We are still actively working on the spam issue.

Difference between revisions of "Data recovery"

From InstallGentoo Wiki
Jump to: navigation, search
m (Hurr durr moved page Data recovery on wheels to Data recovery over redirect)
(wanted to add ddrescue/context for use. It is referenced already further down however i wanted to illustrate its importance given that it should be used before any other tool when a drive is in a failing state with bad sectors.)
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Cleanup | Additional drive recovery processes are required. A cleanup of the existing one would be beneficial too.}}
 
 
 
== What is Data Recovery? ==
 
 
 
Data recovery, is the method or process of recovering your data. It is usually done after drive failure, accidental deletion of data, or by the police when recovering suspect's data from a computer.
 
Data recovery, is the method or process of recovering your data. It is usually done after drive failure, accidental deletion of data, or by the police when recovering suspect's data from a computer.
  
 
== Data Recovery Tools ==
 
== Data Recovery Tools ==
  
*[http://extundelete.sourceforge.net/ extundelete] - When using the extended filesystem on *nix, this should be what you try before spending hours waiting for testdisk/photorec to crawl over the partition or image. Just remount as ro, supports recovery of specific, whole directories and filenames.
+
*[http://extundelete.sourceforge.net/ extundelete] - When using the extended filesystem (ext3, ext4) on *nix, this should be what you try before spending hours waiting for testdisk/photorec to crawl over the partition or image. Just remount as read only. Supports recovery of specific, whole directories and filenames.
*[http://www.cgsecurity.org/wiki/TestDisk TestDisk]
+
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec] - Ignores the filesystem completely meaning that it can fish out files from almost any file system - even if severely damaged. It recognises most common filetypes and does it's best to recover them. It won't however recover filenames or directories and it will recover everything it finds. There fore you may end up manually fishing out files you actually wanted. Great for recovering memorycards.
*[http://www.cgsecurity.org/wiki/PhotoRec PhotoRec]
+
*[http://www.cgsecurity.org/wiki/TestDisk TestDisk] - Comes with PhotoRec. Recovers lost and damaged partitions.
*[https://www.piriform.com/recuva/ Recuva]
+
*[https://www.piriform.com/recuva/ Recuva] - Proprietary
 
+
*[https://en.m.wikipedia.org/wiki/Ddrescue ddrescue] - Block-level cloning utility. Essential when attempting to recover data from failing hard drives with bad sectors. Will skip bad sectors and return to them once all readable blocks have been copied. Once finished cloning to a good drive, other recovery tools can be used.
Note: TestDisk and PhotoRec come as a package, TestDisk is used to "help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table)."[http://www.cgsecurity.org/wiki/TestDisk] Whereas PhotoRec is for recovering data, therefore depending on your needs either one may be appropriate.
+
'''Note''': TestDisk and PhotoRec come as a package, TestDisk is used to "help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table)."[http://www.cgsecurity.org/wiki/TestDisk] Whereas PhotoRec is for recovering data, therefore depending on your needs either one may be appropriate.
  
 
== First steps in recovering data ==
 
== First steps in recovering data ==
  
*<strong>DO NOT WRITE TO THE DRIVE</strong>
+
*'''DO NOT WRITE TO THE DRIVE'''
 
** Doing so may overwrite the information that you wish to recover
 
** Doing so may overwrite the information that you wish to recover
 
+
** Browsing the internet, executing commands and installing software often write to disk so avoid these.
 +
** You may want to cut the power to your computer to be extra sure
 +
*** And no, don't do it the clean way. Just hold down the powerbutton for 5 to 10 seconds.
 
*Follow the process detailed below
 
*Follow the process detailed below
*Next time, <strong>keep an up-to-date backup</strong>
+
*Next time, ''''keep an up-to-date [[backups|backup]]'''
 
 
== An example of a drive recovery process==
 
 
 
 
 
Here's what you have to do to save your data, if the hard drive still mounts.
 
 
 
You can tell that your hard drive is failing if it causes your computer to hang in the [[BIOS]] when connected, if it has a "Current Pending Sector Count" > 0 in the SMART info, or if it's making unusual noises.
 
  
First, get another hard drive large enough to image the failing one onto.
+
==Recovering deleted files==
  
Connect the failing hard drive to an internal SATA port on your computer, if it's in a USB enclosure open it up and remove the drive.  
+
* [http://www.cgsecurity.org/wiki/PhotoRec Instructions for PhotoRec]
  
Next, boot from a [[GNU/Linux]] LiveCD and use an imaging program that doesn't retry I/O errors endlessly. Mount the failing drive Read-Only first. Use [http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue] or an equivalent so that it doesn't get stuck forever rereading one sector when it encounters read errors.
+
==Recovering a failing drive==
  
Finally, if you are able to mount the disk image, do that. If not able to mount the copy, try Testdisk and Photorec or Recuva to recover data from the image. Recover the saved data to yet another separate partition.
+
You can tell that your hard drive is failing if it causes your computer to hang in the [[BIOS]] when connected, if it has a "Current Pending Sector Count" > 0 in the SMART info, or if it's making unusual noises. Here's what you have to do to save your data, if the hard drive still mounts.  
  
If you had to use PhotoRec, you will probably want to disable recovery of plain text files unless there's something in that format you want to save since it produces a massive amount of tiny text files from most hard drives. Stick to photos and Office documents for most people. Fragmented files will probably be unrecoverable.
+
# First, get another hard drive large enough to image the failing one onto.
 +
# Connect the failing hard drive to an internal SATA port on your computer, if it's in a USB enclosure open it up and remove the drive.
 +
# Next, boot from a [[GNU/Linux]] LiveCD and mount the failing drive Read-Only.
 +
# Use an imaging program such as [http://www.garloff.de/kurt/linux/ddrescue/ dd_rescue] or an equivalent so that it doesn't get stuck forever rereading one sector when it encounters read errors.
 +
# Finally, if you are able to mount the disk image, do that. If you are not able to mount the copy, try Testdisk and Photorec or Recuva to recover data from the image. Recover the saved data to yet another separate partition.
 +
#* If you had to use PhotoRec, you will probably want to disable recovery of plain text files unless there's something in that format you want to save since it produces a massive amount of tiny text files from most hard drives. Stick to photos and Office documents for most people. Fragmented files will probably be unrecoverable.
  
== External Links ==
+
== Android ==
  
[http://www.forensicswiki.org/wiki/Main_Page Forensics Wiki]
+
[[dd]] can be used on Android devices to image their storage partitions. No [[Passwords | password]] is required unless the storage is encrypted. The device must either have USB Debugging enabled, or be flashed with a custom bootloader (which, when booted into, has USB Debugging enabled). You will also need an external storage card with enough capacity to take the dd image. Use Android Debug Bridge (adb) from the android-sdk to connect to the device. From there you can mount the external storage card and use dd to image the required partitions.
  
 
[[Category:Recommendations]]
 
[[Category:Recommendations]]
 
[[Category:HowTo]]
 
[[Category:HowTo]]

Latest revision as of 10:08, 23 February 2021

Data recovery, is the method or process of recovering your data. It is usually done after drive failure, accidental deletion of data, or by the police when recovering suspect's data from a computer.

Data Recovery Tools

  • extundelete - When using the extended filesystem (ext3, ext4) on *nix, this should be what you try before spending hours waiting for testdisk/photorec to crawl over the partition or image. Just remount as read only. Supports recovery of specific, whole directories and filenames.
  • PhotoRec - Ignores the filesystem completely meaning that it can fish out files from almost any file system - even if severely damaged. It recognises most common filetypes and does it's best to recover them. It won't however recover filenames or directories and it will recover everything it finds. There fore you may end up manually fishing out files you actually wanted. Great for recovering memorycards.
  • TestDisk - Comes with PhotoRec. Recovers lost and damaged partitions.
  • Recuva - Proprietary
  • ddrescue - Block-level cloning utility. Essential when attempting to recover data from failing hard drives with bad sectors. Will skip bad sectors and return to them once all readable blocks have been copied. Once finished cloning to a good drive, other recovery tools can be used.

Note: TestDisk and PhotoRec come as a package, TestDisk is used to "help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table)."[1] Whereas PhotoRec is for recovering data, therefore depending on your needs either one may be appropriate.

First steps in recovering data

  • DO NOT WRITE TO THE DRIVE
    • Doing so may overwrite the information that you wish to recover
    • Browsing the internet, executing commands and installing software often write to disk so avoid these.
    • You may want to cut the power to your computer to be extra sure
      • And no, don't do it the clean way. Just hold down the powerbutton for 5 to 10 seconds.
  • Follow the process detailed below
  • Next time, 'keep an up-to-date backup

Recovering deleted files

Recovering a failing drive

You can tell that your hard drive is failing if it causes your computer to hang in the BIOS when connected, if it has a "Current Pending Sector Count" > 0 in the SMART info, or if it's making unusual noises. Here's what you have to do to save your data, if the hard drive still mounts.

  1. First, get another hard drive large enough to image the failing one onto.
  2. Connect the failing hard drive to an internal SATA port on your computer, if it's in a USB enclosure open it up and remove the drive.
  3. Next, boot from a GNU/Linux LiveCD and mount the failing drive Read-Only.
  4. Use an imaging program such as dd_rescue or an equivalent so that it doesn't get stuck forever rereading one sector when it encounters read errors.
  5. Finally, if you are able to mount the disk image, do that. If you are not able to mount the copy, try Testdisk and Photorec or Recuva to recover data from the image. Recover the saved data to yet another separate partition.
    • If you had to use PhotoRec, you will probably want to disable recovery of plain text files unless there's something in that format you want to save since it produces a massive amount of tiny text files from most hard drives. Stick to photos and Office documents for most people. Fragmented files will probably be unrecoverable.

Android

dd can be used on Android devices to image their storage partitions. No password is required unless the storage is encrypted. The device must either have USB Debugging enabled, or be flashed with a custom bootloader (which, when booted into, has USB Debugging enabled). You will also need an external storage card with enough capacity to take the dd image. Use Android Debug Bridge (adb) from the android-sdk to connect to the device. From there you can mount the external storage card and use dd to image the required partitions.