Data Recovery

Recently, I had to help a missionary in a remote area of Papua New Guinea retrieve data from their failed hard drive. Unfortunately, their backup wasn't so up to date, so they may lose up to a year's worth of culture and language acquisition data.

When we finally got the hard drive shipped to us, thankfully, it did spin up when we connected it; however, we were not able to access the disk.

So the first thing I did was to create an image of the hard drive so as not to damage it any further. I'm using Linux Ubuntu 8.10, but any Linux distribution should be fine as long as you install the recovery tools. The tools I've used are the following:

  • dd_rescue

  • fdisk

  • losetup

  • testdisk

Creating a disk image:

To create a disk image, run the following as root:

dd_rescue -A /dev/sdb disk.img

dd_rescue is a tool similar to dd but is more error resistant. The
-A switch tells dd_rescue to write zeros in place of any block it
cannot read, instead of skipping it.

/dev/sdb is the disk you want to image. Change this to the actual
disk that is to be imaged. Note the lack of a number after the device
name: this is because we want to image the entire disk rather than
just a given partition.

disk.img is the file to save the image to.

 

If errors were encountered, it might be good to try and read the
data from the back of the disk.

dd_rescue -A -r /dev/sdb disk.img

 

Once the image is created, check the partitions on the disk image:

fdisk -lu disk.img

This will show the partitions that are available. Check to see if
the partitions are mountable. If they are not, you may need to run
testdisk to fix the partition tables and/or boot records.

testdisk disk.img

Check out http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
for a step-by-step guide on using testdisk.

 

Once the disk image has been fixed, you will need to mount the
partition. Use losetup to create a loop device for the disk in order
to mount the individual partition on the disk image.

losetup -f --show disk.img

This will tell you which loop device the image has been added to,
usually it is /dev/loop1. For the remainder of this, change
/dev/loop1 to whichever loop device was created.

Now, run fdisk on the loop device to find where the partitions are
located.

fdisk -lu /dev/loop1

Note the units and the equivalent number of bytes per unit in the
output, and also the starting sector for the partition. Multiply the
two together to get the starting byte, then run:

losetup -fo #### /dev/loop1

Where #### is the starting byte we calculated earlier.
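
The offset calculation above, as an added example (not part of the original post): a shell function that reads fdisk -lu output and prints each partition's starting byte for use with losetup -o. The function name partition_offsets and the sample fdisk output are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `fdisk -lu` output into byte offsets for `losetup -o`.
# partition_offsets is a hypothetical helper name; real use would be:
#   fdisk -lu /dev/loop1 | partition_offsets

partition_offsets() {
    awk '
        # Unit size: "Units = sectors of 1 * 512 = 512 bytes" (older fdisk)
        # or "Units: sectors of 1 * 512 = 512 bytes" (newer fdisk).
        /^Units/ {
            for (i = 2; i <= NF; i++) if ($i == "bytes") unit = $(i - 1)
            next
        }
        /^ *Device/ { in_table = 1; next }   # header row of the partition table
        in_table && NF >= 4 {
            # A bootable partition has "*" in the Boot column, which shifts
            # the Start column one field to the right.
            start = ($2 == "*") ? $3 : $2
            if (start !~ /^[0-9]+$/) next
            if (unit == "") exit 2           # cannot convert without a unit size
            # %.0f keeps offsets beyond 2^31 exact (awk numbers are doubles).
            printf "%s %.0f\n", $1, start * unit
        }
    '
}

# Constructed sample in the older fdisk layout; not taken from the failed drive.
SAMPLE_FDISK_OUTPUT='Disk disk.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
disk.img1   *          63    20482874    10241406    7  HPFS/NTFS
disk.img2        20482875   156296384    67906755   83  Linux'

# Prints "disk.img1 32256" and "disk.img2 10487232000".
printf '%s\n' "$SAMPLE_FDISK_OUTPUT" | partition_offsets
```

The second column of each output line is the value to substitute for #### in the losetup command above.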

Now run the following to see the loop devices available:

losetup -a

Note the loop device that is listed with the offset and is backed by
the loop device you created when setting up the disk image. Usually,
it is the next available loop number, e.g. /dev/loop2.

Now, we can mount that loop device:

mount /dev/loop2 /mnt

where /mnt is the folder where you want to mount the partition.

 

Copy the data required. Thankfully, we were able to mount the partition successfully and copied the data to another location. However, if the disk is not fixable, you can still extract raw data from
it by using photorec, but this will lose the directory structure and
the filenames of the files. This may be useful for memory cards used
in digital cameras, mp3 players, etc.