[ale] what would you use to recover files from a reformatted ext3/4 drive?

Greg Freemyer greg.freemyer at gmail.com
Thu Feb 3 10:55:45 EST 2011 

Wolf,

First get yourself a external drive and get a dd copy of that partition.

ie. With the partition unmounted:

dd if=/dev/sda1 of=/mnt/my_copy.dd bs=4K conv=noerror,sync

With USB2, you should get about 1GB / min transfer speed.  Maybe as
fast as 100 GB/hr.

If you want to bring the copy by my office, I can try to recover your
data with X-Ways.  It supports ext3 and ext4 file recovery in theory
and works with dd images like above, but I have little experience
recovering from ext3/4.  We mostly do NTFS/Fat.  For those it is
really good and I have recovered huge numbers of files post
formatting.

I can also try EnCase, if X-Ways fails.  With NTFS, I have high
confidence in both.  With ext3, I have no idea.

We're in Norcross.  Email me off-list if you want to pursue this.
Greg.Freemyer at NorcrossGroup.com.

Or you can buy a copy ($1K for X-Ways, $3K for EnCase), but it takes a
week or so to get the license dongle(s).  And they're both Windows
software.  I don't know if either do trial software or not.

Greg



On Thu, Feb 3, 2011 at 10:06 AM, Wolf Halton <wolf at wolfhalton.info> wrote:
> I managed to accidentally lose the content of the  /home folder when
> updating Ubuntu 10.4.
> Something about starting a project like this at 3:00 am...  I set the
> partition not to be reformatted, but had forgotten it was ext3, so when
> I was pointing the mount to /home, I also set the file system to ext4.
> I am prepared to just suck it up and move on, but if there is a chance
> of recovering the data, I would like to try (before the users over-write
> too much). Any ideas?
>
> Wolf
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
CNN/TruTV Aired Forensic Imaging Demo -
   http://insession.blogs.cnn.com/2010/03/23/how-computer-evidence-gets-retrieved/

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com

More information about the Ale mailing list