From Network Security Wiki
Jump to navigation Jump to search

HDD Recovery

The Following Recovery Tools are briefly discussed here:

TestDisk & PhotoRec

  • TestDisk recover lost partitions and repair boot sectors
sudo tesdisk
  • PhotoRec recover many types of files from tons of file systems
sudo photorec imagefilename
sudo photorec


  • Foremost and Scalpel are not interested in the underlying filesystem. They simply expect the data blocks of the files to reside sequentially in the image under investigation. The tools will find images in dd dumps, RAM dumps, or swap files.Carving will help to identify and reconstruct files on corrupt filesystems, in slack space, or even after installation of a new operating system, as long as the required data blocks still exist.
  • Foremost recovers files based on their headers and other internal structures, operates on hard drives or drive image files generated by various tools.
  • Recovery process:

Mount the external drive sdb

sudo mount /dev/sdb1 /recovery
sudo mkdir /recovery/foremost

Run foremost:

sudo foremost -i /dev/hda -o /recovery/foremost

To run formost on an image, just substitute the filename for the device

sudo foremost -i image-name -o /recovery/foremost

The recovered files will then be owned by root. Change their ownership so that you can use them:

sudo chown -R youruser:youruser /recovery/foremost

Use the -w switch to obtain only an audit of recoverable files:

sudo foremost -w -i /dev/hda -o /recovery/foremost

To recover only specific file types, use the -t switch:

sudo foremost -t jpg -i /dev/hda -o /recovery/foremost
  • Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery
  • Foremost:

Search for jpeg format skipping the first 100 blocks

sudo foremost -s 100 -t jpg -i image.dd

Only generate an audit file, and print to the screen (verbose mode)

sudo foremost -av image.dd

Search all defined types

sudo foremost -t all -i image.dd

Search for gif and pdf

sudo foremost -t gif,pdf -i image.dd

Search for office documents and jpeg files in a Unix file sys-tem in verbose mode.

sudo foremost -v -t ole,jpeg -i image.dd

Run the default case(image.dd means enter your harddisk mount point i.e /dev/sda1 or /dev/sda2)

sudo foremost image.dd


  • Scalpel is focused on enhanced performance and lower memory usage.

A Frugal, High Performance File CarverA fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery.

By default, all file types in the database (/etc/scalpel/scalpel.conf) are commented out. To specify which filetypes you want to carve, you need to edit the file and uncomment each line.

sudo scalpel FILE -o Directory

Where FILE is the image file (or device) and Directory is the output directory.

Autopsy & Sleuthkit

Autopsy can be run from the "live" CD, but you must specify an address to which you can connect remotely. You must also specify an external disk on which it can save the extracted information. Here external disk is mounted to /media/disk with an autopsy folder on it and your IP address is

sudo autopsy -d /media/disk/autopsy

Extract unallocated (deleted) blocks from a disk or disk image.

dls inputimage > outputimage

Use any data carving tool to search the output image for files.

List file and directory names in a forensic image. fls lists the files and directory names in the image and can display file names of recently deleted files for the directory using the given inode. This includes deleted files. If you have imaged your filesystem to a file named "loopfile", you can list the contents by running:

fls loopfile -r -f fat -i raw
 r/r 3: test (Volume Label Entry)
 r/r * 5: sample.docx
 r/r * 7: sample.pptx
 r/r * 9: sample.xlsx

Copy file by inode. icat opens the named image(s) and copies the file with the specified inode number to standard output.

Example: fls has shown you the inode number of some files on an image. To recover a file by using th einode number run:

icat -r -f fat -i raw loopfile 5 > sample.docx

sorter - Sort files in an image into categories based on file type. Sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type.

Example: This will sort all the files found in /dev/sdc1 and put image files in a directory named "out":

sudo sorter -h -s -i raw -f fat -d out -C /usr/share/sleuthkit/windows.sort /dev/sdc1

Here is a description of a script that will pull all files from an image using fls and icat:
# -- reconstruct lost but not overwritten FAT data

cat $1 |
while read line; do
   filetype=`echo "$line" | awk {'print $1'}`
   filenode=`echo "$line" | awk {'print $3'}`
   filename=`echo "$line" | cut -f 2`

   echo "$filename"

   if [ $filetype == "d/d" ]; then
      mkdir -p "$filename"
      icat -f fat -r -s fatImage "$filenode" > "$filename"

Another, similar script which attempts to "rebuild" the filesystem directory structure plus file content: 
for inode in $(cat /tmp/inodes) ; do
/KNOPPIX/usr/local/sleuthkit-2.09/bin/ffind /dev/hda1 $inode
if [ $? -eq 0 ]
	echo "INODE: $inode"
	INODEDIR=`/KNOPPIX/usr/local/sleuthkit-2.09/bin/ffind /dev/hda1 $inode`
	REALDIR=/mnt/out`dirname "$INODEDIR"`
	mkdir -p "$REALDIR"
	/KNOPPIX/usr/local/sleuthkit-2.09/bin/icat /dev/hda1 $inode > "$FILENAME"
	if [ `du "$FILENAME" | awk '{print $1}'` == 1 ]
		rm "$FILENAME"
		mkdir -p "$FILENAME"
	echo ""


  • DD is not a command you want to use unless you have no other choice. Unlike for deleting a partition or just files, dd can and will inflict permanent unrecoverable damage. Even data recovery professionals won't be able to help you if dd manages to annihilate a great deal of data on your hard disk. This is why dd is useful for truly wiping your disk.
  • DD is not a filesystem tool. It bypasses any and all filesystems and their drivers for raw low-level usage of your hard disk. That means when its told to write to your hard disk, it really, truly means it, and will do so completely ignoring the boundaries of whatever filesystem present. Indeed, dd can actually perform writes across filesystems in one usage if you do /dev/sda as a target instead of, say, /dev/sda2.
  • If you hard disk is zeroed out (dd if=/dev/zero of=/dev/sda) by dd, the there's nothing you can do.
  • Backup Entire Harddisk
dd if=/dev/sda of=/dev/sdb
  • Copy everything using synchronized I/O
dd if=/dev/sda of=/dev/sdb conv=noerror,sync
  • Create an Image of a Hard Disk
dd if=/dev/hda of=~/hdadisk.img
  • Restore using Hard Disk Image
dd if=hdadisk.img of=/dev/hdb
  • Backup a Partition
dd if=/dev/hda1 of=~/partition1.img
  • CDROM Backup
dd if=/dev/cdrom of=tgsservice.iso bs=2048
  • Create ISO from USB(Bootable):
dd if=/dev/sdb of=~/usb-disk.iso
Do not use sdb1 instead of sdb otherwise image will not be bootable.
  • Use DD and NetCat to create an image and save it on another hard disk

Destination Machine:

netcat -l -p 4444 | dd of=remote-machine.img

Source Machine

dd if=/dev/sda1 | netcat destination-machine-ip 4444

Push CTRL+C to cancel out after this is completed, as the netcat session will still be active

  • DD Progress
dd if=/dev/sda1 of=my-dd.img

find the process number of dd

ps -ef | grep dd

run command to find the status of this dd, Open another terminal session

kill -SIGUSR1 31733

looking back at dd page to find following results:

  dd if=/dev/sda1 of=my-dd.img
  12574781+40555 records in
  12601304+0 records out
  6451867648 bytes (6.5 GB) copied, 224.634 s, 28.7 MB/s
  • Data recovery from failing HD using DD Rescue
sudo apt-get install gddrescue

Connect the failed disk to your system by either plugging the drive directly or using usb enclosure. We need failing hard disk connected and unmounted.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile 
ddrescue -C --no-split /dev/hda1 imagefile logfile   ## Resume from logfile

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile 

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile 

We can now mount this image on our system and take a look at the files.

sudo mount -t ext3 -o loop disk-image.img /mnt/tmp


sudo umount /mnt


  • Recovery Process:

If /dev/sda is unreadable, get another HD with more space than on the failed disk.

sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile

Run successive passes like this:

sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile

gnuddrescue will use the log file to only read the gaps with errors. In both cases, the -r option determines the number of times gddrescue will try to read when it encounters an error (-1 = infinity).

From Forensics Wiki:

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile  

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile  

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile  

Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom

ddrescue -b 2048 /dev/cdrom cdimage logfile


  • If there space shortage while imaging the drive:

Using Gnu ddrescue with a log file, you can continue imaging to another drive and then span the images. In this example, you have imaged some of the drive to a file on one drive, and the rest of the drive to a file on another drive. Here is how you put the pieces together:

sudo losetup /dev/loop1 /media/Drive1/image
sudo losetup /dev/loop2 /media/Drive2/image
sudo mdadm -B /dev/md0 -l linear -n 2 /dev/loop1 /dev/loop2

Your complete image file be found at /dev/md0. And then to take the array down:

sudo mdadm -S /dev/md0
sudo losetup -d /dev/loop1
sudo losetup -d /dev/loop2
  • Extract filesystem from recovered image:

Mounting partitions on the image: If you imaged the whole drive, you can mount the individual partitions on the image by using the "offset" option when mounting a loop filesystem. mmls from The Sleuth Kit can show you the partitions found within an image:

mmls file -b
  DOS Partition Table
  Offset Sector: 0
  Units are in 512-byte sectors
       Slot    Start        End          Length       Size    Description
  00:  -----   0000000000   0000000000   0000000001   0512B   Primary Table (#0)
  01:  -----   0000000001   0000000031   0000000031   0015K   Unallocated
  02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
  03:  00:00   0001646592   0002013183   0000366592   0179M   DOS FAT16 (0x06)

This shows several partitions. In this example, we want to mount the DOS partition starting at block 32. To calculate the number of bytes, multiply by 512:

# bc
bc 1.06 
32 * 512

Mount the partition:

sudo mount -o loop,offset=16384 file mnt
 (32 multiplied by 512 byte blocks = 16384)

For mounting a typical NTFS partition created by Windows use:

sudo mount -t ntfs -o r,force,loop,offset=32256 file mnt
  (63 multiplied by 512 byte blocks = 32256)
  • Cleaning up

Sort certain types of files:

sudo mkdir recovery/VID recovery/JPG
find recovery/ -name "*.avi" | xargs -i mv {} recovery/VID/
find recovery/ -name "*.mpg" | xargs -i mv {} recovery/VID/
find recovery/ -name "*.jpg" | xargs -i mv {} recovery/JPG/ 

Eliminate small photos:

sudo mkdir recovery/SMALL
find recovery/JPG/ -name "*.jpg" -size -1024k | xargs -i mv {} recovery/SMALL/ 

Rename jpegs according to exif data:

find JPG/ -name "*.jpg" | xargs -i jhead  -nf%Y%m%d-%H%M%S {}

Then, remove duplicates.

find /var/recovery/JPG/ -name "*a.jpg" | xargs -i mv {} /var/recovery/JPG/DUPS/

Copy files with matching strings:

cd recovery
mkdir ../copy/
grep -l "enter the string of text here" *.doc | xargs -i cp {} ../copy/
  • Recover Bad Sectors:
safecopy /video/folder/Vid001.avi /video/folder/n.avi
recoverdm -t 1 -i /video/Vid001.avi -o /video/Vid001.avi
  • Secure Delete:
sudo apt-get install secure-delete

This has four tools:

srm - securely delete an existing file
smem - securely delete traces of a file from ram
sfill - wipe all the space marked as empty on your hard drive
sswap - wipe all the data from you swap space.

Bad Sector

  • Check a disk partition for errors
sudo badblocks -v /dev/sdc

If bad sectors are found, proceed further. First write the location of the bad sectors into a file:

sudo badblocks /dev/sdc > ~/bad-blocks

After that, feed the file into the FSCK command to mark these bad sectors as ‘unusable’ sectors:

sudo fsck -l bad-blocks /dev/sdc

blog comments powered by Disqus