author: Adam Carpenter <gitlab@53hor.net> 2019-09-28 16:20:19 -0400
committer: Adam Carpenter <gitlab@53hor.net> 2019-09-28 16:20:19 -0400
commit: 028c6c2456ae762fc60a5dd1ad622104eda6fa3d (patch)
tree: 18e17d0caa5c2f7fd5bb8725ee424b3d9e8b68c2 /posts
parent: 148599c4bc9e35ad02e4ab63ee60d428545b2647 (diff)
parent: f3aa420f1e39a6ff402429a0e13922fa64bc179f (diff)
Merge branch 'posts'
Diffstat (limited to 'posts')
-rw-r--r-- posts/2019-09-28-my-preferred-method-for-data-recovery.md 204
1 file changed, 204 insertions, 0 deletions
diff --git a/posts/2019-09-28-my-preferred-method-for-data-recovery.md b/posts/2019-09-28-my-preferred-method-for-data-recovery.md
new file mode 100644
index 0000000..d508077
--- /dev/null
+++ b/posts/2019-09-28-my-preferred-method-for-data-recovery.md
@@ -0,0 +1,204 @@
+---
+permalink: "/posts/{{categories}}/{{slug}}"
+title: My Preferred Method for Data Recovery
+categories:
+ - life
+tags:
+ - data
+ - file
+ - photo
+ - recovery
+ - linux
+ - photorec
+excerpt_separator: "\n\n\n"
+published_date: "2019-09-28 20:20:05 +0000"
+layout: post.liquid
+is_draft: false
+---
+This week Amy plugged in her flash drive to discover that there were no files
+on it. Weeks before there had been dozens of large cuts of footage that she
+needed to edit down for work. Hours of recordings were seemingly gone. And the
+most annoying part was the drive had worked perfectly on several other
+occasions. Just not now that the footage was actually needed of course.
+Initially it looked like everything had been wiped clean, however both Amy's
+Mac and her PC thought the drive was half full. It's overall capacity was 64GB
+but it showed only about 36GB free. So there still had to be data on there if
+we could find the right tool to salvage it.
+
+Luckily this wasn't the first time I had to recover accidentally (or magically)
+deleted files. I had previously done so with some success at my tech support
+job, for some college friends, and for my in-laws' retired laptops. So I had a
+pretty clear idea of what to expect. The only trick was finding a tool that
+knew what files it was looking for. The camera that took the video clips was a
+Sony and apparently they record into `m2ts` files, which are kind of a unique
+format in that they only show up on Blu-Ray discs and Sony camcorders. Enter my
+favorite two tools for dealing with potentially-destroyed data: `ddrescue` and
+`photorec`.
+
+## DDRescue
+
+`ddrescue` is a godsend of a tool. If you've ever used `dd` before, forget
+about it. Use `ddrescue`. You might as well `alias dd=ddrescue` because it's
+that great. By default it has a plethora of additional options, displays the
+progress as it works, recovers and retries in the event of I/O errors, and does
+everything that good old `dd` can do. It's particularly good at protecting
+partitions or disks that have been corrupted or damaged by rescuing undamaged
+portions first. Oh, and have you ever had to cancel a `dd` operation? Did I
+mention that `ddrescue` can pause and resume operations? It's that good.
+
+## PhotoRec
+
+`photorec` is probably the best missing file recovery tool I've ever used in my
+entire life. And I've used quite a few. I've never had as good results as I've
+had with `photorec` with other tools like Recuva et. al. And `photorec` isn't
+just for photos, it can recover documents (a la Office suite), music, images,
+config files, and videos (including the very odd `m2ts` format!). The other
+nice thing is `photorec` will work on just about any source. It's also free
+software which makes me wonder why there are like $50 recovery tools for
+Windows that look super sketchy.
+
+## In Practice
+
+So here's what I did to get Amy's files back. Luckily she didn't write anything
+out to the drive afterward so the chances (I thought) were pretty good that I
+would get *something* back. The first thing I always do is make a full image of
+whatever media I'm trying to recover from. I do this for a couple of reasons.
+First of all it's a backup. If something goes wrong during recovery I don't
+have to worry about the original, fragile media being damaged or wiped.
+Furthermore, I can work with multiple copies at a time. If it's a large image
+that means multiple tools or even multiple PCs can work on it at once. It's
+also just plain faster working off a disk image than a measly flash drive. So I
+used `ddrescue` to make an image of Amy's drive.
+
+```shell
+$ sudo ddrescue /dev/sdb1 amy-lexar.dd
+GNU ddrescue 1.24
+Press Ctrl-C to interrupt
+ ipos: 54198 kB, non-trimmed: 0 B, current rate: 7864 kB/s
+ opos: 54198 kB, non-scraped: 0 B, average rate: 18066 kB/s
+non-tried: 63967 MB, bad-sector: 0 B, error rate: 0 B/s
+ rescued: 54198 kB, bad areas: 0, run time: 2s
+pct rescued: 0.08%, read errors: 0, remaining time: 59m
+ time since last successful read: n/a
+Copying non-tried blocks... Pass 1 (forwards)
+```
+
+The result was a very large partition image that I could fearlessly play around
+with.
+
+```shell
+$ ll amy-lexar.dd
+-rw-r--r-- 1 root root 60G Sep 24 02:45 amy-lexar.dd
+```
+
+Then I could run `photorec` on the image. This brings up a TUI with all of the
+listed media that I can try and recover from.
+
+```shell
+$ sudo photorec amy-lexar.dd
+
+PhotoRec 7.0, Data Recovery Utility, April 2015
+Christophe GRENIER <grenier@cgsecurity.org>
+http://www.cgsecurity.org
+
+ PhotoRec is free software, and
+comes with ABSOLUTELY NO WARRANTY.
+
+Select a media (use Arrow keys, then press Enter):
+>Disk amy-lexar.dd - 64 GB / 59 GiB (RO)
+
+>[Proceed ] [ Quit ]
+
+Note:
+Disk capacity must be correctly detected for a successful recovery.
+If a disk listed above has incorrect size, check HD jumper settings, BIOS
+detection, and install the latest OS patches and disk drivers.
+```
+
+After hitting proceed `photorec` asks if you want to scan just a particular
+partition or the whole disk (if you made a whole disk image). I can usually get
+away with just selecting the partition I know the files are on and starting a
+search.
+
+```shell
+PhotoRec 7.0, Data Recovery Utility, April 2015
+Christophe GRENIER <grenier@cgsecurity.org>
+http://www.cgsecurity.org
+
+Disk amy-lexar.dd - 64 GB / 59 GiB (RO)
+
+ Partition Start End Size in sectors
+ Unknown 0 0 1 7783 139 4 125042656 [Whole disk]
+> P FAT32 0 0 1 7783 139 4 125042656 [NO NAME]
+
+>[ Search ] [Options ] [File Opt] [ Quit ]
+ Start file recovery
+```
+
+Then `photorec` asks a couple of questions about the formatting of the media.
+It can usually figure them out all by itself so I just use the default options
+unless it's way out in left field.
+
+```shell
+PhotoRec 7.0, Data Recovery Utility, April 2015
+Christophe GRENIER <grenier@cgsecurity.org>
+http://www.cgsecurity.org
+
+ P FAT32 0 0 1 7783 139 4 125042656 [NO NAME]
+
+To recover lost files, PhotoRec need to know the filesystem type where the
+file were stored:
+ [ ext2/ext3 ] ext2/ext3/ext4 filesystem
+>[ Other ] FAT/NTFS/HFS+/ReiserFS/...
+```
+
+Now this menu is where I don't just go with the default path. `photorec` will
+offer to search just unallocated space or the entire partition. I always go for
+the whole partition here; sometimes I'll get back files that I didn't really
+care about but more often than not I end up rescuing more data this way. In
+this scenario searching just unallocated space found no files at all. So I told
+`photorec` to search everything.
+
+```shell
+PhotoRec 7.0, Data Recovery Utility, April 2015
+Christophe GRENIER <grenier@cgsecurity.org>
+http://www.cgsecurity.org
+
+ P FAT32 0 0 1 7783 139 4 125042656 [NO NAME]
+
+
+Please choose if all space need to be analysed:
+ [ Free ] Scan for file from FAT32 unallocated space only
+>[ Whole ] Extract files from whole partition
+```
+
+Now it'll ask where you want to save any files it finds. I threw them all into
+a directory under home that I could zip up and send to Amy's Mac later.
+
+```shell
+PhotoRec 7.0, Data Recovery Utility, April 2015
+
+Please select a destination to save the recovered files.
+Do not choose to write the files to the same partition they were stored on.
+Keys: Arrow keys to select another directory
+ C when the destination is correct
+ Q to quit
+Directory /home/adam
+ drwx------ 1000 1000 4096 28-Sep-2019 12:10 .
+ drwxr-xr-x 0 0 4096 26-Jan-2019 15:32 ..
+>drwxr-xr-x 1000 1000 4096 28-Sep-2019 12:10 amy-lexar-recovery
+```
+
+And then just press `C`. `photrec` will start copying all of the files it finds
+into that directory. It reports what kinds of files it found and how many it
+was able to locate. I was able to recover all of Amy's lost footage this way,
+past, along with some straggler files that had been on the drive at one point.
+This has worked for me many times in the past, both on newer devices like flash
+drives and on super old, sketchy IDE hard drives. I probably won't ever pay for
+data recovery unless a drive has been physically damaged in some way. In other
+words, this software works great for me and I don't foresee the need for
+anything else out there. It's simple to use and is typically pretty reliable.
+
+
+
+
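Review bot: The `ddrescue` invocation in the first shell block (`sudo ddrescue /dev/sdb1 amy-lexar.dd`) omits the mapfile argument, so the pause-and-resume behaviour the DDRescue section advertises does not apply to this run; without a mapfile an interrupted copy starts over from the beginning, and the "rescue undamaged portions first" multi-pass strategy also depends on it. Suggest `sudo ddrescue /dev/sdb1 amy-lexar.dd amy-lexar.map` and a sentence in the DDRescue section saying the third argument is what makes resuming possible. For the same reason the `alias dd=ddrescue` suggestion is risky as written: the two tools take different options and argument order, so any script or muscle memory built around `dd` flags would break under the alias. Two small text issues in the closing paragraph: "photrec" should be "photorec", and "I was able to recover all of Amy's lost footage this way, past, along with some straggler files" has a stray "past," that should be dropped (the following sentence already carries "in the past").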