Recovery
HDD Recovery
The following recovery tools are briefly discussed here:
TestDisk & PhotoRec
- TestDisk recovers lost partitions and repairs boot sectors:
sudo testdisk
- PhotoRec recovers many file types from a wide range of file systems, working either on an image file or directly on a device:
sudo photorec imagefilename
sudo photorec
Foremost
- Foremost and Scalpel are not interested in the underlying filesystem. They simply expect the data blocks of the files to reside sequentially in the image under investigation. The tools will find images in dd dumps, RAM dumps, or swap files. Carving will help to identify and reconstruct files on corrupt filesystems, in slack space, or even after installation of a new operating system, as long as the required data blocks still exist and were stored contiguously (a fragmented file comes back as garbage past its first fragment).
- Foremost recovers files based on their headers and other internal structures, operates on hard drives or drive image files generated by various tools.
- Recovery process:
Mount the external drive sdb. The output directory must never be on the disk you are recovering from, otherwise the carved files overwrite the very blocks you want back:
sudo mount /dev/sdb1 /recovery
sudo mkdir /recovery/foremost
Run foremost:
sudo foremost -i /dev/hda -o /recovery/foremost
To run foremost on an image, just substitute the filename for the device:
sudo foremost -i image-name -o /recovery/foremost
The recovered files will then be owned by root. Change their ownership so that you can use them:
sudo chown -R youruser:youruser /recovery/foremost
Use the -w switch to obtain only an audit of recoverable files (audit.txt is written, no files are carved):
sudo foremost -w -i /dev/hda -o /recovery/foremost
To recover only specific file types, use the -t switch:
sudo foremost -t jpg -i /dev/hda -o /recovery/foremost
- Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.
- Foremost:
Search for jpeg format skipping the first 100 blocks
sudo foremost -s 100 -t jpg -i image.dd
Only generate an audit file, and print to the screen (verbose mode); -w is the audit-only switch, -a would instead write every header hit without error detection
sudo foremost -w -v -i image.dd
Search all defined types
sudo foremost -t all -i image.dd
Search for gif and pdf
sudo foremost -t gif,pdf -i image.dd
Search for office documents and jpeg files in a Unix file system in verbose mode.
sudo foremost -v -t ole,jpeg -i image.dd
Run the default case (image.dd stands for either an image file or a raw device node such as /dev/sda1 or /dev/sda2; give the device, not its mount point)
sudo foremost image.dd
Scalpel
- Scalpel is focused on enhanced performance and lower memory usage.
A frugal, high performance file carver: it reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.
By default, all file types in the database (/etc/scalpel/scalpel.conf) are commented out. To specify which filetypes you want to carve, you need to edit the file and uncomment each line.
sudo scalpel FILE -o Directory
Where FILE is the image file (or device) and Directory is the output directory.
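To make the header/footer carving that Foremost and Scalpel perform concrete, here is a minimal carver for one built-in type (pdf: header %PDF-, footer %%EOF). It is an added example, not code from this page, from foremost or from scalpel. It builds a throwaway image with two fake PDFs surrounded by constructed junk bytes and no filesystem, then carves them out using grep byte offsets with the same rule the tools' configuration files express: from each header to the next footer, capped at a maximum size when no footer follows. GNU grep, the file names and the 1 MiB cap are assumptions.

```shell
#!/bin/sh
# carve_pdf.sh -- added example: header/footer carving the way "foremost -t pdf" does it.
# Not code from the page, foremost or scalpel. Assumes GNU grep (-o -b byte offsets)
# and a POSIX shell; header, footer and 1 MiB cap mirror the pdf entry of their config files.
set -eu

HDR='%PDF-'
FTR='%%EOF'
MAX_SIZE=$((1024 * 1024))   # assumed maximum carve size, like the size column in foremost.conf

# byte_offsets PATTERN IMAGE -> 0-based offset of every occurrence, one per line
# -a treats the image as text, -F matches the bytes literally, C locale avoids UTF-8 surprises
byte_offsets() {
    LC_ALL=C grep -obaF -- "$1" "$2" | cut -d: -f1 || true
}

# carve_pdf IMAGE OUTDIR -> writes OUTDIR/<offset>.pdf for every header, prints how many
carve_pdf() {
    img=$1; out=$2; n=0
    mkdir -p "$out"
    footers=$(byte_offsets "$FTR" "$img")
    for h in $(byte_offsets "$HDR" "$img"); do
        # carve from the header to the end of the first footer after it; with no footer
        # in range, carve MAX_SIZE bytes (foremost and scalpel do the same)
        end=''
        for f in $footers; do
            if [ "$f" -gt "$h" ]; then end=$((f + ${#FTR})); break; fi
        done
        if [ -z "$end" ]; then end=$((h + MAX_SIZE)); fi
        len=$((end - h))
        if [ "$len" -gt "$MAX_SIZE" ]; then len=$MAX_SIZE; fi
        # tail -c +N starts at byte N (1-based), so skipping h bytes means +$((h + 1))
        tail -c +$((h + 1)) "$img" | head -c "$len" > "$out/$(printf '%08d' "$h").pdf"
        n=$((n + 1))
    done
    echo "$n"
}

# make_image FILE -> constructed test image: two small fake PDFs surrounded by junk bytes,
# with no filesystem at all, which is exactly the situation a carver is built for
make_image() {
    {
        printf 'junk\000\377junk'
        printf '%%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%%%EOF\n'
        printf '\001\002\003'
        printf '%%PDF-1.7\n2 0 obj << >> endobj\n%%%%EOF\n'
        printf 'trailing junk'
    } > "$1"
}

demo() {
    d=$(mktemp -d)
    make_image "$d/image.dd"
    echo "carved $(carve_pdf "$d/image.dd" "$d/out") file(s):"
    ls -l "$d/out"
    rm -rf "$d"
}
demo
```

The output file is named after the header's byte offset, which is also how foremost and scalpel name carved files; that number is what you need to go back into the image with dd or a hex editor when a carved file looks wrong. For a real image, replace make_image with the dd or ddrescue image and expect false positives: any block that happens to contain the header bytes is carved, which is why the tools ship an audit file.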
Autopsy & Sleuthkit
Autopsy can be run from the "live" CD, but you must specify the address that is allowed to connect to it remotely, and an external disk on which it can save the extracted information (the evidence locker). Here the external disk is mounted at /media/disk with an autopsy folder on it, and the machine you connect from has the IP address 192.168.0.1:
sudo autopsy -d /media/disk/autopsy 192.168.0.1
Extract unallocated (deleted) blocks from a disk or disk image. dls is called blkls in current Sleuth Kit releases; the syntax is the same:
dls inputimage > outputimage
Use any data carving tool to search the output image for files.
List file and directory names in a forensic image. fls lists the files and directory names in the image, including deleted files (marked with *), and can list the contents of a particular directory if given its inode. If you have imaged your filesystem to a file named "loopfile", you can list the contents by running:
fls -r -f fat -i raw loopfile
r/r 3:    test (Volume Label Entry)
r/r * 5:  sample.docx
r/r * 7:  sample.pptx
r/r * 9:  sample.xlsx
Copy file by inode. icat opens the named image(s) and copies the file with the specified inode number to standard output.
Example: fls has shown you the inode number of some files on an image. To recover a file by using the inode number run:
icat -r -f fat -i raw loopfile 5 > sample.docx
sorter - Sort files in an image into categories based on file type. Sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type.
Example: This will sort all the files found in /dev/sdc1 by type, save them (-s) under a directory named "out" and write an HTML report (-h):
sudo sorter -h -s -i raw -f fat -d out -C /usr/share/sleuthkit/windows.sort /dev/sdc1
Here is a description of a script that will pull all files from an image using fls and icat:
http://forums.gentoo.org/viewtopic-t-365703.html
#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# Input: fls output with full paths, e.g.  fls -r -p -d -f fat fatImage > deleted.txt
# Usage: ./reconstruct.sh deleted.txt   (fatImage below is the image the listing came from)
while read -r line; do
    filetype=$(echo "$line" | awk '{print $1}')      # d/d = directory, r/r = regular file
    # the inode is the field ending in ":"; it is $3 when the "*" deleted marker is present, $2 otherwise
    filenode=$(echo "$line" | awk '{ for (i = 2; i <= NF; i++) if ($i ~ /:$/) { print $i; exit } }')
    filenode=${filenode%:}
    filenode=${filenode%%(*}                          # drop a "(realloc)" suffix if fls printed one
    filename=$(echo "$line" | cut -f 2)               # fls separates the inode and the name with a tab
    echo "$filename"
    if [ "$filetype" = "d/d" ]; then
        mkdir -p "$filename"
    else
        mkdir -p "$(dirname "$filename")"             # parent directory may not have been listed yet
        icat -f fat -r -s fatImage "$filenode" > "$filename"
    fi
done < "$1"
Another, similar script which attempts to "rebuild" the filesystem directory structure plus file content:
http://matt.matzi.org.uk/2008/07/03/reconstructing-heavily-damaged-hard-drives/
#!/bin/sh
# Walk a list of inodes (one per line in /tmp/inodes, e.g. from fls or ils), find the path each
# one belonged to with ffind, recreate that path under /mnt/out and copy the content with icat.
TSK=/KNOPPIX/usr/local/sleuthkit-2.09/bin   # Sleuth Kit binaries on the Knoppix CD used here
IMG=/dev/hda1
OUT=/mnt/out
for inode in $(cat /tmp/inodes); do
    # ffind exits non-zero for an inode that no longer has a directory entry; those are skipped
    if INODEDIR=$("$TSK/ffind" "$IMG" "$inode"); then
        echo "INODE: $inode"
        REALDIR="$OUT$(dirname "$INODEDIR")"
        FILENAME="$OUT$INODEDIR"
        mkdir -p "$REALDIR"
        echo "FILENAME: $FILENAME"
        "$TSK/icat" "$IMG" "$inode" > "$FILENAME"
        # the original script treats a 1-block result as a directory inode rather than a file
        # and replaces it with a directory of that name
        if [ "$(du "$FILENAME" | awk '{print $1}')" = 1 ]; then
            rm "$FILENAME"
            mkdir -p "$FILENAME"
        fi
        echo ""
    fi
done
DD
- dd is not a command you want to use unless you have no other choice. Unlike deleting a partition or just files, dd can and will inflict permanent, unrecoverable damage. Even data recovery professionals won't be able to help you if dd overwrites a large part of your hard disk. This is also why dd is useful for truly wiping a disk.
- dd is not a filesystem tool. It bypasses any and all filesystems and their drivers for raw, low-level access to your hard disk. That means when it is told to write to your hard disk, it really, truly means it, and will do so completely ignoring the boundaries of whatever filesystem is present. Indeed, dd can write across several filesystems in one go if you give /dev/sda as the target instead of, say, /dev/sda2. Always double-check if= and of= before pressing Enter; swapping them turns a backup into a wipe.
- If your hard disk has been zeroed out by dd (dd if=/dev/zero of=/dev/sda), there's nothing you can do.
- Backup Entire Harddisk
dd if=/dev/sda of=/dev/sdb
- Copy everything, continuing past read errors (noerror) and padding each unreadable block with NULs (sync) so offsets in the copy stay aligned with the source. Use a block size well above the default 512 bytes or this is very slow; but note that with a large bs a single bad sector blanks the whole block, so for a disk that is actually failing use ddrescue (below) instead:
dd if=/dev/sda of=/dev/sdb bs=64K conv=noerror,sync
- Create an Image of a Hard Disk
dd if=/dev/hda of=~/hdadisk.img
- Restore using Hard Disk Image
dd if=hdadisk.img of=/dev/hdb
- Backup a Partition
dd if=/dev/hda1 of=~/partition1.img
- CDROM Backup
dd if=/dev/cdrom of=tgsservice.iso bs=2048
- Create ISO from USB(Bootable):
dd if=/dev/sdb of=~/usb-disk.iso
Do not use sdb1 instead of sdb otherwise image will not be bootable.
- Use DD and NetCat to create an image and save it on another hard disk
Destination Machine:
netcat -l -p 4444 | dd of=remote-machine.img
Source Machine
dd if=/dev/sda1 | netcat destination-machine-ip 4444
Press CTRL+C to end the session once dd has finished, as netcat will still be listening. The transfer is neither encrypted nor authenticated, so do this on a trusted network only (or pipe through ssh instead), and compare a checksum of the source with one of the image afterwards.
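An imaging wrapper that records the integrity information the dd examples above leave out, added here as an example and not code from this page: it copies a device with conv=noerror,sync, hashes exactly the bytes written (through tee, so a failing disk is read only once), reports how many blocks dd had to pad, and re-verifies the image file later, which is what you want both for a local image and for one pushed through netcat. GNU coreutils (dd, sha256sum, tee) are assumed, and the demo "device" is a constructed file of random bytes.

```shell
#!/bin/sh
# image_verify.sh -- added example, not from the page: image a device with dd and keep an
# integrity record, so a copy (local, or pushed over netcat as above) can be checked later.
# Assumes GNU coreutils (dd, sha256sum, tee). Device and file names are placeholders.
set -eu

# image_device SRC IMG [BS]
# Copies SRC to IMG. conv=noerror,sync keeps going past read errors and pads each unreadable
# block with NULs, so the image stays sector-aligned with the source. tee hashes exactly the
# bytes written, without a second read of a possibly failing disk. Writes the hash to
# IMG.sha256 and dd's summary to IMG.dd.log; prints the hash.
image_device() {
    src=$1; img=$2; bs=${3:-64K}
    dd if="$src" bs="$bs" conv=noerror,sync 2>"$img.dd.log" \
        | tee "$img" | sha256sum | awk '{print $1}' > "$img.sha256"
    cat "$img.sha256"
}

# partial_records LOG -> number of partial (short or failed) input reads dd reported, the
# "+M" in "N+M records in". With conv=sync each of these is a block that was padded, so a
# non-zero value means the image hash cannot equal a hash of the source device.
partial_records() {
    awk '/records in/ { split($1, r, "+"); print r[2]; exit }' "$1"
}

# verify_image IMG -> 0 if IMG still hashes to the value recorded at imaging time
verify_image() {
    img=$1
    expected=$(cat "$img.sha256")
    actual=$(sha256sum "$img" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Demo on a constructed 256 KiB "device": a regular file of random bytes whose size is a
# multiple of bs, as a real disk's is of its sector size (otherwise conv=sync pads the tail).
demo() {
    d=$(mktemp -d)
    head -c 262144 /dev/urandom > "$d/dev.bin"
    h=$(image_device "$d/dev.bin" "$d/dev.img" 64K)
    echo "image hash: $h, partial reads: $(partial_records "$d/dev.img.dd.log")"
    verify_image "$d/dev.img" && echo "image verified"
    rm -rf "$d"
}
demo
```

For a real device, run image_device /dev/sdX /recovery/sdX.img with sudo and keep the .sha256 and .dd.log next to the image; a later verify_image tells you whether the copy you are about to carve or mount is still the one you took.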
- DD Progress
dd if=/dev/sda1 of=my-dd.img
Find the process number of dd from another terminal session:
pgrep -x dd
Send that process SIGUSR1, which makes dd print its status so far:
kill -SIGUSR1 31733
Looking back at the dd terminal shows:
dd if=/dev/sda1 of=my-dd.img
12574781+40555 records in
12601304+0 records out
6451867648 bytes (6.5 GB) copied, 224.634 s, 28.7 MB/s
With GNU coreutils 8.24 and later, adding status=progress to the dd command prints this continuously instead.
- Data recovery from failing HD using DD Rescue
sudo apt-get install gddrescue
Connect the failing disk to your system, either directly or in a USB enclosure. It must be connected but not mounted.
First copy as much data as possible, without retrying or splitting sectors. The switch is -n; it is spelled --no-split in ddrescue before 1.19 and --no-scrape from 1.19 on, and the "logfile" is called a mapfile in the newer versions:
ddrescue -n /dev/hda1 imagefile logfile
To resume an interrupted run, repeat the same command: ddrescue reads the logfile and skips what it already copied.
Now let it retry previous errors 3 times, using uncached reads:
ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
If that fails you can try again but retrimmed, so it tries to reread full sectors:
ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile
We can now loop-mount the image read-only on our system and take a look at the files (read-only keeps the rescued image untouched, so a later fsck or carving pass still starts from the same data):
sudo mkdir -p /mnt/tmp
sudo mount -t ext3 -o ro,loop imagefile /mnt/tmp
Unmount:
sudo umount /mnt/tmp
DDrescue
- Recovery Process:
If /dev/sda is unreadable, get another HD with more space than on the failed disk.
sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile
Run successive passes like this:
sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile
ddrescue uses the logfile to read only the gaps that failed before; -C (--complete-only) keeps the pass inside the areas the logfile already records. In both cases the -r option sets how many times ddrescue retries a block when it hits an error (-1 = forever).
The three-pass sequence under "Data recovery from failing HD using DD Rescue" above (no-split pass, direct retries, retrim) is taken from Forensics Wiki.
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt
Example 2: Rescue a CD-ROM in /dev/cdrom
ddrescue -b 2048 /dev/cdrom cdimage logfile
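Between passes the question is always how much is still unread or bad, and that lives in the logfile (mapfile) ddrescue writes. The script below is an added example, not from this page or from GNU ddrescue: it totals the bytes per block status from a constructed mapfile, using the line format and status characters documented in the ddrescue manual, and tells you whether another -r pass can still gain anything.

```shell
#!/bin/sh
# mapfile_summary.sh -- added example, not from the page or from GNU ddrescue: total the
# bytes per block status in a ddrescue mapfile (called "logfile" in versions before 1.19)
# so you can see what another -r pass would still have to recover. The sample mapfile is
# constructed; the format and status characters follow the ddrescue manual:
#   ?  non-tried   *  non-trimmed   /  non-scraped   -  bad sector   +  finished
set -eu

# mapfile_bytes MAPFILE [STATUS] -> bytes of blocks in that status, or of all blocks if omitted.
# Data lines are "pos size status" with hex numbers. The first non-comment line is the
# "current_pos current_status current_pass" line; it is skipped because its 2nd field is not hex.
mapfile_bytes() {
    awk -v want="${2:-}" '
        function hex(s,  i, v) {            # mawk has no strtonum, so convert by hand
            s = tolower(s); sub(/^0x/, "", s); v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        /^#/ { next }
        $2 ~ /^0x/ && (want == "" || $3 == want) { total += hex($2) }
        END { printf "%.0f\n", total + 0 }
    ' "$1"
}

# rescue_done MAPFILE -> 0 when every block is finished (+), 1 when a pass could still gain data
rescue_done() {
    [ "$(mapfile_bytes "$1" +)" = "$(mapfile_bytes "$1")" ]
}

# mapfile_summary MAPFILE -> one line per status: bytes and share of the whole device
mapfile_summary() {
    total=$(mapfile_bytes "$1")
    for s in '?' '*' '/' '-' '+'; do
        b=$(mapfile_bytes "$1" "$s")
        pct=$(awk -v b="$b" -v t="$total" 'BEGIN { printf "%.2f", t ? 100 * b / t : 0 }')
        printf '%s %12s bytes %7s%%\n' "$s" "$b" "$pct"
    done
}

# Constructed sample: 128 KiB device, 512 bytes bad, 3584 bytes still untrimmed after a -n pass
sample_mapfile() {
cat <<'EOF'
# Mapfile. Created by GNU ddrescue version 1.23
# Command line: ddrescue -n /dev/sda imagefile mapfile
# Start time:   2020-01-01 00:00:00
# current_pos  current_status  current_pass
0x00020000     +               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x00000E00  *
0x00011000  0x0000F000  +
EOF
}

demo() {
    f=$(mktemp)
    sample_mapfile > "$f"
    mapfile_summary "$f"
    if rescue_done "$f"; then echo "nothing left to retry"; else echo "run another pass (e.g. -r 3 -C)"; fi
    rm -f "$f"
}
demo
```

Run mapfile_summary /media/usbdrive/logfile between the passes above: while '*' or '/' bytes remain, a retrim or scrape pass is worth its time; when only '-' is left, further -r passes are the only thing that can still help, and the zeros those sectors leave in the image are where a carver or fsck will later find gaps.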
Misc
- If there is a space shortage while imaging the drive:
Using GNU ddrescue with a log file, you can continue imaging to another drive and then span the images. In this example, you have imaged part of the drive to a file on one drive and the rest to a file on another drive (the second run must start reading at the byte where the first stopped and write to offset 0 of its file so the two files are contiguous; see -i/--input-position and -o/--output-position in the ddrescue manual). Here is how you put the pieces together:
sudo losetup /dev/loop1 /media/Drive1/image
sudo losetup /dev/loop2 /media/Drive2/image
sudo mdadm -B /dev/md0 -l linear -n 2 /dev/loop1 /dev/loop2
Your complete image can then be found at /dev/md0. To take the array down afterwards:
sudo mdadm -S /dev/md0
sudo losetup -d /dev/loop1
sudo losetup -d /dev/loop2
- Extract filesystem from recovered image:
Mounting partitions on the image: If you imaged the whole drive, you can mount the individual partitions on the image by using the "offset" option when mounting a loop filesystem. mmls from The Sleuth Kit can show you the partitions found within an image (-B adds the Size column):
mmls -B file
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size   Description
00:  -----   0000000000   0000000000   0000000001   0512B  Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   0015K  Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M  DOS FAT16 (0x06)
03:  00:00   0001646592   0002013183   0000366592   0179M  DOS FAT16 (0x06)
This shows several partitions. In this example, we want to mount the DOS partition starting at block 32. To calculate the number of bytes, multiply by 512:
$ bc
32 * 512
16384
quit
Mount the partition (read-only, so nothing on the image changes):
sudo mount -o ro,loop,offset=16384 file mnt    (32 multiplied by 512-byte blocks = 16384)
For a typical NTFS partition created by Windows XP, which starts at sector 63, use:
sudo mount -t ntfs -o ro,force,loop,offset=32256 file mnt    (63 multiplied by 512-byte blocks = 32256)
Windows Vista and later align the first partition at sector 2048 (offset 1048576), and 4Kn disks use 4096-byte sectors, so always take the start sector and the unit size from the mmls output rather than assuming them. On a recent util-linux, losetup -P -r -f --show file creates read-only /dev/loopNpM devices for every partition and saves the arithmetic.
- Cleaning up
Sort certain types of files (find -exec rather than xargs -i, so names with spaces survive; xargs -i is the deprecated spelling of -I {}):
sudo mkdir recovery/VID recovery/JPG
find recovery/ -name "*.avi" -exec mv {} recovery/VID/ \;
find recovery/ -name "*.mpg" -exec mv {} recovery/VID/ \;
find recovery/ -name "*.jpg" -exec mv {} recovery/JPG/ \;
Eliminate small photos (thumbnails and browser-cache images under 1 MiB):
sudo mkdir recovery/SMALL
find recovery/JPG/ -name "*.jpg" -size -1024k -exec mv {} recovery/SMALL/ \;
Rename jpegs according to their EXIF date:
find JPG/ -name "*.jpg" -exec jhead -nf%Y%m%d-%H%M%S {} \;
Then move the duplicates aside (jhead appends a letter when two files would get the same name):
mkdir -p /var/recovery/JPG/DUPS
find /var/recovery/JPG/ -name "*a.jpg" -exec mv {} /var/recovery/JPG/DUPS/ \;
Copy files with matching strings:
cd recovery
mkdir ../copy/
grep -l "enter the string of text here" *.doc | xargs -I {} cp {} ../copy/
- Recover a single file with bad sectors (both tools copy what is readable and skip the rest; the output must be a different file, as giving recoverdm the same name for -i and -o would overwrite its own input):
safecopy /video/folder/Vid001.avi /video/folder/n.avi
recoverdm -t 1 -i /video/Vid001.avi -o /video/Vid001-recovered.avi
- Secure Delete:
sudo apt-get install secure-delete
This has four tools:
srm - securely delete an existing file
smem - securely delete traces of a file from RAM
sfill - wipe all the space marked as empty on your hard drive
sswap - wipe all the data from your swap space
Bad Sector
- Check a disk for bad sectors. The default is a read-only test; the write-mode test (-w) destroys data. Unmount the filesystem first, and remember that a disk which already shows bad sectors to the operating system has usually used up its spare sectors, so image it with ddrescue before doing anything else:
sudo badblocks -v /dev/sdc
If bad sectors are found, proceed further. First write the locations of the bad blocks into a file, scanning the partition rather than the whole disk and using the filesystem's block size (ext4 normally uses 4096 bytes; check with tune2fs -l), so the numbers line up with the filesystem:
sudo badblocks -b 4096 -v /dev/sdc1 > ~/bad-blocks
After that, feed the file to e2fsck, which marks these blocks as unusable in the filesystem's bad block inode. The -l option belongs to e2fsck, not to the generic fsck wrapper, where -l means "lock the device":
sudo e2fsck -l ~/bad-blocks /dev/sdc1
Or let e2fsck run badblocks itself with the right block size:
sudo e2fsck -c /dev/sdc1