Topic: File Recovery, Mandrake 10.x

This is a machine I built for my sister, IBM 966MHz/512 MB of RAM. It's only used for web/email/music, so it's quite adequate for that. They had been having power outages in a recent series of storms, and reported problems booting. I got the machine; there appear to be filesystem errors.

I decided to clone the drive FIRST; failing hardware can be risky to work on. I added a hard drive to the machine, booted to a live CD, and tried my regular use of dd (which is on the current S-T-D disc), but it had read errors, which kills dd.

On a very, very pre-pre version of what perhaps may be the basis of the next S-T-D version, I used dd_rescue. This was not present on a Knoppix 5.01 disc, but I thought it had been on earlier ones. dd_rescue does not abort on read errors like dd does.

The syntax is a little different. Instead of dd's:

dd if=/dev/hd(drive to copy from) of=/dev/hd(drive to copy to)

the basic syntax is now:

dd_rescue /dev/hd(drive to copy from) /dev/hd(drive to copy to)

The normal dd command does not have a -v switch, so when you run it, you just see a blank screen until it is done, when it reports how many records were transferred. If you can locate a spot on the HD that has physical damage, dd_rescue can read the HD backwards up to the damaged location, if that would help.

dd_rescue has a -v switch, and it gives you a very current view of what is happening, with transfer rate display, load indicator and much more. After searching for a while and RTFManpage, I found a good combination of parameters which will increase the buffer size, write a log, and overall speed things up.

dd_rescue -B 1b -b 2M -A -v -l /var/dd_rescue.log /dev/hd(drive to copy from) /dev/hd(drive to copy to)

Now I can work on the problem without risking any of the /home contents. The file /var/dd_rescue.log needs to be read before rebooting, of course, because it currently exists only in the ramdisk.

This should work on any filesystem there is at all, because it is a bit-for-bit disk copy. Hope this helps!

Last edited by Picoshark (06-08-2006 03:19:14)
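What the dd_rescue options above actually buy you is easier to see in code than in the man page, so here is an added illustration (it is not dd_rescue's source, nor anything from the original post): a copy loop that reads in large soft blocks (-b), drops to small hard blocks (-B) only for a soft block that failed, zero-fills the sectors that still cannot be read (-A, so every good byte keeps its original offset in the image), and keeps a log of the unreadable ranges (-l). The failing drive is replaced by a constructed FlakySource with an invented set of bad sectors, so the script runs offline. For comparison, plain GNU dd can be told to keep going with conv=noerror,sync, but it pads at the single block size you gave it and writes no list of what was lost, which is the part you need afterwards to know which files are damaged.

```python
"""Error-tolerant block copy modelled on dd_rescue's soft/hard block fallback.

Added example, not dd_rescue's own code.  FlakySource stands in for a dying
drive: any read that touches one of its (invented) bad sectors raises OSError,
which is the behaviour that makes plain dd give up.
"""
from dataclasses import dataclass, field

SECTOR = 512  # size of one hard block; dd_rescue's "-B 1b" is the same 512 bytes


class FlakySource:
    """Constructed stand-in for /dev/hdX: data plus a set of unreadable sectors."""

    def __init__(self, data: bytes, bad_sectors: set[int]):
        self.data = data
        self.bad = bad_sectors

    def __len__(self) -> int:
        return len(self.data)

    def read(self, offset: int, length: int) -> bytes:
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(f"I/O error reading {length} bytes at offset {offset}")
        return self.data[offset:offset + length]


@dataclass
class RescueResult:
    image: bytearray                      # what would go to the target drive / image file
    bad_ranges: list = field(default_factory=list)   # (offset, length) of unreadable hard blocks
    log: list = field(default_factory=list)          # the equivalent of -l logfile

    def bad_bytes(self) -> int:
        return sum(n for _, n in self.bad_ranges)


def rescue_copy(src: FlakySource, softbs: int = 2 * 1024 * 1024,
                hardbs: int = SECTOR) -> RescueResult:
    """Copy src the way `dd_rescue -b softbs -B hardbs -A -l log` does.

    Large soft-block reads keep the copy fast over the healthy parts of the
    disk.  When one fails, only that soft block is re-read one hard block at a
    time, so just the truly unreadable sectors are lost; those are written as
    zeros (-A) so the rest of the image stays at its original offsets.
    """
    if hardbs > softbs or softbs % hardbs:
        raise ValueError("hard block size must divide the soft block size")
    total = len(src)
    res = RescueResult(image=bytearray(total))
    pos = 0
    while pos < total:
        n = min(softbs, total - pos)
        try:
            res.image[pos:pos + n] = src.read(pos, n)
        except OSError:
            res.log.append(f"soft block at {pos}: read error, retrying with hardbs={hardbs}")
            for off in range(pos, pos + n, hardbs):      # fallback: one hard block at a time
                m = min(hardbs, pos + n - off)
                try:
                    res.image[off:off + m] = src.read(off, m)
                except OSError:
                    res.bad_ranges.append((off, m))
                    res.image[off:off + m] = bytes(m)   # -A: zero-fill, keep offsets
                    res.log.append(f"hard block at {off}: unreadable, zero-filled")
        pos += n
    return res


def merge_ranges(ranges):
    """Coalesce adjacent bad hard blocks into contiguous (offset, length) runs.

    This is the list you carry to the next step: once the image is fsck'd and
    loop-mounted, these offsets tell you which files actually contain holes.
    """
    merged = []
    for off, n in sorted(ranges):
        if merged and merged[-1][0] + merged[-1][1] == off:
            merged[-1] = (merged[-1][0], merged[-1][1] + n)
        else:
            merged.append((off, n))
    return merged


if __name__ == "__main__":
    # Constructed 40 KiB "disk" with three bad sectors; block sizes are small
    # so the fallback path is exercised several times.
    disk = FlakySource(bytes(range(256)) * 160, bad_sectors={10, 11, 37})
    result = rescue_copy(disk, softbs=4096, hardbs=512)
    print("\n".join(result.log))
    print("unreadable:", merge_ranges(result.bad_ranges), "=", result.bad_bytes(), "bytes")
```

Against a real device the same loop is what `dd_rescue -B 1b -b 2M -A -v -l /var/dd_rescue.log /dev/hdX /dev/hdY` performs; the point of the simulation is to show why -B should be small (less data lost per bad spot) and -b large (fast over the healthy majority), and why you want that log copied off the live CD's ramdisk before you reboot.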

Re: File Recovery, Mandrake 10.x

Yes, dd_rescue is an excellent tool for file recovery as it is an error-tolerant version of dd. I had made mention of it in this thread and also feel it should be included in the new release of S-T-D.

Knoppix Cheat Codes
Registered Linux user# 366379

Re: File Recovery, Mandrake 10.x

I saw your thread, Kilroy, good stuff! Anyone doing true data forensics for legal work needs to be sure to boot with the KNOPPIX NOSWAP option. If you even touch an existing swap file by letting it 'just boot', that can get it thrown out of court. There exist several forensics toolkits; the bulk of many of them are just based on booting with NOSWAP, mounting the drives read-only, and making a clone of the original drive to work on. Finding the kiddie-pr0n, docs or whatever is fairly easy from there unless they are encrypted.

I haven't done any data forensics for a crime; all mine are usually just fixing/rescuing data from hardware errors or idiots. The idiots usually outnumber the hardware failures...

Re: File Recovery, Mandrake 10.x

Picoshark wrote:

Anyone doing true data forensics for legal work needs to be sure to boot with the KNOPPIX NOSWAP option. If you even touch an existing swap file by letting it 'just boot', that can get it thrown out of court. There exist several forensics toolkits; the bulk of many of them are just based on booting with NOSWAP, mounting the drives read-only,

Be very careful about trying to use Knoppix-S-T-D, or any kind of Linux, for that purpose.  A few years ago I tried to do what you just described, and IT DIDN'T WORK.  I caught Linux changing data on the drive, every time I mounted a partition read-only.  Fortunately I was just testing; I didn't screw up any evidence.

I did a search and found this document which described the same problem:

KNOPPIX Bootable CD Validation Study for Live Forensic Preview of Suspects Computer
http://luge.cc.emory.edu/KNOPPIXValidation.pdf
http://www.linux-forensics.com/KNOPPIXValidation.pdf
http://www.linux-forensics.com/forensic … dation.pdf

The document doesn't seem to be available at those URLs right now, but you can get it from Google's cache or the Internet Archive.

Last edited by mnc (14-08-2006 10:33:08)

Re: File Recovery, Mandrake 10.x

If anyone finds them, post the URLs and I will mirror them here, as this is SO important.

Thanks for the info

Re: File Recovery, Mandrake 10.x

Found an excellent list of forensic tools here. A lot of those look very interesting, especially tcpxtract. Not really a forensic tool, but what it does is extract and save files out of network traffic. I'm going to go try it now :)

Last edited by Kilroy (08-08-2006 14:54:41)

Knoppix Cheat Codes
Registered Linux user# 366379

Re: File Recovery, Mandrake 10.x

Thanks for the tip, mnc, we'll keep that in mind. dd and dd_rescue work on unmounted drives, so you should be fine, and can safely clone a drive from a live Linux disc.

http://www.garloff.de/kurt/linux/ddrescue/

Last edited by Picoshark (08-08-2006 18:02:02)

Re: File Recovery, Mandrake 10.x

Probably it was a kernel or driver or filesystem bug that has already been fixed.  But this kind of bug makes me very cautious, even a long time after the bug has been fixed, because the same kind of carelessness that could allow this bug to happen once, could allow it to happen again.

fat wrote:

If anyone finds them, post the URLs and I will mirror them here, as this is SO important.

And if anyone finds evidence about exactly when the bug was fixed (like a changelog entry by the person who fixed it) then please post that.

Re: File Recovery, Mandrake 10.x

I just learned about a script that will work with dd_rescue in supposedly the most efficient way. I have also been using dd_rescue on a device level only, which makes me need to (temporarily, at least) dedicate a whole drive of the same size or larger. You can direct it to an image.

The script is dd_rhelp, located at http://www.kalysto.org/utilities/dd_rhelp/index.en.html
It will save a lot of time in the potentially long recovery process. If the drive is actively failing, this can be the difference between getting information and not.

It's well explained on the dd_rhelp site, but an example run would be like this:

# dd_rhelp /dev/hda1 /mnt/hdb1/hda1_rescue.img

Then run fsck on the image you have created, mount it loopback (mount -o loop /mnt/hdb1/hda1_rescue.img /mnt/hda1, or whatever is appropriate) and then browse through it and recover the files you need.

Re: File Recovery, Mandrake 10.x

Nice, thank you.

Re: File Recovery, Mandrake 10.x

I use MultiStage Recovery each time I need to recover data. This data recovery tool is quite powerful, reliable and isn't expensive.
So I recommend it if you need an easy-to-use data recovery tool.