May 8, 2006

Review: Trinity Rescue Kit

Author: Mayank Sharma

Anyone who dual-boots, or who runs or manages a heterogeneous network of Windows and Linux workstations, must occasionally contend with offline or dead systems. Of course, the open source world has plenty of good tools to help get these boxes back on track, or at least recover valuable data. Trinity Rescue Kit (TRK) is a small yet powerful bootable Linux distribution that rescues, repairs, resets passwords, and clones dead Linux and Windows installations.

Based on binaries from Mandriva 2005, the latest version, TRK 3.1, has been reinforced with heavily adapted bootup scripts. TRK includes scripts that download updates from the Internet and rebuild the ISO, so it's wise to burn the 85.3MB downloaded ISO onto a rewriteable CD (CD-RW).

Hardware and network detection

When TRK boots, you'll see a graphical boot menu with a few options to control the startup. You can make TRK run entirely from memory, if you need to mount a CD to assist in the recovery process or to burn the rescued data. TRK can also look for scripts on a USB device or diskette and run those, scan all detected drives for viruses, or configure itself as an SSH server. You can combine several of these options, but you're better off doing that from the non-graphical boot screen, since the graphical one doesn't print what you type.

The rescue kit will detect network cards and try to configure them using DHCP. TRK comes with a kernel with most default options left on in order to support important hardware, such as network cards and disk controllers. I tried it on various machines, and the wired Ethernet card detection success rate was 100%. But it couldn't detect all wireless hardware, such as the Broadcom adapter on the Acer laptop or the Linksys on the desktop, both of which lack native Linux drivers. It did, however, pick up the PC Card wireless card with ease. TRK also supports USB network cards.

On my humble 1.3GHz Celeron laptop with 256MB of RAM, it took about 30 seconds for TRK to get me the shell.

Rescue operations

TRK's kernel is patched with lufs for NTFS support. The mountallfs script will detect and mount all NTFS partitions on the disk, giving you read access. The rescue kit also supports the Captive-NTFS drivers. Using mountallfs -c will mount NTFS partitions using these drivers to give read and write access.

Due to legal restrictions, though, TRK cannot pack the files needed by Captive-NTFS. The captive-install-acquire utility will search for the required files on the hard disk, and if it can't find them locally, it will download them from the Microsoft Web site. To avoid doing this over and over, TRK runs this utility from within the updatetrk script. When this script finishes, it generates a new ISO image with the Captive files included. Another option for gaining write access to NTFS partitions is to use the NTFS-fuse driver. This doesn't require any Windows files and gives limited NTFS write access: using this driver, you can create at most 10 files or subdirectories per folder.

Of course, TRK's update script does more than just getting the files required by Captive. Among other things, it also downloads the latest virus definitions for the built-in scanner ClamAV. ClamAV is a detect-only scanner that doesn't clean the files, so the script also downloads another virus scanner, F-Prot, along with its latest updates, which isn't included in the original ISO again due to its restrictive distribution license. Once downloaded, all these are also included in the new ISO image.

The updatetrk script searched my hard disk for the essential ntoskrnl.exe and ntfs.sys files, and though it found them, it suggested I download 24MB of files. Apart from the latest versions of these two files, it also downloaded cdfs.sys and fastfat.sys. Once these were done, it proceeded on to F-Prot. While installing F-Prot's signatures, it gave me an error saying "disk full." It turns out that the F-Prot updater downloads its files to /var/tmp/, which resides on the root drive, which is an initial RAM disk of 32MB. To get around that problem, run these commands:

rm -rf /var/tmp/
mkdir /dev/shm/vartmp
ln -s /dev/shm/vartmp /var/tmp

Now, run the script. This gives it access to the shared memory filesystem, which is at least half the size of your RAM.
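The same relocation as a reusable function, added here as an example rather than taken from TRK: it takes the source and target directories as parameters (so it can be tried on scratch directories first), refuses to redo a directory that is already a symlink, and keeps any files already present instead of discarding them with rm -rf. The free_kb helper shows why the workaround is needed by reporting free space on the 32MB root RAM disk versus /dev/shm.

```shell
#!/bin/sh
# Added example, not a TRK script. Relocates a directory onto a larger
# filesystem (on TRK: /dev/shm, tmpfs sized at about half of RAM) by
# moving its contents and replacing it with a symlink.

# relocate_dir SRC DEST
# Copies SRC's contents into DEST, removes SRC and links SRC -> DEST.
relocate_dir() {
    src=$1
    dest=$2
    # Already relocated (or something else symlinked here): leave it alone.
    if [ -L "$src" ]; then
        echo "$src is already a symlink to $(readlink "$src")" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    if [ -d "$src" ]; then
        # Preserve existing files (downloads in progress, etc.) rather
        # than discarding them as a bare rm -rf would.
        cp -pR "$src"/. "$dest"/ || return 1
        rm -rf "$src" || return 1
    fi
    ln -s "$dest" "$src" || return 1
}

# free_kb PATH: free kilobytes on the filesystem that holds PATH.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Usage on TRK: show the space picture, then relocate /var/tmp.
if [ "${1:-}" = "--show" ]; then
    echo "free on /        : $(free_kb /) KB"
    echo "free on /dev/shm : $(free_kb /dev/shm) KB"
elif [ "${1:-}" = "--relocate" ]; then
    relocate_dir /var/tmp /dev/shm/vartmp
fi
```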

To scan the disks, use the virusscan script, which by default uses the ClamAV scanner. If it detects an Internet connection, it tries to get updates. This script also quarantines infected files, puts them in a directory on the drive where they were discovered under /TRK-INFECTED/infected-.tar.gz, then deletes all infected files. If this method is too radical for you, download and use F-Prot with virusscan --f-prot, which can disinfect files non-destructively. Unfortunately, it cannot do so using the ntfs-fuse driver. If you need either scanner to get rid of or disinfect your infected NTFS-based files, you'll need to use captive-ntfs. Smartly, though, TRK does virus detection using the read-only Linux NTFS driver, as it is much faster than captive-ntfs and can record a log of infected files. It then remounts using captive-ntfs, refers to the log file, and rescans only the infected files in disinfection mode.

In case the box you are rescuing has a bad disk, try using ntfsundelete to recover deleted files. For example, use ntfsundelete /dev/hda1 -s -m '*.xls' to scan for recoverable Excel files under /dev/hda1. Make sure the partition from which you wish to recover files isn't mounted.

Another useful script is winpass; it resets all Windows administration and user passwords. The script searches for all Windows installations on the box and prints them with the partition they are under for easy recognition. You then select the installation whose passwords you want to reset, and the script passes control to another utility, chntpw, which prints information such as syskey status and then prompts you for a new password. You can choose to enter a new password, stick to the existing one, or enter * for no password.

Another useful script is clonexp, which can duplicate a Windows partition on one computer to another on the network securely through SSH. Both boxes need to be running TRK, with the one receiving the data booted with SSH enabled through Option 8 at the boot screen. To ensure smooth sailing, make the target partition bigger than the source partition. The script runs from the source partition and will prompt you first for the partition that needs to be cloned, then the target computer's IP address, followed by the target partition.

And, yes, there's QtParted for all your partition editing and resizing needs. TRK's kernel has been compiled with framebuffer support specifically for QtParted and the Links command-line browser.

Trinity Rescue Kit is a great lightweight Linux live CD for resuscitating a dying box. With a long development history and a developer who knows what he is doing, its various scripts make the job of using the tools easy for users of all experience levels.

TRK's developer is working on a hard disk install option for the next version. While most of the tools come with online documentation on their respective Web sites and the scripts have good usage pages, the TRK usage howto needs a little attention and structure, and an offline copy should be distributed along with the ISO, updatable through updatetrk.