[ale] Fwd: Hard Drive Death Spiral -- AKA Recovery Software?

H P Ladds householdwords at gmail.com
Tue Dec 16 11:43:06 EST 2008


Thanks to all that offered help with my disk drive problem.

I have recovered all (save the Mozilla Firefox cache) of the
information of the suspect partition. Steps taken:

1. dd the partition to another drive. Result, the newly created
partition behaved exactly as the old -- unmountable
2. ddrescued the partition to another drive and ran error correction
utility. The number of errors was reduced from 8 to 1. Yet the newly
created drive behaved exactly as the old one -- unmountable.
3. Downloaded the RIP Recovery Disk and ran the TestDisk app. SUCCESS!
I saw all the files on the bad partition.
4. Used TestDisk to copy the most recent data to a new drive, and then
copied the really old stuff from some DVD backups I made previously.

Bit of weirdness -- when copying my .mozilla file (I believe this
is a cache file) the resulting files were LARGE and burned through
about 122 Gigs of space on the new drive. I suspect that the cache
files are largely compressed and TestDisk uncompresses them as it
recovered them, but is compression technology that good? Is it likely
that a series of cache files would expand to 112+ Gigs? I'm dubious,
but it's the only explanation I can come up with.

Thanks Again,
H. Preston


On Fri, Dec 12, 2008 at 4:15 PM, Greg Freemyer <greg.freemyer at gmail.com> wrote:
> Stephen,
>
> You can find it at http://ptk.dflabs.com/overview.html
>
> DFlabs is an Italian company that is writing PTK.  aiui, PTK is a web
> interface that manages "The Sleuth Kit" (TSK).
>
> TSK has been around a while, so I hope it is fairly robust, even if
> PTK is not.  (PTK may be as well, but as a new product, I'd expect
> some hiccups.)
>
> I believe all of the above is Linux only.
>
> Greg
>
> On Thu, Dec 11, 2008 at 4:29 PM, Stephen R. Blevins
> <srblevi at worldnet.att.net> wrote:
>> Greg, Kind Sir,
>>    Where can I learn about PTK.  Google is *not* my friend on this one.
>>
>>    TIA
>>
>> Stephen R. Blevins
>> srblevi at worldnet.att.net
>>
>>
>>
>> Greg Freemyer wrote:
>>> The first thing you need / want to do is make a full copy (image) of the drive.
>>>
>>> So, buy a drive that is at least 20% bigger.  (just to be sure).
>>>
>>> Format it ext2 or some other basic FS.  (Definitely not FAT).
>>>
>>> If the drive is more or less functional use dd to make the image.  If
>>> not, look into dd_rescue (or ddrescue, I forget).
>>>
>>> If it is a data drive, then all you have to do is:
>>>
>>> boot normally.  dd if=/dev/sdX of=/image_file_on_big_drive bs=4k
>>> conv=sync,noerror
>>>
>>> If it is a boot drive, then boot a linux boot disk and do the same.
>>>
>>> Once you have that working copy, you need to decide if you want to
>>> make even another copy that you keep un-modified.
>>>
>>> You can use gpart to guess / rebuild your partition table.
>>>
>>> Once you know where your partitions are and you know what filesystem
>>> type you have, you can use various recovery software to move forward.
>>>
>>> To do the recovery, we use a professional tool, so I'm not sure what
>>> low-end / free software is available to do the recovery.  (We use
>>> either Encase Forensics ($3,000) or X-Ways Forensics. ($1200))
>>>
>>> PTK is a new open source recovery tool that was released in the last few
>>> months.  It may support linux filesystems.  Not sure.
>>>
>>> HTH
>>> Greg
>>>
>>> On Thu, Dec 11, 2008 at 10:54 AM, H P Ladds <householdwords at gmail.com> wrote:
>>>
>>>> Hey All,
>>>>
>>>> I have a hard drive that appears to be dying, and I need data
>>>> recovery software. Any suggestions?
>>>>
>>>> History of problem:
>>>>
>>>> 1. Somehow the partitions on the drive got out of order -- sda6 used
>>>> sectors (4376 - 4618) and sda5 had (4619 - 19457).
>>>> 2. In an effort to correct this situation, I deleted the partitions
>>>> and recreated them using the same sectors.
>>>> 3. I was hoping to do an e2fsck to recreate the superblocks and such.
>>>> This was a bad plan, and partition sda5 is not mountable.
>>>> 4. I did not reformat the partition, so I believe the information is
>>>> still there.
>>>> 5. I guess what I need to do is reformat the drive without destroying
>>>> the data on the disk, which is mostly impossible -- right?
>>>>
>>>> Yes, I do have the info backed up on DVDs, but this seems to be a good
>>>> opportunity to develop some data recovery skills, and maybe I can see
>>>> what's on that disk I've had in the freezer for about two years.
>>>>
>>>> H. Preston
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
>
>
> --
> Greg Freemyer
> Litigation Triage Solutions Specialist
> http://www.linkedin.com/in/gregfreemyer
> First 99 Days Litigation White Paper -
> http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf
>
> The Norcross Group
> The Intersection of Evidence & Technology
> http://www.norcrossgroup.com
>
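The thread's advice is to image the drive first and then work out where the partitions are before running recovery tools. As an added example (not code from any poster in this thread, and not taken from gpart or TestDisk), the sketch below shows a simplified form of that search for ext2/3/4: it walks a raw image sector by sector looking for superblocks and keeps only those from block group 0, since backup superblocks carry the same magic but do not mark a partition start. The function names and the in-memory sample image are assumptions made for the example; the field offsets are the standard ext2 superblock layout.

```python
import io
import struct

SECTOR = 512
SB_OFFSET = 1024      # primary superblock sits 1024 bytes into the filesystem
EXT_MAGIC = 0xEF53    # s_magic, shared by ext2/ext3/ext4


def parse_superblock(sb):
    """Return sanity-checked fields, or None if sb is not a plausible superblock."""
    blocks, = struct.unpack_from("<I", sb, 4)      # s_blocks_count
    log_bs, = struct.unpack_from("<I", sb, 24)     # s_log_block_size
    per_group, = struct.unpack_from("<I", sb, 32)  # s_blocks_per_group
    magic, = struct.unpack_from("<H", sb, 56)      # s_magic
    group, = struct.unpack_from("<H", sb, 90)      # s_block_group_nr
    if magic != EXT_MAGIC or log_bs > 6 or blocks == 0 or per_group == 0:
        return None
    return {"block_size": 1024 << log_bs, "blocks": blocks, "group": group}


def find_ext_partitions(image):
    """Scan a raw image (binary file object); return [(start_sector, size_bytes)]."""
    found, offset = [], 0
    while True:
        image.seek(offset)
        sb = image.read(92)
        if len(sb) < 92:
            return found
        info = parse_superblock(sb)
        # Group 0 means primary superblock; backups in later groups are skipped.
        if info and info["group"] == 0 and offset >= SB_OFFSET:
            start = offset - SB_OFFSET
            found.append((start // SECTOR, info["blocks"] * info["block_size"]))
        offset += SECTOR


def build_sample_image():
    """Constructed test data, not a real disk: three superblock-like records."""
    img = bytearray(4096 * SECTOR)
    for sector_no, log_bs, group in ((65, 0, 0),      # primary; fs starts at sector 63
                                     (2000, 0, 1),    # backup copy from block group 1
                                     (3000, 40, 0)):  # stray magic, impossible block size
        base = sector_no * SECTOR
        struct.pack_into("<I", img, base + 4, 1024)   # s_blocks_count
        struct.pack_into("<I", img, base + 24, log_bs)
        struct.pack_into("<I", img, base + 32, 8192)  # s_blocks_per_group
        struct.pack_into("<H", img, base + 56, EXT_MAGIC)
        struct.pack_into("<H", img, base + 90, group)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    print(find_ext_partitions(build_sample_image()))
```

Run against a real image file opened with `open(path, "rb")`, always the copy and never the failing drive itself; a reported start sector can then be compared with what the partition table claims.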

