessing the contained file system, and that's where you need an extra drive. Or does Acronis TrueImage offer some methods for extracting data directly from the image, or at least mounting it? You need to tell me, I don't own this software nor the operating system it runs on.

> though I am curious about your reference to "tax declaration.odt". What is the "odt" extension associated with?

OpenDocument, the most common standardized free document exchange format.

#7

>does Acronis TrueImage offer some methods for extracting data directly from the image, or at least mounting it?<

Hummm. Another good point. I don't know. I haven't bought the software yet but I certainly need to get the answer to this one. I'll call that mechanic who put the file there.

Thanks, Sebastian. And for the references as well.

"Sebastian Gottschalk" <> wrote in message news:...
> jaygreg wrote:
>
>>>>Would you please fix your quoting? Thanks in advance.<<
>> Sorry, Sebastian. I don't know what you mean. Explain please.
>
> You're quoting by putting the entire text in triple brackets instead of line quoting it with single brackets. Not even Outlook Express, which you're misusing as a newsreader, does such a strange thing on its own.
>
> <http://learn.to/quote>
>
>>>>Well, you really should know how to Google.<<
>> A simple "Yes" or "No" would suffice. The purpose of language is to communicate... not impress. I'm not as familiar with this subject matter as you and defer to your expertise. I did Google both, found "Bzip2" compression software but in the time I cared to devote to the search, found only "designated driver" for "dd"... which I rejected as being your reference.
>
> Both Bzip2 and 'dd' belong to the Bin Utils, one of the most common collections of software utilities on Unix environments, despite also being available and very useful on Windows.
>
> See <http://en.wikipedia.org/wiki/Dd_(Unix)>
>
>> I did buy another external drive; that's where the image file resides.
>
> Well, the problem is that you'll need to restore the image to some drive for accessing the contained file system, and that's where you need an extra drive. Or does Acronis TrueImage offer some methods for extracting data directly from the image, or at least mounting it? You need to tell me, I don't own this software nor the operating system it runs on.
>
>> though I am curious about your reference to "tax declaration.odt". What is the "odt" extension associated with?
>
> OpenDocument, the most common standardized free document exchange format.