Advertisment

Tools to Recover Lost Data

author-image
PCQ Bureau
New Update

Data recovery tools may not be required everyday, but are remembered in

desperation when sensitive data is lost. At that moment, a person would be

willing to pay any amount to recover it. The open source world has quite a few

good data recovery tools on offer, and we've given a collection of them on this

month's Linux DVD. In this article, we'll tell you how to use some of them.

Before you start using any data recovery tools, you must remember that data

recovery is a very sensitive job. If you've lost data on a hard drive, then the

most important thing to remember is not to copy or install anything on it.

You'll loose all chances of recovering the data if you do. The other good

practice in data recovery is to keep the hard drive on which the data has been

lost as intact. Create an image of this hard drive, copy it to another location

and then run your data recovery tools on it. This way, even if something happens

to the image, your original hard drive remains intact, and so do your chances of

recovering data from it.

Advertisment

Having said that, here are some data recovery tools and how to use them.

Scrounge-ntfs



It is a data recovery utility for NTFS file systems. It reads each block on

the hard drive and tries to retrieve the data from it. To use Scrounge-ntfs, you

need to know start sector, end sector, cluster size (size of one block of data

on a partition) and MFT ( Master File Table). If you don't know the data, just

type 'scrounge-ntfs -l disk'. After getting the data, type 'scrounge-ntfs -m

6291456 -c 8 /dev/hdd 206848 566964224'. This will start recovering data from

the drive and the data will appear by default in your root directory. However if

you want to store the data in a specific directory then type 'scrounge-ntfs -m

6291456 -c 8 -o /root/recover /dev/hdd 206848 566964224'.

Scrounge-ntfs will recover all lost data from a NTFS file

system and store them in your root directory.
Advertisment
The recovered jpeg files which are stored into your default

directory.
This shows Myrescue copying the files into /dev/sda2.

Recoverjpeg



This helps you recover JPEG pictures from a file system image. It scans the

file system image and looks for JPEG structures at blocks starting from 512

bytes boundaries. This tool is used on Linux. To use this tool, you need to set

the block size. A block size of 512 (default) will recover large files, but

setting it to 1 will maximize its chance to find smaller images. For using the

tool, just type 'recoverjpeg -b 1 /dev/hdb'. It at once starts recovering the

files. However, by default the recovered filed are stored on the root directory.

You can also use Recoverjpeg to recover lost data from peripheral devices like

memory card . It works for ext3,and ext2 systems.

Advertisment

Myrescue



Myrescue tries to retrieve still readable data on your damaged hard disk. The
utility tries to copy device block wise and keeps a table noting that if copying

has been accomplished successfully. It works similar to dd_rescue, however it

first retrieves data from undamaged area by increasing the step size and then

returns to damaged area and tries to fix it. To use Myrescue, type 'myrescue

-b 4096 -r 1 /dev/hdb1 /dev/hdb5'. Make sure you have enough space on your

output file, otherwise the message 'No Space Left on the Device' will be shown

on your screen. This tool works for ext3, ext2 systems.

the image lists the lost partitions that are to be

recovered via testdisk
The HTML files retrieved after running Foremost. These

files are stored in output folder on your default directory.
Advertisment

Testdisk



Testdisk is one of the most popular utilities for recovering lost data.
Testdisk does a quick check into the disk structure and compares it with the

partition table for entry errors. It works with the following partitions: FAT12,

FAT16, FAT32, Linux, Linux swap (version 1 and 2), NTFS (Windows NT/W2K/2003),

BeFS (BeOS), UFS (BSD), JFS, XFS, and Netware. It is up to you to look over the

list of possible partitions found by TestDisk and to select the ones which were

being used just before the drive failed to boot or the partitions were lost. In

some cases, especially after initiating a detailed search for lost partitions,

TestDisk may show partition data which is simply from the remnants of a

partition that had been deleted and overwritten long ago.

Foremost



Foremost is a console program to recover files based on their headers,

footers, and internal data structures. This process is commonly referred to as

data carving. It can recover different file types like bitmap,avi,exe,and many

more. The tool find images in dd dump files, RAM dumps or swap files. Foremost

tries to identify and repair those corrupt files. To use foremost, type

'foremost -s -t all -i /dev/sda' . Foremost will start recovering files and will

create an output folder on the root directory where all the recovered files will

be stored in their respective type folder. An audit.txt file is also created

which lists all the files that are recovered using Foremost.

Disclaimer



Data recovery is a sensitive process, and should therefore be practiced

very carefully. If you are following the processes explained in this article

to recover lost data, but are not confident of the same, then we suggest you

contact a data recovery expert. PCQuest, CyberMedia, or any of its

affiliates will not be held responsible for any loss or damage caused to

your data from the guidelines described in this article, or from any of the

tools given in our data recovery DVD.

Next-Tools

to Counter a Hack Attack

Advertisment