Sunday, December 28th, 2008 | Author: jean

Disc Recovery within Linux

This article comes with no warranty – you do everything shown here at your own risk. It may be possible to sort, repair and recover your data; see this article as a help.

I wrote this little article to provide a little help for those who are trying hard to get their lost data back, like me recently. This article comes with no warranty :) It will also show (evil!) that some data can easily be restored from a harddisc even if you deleted all files and even if you made new partitions. Surely, a good company or good people who are used to restoring data will probably get much more data out than I did.

Anyway, I will suggest some tools here and give some advice on how to use them. After I lost some really important files I was searching for ways to restore my data – here’s the result:

Lost Graphics (jpg) – recoverjpeg

Imagine you don’t have a backup of your stored graphics which are in jpg format, and you want them back because they show your pets, family or other things. Or perhaps digital artwork or photography. Whatever you lost – there is a speedy way to restore such data. Get recoverjpeg from here. Follow the instructions and run it on the whole disc. It doesn’t matter whether your disc is mounted or not, though you should keep it unmounted so you don’t risk the lost data getting overwritten by something else.

Recoverjpeg will try to get all JPEGs from that disc and store them in the current directory. So it’s probably better to do a: mkdir ~/my_restored_pictures && cd ~/my_restored_pictures and run recoverjpeg from there.

Some of the graphics will most likely contain wrong colors or artifacts, or be corrupted. Anyway: I was able to bring ~ 40 000 pictures back and most of them are useful. Compared to other tools which I tested, recoverjpeg seems to be really fast.

Lost Files (some) – PhotoRec

PhotoRec seems to be a really really nice tool. I’m just a bit curious about some things within PhotoRec, but for now I didn’t look into why – there are probably some answers around on their page. The “estimated” time is “just” wrong. When I started to run PhotoRec on my first disc it showed “estimated time: 20h”. When I came back 7 hours later it showed “estimated time: 21h” – when I came back 20 hours later it showed “estimated time: 17 hours”. So.. if your data is really important, the time doesn’t matter – just run it and hope to get as much as possible. I got a lot of txt files; sorting them will be nearly impossible (over 50k files), so.. hope that you don’t have important stuff within txt files like me. mp3s (hey.. totally unimportant to me, though I just wanna note it) are split into several files – at least some of them. So listening to the mp3s isn’t really working. Well, I could try to “put” them together using some other Linux tools, ofc.

Just get PhotoRec from here. As PhotoRec recovers a lot of other file types (you can set which filetypes it should try to restore), this is a really helpful tool. I ran PhotoRec on the whole disc without defining a filesystem (well, I set “other”) and without setting a partition (whole disc). Take a good look at their documentation – it’s well explained. I was able to restore a lot of data using PhotoRec.

Another way to restore files – foremost

In general, to restore lost data, you need to look at the harddisc in raw format, without a filesystem layer in between. In this raw data you will find everything. Every file (as far as I know) starts with a specific header, which tells you or a tool what kind of file it is. Tools like foremost, which know about these headers, can restore files. So let’s take a closer look at foremost.

You can get foremost here, in case it’s not in your distribution. By the way, there is another similar tool, though it doesn’t seem to be actively developed (not sure). Anyway, you can give Scalpel a try.

Say we have a disc at /dev/sdb and want to restore PDFs from it using foremost. We would do:
~ mkdir -p /sicherung/pdfs
~ cd /sicherung/pdfs
~ foremost -v -t pdf -k 500 -b 1024 -o /sicherung/pdfs -i /dev/sdb

Usually you will have created an image of the disc instead of using the disc directly. Tools for this would be ddrescue and dd.

ddrescue can be obtained here in case it’s not in your distribution.
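
The header search described above for foremost, as an added example (not part of the original article and not foremost's own code): a minimal Python carver that scans a raw image for the PDF header and end marker with no filesystem involved. The size cap, the function names and the sample image are assumptions constructed for illustration.

```python
import mmap
import os

PDF_HEADER = b"%PDF-"          # magic bytes at the start of a PDF
PDF_FOOTER = b"%%EOF"          # end-of-file marker
MAX_SIZE = 10 * 1024 * 1024    # assumed cap per carved file (hypothetical value)

def carve_pdfs(raw, max_size=MAX_SIZE):
    """Return [(offset, data)] for each header..footer span in raw bytes or mmap."""
    found, pos, size = [], 0, len(raw)
    while (start := raw.find(PDF_HEADER, pos)) != -1:
        limit = min(start + max_size, size)
        # A second header before the cap means another file starts there.
        nxt = raw.find(PDF_HEADER, start + len(PDF_HEADER), limit)
        if nxt != -1:
            limit = nxt
        end = raw.rfind(PDF_FOOTER, start, limit)
        if end == -1:
            # Header whose tail was overwritten or fragmented: skip it.
            pos = start + len(PDF_HEADER)
            continue
        found.append((start, bytes(raw[start:end + len(PDF_FOOTER)])))
        pos = end + len(PDF_FOOTER)
    return found

def carve_image(image_path, out_dir):
    """Carve PDFs from a disc image; out_dir must not be on the disc being recovered."""
    os.makedirs(out_dir, exist_ok=True)
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as raw:
        hits = carve_pdfs(raw)
    paths = []
    for offset, data in hits:
        paths.append(os.path.join(out_dir, f"{offset:010d}.pdf"))
        with open(paths[-1], "wb") as out:
            out.write(data)
    return paths

def build_sample_image():
    """Constructed sample: no filesystem, two PDF-like files and one truncated one."""
    gap = bytes(512)
    pdf_a = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    truncated = b"%PDF-1.4\n(tail overwritten)"
    pdf_b = b"%PDF-1.3\n(second file)\n%%EOF"
    return gap + pdf_a + gap + truncated + gap + pdf_b + gap

if __name__ == "__main__":
    for offset, data in carve_pdfs(build_sample_image()):
        print(f"offset {offset}: {len(data)} bytes")
```

This kind of carving assumes each file sits in one contiguous run on the disc, so fragmented files come back split or corrupted.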

Restore (Repair) archives – (gz) – gzrecovery

gzrecovery can be obtained from here, in case it’s not in your distribution.

Let’s imagine that with the above tools we got some .gz files containing a lot of files. These .gz files are broken because some deleted files already got overwritten on the disc, or something else happened, or the backup tool wasn’t able to restore them fully. We can try to repair such an archive using gzrecovery and get at least some of the files within that .gz back. Look at the documentation of gzrecovery to do so.

Other useful things and links

(Article) de – at LinuxUser about dd_rescue
(Article) de – at LinuxUser about correct delete of files
(Article) de – Wiki of Ubuntu about data recovery
(Tools) en – Allin1 for sleuthkit
(Tools) en – sleuthkit
(Linklist) en – useful links about datarecovery

That should be enough to give you some help.

Conclusion?

I was really curious about the fact that it was THAT easy to restore most of my data. I expected some black magic or something. Anyway, combined with the fact that I used 3 (5 discs in all) old harddiscs to restore some other data which I probably deleted in the past – I got nearly everything back. Anyway, you shouldn’t consider your old harddiscs as backups.. though I’m happy that I didn’t trash them :)

The fact that it was that easy to restore my data is opening my eyes a bit more. Now I know, for example, that if I give out my harddiscs, even if I “quickformat” them or create a Linux filesystem or make new partitions, people could restore the data on them. That’s .. evil. By the way.. just to name some tools to securely erase your harddisc, you could try:

# a here-string would write the text only once; yes repeats it until the disc is full
yes "HERE-IS-NOTHING-TO-ReStOrE" | dd of=/dev/hda bs=1M

though… not sure how “secure” this would be :p Another way to do this is using the “shred” tool. Just google a bit for it. It will first overwrite files to hide their contents.

Category: Datarecovery