Data Recovery: When Your OS Deletes Itself - Part II
Posted in: Tech Support Stories, Tech Support Tips, Technology Related Stories
After crying like a baby for a few hours at the prospect of so much lost data and insufficient backups, I decided that maybe there was still hope for recovering my lost data. As I mentioned, I just recently completed a college course in information forensics. As part of this course, we learned how to use some of the more advanced forensic software tools on the market. The downside to this is that the textbook that we were instructed to buy only came with trial versions of this software. I guess that’s to be expected though; you can’t really blame a publisher for not giving away close to $15,000 in software (or more) in a book that costs $100. However, this of course left me at a bit of a disadvantage for recovering my data.
One software tool that we used was Access Data’s Forensic Toolkit (FTK). This is a great piece of software for forensic imaging and recovery; however, my trial would only allow me to analyze 5,000 files. This is a far cry from the more than 90,000 that it detected on the drive partition. Another option was Technology Pathways ProDiscover Basic. Being a basic version, this piece of software was included in its entirety and did end up helping me to recover at least part of my FAT32 partition. This still left a 15 gigabyte NTFS partition, which, upon analysis, looked to be in especially bad shape. Before I go too much further in explaining these software tools, I think it is necessary to explain a few simple ways of obtaining an image of a drive that has been corrupted or ‘erased’. This of course is one of the initial steps in the recovery process. WARNING: The following instructions are to be used ONLY if you feel comfortable with a computer and more specifically with the Linux/Unix operating system. Attempting to recover data using this method can be very effective, but it can also be detrimental in the wrong hands!
First things first, you will need some sort of Linux live CD. I prefer to use Ubuntu in most cases, though others will usually work. Once you have obtained your live CD, you can simply boot up, open a terminal and use an included tool/command called ‘dd’. The dd command will create a raw, bit-for-bit image of either a single partition or your entire drive. Once you have this image, you can do all sorts of fun things, such as importing it into your favorite forensics tool for analysis. The syntax for dd is incredibly simple to understand (unlike some Linux commands):
dd if=<input drive path here> of=<output file/path here>
For example, if you wanted to obtain an image of your entire drive, which was located at /dev/sda, and you wanted to save the image to an external drive mounted as “WindowsExt”, the command might look like this:
dd if=/dev/sda of=/media/WindowsExt/driveimagename.dd
Simple, right? As a side note, you ALWAYS want to be sure that the drive you plan on saving the output file to has more free space than the size of the drive you’re taking the image from. When obtaining your image, you will also need to determine where your various drives are located and which one is the source and which the destination. A good way to do this is to use the command ‘fdisk -l’ as root. This will show you each of your drives labeled and separated into partitions; double-check the ‘if=’ and ‘of=’ paths against that list before pressing enter, because dd will just as happily overwrite the wrong drive. Once dd begins taking an image, it will NOT report back its progress. Depending on how large the source drive/partition is, imaging can take anywhere from 1 hour to 48 hours. If the prospect of not knowing what is going on scares you, you may want to look at a similar tool called ‘dcfldd’. This is simply a more advanced version of dd which will report its progress.
Once you have your drive image, you are ready to begin the recovery process, which will be discussed in part III, so stay tuned!