summaryrefslogblamecommitdiff
path: root/posts/2019-09-28-my-preferred-method-for-data-recovery.md
blob: d508077813b06c0f3a625582e8d24e37007e59e8 (plain) (tree)











































































































































































































                                                                               
---
permalink: "/posts/{{categories}}/{{slug}}"
title: My Preferred Method for Data Recovery
categories:
  - life
tags:
  - data
  - file
  - photo
  - recovery
  - linux
  - photorec
excerpt_separator: "\n\n\n"
published_date: "2019-09-28 20:20:05 +0000"
layout: post.liquid
is_draft: false
---
This week Amy plugged in her flash drive to discover that there were no files
on it. Weeks before there had been dozens of large cuts of footage that she
needed to edit down for work. Hours of recordings were seemingly gone. And the
most annoying part was the drive had worked perfectly on several other
occasions. Just not now that the footage was actually needed of course.
Initially it looked like everything had been wiped clean, however both Amy's
Mac and her PC thought the drive was half full. It's overall capacity was 64GB
but it showed only about 36GB free. So there still had to be data on there if
we could find the right tool to salvage it. 

Luckily this wasn't the first time I had to recover accidentally (or magically)
deleted files. I had previously done so with some success at my tech support
job, for some college friends, and for my in-laws' retired laptops. So I had a
pretty clear idea of what to expect. The only trick was finding a tool that
knew what files it was looking for. The camera that took the video clips was a
Sony and apparently they record into `m2ts` files, which are kind of a unique
format in that they only show up on Blu-Ray discs and Sony camcorders. Enter my
favorite two tools for dealing with potentially-destroyed data: `ddrescue` and
`photorec`.

## DDRescue

`ddrescue` is a godsend of a tool. If you've ever used `dd` before, forget
about it. Use `ddrescue`. You might as well `alias dd=ddrescue` because it's
that great. By default it has a plethora of additional options, displays the
progress as it works, recovers and retries in the event of I/O errors, and does
everything that good old `dd` can do. It's particularly good at protecting
partitions or disks that have been corrupted or damaged by rescuing undamaged
portions first. Oh, and have you ever had to cancel a `dd` operation? Did I
mention that `ddrescue` can pause and resume operations? It's that good. 

## PhotoRec

`photorec` is probably the best missing file recovery tool I've ever used in my
entire life. And I've used quite a few. I've never had as good results as I've
had with `photorec` with other tools like Recuva et. al. And `photorec` isn't
just for photos, it can recover documents (a la Office suite), music, images,
config files, and videos (including the very odd `m2ts` format!). The other
nice thing is `photorec` will work on just about any source. It's also free
software which makes me wonder why there are like $50 recovery tools for
Windows that look super sketchy.

## In Practice

So here's what I did to get Amy's files back. Luckily she didn't write anything
out to the drive afterward so the chances (I thought) were pretty good that I
would get *something* back. The first thing I always do is make a full image of
whatever media I'm trying to recover from. I do this for a couple of reasons.
First of all it's a backup. If something goes wrong during recovery I don't
have to worry about the original, fragile media being damaged or wiped.
Furthermore, I can work with multiple copies at a time. If it's a large image
that means multiple tools or even multiple PCs can work on it at once. It's
also just plain faster working off a disk image than a measly flash drive. So I
used `ddrescue` to make an image of Amy's drive. 

```shell
$ sudo ddrescue /dev/sdb1 amy-lexar.dd
GNU ddrescue 1.24
Press Ctrl-C to interrupt
     ipos:   54198 kB, non-trimmed:        0 B,  current rate:   7864 kB/s
     opos:   54198 kB, non-scraped:        0 B,  average rate:  18066 kB/s
non-tried:   63967 MB,  bad-sector:        0 B,    error rate:       0 B/s
  rescued:   54198 kB,   bad areas:        0,        run time:          2s
pct rescued:    0.08%, read errors:        0,  remaining time:         59m
                              time since last successful read:         n/a
Copying non-tried blocks... Pass 1 (forwards)
```

The result was a very large partition image that I could fearlessly play around
with.

```shell
$ ll amy-lexar.dd
-rw-r--r-- 1 root root 60G Sep 24 02:45 amy-lexar.dd
```

Then I could run `photorec` on the image. This brings up a TUI with all of the
listed media that I can try and recover from.

```shell
$ sudo photorec amy-lexar.dd

PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

  PhotoRec is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
>Disk amy-lexar.dd - 64 GB / 59 GiB (RO)

>[Proceed ]  [  Quit  ]

Note:
Disk capacity must be correctly detected for a successful recovery.
If a disk listed above has incorrect size, check HD jumper settings, BIOS
detection, and install the latest OS patches and disk drivers.
```

After hitting proceed `photorec` asks if you want to scan just a particular
partition or the whole disk (if you made a whole disk image). I can usually get
away with just selecting the partition I know the files are on and starting a
search.

```shell
PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk amy-lexar.dd - 64 GB / 59 GiB (RO)

     Partition                  Start        End    Size in sectors
      Unknown                  0   0  1  7783 139  4  125042656 [Whole disk]
>   P FAT32                    0   0  1  7783 139  4  125042656 [NO NAME]

>[ Search ]  [Options ]  [File Opt]  [  Quit  ]
                              Start file recovery
```

Then `photorec` asks a couple of questions about the formatting of the media.
It can usually figure them out all by itself so I just use the default options
unless it's way out in left field.

```shell
PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

   P FAT32                    0   0  1  7783 139  4  125042656 [NO NAME]

To recover lost files, PhotoRec need to know the filesystem type where the
file were stored:
 [ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other     ] FAT/NTFS/HFS+/ReiserFS/...
```

Now this menu is where I don't just go with the default path. `photorec` will
offer to search just unallocated space or the entire partition. I always go for
the whole partition here; sometimes I'll get back files that I didn't really
care about but more often than not I end up rescuing more data this way. In
this scenario searching just unallocated space found no files at all. So I told
`photorec` to search everything.

```shell
PhotoRec 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

   P FAT32                    0   0  1  7783 139  4  125042656 [NO NAME]


Please choose if all space need to be analysed:
 [   Free    ] Scan for file from FAT32 unallocated space only
>[   Whole   ] Extract files from whole partition
```

Now it'll ask where you want to save any files it finds. I threw them all into
a directory under home that I could zip up and send to Amy's Mac later.

```shell
PhotoRec 7.0, Data Recovery Utility, April 2015

Please select a destination to save the recovered files.
Do not choose to write the files to the same partition they were stored on.
Keys: Arrow keys to select another directory
      C when the destination is correct
      Q to quit
Directory /home/adam
 drwx------  1000  1000      4096 28-Sep-2019 12:10 .
 drwxr-xr-x     0     0      4096 26-Jan-2019 15:32 ..
>drwxr-xr-x  1000  1000      4096 28-Sep-2019 12:10 amy-lexar-recovery
```

And then just press `C`. `photrec` will start copying all of the files it finds
into that directory. It reports what kinds of files it found and how many it
was able to locate. I was able to recover all of Amy's lost footage this way,
past, along with some straggler files that had been on the drive at one point.
This has worked for me many times in the past, both on newer devices like flash
drives and on super old, sketchy IDE hard drives. I probably won't ever pay for
data recovery unless a drive has been physically damaged in some way. In other
words, this software works great for me and I don't foresee the need for
anything else out there. It's simple to use and is typically pretty reliable.