Here are some tips and guidelines for recovering your data from a damaged hard disk.
Imagine your years of collected data (songs, movies, a multimedia collection, pictures of moments to remember, important files and documents) disappearing all of a sudden from your hard drive. The reason could be anything from a corrupt file system, a disruptive virus, carelessness or just a cosmic roll of the dice.
The data is not lost, though; it can be recovered, and there is still a chance to get your data back. With some care you can recover your lost data partially or completely. Here are some steps that can be taken to get your data back!
IT STARTS HERE
You should not write to a failed device, as it can worsen the hardware failure and, in the case of lost files, overwrite existing data. Shut off the machine that crashed as soon as you can. A LiveCD or LiveUSB can be used for recovery, and Linux is the preferred system for the data recovery process. If you are trying to get your disk data back using Windows, detach your hard drive first.
System Rescue Disc home screen has nearly all the recovery programs needed
Creating an image of the lost drive
Don't be so adventurous as to try fixing your hard drive without help from others. The hardware has not necessarily crashed; if no hardware breakdown has taken place, we can recover the data directly from the drive. It is good practice to first create an image of the device and run the recovery software on that image.
Keep in mind that if the image size is greater than 4GB you’ll not be able to use a FAT32 filesystem to store the image, since there is a 4GB limit to the maximum size of a file on the FAT32 filesystem.
In that case you should use an NTFS or Ext4 file system, which can handle such file sizes.
We’ll be using a program called GNU ddrescue, basically made for Linux systems, but also available on Windows through cygwin.
Go to bit.ly/tXPZy7 for instructions on how to install and use cygwin+ddrescue for Windows.
>> Identify the disk or partition that is giving problems using the command sudo fdisk -l.
For example, if /dev/sdb contains the data to be recovered, you will need another disk (for backing up the data there).
If it’s only a partition of that single drive, the path would look something like this: /negi/movies
The following commands illustrate how to image the partition:
sudo ddrescue -r 3 /dev/sda1 <image> <log>
sudo ddrescue -r 3 -C /dev/sda1 <image> <log>
GNU ddrescue uses the log file to read only the gaps and the errors. In both cases, the -r option determines the number of times gddrescue will try to read when it encounters an error (-1 = infinity).
Another way to do this is to copy as much data as possible, without retrying or splitting sectors:
Following this, let it retry previous errors three times, using uncached reads:
sudo ddrescue --direct --max-retries=3 /dev/hda1 <image> <log>
If that fails, you can try again but re-trimmed, so it tries to reread full sectors:
sudo ddrescue --direct --retrim --max-retries=3 /dev/hda1 <image> <log>
This second method does not help if hardware failure is not the cause; in that case there is no need for these passes, and you can recover the data easily with other apps.
** Note: In case your media is corrupted and may contain hardware defects, try making images by both methods and run recovery on both images.
The data recovered may not be mutually exclusive, but this will surely increase the total number of files that are recovered.
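As an added example (not from the original post or from the ddrescue project), this Python script reads the log that ddrescue keeps between runs and reports how many bytes are rescued, bad or still untried, which tells you which of the passes above is worth running next. The log contents and the wording returned by next_step are constructed for illustration.

```python
# Added example: summarise a GNU ddrescue log to decide on the next pass.
# SAMPLE_LOG is constructed for illustration; it is not output from a real run.
SAMPLE_LOG = """\
# Rescue Logfile. Created by GNU ddrescue
# current_pos  current_status
0x00500000     ?
#      pos        size  status
0x00000000  0x00400000  +
0x00400000  0x00010000  -
0x00410000  0x000E0000  /
0x004F0000  0x00010000  *
0x00500000  0x00300000  ?
"""

# Status characters ddrescue writes for each block of the device.
STATUS = {"+": "rescued", "-": "bad-sector", "/": "non-scraped",
          "*": "non-trimmed", "?": "non-tried"}

def summarise(log_text):
    """Return bytes per status, checking that the blocks are contiguous."""
    rows = [line.split() for line in log_text.splitlines()
            if line.strip() and not line.startswith("#")]
    totals = dict.fromkeys(STATUS.values(), 0)
    expected_pos = None
    for pos, size, status in (r[:3] for r in rows[1:]):  # rows[0] = current position
        pos, size = int(pos, 0), int(size, 0)  # accepts hex or decimal
        if expected_pos is not None and pos != expected_pos:
            raise ValueError(f"gap or overlap in log at {pos:#x}")
        totals[STATUS[status]] += size
        expected_pos = pos + size
    return totals

def next_step(totals):
    """Map what is left in the log to the passes described in the text."""
    if totals["non-tried"]:
        return "first pass unfinished: rerun with the same image and log"
    if totals["non-trimmed"] or totals["non-scraped"] or totals["bad-sector"]:
        return "errors remain: run the retry pass (--direct --max-retries=3)"
    return "image complete: run the recovery tools on the image"

if __name__ == "__main__":
    t = summarise(SAMPLE_LOG)
    print(t, next_step(t), sep="\n")
```

Run it against the real log file by passing its contents to summarise(); a ValueError means the log itself is damaged and should not be trusted for resuming.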
Here are some tools that can help in this big task!
>>Foremost
Foremost is a command-line tool which can recover files from a number of filesystems, including FAT, Ext4 and NTFS.
This tool works only in Linux.
Foremost can recover files from various sources, among them:
from an image of the drive,
from the drive directly.
Consider the situation where an external hard disk at /dev/sdb1 needs to be recovered.
To recover the files, use the following commands:
mkdir ~/recovery
sudo foremost -i /dev/sdb1 -o ~/recovery/
To run Foremost on an image, substitute the filename for the device:
sudo foremost -i <image> -o ~/recovery/
The recovered files will then be owned by root. Change their ownership so that you can use them:
sudo chown -R youruser:youruser ~/recovery
Use the -w switch to obtain only an audit of recoverable files:
sudo foremost -w -i /dev/sdb1 -o ~/recovery
To recover only specific file types, use the -t switch:
sudo foremost -t jpg -i /dev/sdb1 -o ~/recovery
>>Scalpel
Scalpel reads a database of header and footer definitions and finds the matching files in a raw set of data. It is based on Foremost, but is more efficient.
It’s available for both Linux and Windows.
For running it on Windows, you’ll need “mingw” (windows version) installed.
You can get Scalpel from bit.ly/vnn9o7. Once it is downloaded, extract it, head over to the src directory and use the command below to install it.
mingw32-make -f Makefile.win
You’ll also need to copy the pthreads and tre regular expression library DLLs into the same directory as “scalpel.exe”. The default configuration file, “scalpel.conf”, has all supported file patterns commented out; you must edit this file before running Scalpel to activate some patterns. Resist the urge to simply uncomment all file carving patterns; this wastes time and will generate a huge number of false positives. Instead, uncomment only the patterns for the file types you need.
To run Scalpel, use the following command:
sudo scalpel FILE -o DIRECTORY
Here FILE is the image file (or device) and DIRECTORY is the output directory. The configuration file in the current directory is used. In case your configuration file resides somewhere else, use the -c switch to specify its location.
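To show what header and footer carving does, and why only uncommented patterns produce results, here is an added Python example (not Scalpel's own code and not from the original post). It parses pattern lines laid out in the scalpel.conf columns (extension, case flag, maximum size, header, footer) and carves from a byte string; the pattern lines and the "disk image" are constructed, and only \xNN escapes are handled.

```python
import re

# Constructed pattern lines in the scalpel.conf column layout:
# extension, case-sensitive flag, maximum carve size, header, footer.
SAMPLE_CONF = r"""
# gif  y  5000000    \x47\x49\x46\x38\x39\x61  \x00\x3b
  jpg  y  200000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
"""

# Constructed "disk image": two small file-like blobs between runs of zero bytes.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"pixel-data" + b"\xff\xd9"
GIF = b"GIF89a" + b"frames" + b"\x00\x3b"
SAMPLE_IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 32 + GIF + b"\x00" * 16

def unescape(token):
    """Turn \\xNN escapes into bytes (wildcards are not handled here)."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  token.encode("latin-1"))

def active_patterns(conf_text):
    """Parse only the uncommented pattern lines."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # commented-out patterns are inactive
        ext, _case, max_size, header, footer = line.split()[:5]
        patterns.append((ext, int(max_size), unescape(header), unescape(footer)))
    return patterns

def carve(image, patterns):
    """Return (extension, offset, bytes) for each header..footer match."""
    found = []
    for ext, max_size, header, footer in patterns:
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                found.append((ext, start, image[start:end + len(footer)]))
            start = image.find(header, start + 1)
    return found

if __name__ == "__main__":
    for ext, offset, blob in carve(SAMPLE_IMAGE, active_patterns(SAMPLE_CONF)):
        print(f"{ext} at offset {offset}, {len(blob)} bytes")
```

With the gif line left commented out, only the JPEG-like blob is carved even though the GIF-like bytes are present in the image.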
>>PhotoRec
PhotoRec is file recovery software that helps recover text, videos, archived files and so on; as the name suggests, PhotoRec is also used to recover images. It ignores the file system and goes after the underlying data, so it’ll still work even if your media’s file system has been severely damaged or formatted.
PhotoRec is on this month’s Alpha DVD. There is no need to install it; just extract the downloaded zip file and run photorec_win.exe as an Administrator.
** It gives you the option to scan the whole disk or to scan the free space only.
When you run PhotoRec directly, you’ll get a prompt which asks which device to use. Choose the drive you want to attempt recovery on.
This is followed by the partition table type; in most cases it’s Intel, unless you have changed your partition table type. After this you’ll be asked to select the partition on which you’d like to run PhotoRec. Select the filesystem type when asked. This is followed by a prompt which asks you whether to search for files in free space only or the whole disk. After this you’ll be asked for the output directory where you want the recovered files to be placed. That’s it: PhotoRec will have started running and copying recovered files to the
>>NTFSUndelete
Windows 7 and Vista both now routinely put a “recovery partition” at the front of drives, even on fresh installs.
Anyway, the important result for us is that a lot of documentation assumes Windows will be on sda1 but in fact nowadays the important stuff, your stuff, is likely to be (or have been) on sda2.
Of course it could easily be somewhere completely different but this is the general case, and in most cases this is the default layout of the new breed of systems.
Look for deleted files on /dev/sda2 using the following command:
ntfsundelete /dev/sda2
To look for deleted documents on /dev/sda2 use:
ntfsundelete /dev/sda2 -s -m '*.doc'
To look for deleted files between 5000 and 6000000 bytes, with more than 90% recoverable, on /dev/sda2 use:
ntfsundelete /dev/sda2 -S 5k-6m -p 90
And if you’re looking for deleted files altered in the last two days:
ntfsundelete /dev/sda2 -t 2d