Recover: Difference between revisions

From Halfface
Latest revision as of 09:13, 1 August 2012

recover deleted files

Install photorec

yum install testdisk

ddrescue

Read disk.

sudo ddrescue /dev/sdb1 /temp/sdb1
Information from http://www.forensicswiki.org/wiki/Ddrescue
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.
First you copy as much data as possible, without retrying or splitting sectors:
# ddrescue --no-split /dev/hda1 imagefile logfile
Now let it retry previous errors 3 times, using uncached reads:
# ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
If that fails you can try again but retrimmed, so it tries to reread full sectors:
# ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around, just in case the filesystem is severely broken and data-carving tools like testdisk need to be used on the original image.
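
To decide whether the retry passes above are worth running, the logfile can be totalled by block status. The script below is an added example, not part of the original page or of ddrescue itself. It assumes the GNU ddrescue logfile layout (comment lines, one current-position line, then `pos size status` lines where `+` is rescued, `-` is a bad sector, and `?`, `*`, `/` are non-tried, non-trimmed and non-split); the function names and sample data are constructed.

```shell
#!/bin/sh
# Summarise a ddrescue logfile: bytes rescued, bad, and still pending.

# Constructed sample in the logfile layout (not taken from a real disk).
sample_logfile() {
cat <<'EOF'
# Rescue Logfile. Created by GNU ddrescue
# current_pos  current_status
0x00032000     +
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x00001E00  /
0x00012000  0x00020000  +
EOF
}

# summarize_logfile FILE -> "rescued=N bad=N pending=N" (bytes, decimal)
# Runs in a subshell so its variables do not leak into the caller.
summarize_logfile() (
    rescued=0 bad=0 pending=0 seen_state=0
    while read -r pos size status rest || [ -n "$pos" ]; do
        case "$pos" in ''|'#'*) continue ;; esac   # blank line or comment
        # The first non-comment line is the current position/state, not a block.
        if [ "$seen_state" -eq 0 ]; then seen_state=1; continue; fi
        # Accept only 0x-prefixed hex sizes before using them in arithmetic.
        case "$size" in
            0x|0x*[!0-9A-Fa-f]*) echo "bad size at $pos" >&2; exit 1 ;;
            0x*) ;;
            *) echo "bad size at $pos" >&2; exit 1 ;;
        esac
        case "$status" in
            '+') rescued=$((rescued + $size)) ;;
            '-') bad=$((bad + $size)) ;;
            '?'|'*'|'/') pending=$((pending + $size)) ;;
            *) echo "unknown status '$status' at $pos" >&2; exit 1 ;;
        esac
    done < "$1"
    echo "rescued=$rescued bad=$bad pending=$pending"
)

# Stand-alone use: sh summarize.sh logfile
if [ "$#" -gt 0 ]; then summarize_logfile "$1"; fi
```

A non-zero `bad` or `pending` count means the image still has holes, so keep the logfile next to the imagefile and run the next pass with the same three arguments.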

photorec

Recover files from disk image.

sudo photorec /temp/sdd1

sleuthkit

List files

fls -f fat -r sdd1 | less

Recover files.

icat -f fat -r sdd1 9748 > recovered.file