Recovery

=HDD Recovery=

The following recovery tools are briefly discussed here:

TestDisk & PhotoRec

sudo testdisk
sudo photorec imagefilename
sudo photorec

 * TestDisk recovers lost partitions and repairs boot sectors.
 * PhotoRec recovers many types of files from a wide range of file systems. It carves by file content rather than by file system metadata, so it still works when the file system is damaged. Give it an image file or a device as argument, or run it without arguments to pick a device interactively.

Foremost

Mount the external drive sdb and create an output directory on it:

sudo mount /dev/sdb1 /recovery
sudo mkdir /recovery/foremost

Run foremost against the whole disk (the output directory must be empty, otherwise foremost refuses to start):

sudo foremost -i /dev/hda -o /recovery/foremost

To run foremost on an image, just substitute the filename for the device:

sudo foremost -i image-name -o /recovery/foremost

The recovered files will then be owned by root. Change their ownership so that you can use them:

sudo chown -R youruser:youruser /recovery/foremost

Use the -w switch to obtain only an audit of recoverable files (nothing but audit.txt is written):

sudo foremost -w -i /dev/hda -o /recovery/foremost

To recover only specific file types, use the -t switch:

sudo foremost -t jpg -i /dev/hda -o /recovery/foremost

 * Foremost and Scalpel are not interested in the underlying filesystem. They simply expect the data blocks of a file to reside sequentially in the image under investigation, so fragmented files come out truncated or corrupt. The tools will find images in dd dumps, RAM dumps or swap files. Carving will help to identify and reconstruct files on corrupt filesystems, in slack space, or even after installation of a new operating system, as long as the required data blocks still exist.
 * Foremost recovers files based on their headers, footers and other internal structures; this process is commonly referred to as data carving. It operates directly on hard drives or on drive image files generated by various tools (dd, Safeback, EnCase, etc.).
 * The headers and footers can be specified in a configuration file (/etc/foremost.conf on Debian and Ubuntu), or you can use command line switches to select the built-in file types. The built-in types parse the data structures of the given file format, allowing a more reliable and faster recovery than plain header/footer matching.
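The carving idea described above, as an added example in Python (not foremost's or scalpel's own code): scan a raw byte buffer for known headers, cut each file out up to its footer or a per-type size cap, and ignore the filesystem entirely. The signatures are the usual ones from carver configuration files; the size caps and the zero-filled sample "disk image" with a JPEG, a PNG, a GIF and a truncated JPEG are constructed here so the script runs offline.

```python
"""Minimal header/footer file carver in the spirit of foremost and scalpel.

Added example, not foremost's or scalpel's own code. It ignores the
filesystem and scans a raw byte buffer (a dd image, RAM dump, swap file)
for known signatures, cutting each hit out between its header and footer
under a per-type size cap. The disk image scanned by main() is constructed
inline so the script runs offline.
"""
import os
import struct
import zlib

# Per type: (header, footer, maximum carve size). Headers/footers are the
# usual ones from carver configuration files; the size caps are assumptions.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 1 * 1024 * 1024),
}


def carve(data, skip=0, types=None):
    """Return [(type, offset, payload)] sorted by offset.

    skip  -- leading bytes to ignore (like foremost -s, but in bytes here)
    types -- type names to look for (like foremost -t); None means all
    A header whose footer is missing or lies beyond the size cap is carved
    up to the cap (or end of data): that is how truncated or partly
    overwritten files surface from a carver.
    """
    hits = []
    for name, (header, footer, max_size) in SIGNATURES.items():
        if types is not None and name not in types:
            continue
        pos = data.find(header, skip)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = data.find(footer, pos + len(header), limit)
            end = limit if end == -1 else end + len(footer)
            hits.append((name, pos, data[pos:end]))
            pos = data.find(header, end)   # resume after this file, not inside it
    hits.sort(key=lambda h: h[1])
    return hits


def write_carved(hits, outdir):
    """Write each hit as <outdir>/<type>/<offset>.<type>, foremost-style."""
    for name, offset, payload in hits:
        d = os.path.join(outdir, name)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "%08d.%s" % (offset, name)), "wb") as f:
            f.write(payload)


# --- constructed sample data (not from a real disk) -----------------------
def make_png(width=1, height=1):
    """Build a small valid PNG in memory."""
    def chunk(tag, body):
        crc = zlib.crc32(tag + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height              # filter byte + pixels
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"J" * 40 + b"\xff\xd9"
PNG_SAMPLE = make_png()
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00" + b"G" * 20 + b"\x00\x3b"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"T" * 30      # header, footer never written


def build_sample_image():
    """Zero-filled 'disk image' with the sample files scattered through it."""
    return (b"\x00" * 512 + JPEG_SAMPLE + b"\x00" * 1024 + PNG_SAMPLE
            + b"\x00" * 300 + GIF_SAMPLE + b"\x00" * 100 + TRUNCATED_JPEG)


if __name__ == "__main__":
    for name, offset, payload in carve(build_sample_image()):
        print("%-4s offset=%-6d size=%d" % (name, offset, len(payload)))
```

The last hit in the sample is the truncated JPEG: it is carved to the end of the image because no footer follows, which is exactly the kind of output a practitioner has to sanity-check (open it, or validate the format) before trusting it. Real carvers add per-format structure parsing on top of this to reject such hits or to find the true end.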


 * Foremost examples (from the foremost man page):

Search for jpeg format, skipping the first 100 blocks:
sudo foremost -s 100 -t jpg -i image.dd

Only generate an audit file, printing to the screen (verbose mode). The man page shows this as foremost -av, but -w is the switch that writes only the audit file; -a writes every header match without error checking:
sudo foremost -w -v -i image.dd

Search all defined types:
sudo foremost -t all -i image.dd

Search for gif and pdf:
sudo foremost -t gif,pdf -i image.dd

Search for office documents and jpeg files in a Unix file system in verbose mode:
sudo foremost -v -t ole,jpeg -i image.dd

Run the default case (image.dd may be an image file or a block device such as /dev/sda1; give the device node, not its mount point):
sudo foremost image.dd

Scalpel

 * Scalpel is a rewrite of foremost 0.69 focused on enhanced performance and lower memory usage.

A frugal, high-performance file carver: it reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3 or raw partitions. It is useful for both digital forensics investigation and file recovery.

By default, all file types in the database (/etc/scalpel/scalpel.conf) are commented out. To specify which file types you want to carve, edit the file and uncomment the line for each type (or point scalpel at your own copy of the database with -c).

sudo scalpel FILE -o Directory

Where FILE is the image file (or device) and Directory is the output directory; like foremost, scalpel insists that the output directory is empty.

Autopsy & Sleuthkit

Autopsy can be run from the "live" CD, but you must specify the address of the host that will be allowed to connect to its web interface, and an external disk (the evidence locker) on which it can save the extracted information. Here the external disk is mounted on /media/disk with an autopsy folder on it and the machine you will browse from is 192.168.0.1:

sudo autopsy -d /media/disk/autopsy 192.168.0.1

Extract unallocated (deleted) blocks from a disk or disk image (dls was renamed blkls in Sleuth Kit 3):

dls inputimage > outputimage

Use any data carving tool to search the output image for files.

List file and directory names in a forensic image. fls lists the file and directory names in the image, including recently deleted files (marked with *), for the directory at the given inode (the root directory if none is given). If you have imaged your filesystem to a file named "loopfile", you can list the contents by running:

fls -r -f fat -i raw loopfile
r/r 3:     test (Volume Label Entry)
r/r * 5:   sample.docx
r/r * 7:   sample.pptx
r/r * 9:   sample.xlsx

Copy a file by inode. icat opens the named image(s) and copies the file with the specified inode number to standard output.

Example: fls has shown you the inode number of some files on an image. To recover a file by using the inode number run:

icat -r -f fat -i raw loopfile 5 > sample.docx

sorter - Sort files in an image into categories based on file type. sorter is a Perl script that analyzes a file system and organizes the allocated and unallocated files by file type (using file(1) signatures, not file extensions, so renamed files are still classified correctly).

Example: This will sort all the files found in /dev/sdc1, save copies of them under a directory named "out" (-s) and write an HTML report (-h):

sudo sorter -h -s -i raw -f fat -d out -C /usr/share/sleuthkit/windows.sort /dev/sdc1

Here is a script that will pull all files from an image using fls and icat: http://forums.gentoo.org/viewtopic-t-365703.html
It reads a listing made with fls -r -p (so that names are full paths) of the FAT image called fatImage. Run it inside an empty output directory, since the file names come straight from the image.

#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# Usage: fls -r -p -f fat -i raw fatImage > listing && ./reconstruct.sh listing
# Each listing line looks like   r/r * 5:<TAB>docs/sample.docx   (deleted file)
# or                             d/d 12:<TAB>docs                 (directory)
while IFS= read -r line; do
  filetype=$(echo "$line" | awk '{print $1}')
  # the inode is the field ending in ':' (3rd field for deleted entries marked *, 2nd otherwise)
  filenode=$(echo "$line" | awk '{ for (i = 2; i <= NF; i++) if ($i ~ /:$/) { sub(/:$/, "", $i); print $i; exit } }')
  filename=$(echo "$line" | cut -f 2)          # fls separates the inode and the name with a tab
  echo "$filename"
  if [ "$filetype" = "d/d" ]; then
    mkdir -p "$filename"
  else
    mkdir -p "$(dirname "$filename")"
    # -r recover a deleted file, -s include the slack space at the end of the file
    icat -f fat -r -s fatImage "$filenode" > "$filename"
  fi
done < "$1"

Another, similar script which attempts to "rebuild" the filesystem directory structure plus file content: http://matt.matzi.org.uk/2008/07/03/reconstructing-heavily-damaged-hard-drives/
It reads inode numbers from /tmp/inodes, asks ffind for the path that points at each inode, and writes the file's content under /mnt/out at that path (the Sleuth Kit binaries are at the Knoppix paths the author used):

#!/bin/sh
TSK=/KNOPPIX/usr/local/sleuthkit-2.09/bin
IMG=/dev/hda1
OUT=/mnt/out
for inode in $(cat /tmp/inodes) ; do
  # ffind prints the path that points at this inode and exits non-zero if none does
  if $TSK/ffind $IMG $inode ; then
    echo "INODE: $inode"
    INODEDIR=`$TSK/ffind $IMG $inode`
    REALDIR=$OUT`dirname "$INODEDIR"`
    FILENAME="$OUT$INODEDIR"
    mkdir -p "$REALDIR"
    echo "FILENAME: $FILENAME"
    $TSK/icat $IMG $inode > "$FILENAME"
    # crude directory heuristic: a one-block icat result is treated as a
    # directory entry and replaced by a directory of that name
    if [ `du "$FILENAME" | awk '{print $1}'` = 1 ]; then
      rm "$FILENAME"
      mkdir -p "$FILENAME"
    fi
    echo ""
  fi
done

DD

 * dd is not a command you want to use unless you have no other choice. Unlike deleting a partition or just files, dd can and will inflict permanent, unrecoverable damage if it is pointed at the wrong device. Even data recovery professionals won't be able to help you if dd has overwritten a large part of your hard disk. The same property is what makes dd useful for truly wiping a disk.

 * dd is not a filesystem tool. It bypasses any and all filesystems and their drivers for raw, low-level access to your hard disk. When it is told to write to the disk it really means it, and will do so completely ignoring the boundaries of whatever filesystem is present. Indeed, dd will write across filesystems in one go if you give it /dev/sda as a target instead of, say, /dev/sda2. Double-check if= and of= (and the device names, e.g. with lsblk) before pressing Enter.

 * If your hard disk has been zeroed out by dd (dd if=/dev/zero of=/dev/sda), there is nothing you can do.

Backup an entire hard disk (sdb must be at least as large as sda, and everything on it is overwritten):
dd if=/dev/sda of=/dev/sdb

Copy everything, continuing past read errors (noerror) and padding short reads with zeros (sync) so that offsets in the copy stay aligned with the source:
dd if=/dev/sda of=/dev/sdb conv=noerror,sync

Create an image of a hard disk:
dd if=/dev/hda of=~/hdadisk.img

Restore using a hard disk image:
dd if=hdadisk.img of=/dev/hdb

Backup a partition:
dd if=/dev/hda1 of=~/partition1.img

CD-ROM backup (2048-byte sectors):
dd if=/dev/cdrom of=tgsservice.iso bs=2048

Create an ISO from a (bootable) USB stick. Do not use sdb1 instead of sdb, otherwise the image will not be bootable, because the partition table and boot code live outside the partition:
dd if=/dev/sdb of=~/usb-disk.iso

 * Use dd and netcat to create an image and save it on another machine's hard disk

Destination machine (start listening first; OpenBSD netcat takes netcat -l 4444):
netcat -l -p 4444 | dd of=remote-machine.img

Source machine:
dd if=/dev/sda1 | netcat destination-machine-ip 4444

Press CTRL+C on the destination after the transfer completes, as the netcat session will still be open. The stream is unencrypted and unauthenticated, so use it only on a trusted network or send it through ssh instead (dd if=/dev/sda1 | ssh user@host 'dd of=remote-machine.img'), and compare checksums of the source and the image (e.g. with sha256sum) before relying on the copy.

 * dd progress

Start the copy:
dd if=/dev/sda1 of=my-dd.img

In another terminal session, find the process number of dd (pgrep -x dd avoids matching unrelated commands):
ps -ef | grep dd

Send it SIGUSR1, which makes dd print its I/O statistics and carry on:
kill -SIGUSR1 31733

Looking back at the dd terminal you will see something like:
dd if=/dev/sda1 of=my-dd.img
12574781+40555 records in
12601304+0 records out
6451867648 bytes (6.5 GB) copied, 224.634 s, 28.7 MB/s

The "+40555" counts partial records (short reads). GNU coreutils 8.24 and later can instead report continuously with status=progress on the dd command line.

sudo apt-get install gddrescue
 * Data recovery from a failing HD using GNU ddrescue

Connect the failing disk to your system, either directly or in a USB enclosure. The disk must be connected but not mounted (mounting can write to it and make a dying drive worse). The following procedure is from Forensics Wiki.

First copy as much data as possible, without retrying or splitting (scraping) failed sectors:

ddrescue --no-split /dev/hda1 imagefile logfile
ddrescue -C --no-split /dev/hda1 imagefile logfile     ## resume; -C keeps reading within the area already described by logfile

Now let it retry previous errors 3 times, using uncached (direct) reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

Newer ddrescue releases call the log file a "mapfile" and renamed --no-split to --no-scrape and --max-retries to --retry-passes; the short forms -n and -r are unchanged.

We can now mount this image read-only on our system and take a look at the files (read-only, so the only copy of the data is never modified):

sudo mount -t ext3 -o ro,loop imagefile /mnt/tmp

Unmount:

sudo umount /mnt/tmp

DDrescue
 * Recovery process:

If /dev/sda is unreadable, get another drive with more free space than the size of the failed disk and image onto it:

sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile

Run successive passes like this:

sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile

GNU ddrescue uses the log file to read only the gaps that still have errors, so the passes can be interrupted and resumed at any time. In both cases the -r option sets the number of times ddrescue will retry reading when it encounters an error (-1 = infinity). Never put the image or the log file on the failing disk itself.
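To see what the log file actually records, here is an added Python example (not ddrescue's own code) that parses a ddrescue log/mapfile and reports how many bytes are rescued, bad or still untried, and which ranges the next pass would work on. The format (hex position and size per line, status letters ?, *, /, -, +, a comment header and one current-position line) is ddrescue's documented one; the mapfile contents below are constructed for the example.

```python
"""Summarise a GNU ddrescue log file (called a mapfile in newer releases).

Added example, not ddrescue's own code. The mapfile is what lets a later
pass (-C, -r N) touch only the areas that still failed: after the comment
header and one status line it records, per byte range, whether the data
was copied ('+'), is a confirmed bad sector ('-'), or is still untried,
untrimmed or unscraped ('?', '*', '/'). The mapfile below is constructed
for the example, not taken from a real rescue.
"""

STATUS = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",     # 'non-split' in ddrescue before 1.19
    "-": "bad-sector",
    "+": "finished",
}

SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue version 1.23
# Command line: ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile
# Start time:   2020-01-01 10:00:00
# Current time: 2020-01-01 10:30:00
# Copying non-tried blocks... Pass 1 (forwards)
# current_pos  current_status  current_pass
0x00020000     ?               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00001000  -
0x00011000  0x0000F000  +
0x00020000  0x00000200  /
0x00020200  0x0000FE00  ?
"""


def parse_mapfile(text):
    """Return (current_pos, current_status, blocks); blocks = [(pos, size, status)]."""
    current = None
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if current is None:
            # first non-comment line: current_pos current_status [current_pass]
            current = (int(fields[0], 0), fields[1])
            continue
        pos, size, status = int(fields[0], 0), int(fields[1], 0), fields[2]
        if status not in STATUS:
            raise ValueError("unknown block status %r" % status)
        blocks.append((pos, size, status))
    if current is None:
        raise ValueError("mapfile has no status line")
    return current[0], current[1], blocks


def is_contiguous(blocks):
    """A valid mapfile covers the input from offset 0 without gaps or overlaps."""
    expected = 0
    for pos, size, _ in blocks:
        if pos != expected:
            return False
        expected = pos + size
    return True


def totals(blocks):
    """Bytes per status: how much is rescued, how much is bad, how much is left."""
    t = {s: 0 for s in STATUS}
    for _, size, status in blocks:
        t[status] += size
    return t


def rescued_fraction(blocks):
    t = totals(blocks)
    size = sum(t.values())
    return t["+"] / size if size else 0.0


def unfinished_ranges(blocks):
    """What the next ddrescue pass would still work on."""
    return [(pos, size, STATUS[s]) for pos, size, s in blocks if s != "+"]


if __name__ == "__main__":
    pos, status, blocks = parse_mapfile(SAMPLE_MAPFILE)
    print("contiguous:", is_contiguous(blocks))
    for s, n in totals(blocks).items():
        print("%-12s %10d bytes" % (STATUS[s], n))
    print("rescued: %.1f%%" % (100 * rescued_fraction(blocks)))
    for pos, size, name in unfinished_ranges(blocks):
        print("todo: 0x%08x +0x%x %s" % (pos, size, name))
```

Run it against the real log file between passes to decide whether another -r pass is worth the wear on the drive: once only '-' ranges remain, further retries rarely gain anything.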


Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2, then check the copy and mount it read-only:

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom (2048-byte sectors):

ddrescue -b 2048 /dev/cdrom cdimage logfile

Misc

 * If there is a space shortage while imaging the drive:

Using GNU ddrescue with a log file, you can continue imaging to another drive and then span the images. In this example, you have imaged part of the drive to a file on one drive and the rest of the drive to a file on another drive. Here is how you put the pieces together into one linear device:

sudo losetup /dev/loop1 /media/Drive1/image
sudo losetup /dev/loop2 /media/Drive2/image
sudo mdadm -B /dev/md0 -l linear -n 2 /dev/loop1 /dev/loop2

Your complete image can then be found at /dev/md0 (the second file must contain exactly the bytes that follow the end of the first, so note where the first image stopped before starting the second). To take the array down afterwards:

sudo mdadm -S /dev/md0
sudo losetup -d /dev/loop1
sudo losetup -d /dev/loop2


 * Extract a filesystem from the recovered image:

Mounting partitions on the image: If you imaged the whole drive, you can mount the individual partitions on the image by using the "offset" option when mounting a loop filesystem. mmls from The Sleuth Kit shows the partitions found within an image (-B adds the size column):

mmls -B file
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  -       0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -       0000000001   0000000031   0000000031   0015K   Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
03:  00:00   0001646592   0002013183   0000366592   0179M   DOS FAT16 (0x06)

This shows several partitions. In this example we want to mount the DOS partition starting at sector 32. To calculate the byte offset, multiply the start sector by the sector size (512):

$ bc
bc 1.06
32 * 512
16384
quit

Mount the partition read-only (32 sectors * 512 bytes = 16384):

sudo mount -o ro,loop,offset=16384 file mnt

For a typical NTFS partition created by older Windows versions, which put the first partition at sector 63, use (63 * 512 = 32256):

sudo mount -t ntfs -o ro,loop,offset=32256 file mnt

Windows Vista and later align the first partition at sector 2048 (offset 1048576), so always take the start sector from mmls rather than assuming it.
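The offset arithmetic above, as an added Python example (not part of The Sleuth Kit): parse the table mmls prints, check that each row's start/end/length agree, multiply the start sector by the sector size from the "Units are in N-byte sectors" line, and build the read-only loop mount command. The embedded table is the one shown on this page; the image name "file" and mount point "mnt" are the page's placeholders.

```python
"""Turn an mmls partition table into loop-mount byte offsets.

Added example, not part of The Sleuth Kit. It parses the text that mmls
prints, multiplies each partition's start sector by the sector size from
the 'Units are in N-byte sectors' line, and builds the read-only mount
command for that partition. The table below is the one shown on this page,
embedded so the script runs offline.
"""
import re

SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  -       0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -       0000000001   0000000031   0000000031   0015K   Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
03:  00:00   0001646592   0002013183   0000366592   0179M   DOS FAT16 (0x06)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# index:  slot  start  end  length  [size, only with -B]  description
ROW_RE = re.compile(
    r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(?:\d+[BKMGT]\s+)?(.*\S)\s*$")


def parse_mmls(text):
    """Return (sector_size, partitions); each partition is a dict."""
    m = UNITS_RE.search(text)
    if not m:
        raise ValueError("no 'Units are in N-byte sectors' line")
    sector_size = int(m.group(1))
    parts = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r:
            continue
        start, end, length = int(r.group(3)), int(r.group(4)), int(r.group(5))
        parts.append({
            "index": int(r.group(1)),
            "slot": r.group(2),
            "start": start, "end": end, "length": length,
            "description": r.group(6),
            "offset": start * sector_size,        # what mount -o offset= wants
            "size_bytes": length * sector_size,
            # mmls rows satisfy end - start + 1 == length; a mismatch means
            # the table was mis-parsed or hand-edited, so do not trust the offset
            "consistent": end - start + 1 == length,
        })
    return sector_size, parts


def filesystem_partitions(parts):
    """Drop the partition table entry itself and unallocated gaps."""
    return [p for p in parts
            if not p["slot"].startswith("-") and p["slot"] != "Meta"
            and not p["description"].startswith("Unallocated")]


def mount_command(image, part, mountpoint="mnt", fstype=None):
    """Build the loop mount: read-only, so the image is never modified."""
    opts = "ro,loop,offset=%d" % part["offset"]
    t = ("-t %s " % fstype) if fstype else ""
    return "sudo mount %s-o %s %s %s" % (t, opts, image, mountpoint)


if __name__ == "__main__":
    sector_size, parts = parse_mmls(SAMPLE_MMLS)
    for p in filesystem_partitions(parts):
        print("%02d: start=%d offset=%d (%s)" % (p["index"], p["start"],
                                                  p["offset"], p["description"]))
        print("    " + mount_command("file", p,
                                     fstype="vfat" if "FAT" in p["description"] else None))
```

Feed it the real mmls output with `mmls -B image > table.txt` and pass the file contents to parse_mmls; it works unchanged for 4096-byte-sector images because the sector size is read from the header rather than assumed.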


 * Cleaning up

Sort certain types of files (-print0 / xargs -0 keeps names containing spaces intact; GNU xargs spells the replacement option -I{}):

sudo mkdir recovery/VID recovery/JPG
find recovery/ -name "*.avi" -print0 | xargs -0 -I{} mv {} recovery/VID/
find recovery/ -name "*.mpg" -print0 | xargs -0 -I{} mv {} recovery/VID/
find recovery/ -name "*.jpg" -print0 | xargs -0 -I{} mv {} recovery/JPG/

Set aside small photos (under 1 MiB, typically thumbnails and cache images):

sudo mkdir recovery/SMALL
find recovery/JPG/ -name "*.jpg" -size -1024k -print0 | xargs -0 -I{} mv {} recovery/SMALL/

Rename jpegs according to their EXIF date (jhead -nf takes a strftime-style pattern; when two files get the same name, jhead appends a letter suffix):

find JPG/ -name "*.jpg" -print0 | xargs -0 -I{} jhead -nf%Y%m%d-%H%M%S {}

Then move the suffixed files, the likely duplicates, aside. Same timestamp does not guarantee identical content (burst shots), so compare checksums before deleting anything:

mkdir -p /var/recovery/JPG/DUPS
find /var/recovery/JPG/ -name "*a.jpg" -print0 | xargs -0 -I{} mv {} /var/recovery/JPG/DUPS/

Copy files containing a matching string:

cd recovery
mkdir ../copy/
grep -l "enter the string of text here" *.doc | xargs -I{} cp {} ../copy/

 * Recover bad sectors (damaged media files):

safecopy /video/folder/Vid001.avi /video/folder/n.avi
recoverdm -t 1 -i /video/Vid001.avi -o /video/Vid001-recovered.avi

Always write the recovered copy to a different file: reading and writing the same path, as the original note did, destroys the source.

sudo apt-get install secure-delete
 * Secure delete:

This package has four tools:
srm - securely delete an existing file
smem - securely wipe traces of a file from RAM
sfill - wipe all the space marked as free on your hard drive
sswap - wipe all the data from your swap space (turn swap off with swapoff first)

These overwrite in place, which is only meaningful on magnetic disks with a plain filesystem. On SSDs, journaling or copy-on-write filesystems, and drives with remapped sectors, old copies can survive overwriting; full-disk encryption or the drive's own secure erase is the reliable option there.

=Bad Sector=

 * Check a disk for errors (the default is a non-destructive read-only test; -w writes test patterns and destroys the data):

sudo badblocks -v /dev/sdc

If bad sectors are found, proceed further. First write the locations of the bad sectors into a file:

sudo badblocks /dev/sdc > ~/bad-blocks

After that, feed the file into fsck to mark these bad sectors as unusable:

sudo fsck -l ~/bad-blocks /dev/sdc

Two things must match for this to work: both commands must run against the device that actually holds the filesystem (e.g. /dev/sdc1 if it lives in a partition), and badblocks must count in the filesystem's block size (e.g. badblocks -b 4096 for a 4 KiB ext4), otherwise the wrong blocks are marked. On ext2/3/4, e2fsck -c runs badblocks itself with the right block size.