data_recovery

Differences

This shows you the differences between two versions of the page.

data_recovery [2018/08/22 16:05]
peek [Data Recovery]
data_recovery [2018/08/22 17:22] (current)
peek
Line 26: Line 26:
 ====== Data Recovery ====== ====== Data Recovery ======
  
-If the hardware is suspect, then the first thing to do is get a byte-for-byte copy of the drive's contents into a disk image file.  The less time spent using possibly faulty hardware the better.+If the hardware is suspect, then the first thing to do is get a byte-for-byte copy of the drive's contents into a disk image file.  The less time spent using possibly faulty hardware the better.  For this, use ''ddrescue'' instead of ''dd'', as ''ddrescue'' will repeatedly try to recover from errors as it tried to salvage data, whereas dd will simply fail.
  
-<code>ddrescue -A -f /dev/sd<X> broken.img</code>+<code> 
 +apt-get install gddrescue 
 +ddrescue -A -f /dev/sd<X> broken.img 
 +</code>
  
 This copy will remain unchanged while we work.  Make a copy of this file, and only alter the copy.  This way, if anything goes awry then we can go back to square one without having to rely on possibly faulty hardware again. This copy will remain unchanged while we work.  Make a copy of this file, and only alter the copy.  This way, if anything goes awry then we can go back to square one without having to rely on possibly faulty hardware again.
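Review bot: The ''ddrescue -A -f /dev/sd<X> broken.img'' line in the new code block passes no mapfile, so an interrupted copy cannot be resumed and ''-A'' (try again) has no earlier run to act on; ''-f'' is only needed when the output is a device rather than a regular image file. Suggest ''ddrescue /dev/sd<X> broken.img broken.map'', with ''-r N'' added if repeated retry passes are wanted, since that is the behaviour the new sentence promises. In that sentence, "as it tried to salvage data" should read "as it tries", and the final ''dd'' is missing its monospace quotes. The ''apt-get install gddrescue'' line needs root, which the page does not say.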
Line 36: Line 39:
 Use testdisk to search for and repair disk partitions. Use testdisk to search for and repair disk partitions.
  
-<code>testdisk work.img</code>+<code> 
 +apt-get install testdisk 
 +testdisk work.img 
 +</code>
  
 Using testdisk involves using the arrow, escape, and enter keys. Using testdisk involves using the arrow, escape, and enter keys.
  
-  - Confirm that you want to use the disk image work.img, click "Proceed"\\ {{::screenshot_2018-08-22_11-54-59.png |}}\\  +  - Confirm that you want to use the disk image work.img, click "Proceed"\\ {{ :screenshot_2018-08-22_11-54-59.png |}}\\  
-  - Select the disk image partition table type.  Ex: Intel\\ {{::screenshot_2018-08-22_11-57-20.png |}}\\  +  - Select the disk image partition table type.  Ex: Intel\\ {{ :screenshot_2018-08-22_11-57-20.png |}}\\  
-  - Click: Analyse\\ {{::screenshot_2018-08-22_11-58-16.png |}}\\  +  - Click: Analyse\\ {{ :screenshot_2018-08-22_11-58-16.png |}}\\  
-  - Click: Quick Search\\ {{::screenshot_2018-08-22_11-59-08.png |}}\\  +  - Click: Quick Search\\ {{ :screenshot_2018-08-22_11-59-08.png |}}\\  
-  - Click: Enter to continue\\ {{::screenshot_2018-08-22_12-00-07.png |}}\\  +  - Click: Enter to continue\\ {{ :screenshot_2018-08-22_12-00-07.png |}}\\  
-  - Click: Deeper Search\\ {{::screenshot_2018-08-22_12-00-46.png |}}\\  +  - Click: Deeper Search\\ {{ :screenshot_2018-08-22_12-00-46.png |}}\\  
-  - Click: Enter to continue\\ {{::screenshot_2018-08-22_12-01-27.png |}}\\  +  - Click: Enter to continue\\ {{ :screenshot_2018-08-22_12-01-27.png |}}\\  
-  - Click: Write\\ {{::screenshot_2018-08-22_12-02-14.png |}}\\  +  - Click: Write\\ {{ :screenshot_2018-08-22_12-02-14.png |}}\\  
-  - Click: Y\\ {{::screenshot_2018-08-22_12-02-54.png |}}\\  +  - Click: Y\\ {{ :screenshot_2018-08-22_12-02-54.png |}}\\  
-  - Click: OK (You do not need to reboot)\\ {{::screenshot_2018-08-22_12-03-46.png |}}\\  +  - Click: OK (You do not need to reboot)\\ {{ :screenshot_2018-08-22_12-03-46.png |}}\\  
-  - Click: Quit\\ {{::screenshot_2018-08-22_12-04-21.png |}}\\  +  - Click: Quit\\ {{ :screenshot_2018-08-22_12-04-21.png |}}\\  
-  - Click: Quit\\ {{::screenshot_2018-08-22_12-04-54.png |}}\\ +  - Click: Quit\\ {{ :screenshot_2018-08-22_12-04-54.png |}}\\ 
  
 +Use photorec to recover deleted files.
 +
 +<code>mkdir RECOVERY RECOVERY/DELETED RECOVERY/RECOVERED</code>
 +<code>photorec work.img</code>
 +
 +  - Confirm that you want to use the disk image work.img, click "Proceed"\\ {{ ::screenshot_2018-08-22_12-32-18.png |}}\\ 
 +  - Select partition, click: Search\\ {{ ::screenshot_2018-08-22_12-33-21.png |}}\\ 
 +  - Select the filesystem type\\ {{ ::screenshot_2018-08-22_12-34-09.png |}}\\ 
 +  - Select directory to save recovered files.
 +    - Select: RECOVERY\\ {{ ::screenshot_2018-08-22_12-35-28.png |}}\\ 
 +    - Select: DELETED\\ {{ ::screenshot_2018-08-22_12-36-06.png |}}\\ 
 +    - Press: C\\ {{ ::screenshot_2018-08-22_12-37-04.png |}}\\ 
 +  - photorec will process for a while.  When finished, select: Quit\\ {{ ::screenshot_2018-08-22_12-38-17.png |}}\\ 
 +  - Select: Quit\\ {{ ::screenshot_2018-08-22_12-38-59.png |}}\\ 
 +  - Select: Quit\\ {{ ::screenshot_2018-08-22_12-39-34.png |}}\\ 
 +
 +Files that the filesystem thinks have been deleted are now stored in ''RECOVERY/DELETED/'' Filenames are most likely trashed, so the only way to identify a file is to open it up.
 +
 +Recover other files:
 +
 +  - Find a list of partitions:\\
 +<code>
 +fdisk -lu work.img 
 +Disk work.img: 1.9 GiB, 2055208960 bytes, 4014080 sectors
 +Units: sectors of 1 * 512 = 512 bytes
 +Sector size (logical/physical): 512 bytes / 512 bytes
 +I/O size (minimum/optimal): 512 bytes / 512 bytes
 +Disklabel type: dos
 +Disk identifier: 0x00000000
 +
 +Device     Boot Start     End Sectors  Size Id Type
 +work.img1          63 4014079 4014017  1.9G  5 Extended
 +work.img5         496 4014079 4013584  1.9G  6 FAT16
 +</code>
 +  - Find the offset from the beginning of the disk image file to the partition that you want to work with:\\ \\ ''OFFSET = SECTOR-SIZE * START = 512 * 496 = 253952''\\ 
 +  - Attach the partition to a loopback device:\\ <code>losetup -o 253952 /dev/loop0 work.img</code>\\ 
 +  - Attempt to fix the partition:\\ <code>fsck -y /dev/loop0 2>&1 | tee fsck.log</code>\\ 
 +  - Mount the fixed partition read-only:\\ <code>mount -o ro /dev/loop0 /mnt</code>\\ 
 +  - Copy files into ''RECOVERY/RECOVERED'':\\ <code>cd RECOVERY/RECOVERED ; (cd / && tar -cvf - mnt) | tar -xvBpf - 2>&1 | tee ../tar.log</code>\\ 
 +  - Optional: Get a list of files for which tar failed:\\ <code>grep ^tar: ../tar.log</code>\\ 
 +  - Optional: Find a list of files of size 0 bytes:\\ <code>find . -size 0 -ls 2>&1 | tee ../zero-size.log</code>\\ 
 +  - Unmount the filesystem:\\ <code>umount /mnt</code>\\ 
 +  - Detach the loopback file:\\ <code>losetup -d /dev/loop0</code>\\ 
 +
 +Final contents of ''RECOVERY'' directory:
 +  * ''RECOVERY/DELETED'' -- Files recovered that the filesystem previously thought had been deleted.
 +  * ''RECOVERY/RECOVERED'' -- Files that could be copies off of the disk image.  Some files may be corrupt though.
 +  * fsck.log -- A log of all the changes that fsck made while fixing the filesystem.
 +  * tar.log -- A log of all the files copied from the disk image into ''RECOVERY/RECOVERED'' Any files that could not be copied are listed here and may be found with ''grep ^tar: log.tar''.
 +  * zero-size.log -- A log of all the files in ''RECOVERY/RECOVERED'' that are empty.
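Review bot: The "Final contents of ''RECOVERY'' directory" list does not match the commands above it: ''fsck.log'' is written by ''tee fsck.log'' before the ''cd RECOVERY/RECOVERED'' step, so it lands outside ''RECOVERY'', and the ''tar.log'' bullet says ''grep ^tar: log.tar'' where the step itself uses ''grep ^tar: ../tar.log''. Suggest ''tee RECOVERY/fsck.log'' in the fsck step and the correct file name in the bullet. In the copy step, ''2>&1'' applies only to the extracting ''tar'', so read errors from ''(cd / && tar -cvf - mnt)'' never reach ''tar.log''; redirect the subshell's stderr into the pipe as well. ''losetup -o 253952 /dev/loop0 work.img'' assumes ''/dev/loop0'' is free, whereas ''losetup -f --show -o 253952 work.img'' picks a free device and prints its name. The multi-line code block after "Find a list of partitions" sits outside the list item, which restarts the numbering for the steps that follow it.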
data_recovery.1534953919.txt.gz · Last modified: 2018/08/22 16:05 by peek