Recover: Difference between revisions
Latest revision as of 09:13, 1 August 2012
recover deleted files
Install photorec
yum install testdisk
ddrescue
Read disk.
sudo ddrescue /dev/sdb1 /temp/sdb1
Information from http://www.forensicswiki.org/wiki/Ddrescue
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.
First you copy as much data as possible, without retrying or splitting sectors:
# ddrescue --no-split /dev/hda1 imagefile logfile
Now let it retry previous errors 3 times, using uncached reads:
# ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
If that fails you can try again but retrimmed, so it tries to reread full sectors:
# ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around, just in case the filesystem is severely broken and data carving tools like testdisk need to be used on the original image.
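An added example, not part of the original page or of the ddrescue project: a POSIX shell summary of the logfile written by the passes above, totalling bytes per block status to show which pass to run next. The sample logfile is constructed, and the function names write_sample_map, summarise_map and next_step are hypothetical.

```shell
#!/bin/sh
# Status characters in a ddrescue logfile (GNU ddrescue manual):
#   ? non-tried   * non-trimmed   / non-split   - bad sector   + finished

# Constructed sample logfile, not output from a real rescue.
write_sample_map() {
    cat > "$1" <<'EOF'
# Rescue Logfile. Created by GNU ddrescue
# current_pos  current_status
0x00120000     ?
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00010000  *
0x00110000  0x00000200  -
0x00110200  0x0000FE00  /
0x00120000  0x000E0000  ?
EOF
}

# Print byte totals per status for the logfile given as $1.
summarise_map() {
    rescued=0; nontried=0; nontrimmed=0; nonsplit=0; bad=0; first=1
    while read -r pos size status rest; do
        case $pos in ''|'#'*) continue ;; esac   # blank or comment line
        # The first data line is "current_pos current_status", not a block.
        if [ "$first" -eq 1 ]; then first=0; continue; fi
        case $status in
            '+') rescued=$((rescued + $size)) ;;
            '?') nontried=$((nontried + $size)) ;;
            '*') nontrimmed=$((nontrimmed + $size)) ;;
            '/') nonsplit=$((nonsplit + $size)) ;;
            '-') bad=$((bad + $size)) ;;
        esac
    done < "$1"
    echo "rescued=$rescued non-tried=$nontried non-trimmed=$nontrimmed non-split=$nonsplit bad=$bad"
}

# Map the totals onto the passes described above.
next_step() {
    summarise_map "$1" > /dev/null
    if [ "$nontried" -gt 0 ]; then
        echo "first pass incomplete: rerun the --no-split pass"
    elif [ $((nontrimmed + nonsplit + bad)) -gt 0 ]; then
        echo "errors remain: run the --direct --max-retries=3 pass"
    else
        echo "image complete"
    fi
}

sample=$(mktemp); write_sample_map "$sample"
summarise_map "$sample"; next_step "$sample"
```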
photorec
sudo photorec /temp/sdd1
Recover files from disk image.
sleuthkit
List files
fls -f fat -r sdd1 | less
Recover a file, using the metadata address shown for it in the fls listing (9748 here).
icat -f fat -r sdd1 9748 > recovered.file