Data Recovery

From Indie IT Wiki
Jump to: navigation, search

Introduction

Deleted or lost files can sometimes be recovered from failed or formatted drives and partitions, CD-ROMs and memory cards using the free/libre software available in the Ubuntu repositories. The data is recoverable because the information is not immediately removed from the disk. Follow these steps to recover lost data.

Caution

You should NOT write to the failed device, as it can worsen a hardware failure, and overwrite existant data in case of lost files.

Shut down the affected machine as soon as possible, and restart it from a LiveCD or LiveUSB. Be certain that the "live" cd does not automatically mount any partition or swap space.

TestDISK Partition Recovery

Introduction...

NAME
      testdisk - Scan and repair disk partitions

SYNOPSIS
      testdisk [/log] [/debug] [/dump] [device|image.dd|image.e01]

      testdisk /version

      testdisk /list [/log]

DESCRIPTION
         TestDisk checks and recovers lost partitions
         It works with :
         - BeFS (BeOS)
         - BSD disklabel (FreeBSD/OpenBSD/NetBSD)
         - CramFS, Compressed File System
         - DOS/Windows FAT12, FAT16 and FAT32
         - HFS and HFS+, Hierarchical File System
         - JFS, IBM's Journaled File System
         - Linux ext2/ext3/ext4
         - Linux Raid
           RAID 1: mirroring
           RAID 4: striped array with parity device
           RAID 5: striped array with distributed parity information
           RAID 6: striped array with distributed dual redundancy information
         - Linux Swap (versions 1 and 2)
         - LVM and LVM2, Linux Logical Volume Manager
         - Mac partition map
         - Novell Storage Services NSS
         - NTFS (Windows NT/2K/XP/2003/Vista/...)
         - ReiserFS 3.5, 3.6 and 4
         - Sun Solaris i386 disklabel
         - Unix File System UFS and UFS2 (Sun/BSD/...)
         - XFS, SGI's Journaled File System

Install the software...

sudo aptitude install testdisk

Run...

sudo testdisk /dev/sdX

Thanks - http://www.dedoimedo.com/computers/linux-data-recovery.html

DDRescue Latest Version

Your Linux distro will probably not have the latest stable version, so just download it and it will install in /usr/local/bin...

sudo aptitude install lzip
curl http://ftp.heanet.ie/mirrors/gnu/ddrescue/
wget http://ftp.heanet.ie/mirrors/gnu/ddrescue/ddrescue-1.19.tar.lz
tar --lzip -xvf ddrescue-1.19.tar.lz
cd ddrescue-1.19/
./configure
make
sudo make install
/usr/local/bin/ddrescue --version

http://ftp.heanet.ie/mirrors/gnu/ddrescue/

Backup Single Partition To Local Disk

/usr/local/bin/ddrescue -d /dev/hda1 imagefile logfile

Backup Whole Disk To Local Disk

/usr/local/bin/ddrescue -d /dev/hda imagefile logfile

Backup Single Partition To Network Server

On the server...

nc -l 12345 | pv -b -p -s 263m > laptop_hda1.img

Next we tell the client to begin copying data to the server.

On the client...

sudo dd if=/dev/hda1 | nc 192.168.140.11 12345

Backup Whole Disk To Network Server

On the server...

nc -l 12345 | pv -b -p -s 263m > laptop_hda.img

Next we tell the client to begin copying data to the server.

On the client...

sudo dd if=/dev/hda | nc 192.168.140.11 12345

https://nfolamp.wordpress.com/2010/06/14/performing-backups-with-netcat/

Mounting A Drive Image

METHOD A

Kpartx: a tool for mounting partitions within an image file

Kpartx can be used to set up device mappings for the partitions of any partitioned block device. It is part of the Linux multipath-tools. With kpartx -l imagefile you get an overview of the partitions in the image file and with kpartx -a imagefile the partitions will accessible via /dev/mapper/loop0pX (X is the number of the partition). You can mount it now with mount /dev/mapper/loop0pX /mnt/ -o loop,ro. After unmounting you can disconnect the mapper devices with kpartx -d imagefile.

https://nfolamp.wordpress.com/2010/08/16/mounting-raw-image-files-and-kpartx/

METHOD B

Check the drive image...

file harddrive.img

harddrive.img: x86 boot sector; GRand Unified Bootloader, stage1 version 0x3, stage2 
address 0x2000, stage2 segment 0x200, GRUB version 0.97; partition 1: ID=0x83, 
active, starthead 1, startsector 63, 33640047 sectors, code offset 0x48

Examine the drive image...

fdisk -l harddrive.img
                   Device Boot      Start         End      Blocks   Id  System
harddrive.img                *          63    33640109    16820023+  83  Linux

Since we need to go 63 sectors ahead, and each sector is 512 bytes long, we need to use an offset of 32,256 bytes.

mount -o ro,loop,offset=32256 harddrive.img /mnt/loop
mount | grep harddrive.img
/root/harddrive.img on /mnt/loop type ext3 (ro,loop=/dev/loop1,offset=32256)

If you made this image under duress (due to a failing drive or other emergency), you might have to check and repair the filesystem first. Doing that is easy if you make a loop device:

losetup --offset 32256 /dev/loop2 harddrive.img
fsck /dev/loop2

Once that’s complete, you can save some time and mount the loop device directly:

mount /dev/loop2 /mnt/loop

Thanks - https://major.io/2010/12/14/mounting-a-raw-partition-file-made-with-dd-or-dd_rescue-in-linux/

Fix MSDOS VFAT System SD Card

fsck.vfat -l -v -a -t /dev/sdx1

Thanks - https://help.ubuntu.com/community/FilesystemTroubleshooting

Links

https://help.ubuntu.com/community/DataRecovery

https://www.technibble.com/guide-using-ddrescue-recover-data/