March 3, 2010



Data recovery tools may not be required every day, but are remembered in
desperation when sensitive data is lost. At that moment, a person would be
willing to pay any amount to recover it. The open source world has quite a few
good data recovery tools on offer, and we've given a collection of them on this
month's Linux DVD. In this article, we'll tell you how to use some of them.

Before you start using any data recovery tools, you must remember that data
recovery is a very sensitive job. If you've lost data on a hard drive, then the
most important thing to remember is not to copy or install anything on it.
You'll lose all chances of recovering the data if you do. The other good
practice in data recovery is to keep the hard drive on which the data has been
lost intact. Create an image of this hard drive, copy it to another location
and then run your data recovery tools on the image. This way, even if something
happens to the image, your original hard drive remains intact, and so do your
chances of recovering data from it.

Having said that, here are some data recovery tools and how to use them.

Scrounge-ntfs
It is a data recovery utility for NTFS file systems. It reads each block on
the hard drive and tries to retrieve the data from it. To use Scrounge-ntfs, you
need to know the start sector, end sector, cluster size (size of one block of
data on a partition) and MFT (Master File Table) offset. If you don't know these
values, just type 'scrounge-ntfs -l disk'. Once you have them, type
'scrounge-ntfs -m 6291456 -c 8 /dev/hdd 206848 566964224'. This will start
recovering data from the drive and the data will appear by default in your root
directory. However, if you want to store the data in a specific directory, then
type 'scrounge-ntfs -m 6291456 -c 8 -o /root/recover /dev/hdd 206848 566964224'.

[Figure: Scrounge-ntfs will recover all lost data from an NTFS file system and
store it in your root directory.]
[Figure: The recovered JPEG files, which are stored in your default directory.]
[Figure: Myrescue copying the files into /dev/sda2.]

Recoverjpeg
This helps you recover JPEG pictures from a file system image. It scans the
file system image and looks for JPEG structures in blocks starting at 512-byte
boundaries. This tool is used on Linux. To use this tool, you need to set
the block size. A block size of 512 (default) will recover large files, but
setting it to 1 will maximize its chance to find smaller images. To use the
tool, just type 'recoverjpeg -b 1 /dev/hdb'. It starts recovering the files
immediately. However, by default the recovered files are stored in the root
directory. You can also use Recoverjpeg to recover lost data from peripheral
devices like memory cards. It works for ext3 and ext2 file systems.

Myrescue
Myrescue tries to retrieve still readable data from your damaged hard disk. The
utility copies the device block by block and keeps a table noting whether each
block has been copied successfully. It works similarly to dd_rescue; however, it
first retrieves data from the undamaged areas by increasing the step size, and
then returns to the damaged area and tries to fix it. To use Myrescue, type
'myrescue -b 4096 -r 1 /dev/hdb1 /dev/hdb5'. Make sure there is enough space for
the output file, otherwise the message 'No Space Left on the Device' will be
shown on your screen. This tool works for ext3 and ext2 file systems.
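The two-pass strategy described above, as an added Python sketch that is not Myrescue's own code: a status table per block, a first pass that doubles its step after each read error, and a second pass over everything skipped or failed. FlakyDisk, rescue, and the sample data are hypothetical names and constructed input, and the step rule is a simplification of what the tool does.

```python
# Added illustration, not myrescue's source: two-pass block copy with a status table.
UNTRIED, COPIED, FAILED = 0, 1, -1

class FlakyDisk:
    """Constructed stand-in for a damaged device: reads of bad blocks raise EIO."""
    def __init__(self, data, block_size, bad_blocks):
        self.data, self.bs, self.bad = data, block_size, set(bad_blocks)
        self.reads = []                      # order in which blocks were requested

    def read_block(self, n):
        self.reads.append(n)
        if n in self.bad:
            raise OSError(5, "Input/output error")
        return self.data[n * self.bs:(n + 1) * self.bs]

def rescue(disk, n_blocks, block_size, retries=1):
    image = bytearray(n_blocks * block_size)  # unrecovered blocks stay zero-filled
    status = [UNTRIED] * n_blocks             # the per-block table

    def try_block(n):
        try:
            image[n * block_size:(n + 1) * block_size] = disk.read_block(n)
            status[n] = COPIED
        except OSError:
            status[n] = FAILED
        return status[n] == COPIED

    # Pass 1: sweep forward; each error doubles the step so the copy leaves the
    # damaged area quickly and secures the readable data first.
    n, step = 0, 1
    while n < n_blocks:
        step = 1 if try_block(n) else step * 2
        n += step
    # Pass 2: return to every block that was skipped or failed.
    for _ in range(retries):
        for n in range(n_blocks):
            if status[n] != COPIED:
                try_block(n)
    return bytes(image), status

# Constructed sample: 16 blocks of 4 bytes, blocks 5-7 unreadable.
SAMPLE = bytes(range(64))

def demo():
    disk = FlakyDisk(SAMPLE, 4, bad_blocks={5, 6, 7})
    image, status = rescue(disk, 16, 4)
    return image, status, disk.reads

if __name__ == "__main__":
    image, status, reads = demo()
    print("read order:", reads)
    print("status    :", status)
```

Blocks still marked FAILED in the table are zero-filled in the output, so the table should be kept alongside the image to know which regions are not real data.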

[Figure: The lost partitions that are to be recovered via Testdisk.]
[Figure: The HTML files retrieved after running Foremost. These files are
stored in the output folder in your default directory.]

Testdisk
Testdisk is one of the most popular utilities for recovering lost data.
Testdisk does a quick check of the disk structure and compares it with the
partition table for entry errors. It works with the following partition types:
FAT12, FAT16, FAT32, Linux, Linux swap (version 1 and 2), NTFS (Windows
NT/W2K/2003), BeFS (BeOS), UFS (BSD), JFS, XFS, and Netware. It is up to you to
look over the list of possible partitions found by Testdisk and to select the
ones which were being used just before the drive failed to boot or the
partitions were lost. In some cases, especially after initiating a detailed
search for lost partitions, Testdisk may show partition data which is simply
from the remnants of a partition that had been deleted and overwritten long ago.

Foremost
Foremost is a console program to recover files based on their headers,
footers, and internal data structures. This process is commonly referred to as
data carving. It can recover different file types like bitmap, avi, exe, and
many more. The tool can find images in dd dump files, RAM dumps or swap files.
Foremost tries to identify and repair those corrupt files. To use Foremost, type
'foremost -s -t all -i /dev/sda'. Foremost will start recovering files and will
create an output folder in the root directory, where all the recovered files
will be stored in a folder for their respective type. An audit.txt file is also
created, which lists all the files that are recovered using Foremost.
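The header/footer carving described for Foremost, and the block-size choice described for Recoverjpeg, shown together in an added Python sketch that is not code from either tool. carve_jpegs, fake_jpeg and build_sample are hypothetical names, and the 4 KiB image is constructed: it holds one object on a 512-byte boundary, one starting mid-block, and one header with no footer.

```python
# Added illustration, not recoverjpeg or Foremost source: header/footer carving.
SOI = b"\xff\xd8\xff"  # JPEG start-of-image marker plus lead byte of next marker
EOI = b"\xff\xd9"      # JPEG end-of-image marker

def carve_jpegs(image, block_size=512, max_size=10 * 1024 * 1024):
    """Return [(offset, data)] for JPEG candidates whose header is block-aligned.

    Simplification: the first EOI after the header ends the file. Real carvers
    also walk the JPEG segment structure, since embedded thumbnails carry
    their own EOI.
    """
    found, pos = [], 0
    while pos + len(SOI) <= len(image):
        if image[pos:pos + len(SOI)] == SOI:
            end = image.find(EOI, pos + len(SOI), pos + max_size)
            if end != -1:
                end += len(EOI)
                found.append((pos, image[pos:end]))
                # Resume at the first block boundary past the carved file.
                pos = -(-end // block_size) * block_size
                continue
            # Header with no footer: truncated or overwritten, skip it.
        pos += block_size
    return found

def fake_jpeg(payload):
    """Constructed test object: JPEG-style header and footer around filler."""
    return SOI + b"\xe0" + payload + EOI

def build_sample():
    """Constructed 4 KiB 'disk image' with three planted objects."""
    img = bytearray(4096)
    a, b = fake_jpeg(b"A" * 300), fake_jpeg(b"B" * 200)
    img[1024:1024 + len(a)] = a          # starts on a 512-byte boundary
    img[2148:2148 + len(b)] = b          # starts mid-block (2048 + 100)
    img[3584:3588] = SOI + b"\xe0"       # header whose footer is gone
    return bytes(img)

if __name__ == "__main__":
    sample = build_sample()
    for bs in (512, 1):
        print(bs, [(off, len(data)) for off, data in carve_jpegs(sample, bs)])
```

With a block size of 512 only the aligned object is found; with a block size of 1 the mid-block object is found as well, at the cost of examining every byte offset.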

Disclaimer
Data recovery is a sensitive process, and should therefore be practiced
very carefully. If you are following the processes explained in this article
to recover lost data, but are not confident of the same, then we suggest you
contact a data recovery expert. PCQuest, CyberMedia, or any of its
affiliates will not be held responsible for any loss or damage caused to
your data from the guidelines described in this article, or from any of the
tools given in our data recovery DVD.
