data recovery

Data recovery blog

I came across a couple of pretty good sites detailing some of the tools and processes I use for data recovery.

Basically, this wiki steps you through recovering data via a bootable Linux CD/USB. It recommends RIPLinux, though I personally use SystemRescueCd, which is just another bootable Linux distribution designed for data and system recovery.

The utilities which are important are ddrescue, badblocks, and smartctl.  I also use foremost, autopsy, ntfs-3g, ssh/scp, rsync, samba, 7z when doing data recovery work. 

Essentially the first task is to see just what kind of shape the drive is in.  For this we use smartctl to query the drive's S.M.A.R.T. statistics.  These numbers will tell us just how many errors the drive is producing, and can give us an estimate of how much time we have to work with. 

Running "smartctl --all /dev/<device>" will print the stats for that particular drive.

For example, on one of my systems I run the following:

Using dd to extract a partition from a disk image

I came across this little problem today. I had an image of an entire hard drive, but all I wanted was to extract a single partition.

Most of what I wanted to do was described in this post.

First, I needed to see what was on the disk image, using fdisk:

fdisk -lu /path/to/image.bin
Device Boot Start End Blocks Id System
myimage.bin1 * 63 275225579 137612758+ 83 Linux
myimage.bin2 275225580 17117257+ 7 HPFS/NTFS

and so on.

The "u" option tells fdisk to display the Start and End columns in units of 512 bytes, which should match the block size given to dd. This may not be true of images of disks that are 3 terabytes or larger.

What I then did was use dd to extract only partition 1:

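# Start and End are the sector numbers from fdisk. Sectors are numbered from 0,
# so dd has to skip exactly Start sectors to land on the first sector of the partition.
dd if=myimage.bin of=myimage-1.bin bs=512 skip=$((Start)) count=$((End-Start+1))

Below is a real-world example based on the output of fdisk above.

dd if=myimage.bin of=myimage-1.bin bs=512 skip=63 count=$((275225579-63+1))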

I now have a second file, myimage-1.bin, which I can then mount and copy files off of.

mount myimage-1.bin /mnt/tmp -o loop
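The extraction above as a small POSIX shell helper, added here as an example and not taken from the original post: it converts the fdisk Start/End sectors to a byte offset and length, refuses to carve from an image that is too short to hold the partition, and checks the size of the result. The function names and the tiny sample image are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): carve one partition out of a
# raw disk image from the Start/End sectors shown by `fdisk -lu`.

# part_geometry START END [SECTOR_SIZE] -> prints "byte_offset byte_length".
# fdisk sector numbers are zero-based and End is inclusive.
part_geometry() {
    [ "$2" -ge "$1" ] || { echo "End sector precedes Start" >&2; return 1; }
    echo "$(( $1 * ${3:-512} )) $(( ($2 - $1 + 1) * ${3:-512} ))"
}

# extract_partition IMAGE OUT START END [SECTOR_SIZE]
# Returns 2 if the image is too short for the partition, 3 on a short copy.
extract_partition() {
    img=$1; out=$2; start=$3; end=$4; ss=${5:-512}
    [ -r "$img" ] || { echo "cannot read $img" >&2; return 1; }
    geom=$(part_geometry "$start" "$end" "$ss") || return 1
    off=${geom% *}; len=${geom#* }
    img_size=$(( $(wc -c < "$img") ))
    # A truncated image would otherwise give a silently short partition file.
    if [ $(( off + len )) -gt "$img_size" ]; then
        echo "partition ends beyond the image ($img_size bytes)" >&2
        return 2
    fi
    dd if="$img" of="$out" bs="$ss" skip="$start" \
       count=$(( end - start + 1 )) 2>/dev/null || return 1
    [ $(( $(wc -c < "$out") )) -eq "$len" ] || return 3
}

# make_sample_image FILE: constructed test input, 100 zeroed sectors with the
# marker "PART1" at the start of sector 63 (where a partition would begin).
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=100 2>/dev/null &&
    printf 'PART1' | dd of="$1" bs=512 seek=63 conv=notrunc 2>/dev/null
}
```

The byte offset printed by part_geometry is also the value to pass to mount as "-o loop,offset=..." if you would rather mount the partition straight from the full image without copying it out.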
