Differences

This shows you the differences between two versions of the page.

--- data_recovery [2018/08/22 16:45]
peek [Data Recovery]
+++ data_recovery [2018/08/22 17:22] (current)
peek
@@ Line 26: / Line 26: @@
 ====== Data Recovery ======
-If the hardware is suspect, then the first thing to do is get a byte-for-byte copy of the drive's contents into a disk image file.  The less time spent using possibly faulty hardware the better.
+If the hardware is suspect, then the first thing to do is get a byte-for-byte copy of the drive's contents into a disk image file.  The less time spent using possibly faulty hardware the better.  For this, use ''ddrescue'' instead of ''dd'', as ''ddrescue'' will repeatedly try to recover from errors as it tried to salvage data, whereas dd will simply fail.
-<code>ddrescue -A -f /dev/sd<X> broken.img</code>
+<code>
+apt-get install gddrescue
+ddrescue -A -f /dev/sd<X> broken.img
+</code>
 This copy will remain unchanged while we work.  Make a copy of this file, and only alter the copy.  This way, if anything goes awry then we can go back to square one without having to rely on possibly faulty hardware again.
@@ Line 36: / Line 39: @@
 Use testdisk to search for and repair disk partitions.
-<code>testdisk work.img</code>
+<code>
+apt-get install testdisk
+testdisk work.img
+</code>
 Using testdisk involves using the arrow, escape, and enter keys.
@@ Line 87: / Line 93: @@
 work.img5         496 4014079 4013584  1.9G  6 FAT16
 </code>
-  - Find the offset from the beginning of the disk image file to the partition that you want to work with:\\ \\ ''OFFSET = SECTOR-SIZE * START'' \\ ''OFFSET = 512 * 496 = 253952''
+  - Find the offset from the beginning of the disk image file to the partition that you want to work with:\\ \\ ''OFFSET = SECTOR-SIZE * START = 512 * 496 = 253952''\\
+  - Attach the partition to a loopback device:\\ <code>losetup -o 253952 /dev/loop0 work.img</code>\\
+  - Attempt to fix the partition:\\ <code>fsck -y /dev/loop0 2>&1 | tee fsck.log</code>\\
+  - Mount the fixed partition read-only:\\ <code>mount -o ro /dev/loop0 /mnt</code>\\
+  - Copy files into ''RECOVERY/RECOVERED'':\\ <code>cd RECOVERY/RECOVERED ; (cd / && tar -cvf - mnt) | tar -xvBpf - 2>&1 | tee ../tar.log</code>\\
+  - Optional: Get a list of files for which tar failed:\\ <code>grep ^tar: ../tar.log</code>\\
+  - Optional: Find a list of files of size 0 bytes:\\ <code>find . -size 0 -ls 2>&1 | tee ../zero-size.log</code>\\
+  - Unmount the filesystem:\\ <code>umount /mnt</code>\\
+  - Detach the loopback file:\\ <code>losetup -d /dev/loop0</code>\\
+Final contents of ''RECOVERY'' directory:
+  * ''RECOVERY/DELETED'' -- Files recovered that the filesystem previously thought had been deleted.
+  * ''RECOVERY/RECOVERED'' -- Files that could be copies off of the disk image.  Some files may be corrupt though.
+  * fsck.log -- A log of all the changes that fsck made while fixing the filesystem.
+  * tar.log -- A log of all the files copied from the disk image into ''RECOVERY/RECOVERED''.  Any files that could not be copied are listed here and may be found with ''grep ^tar: log.tar''.
+  * zero-size.log -- A log of all the files in ''RECOVERY/RECOVERED'' that are empty.

NIMBioS Help

User Tools

Site Tools

Differences

Page Tools