
Data Recovery....

<<

Loic

Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Mon Mar 24, 2008 6:11 pm

Data Recovery....

Hi all, I hope I posted this in the right area of these forums. But I need some advice on some good data recovery software (Linux).

While playing around with the BackTrack install feature I have accidentally wiped the Windows partition on my laptop.

What would be ideal would be to be able to boot up Linux on a live CD then use some software to recover what I can to an external HDD. The only data recovery I have done is with PhotoRec and from my knowledge that program is mainly used for images...

Any advice????

Thanks...
<<

iSmith

Full Member

Posts: 157

Joined: Sun Jan 20, 2008 12:01 pm

Post Mon Mar 24, 2008 6:31 pm

Re: Data Recovery....

Welcome to EH-net.

All the same, let this be a lesson to you: always back up your data, especially your critical data. (I'm not saying this to shame you; I once did the same thing with my flash drive, but I had a backup.)

iSmith out.
In my eyes, your operating system is as solid as swiss cheese.
<<

Bogwitch

Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Mon Mar 24, 2008 6:33 pm

Re: Data Recovery....

Oh dear.
A few questions. How much of an installation did you do? How much data do you have that is not recoverable from other sources, e.g. via installation, download etc.?
How big is the HDD fitted? Did you install over an existing partition? Have you got a larger HDD you can image your corrupted HDD to? How much time have you got? :) No backups?
CISSP, C|EH, C|HFI
<<

Loic

Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Mon Mar 24, 2008 6:37 pm

Re: Data Recovery....

Well, my laptop has an 80GB HDD and when the BackTrack installer did its thing it cleared all partitions, then created a 1GB one and from what I can see just copied itself from my flash drive.

So at the moment I have an 80GB hard disk, with a 1GB partition with BackTrack files on it, and the rest of the space unpartitioned... and I have a spare 300GB external HDD to dump what I can recover on to...
<<

Bogwitch

Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Mon Mar 24, 2008 6:55 pm

Re: Data Recovery....

Since you have already overwritten the FAT (or equivalent) this will not be an easy recovery. There will be very few tools that will help you here - if any.

It will almost certainly require you to manually recover files from blocks. If your drive was heavily fragmented this will be incredibly time-consuming and very, very difficult.

I would create an image of the laptop HDD on the USB HDD and work with that to avoid any further corruption. Once you've done that, you will need to grep for known file headers or content and hope that the files are held in contiguous blocks. You can then manually snip the files out and re-create them.

Was anything really that important?

Like iSmith said. BACKUPS! ;)
CISSP, C|EH, C|HFI
<<

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Thu Apr 17, 2008 3:05 pm

Re: Data Recovery....

Hi Loic

I was just browsing the forums and I saw your post so I thought I would register as I might be able to help.

If I had the same problem as you I would do the following.

1. I would boot into a distro such as BackTrack or any other that has dd. Using dd I would create an image of the disk onto the external drive.

dd if=/dev/hda of=/mnt/usb/hdd.img  (or whatever the external disk is mounted as).


2. Once I have that image I would use a tool such as foremost to run through the image and pull a lot of the files out.

foremost -v -o /home/loic/dump /mnt/usb/hdd.img

This should pull many filetypes out and place them in folders within a folder called dump (create this folder before you start) in your home drive.


Or you could boot into BackTrack, mount the external drive as, say, /mnt/usb and then run foremost direct to that without creating the image.

foremost -v -o /mnt/usb/dump /dev/hda

This would be quicker than creating the image first, obviously.

I have just put a post up on my blog about simple data recovery at http://synjunkie.blogspot.com

I hope this might have been of use to you.
----------------------------------
http://synjunkie.blogspot.com
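
Added example, not part of any post in this thread: a minimal header/footer carver showing what "grep for known file headers" and foremost's pass over hdd.img amount to, run against the image opened read-only rather than the laptop disk. The function names, the two signatures chosen, the 20 MiB cap and the sample data are assumptions made for illustration.

```python
import mmap
import os

# (extension, header magic, footer magic). Carving assumes each file sits in
# contiguous blocks; a fragmented file comes out truncated or corrupt.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]
MAX_SIZE = 20 * 1024 * 1024  # assumed cap: skip a header with no footer in range

def carve(buf, max_size=MAX_SIZE):
    """Return sorted (ext, offset, length) for each header followed by its footer."""
    hits = []
    for ext, header, footer in SIGNATURES:
        pos = buf.find(header)
        while pos != -1:
            end = buf.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                pos = buf.find(header, pos + 1)      # orphan header, keep scanning
                continue
            length = end + len(footer) - pos
            hits.append((ext, pos, length))
            pos = buf.find(header, pos + length)     # resume after the carved file
    return sorted(hits, key=lambda h: h[1])

def carve_image(image_path, out_dir):
    """Carve from an image opened read-only; name each output by its byte offset."""
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as buf:
        hits = carve(buf)
        for ext, off, length in hits:
            with open(os.path.join(out_dir, f"{off:012d}.{ext}"), "wb") as out:
                out.write(buf[off:off + length])
    return hits

def sample_image():
    """Constructed test data: a fake JPEG, a fake PNG and a header with no footer."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
    return (b"\x00" * 512 + jpg + b"\x00" * 406 + png
            + b"\x00" * 100 + b"\xff\xd8\xff" + b"\x00" * 64)

if __name__ == "__main__":
    for ext, off, length in carve(sample_image()):
        print(f"{ext} at byte {off}, {length} bytes")
```

A JPEG with an embedded thumbnail contains an earlier FF D9 marker, so a carve can end short; open each carved file to check it before relying on it.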
<<

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Apr 18, 2008 4:33 am

Re: Data Recovery....

SynJunkie,

Nice tips and article, think I'll take a closer look at your site :D
<<

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Fri Apr 18, 2008 4:36 pm

Re: Data Recovery....

Thanks.

It's a weird coincidence that data recovery was something I was focusing on in that recent blog post.
----------------------------------
http://synjunkie.blogspot.com
