I'm trying to recover data from a (Windows 2k) HDD belonging to my sister.
I first tried with the drive in an IDE to USB adapter which wasn't recognised (the adapter was, the disk wasn't) which isn't good. So I'm now trying with the disk mounted in a PC.
The BIOS can see the disk and correctly shows its manufacturer/serial/etc. I booted to an Ubuntu live CD and ran GParted, and it shows the disk as 18GB of unallocated space (which is the right capacity, although obviously I'd have preferred it to show an NTFS partition).
fdisk cannot access the disk. I tried dd which gives a read/write error.
The disk is spinning up OK and isn't noisy.
Any suggestions?
Professional data recovery could be considered but is probably too expensive. It's lost photos of my niece I'm trying to recover, amongst other things. Professional recovery is likely to be too expensive to justify unless it's under <£100 and I tend to assume anyone below that price isn't going to be doing anything I can't do myself with some Linux tools like scalpel, but if anyone knows otherwise I'd love to hear from you!
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
The BIOS can see the disk and correctly shows its manufacturer/serial/etc. I booted to an Ubuntu live CD and ran GParted, and it shows the disk as 18GB of unallocated space (which is the right capacity, although obviously I'd have preferred it to show an NTFS partition).
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
If the disk is even slightly readable this has worked out quite well for me in the past, generally I find that if photorec can't do it then none of the commercial data recovery software will either and forensic style recovery might be the only option.
Oh and don't let the name fool you...it doesn't just do photos.
Hullo,
2008/12/19 Wayne Stallwood ALUGlist@digimatic.co.uk:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
I wonder if it thus knows about all filesystems and will directly go for the files, or if instead it hunts around for the superblocks for each filesystem and then lets the OS's filesystem drivers access the device (with the appropriate offsets). Though I can't see the latter working unless it can create device nodes for the partitions.
"Photorec ignores the filesystem, this way it works even if the filesystem is severely damaged." This is a problem for ascii text files, or other data. How does it detect a file if a file does not have a header (aka magic value)? Sure, some files like JPEGs have a certain magic value. Surely it won't work with custom file formats.
The FS recovery tool I wrote for ext2/3 had to use the filesystem metadata, as this tells you what the file is and where its data blocks are located (some of which can be on different locations on the physical disk). It'd be interesting to have a look at the source code - yet another thing to do over XMas ;)
Srdjan
On Fri, 2008-12-19 at 11:54 +0000, Srdjan Todorovic wrote:
"Photorec ignores the filesystem, this way it works even if the filesystem is severely damaged." This is a problem for ascii text files, or other data. How does it detect a file if a file does not have a header (aka magic value)? Sure, some files like JPEGs have a certain magic value. Surely it won't work with custom file formats.
No it doesn't work with custom file formats (unless presumably you edited the source code to allow it to look for the right header)
However that said the list of supported file formats covers most of what an average person would want to recover.
http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec
The FS recovery tool I wrote for ext2/3 had to use the filesystem metadata, as this tells you what the file is and where its data blocks are located (some of which can be on different locations on the physical disk). It'd be interesting to have a look at the source code
- yet another thing to do over XMas ;)
What is your FS recovery tool? You aren't promoting it very well if you don't even tell us its name :)
Yeh I am not sure how it copes with fragmented files without understanding the filesystem to be honest. Maybe it can't. But the key thing here is that photorec is a file recovery tool not a filesystem recovery tool.
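Added example, not part of the thread and not PhotoRec's own code: a minimal header/footer carver run over a constructed raw image, showing the three cases raised above (a contiguous file is recovered intact, a file with no magic value is never found, and a fragmented file is carved with a foreign sector inside it). The image contents, the 512-byte sector size and the function names are assumptions made for the illustration.

```python
# Header/footer ("magic value") carving over a raw disk image.
SECTOR = 512

# Well-known start and end signatures for two formats.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve(image, max_size=10 * 1024 * 1024):
    """Return (kind, offset, data) for every signature found at a sector start.

    The filesystem is never consulted: each file is assumed to be stored
    contiguously from its header to the first matching footer. Taking the
    first footer is a simplification of this sketch.
    """
    hits = []
    for off in range(0, len(image), SECTOR):
        for kind, header, footer in SIGNATURES:
            if not image.startswith(header, off):
                continue
            end = image.find(footer, off + len(header), off + max_size)
            if end != -1:
                hits.append((kind, off, image[off:end + len(footer)]))
    return hits


def pad(data):
    """Zero-pad to a whole number of sectors, as file data sits on disk."""
    return data + b"\x00" * (-len(data) % SECTOR)


def build_sample_image():
    """Constructed test image: no partition table, three 'files'."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"      # contiguous
    txt = b"plain ASCII notes: no magic value to search for\n"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 900 + b"IEND\xaeB`\x82"
    image = (
        b"\x00" * SECTOR                      # wiped sector 0
        + pad(jpg)
        + pad(txt)
        + png[:SECTOR]                        # first fragment of the PNG
        + pad(b"someone else's sector\n")     # foreign data in between
        + pad(png[SECTOR:])                   # second fragment
    )
    return image, {"jpg": jpg, "txt": txt, "png": png}


if __name__ == "__main__":
    image, originals = build_sample_image()
    for kind, off, data in carve(image):
        status = "intact" if data == originals[kind] else "corrupt (fragmented)"
        print(f"{kind} at sector {off // SECTOR}: {len(data)} bytes, {status}")
```
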
Wayne Stallwood wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
This definitely looks useful for the future.
However, as far as I can tell this disk is not seeking at all. If I hold the disk in my hand I can feel a very faint clicking as if the drive is trying to seek but failing. I left it scanning for an hour or so with Photorec but all I was getting were streams of kernel errors.
Looks like a professional job is necessary or I give up :-(
These guys: http://www.datatrack-labs.co.uk/ .. look to be the cheapest but have the kit necessary to do the proper job if they're any good. Anyone heard of them?
On 19/12/2008 11:37:01, Wayne Stallwood wrote:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
We had a talk at work a while back now from somebody from the police forensics team and the software they use to find things you shouldn't have or which may be useful evidence uses exactly this technique in case you have deleted the files or used a filesystem that the software cannot otherwise cope with.
Regards, Steve.
Steve Fosdick wrote:
On 19/12/2008 11:37:01, Wayne Stallwood wrote:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
We had a talk at work a while back now from somebody from the police forensics team and the software they use to find things you shouldn't have or which may be useful evidence uses exactly this technique in case you have deleted the files or used a filesystem that the software cannot otherwise cope with.
It seems to be called testdisk under Ubuntu.
Cheers
Ian
On 19-Dec-08 15:51:12, Ian Thompson-Bell wrote:
Steve Fosdick wrote:
On 19/12/2008 11:37:01, Wayne Stallwood wrote:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
We had a talk at work a while back now from somebody from the police forensics team and the software they use to find things you shouldn't have or which may be useful evidence uses exactly this technique in case you have deleted the files or used a filesystem that the software cannot otherwise cope with.
It seems to be called testdisk under Ubuntu.
Cheers
Ian
Hmmm ... not sure if that's correct! Couldn't find PhotoRec in Debian, but did find testdisk, which is described as:
Partition scanner and disk recovery tool
TestDisk checks the partition and boot sectors of your disks. It is very useful in recovering lost partitions.
No reference to having anything to do with searching for files!
See also: http://en.wikipedia.org/wiki/TestDisk
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 19-Dec-08 Time: 16:08:26
------------------------------ XFMail ------------------------------
(Ted Harding) wrote:
Hmmm ... not sure if that's correct! Couldn't find PhotoRec in Debian, but did find testdisk
On my Ubuntu (8.10 Intrepid) box:
$ apt-cache search photorec
testdisk - Partition scanner and disk recovery tool
It's in that package, I just installed it!
On 19-Dec-08 16:24:43, Mark Rogers wrote:
(Ted Harding) wrote:
Hmmm ... not sure if that's correct! Couldn't find PhotoRec in Debian, but did find testdisk
On my Ubuntu (8.10 Intrepid) box:
$ apt-cache search photorec
testdisk - Partition scanner and disk recovery tool
It's in that package, I just installed it!
Ahh! Further search (Google: debian testdisk photorec) leads to:
http://www.debian-administration.org/articles/420
wherein:
$ apt-get install testdisk
'TestDisk' works with Ext2/Ext3, ReiserFS 3.6, ReiserFS 4, XFS, JFS, VFAT, NTFS, Linux Swap, etc. It also comes bundled with another program, 'PhotoRec', which started as a program for recovering photographs from digital cameras, but developed into a general data recovery program from different storage devices, even hard disks.
Your command $ apt-cache search photorec drew a blank on my Debian Etch, but $ apt-cache search testdisk did give a positive.
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding) Ted.Harding@manchester.ac.uk
Fax-to-email: +44 (0)870 094 0861
Date: 19-Dec-08 Time: 17:16:00
------------------------------ XFMail ------------------------------
(Ted Harding) wrote:
On 19-Dec-08 15:51:12, Ian Thompson-Bell wrote:
Steve Fosdick wrote:
On 19/12/2008 11:37:01, Wayne Stallwood wrote:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
We had a talk at work a while back now from somebody from the police forensics team and the software they use to find things you shouldn't have or which may be useful evidence uses exactly this technique in case you have deleted the files or used a filesystem that the software cannot otherwise cope with.
It seems to be called testdisk under Ubuntu.
Cheers
Ian
Hmmm ... not sure if that's correct! Couldn't find PhotoRec in Debian, but did find testdisk, which is described as:
Partition scanner and disk recovery tool
TestDisk checks the partition and boot sectors of your disks. It is very useful in recovering lost partitions.
No reference to having anything to do with searching for files!
See also: http://en.wikipedia.org/wiki/TestDisk
Ted.
Interesting because I did a synaptic search for photorec and only test disk was listed. The complete text of the description is as follows:
<quote>
Partition scanner and disk recovery tool
TestDisk checks the partition and boot sectors of your disks. It is very useful in recovering lost partitions. It works with :
* DOS/Windows FAT12, FAT16 and FAT32
* NTFS ( Windows NT/2K/XP )
* Linux Ext2 and Ext3
* BeFS ( BeOS )
* BSD disklabel ( FreeBSD/OpenBSD/NetBSD )
* CramFS (Compressed File System)
* HFS and HFS+, Hierarchical File System
* JFS, IBM's Journaled File System
* Linux Raid
* Linux Swap (versions 1 and 2)
* LVM and LVM2, Linux Logical Volume Manager
* Netware NSS
* ReiserFS 3.5 and 3.6
* Sun Solaris i386 disklabel
* UFS and UFS2 (Sun/BSD/...)
* XFS, SGI's Journaled File System
.
PhotoRec is file data recovery software designed to recover lost pictures from digital camera memory or even Hard Disks. It has been extended to search also for non audio/video headers. It searchs for
* Sun/NeXT audio data (.au)
* RIFF audio/video (.avi/.wav)
* BMP bitmap (.bmp)
* bzip2 compressed data (.bz2)
* Source code written in C (.c)
* Canon Raw picture (.crw)
* Canon catalog (.ctg)
* FAT subdirectory
* Microsoft Office Document (.doc)
* Nikon dsc (.dsc)
* HTML page (.html)
* JPEG picture (.jpg)
* MOV video (.mov)
* MP3 audio (MPEG ADTS, layer III, v1) (.mp3)
* Moving Picture Experts Group video (.mpg)
* Minolta Raw picture (.mrw)
* Olympus Raw Format picture (.orf)
* Portable Document Format (.pdf)
* Perl script (.pl)
* Portable Network Graphics (.png)
* Raw Fujifilm picture (.raf)
* Contax picture (.raw)
* Rollei picture (.rdc)
* Rich Text Format (.rtf)
* Shell script (.sh)
* Tar archive (.tar )
* Tag Image File Format (.tiff)
* Microsoft ASF (.wma)
* Sigma/Foveon X3 raw picture (.x3f)
* zip archive (.zip)
</quote>
Notice the reference to photorec in the second half which was what prompted my original post.
Cheers
Ian
On Fri, 19 Dec 2008 14:52:48 +0000 Steve Fosdick lists@pelvoux.nildram.co.uk allegedly wrote:
On 19/12/2008 11:37:01, Wayne Stallwood wrote:
On Fri, 2008-12-19 at 11:12 +0000, Mark Rogers wrote:
Try Photorec http://www.cgsecurity.org/wiki/PhotoRec it is probably in your favourite distro's package repository (on ubuntu and debian it is in the testdisk package)
It works very well even if the partition information etc is lost as it just looks for recognisable file headers.
We had a talk at work a while back now from somebody from the police forensics team and the software they use to find things you shouldn't have or which may be useful evidence uses exactly this technique in case you have deleted the files or used a filesystem that the software cannot otherwise cope with.
Probably Encase since that is the most widely used forensics tool though some forces use Access Data's FTK. Another useful tool is Sleuthkit (http://www.sleuthkit.org/sleuthkit/desc.php) a free set of forensic tools which is in turn based on Venema and Farmer's earlier "Coroner's Toolkit".
Mick
---------------------------------------------------------------------
The text file for RFC 854 contains exactly 854 lines. Do you think there is any cosmic significance in this?
Douglas E Comer - Internetworking with TCP/IP Volume 1
http://www.ietf.org/rfc/rfc854.txt
---------------------------------------------------------------------
On Fri, 2008-12-19 at 18:43 +0000, mbm wrote:
Probably Encase since that is the most widely used forensics tool though some forces use Access Data's FTK. Another useful tool is Sleuthkit (http://www.sleuthkit.org/sleuthkit/desc.php) a free set of forensic tools which is in turn based on Venema and Farmer's earlier "Coroner's Toolkit".
Sorry when I used the term forensic recovery I was (probably using the wrong word when) referring to the methods companies such as OnTrack use. Where the platters are removed from the drive in a clean room environment and spun up on specialist hardware to read them regardless of the state of the rest of the drive mechanics/electronics.
Did the disk come from a Dell laptop?
If so your sister may have set up a hdd password, which is set independently of the bios password. It will lock the disk contents unless it is successfully entered and would result in the disk looking empty to things like GParted.
The only way I have managed to fix this problem is by booting the disk via a Dell laptop, which then gives the password prompt on boot and then assuming your sister knows the password, removing the password via the bios.
Might not be your problem though if it's not come from a laptop!
Rick
On Fri, Dec 19, 2008 at 11:12 AM, Mark Rogers mark@quarella.co.uk wrote:
I'm trying to recover data from a (Windows 2k) HDD belonging to my sister.
I first tried with the drive in an IDE to USB adapter which wasn't recognised (the adapter was, the disk wasn't) which isn't good. So I'm now trying with the disk mounted in a PC.
The BIOS can see the disk and correctly shows its manufacturer/serial/etc. I booted to an Ubuntu live CD and ran GParted, and it shows the disk as 18GB of unallocated space (which is the right capacity, although obviously I'd have preferred it to show an NTFS partition).
fdisk cannot access the disk. I tried dd which gives a read/write error.
The disk is spinning up OK and isn't noisy.
Any suggestions?
Professional data recovery could be considered but is probably too expensive. It's lost photos of my niece I'm trying to recover, amongst other things. Professional recovery is likely to be too expensive to justify unless it's under <£100 and I tend to assume anyone below that price isn't going to be doing anything I can't do myself with some Linux tools like scalpel, but if anyone knows otherwise I'd love to hear from you!
-- Mark Rogers // More Solutions Ltd (Peterborough Office) // 0845 45 89 555 Registered in England (0456 0902) at 13 Clarke Rd, Milton Keynes, MK1 1LG
On Fri, Dec 19, 2008 at 11:57:32AM +0000, Ricky Bruce wrote:
The only way I have managed to fix this problem is by booting the disk via a Dell laptop, which then gives the password prompt on boot and then assuming your sister knows the password, removing the password via the bios.
You can remove those passwords with hdparm too (although it's marked dangerous, experimental and all that) it is just ide security mode which I have disabled and enabled before when upgrading a hard disk in an old style xbox for more storage when running XBMC which was via a linux live cd specifically for the purpose.
Adam
On 19/12/2008 13:44:35, Adam Bower wrote:
On Fri, Dec 19, 2008 at 11:57:32AM +0000, Ricky Bruce wrote:
The only way I have managed to fix this problem is by booting the disk via a Dell laptop, which then gives the password prompt on boot and then assuming your sister knows the password, removing the password via the bios.
You can remove those passwords with hdparm too (although it's marked dangerous, experimental and all that) it is just ide security mode which I have disabled and enabled before when upgrading a hard disk in an old style xbox for more storage when running XBMC which was via a linux live cd specifically for the purpose.
There is obviously no limit here to what things a small single purpose linux distro can be used for. I remember well the linux floppy that can be used to reset the administrator password on windows - great when the one person who knew it left the company a few years previously.
Regarding IDE security mode, this sounds like one of the things recently promoted in the BCS IT now magazine. Personally I reckon if the data is really sensitive nothing short of strong encryption with the key not stored anywhere on the laptop is sufficient.
Regards, Steve.
Ricky Bruce wrote:
Did the disk come from a Dell laptop?
No, it's a 3.5" IDE from a Compaq PC. The tests I've done with it (other than via USB adapter) have been done in the same PC it came from.
If so your sister may have set up a hdd password, which is set independently of the bios password. It will lock the disk contents unless it is successfully entered and would result in the disk looking empty to things like GParted.
Although not the case here for the reasons above, that's interesting to know so thanks for that.