this post was submitted on 01 Apr 2024
29 points (91.4% liked)

Linux

48323 readers
632 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

A friend of mine has 2 Windows Laptops, where in the process of moving from an old 2TB storage laptop to a newer 256GB storage laptop, moving files manually (somehow, dont ask me).

They noticed they accidentally removed a 35GB folder full of media files from a very big vacation, including nature photography and some strange GoPro format files. Valuable stuff.

So we took the newer laptop as its fresh, very small storage and not much done after deleting the files.

We used a 2TB backup drive which works well.

Used CloneZilla, exited to shell, mounted the drive with udisksctl and used testdisk and photorec, but with strange results.

  1. Testdisk created a "whole" recovery in .dd format
  2. Then noticed the "undelete" function in testdisk and manually undeleted all files we found
  3. Then used photorec on that .dd recovery

The testdisk undelete files are mostly corrupted, images with missing header files etc. Same as the result of some magic sauce proprietary recovery program.

The photorec results where really strange, everything was intact but only system stuff, cache, icons etc, not a single of the deleted media.

The media are 3000 or more, so this makes no sense, we used the "full" backup from testdisk.

The laptop is off and we have some time, we can also use the older, messier one if needed.

Questions:

  • any way to repair these corrupted images and media?
  • how to work with this data in photorec? How to export just the deleted files?

I think we should try to use photorec directly with the drive and not the .dd image, which may help.

We used dd and cloned the entire small, new disk to an .iso on the backup drive so we can work with it easier. Does this include all the stuff, also the deleted things?

We will also try scalpel.

Thanks!

Update

We did a lot with the small disk which should basically be in perfect condition to undelete stuff.

  • dd and ddrescue backup into an .iso and .raw image
  • testdisk backup into a .dd image
  • photorec found only usable pictures from the OS, not a single of the wanted ones
  • testdisk and Recuva had the exact same results, all of the wanted files but all broken, missing headers and metadata
  • using scalpel currently

I would be happy about experience on how to restore such header files, information what they are and if you can use files for multiple media or guess them. We know the filetypes that we search for.

Also, are there any modern recovery tools out there, that promise better reliability?

Thanks!

top 12 comments
sorted by: hot top controversial new old
[–] d3Xt3r@lemmy.nz 10 points 7 months ago* (last edited 7 months ago) (1 children)

They noticed they accidentally removed a 35GB folder full of media files from a very big vacation, including nature photography and some strange GoPro format files. Valuable stuff.

Are you sure the files were actually deleted? I used to work in helpdesk back in the day and would regularly get calls from users in similar situations, and 9 out of 10 times the folder wasn't actually deleted but accidentally moved to somewhere else - Windows Explorer is dumb like that, it's very easy to accidentally drag-drop a large folder elsewhere without any confirmation - just a flick of the wrist and you wouldn't even notice it. On the other hand, actually deleting a large folder not only presents a confirmation dialog, it also takes a long time to delete the files - and you'd notice it very quickly (unless you were AFK).

So I'd recommend running a thorough search first - both on the old drive and new drive.

But if the files were actually deleted, I also second the recommendation of Recuva - IMO it just works better on NTFS drives, compared to Phtotorec. After all, if the photos are really that valuable then you really should be using the best tools available at your disposal.

[–] Pantherina@feddit.de 1 points 7 months ago

The files are deleted as that folder was too big

[–] mvirts@lemmy.world 7 points 7 months ago (1 children)

1 - This sounds really stupid, but check the recycle bin on both drives 😅 it is windows after all.

2 - turn off photorec paranoid mode, only check for formts you actually want, and sort the output by size to look for actual files you want.

3 - try checking total file size to see if the files were moved not deleted

[–] Pantherina@feddit.de 3 points 7 months ago (1 children)

The files are deleted as that folder was too big

[–] mvirts@lemmy.world 1 points 7 months ago (1 children)

Have you tried recovery on the old drive? If the new smaller drive was completely full after deletion recovery is not possible

[–] Pantherina@feddit.de 2 points 7 months ago

The small drive is nearly empty, just has a few files, those where deleted. The drive is now unuses, used testdisk, photorec, recuva now scalpel to get anything from it.

The files are there, for sure.

[–] mranderson17@infosec.pub 7 points 7 months ago (1 children)

So, I'm not sure if the process has changed in the last decade or so but in a long-ago computer forensics class step 0, before all else, was to never operate data recovery on the original disk. Create a block level image of the entire device, then work on that.

My go to steps for recovery have been the following in the years since:

  1. create an image of the entire disk (not a partition) using ddrescue ddrescue -d /dev/sdX <path_to_image>.img
  2. Run test disk on it selecting the partitions as necessary testdisk <path_to_image>.img

If the disk has a complicated partition layout, or more effort is required to find the correct partition you can also mount parts of the disk.

  1. create an image of the entire disk (not a partition) using ddrescue

    ddrescue -d /dev/sdX <path_to_image>.img

  2. Mount the image as a loopback device with the appropriate offset

    losetup --offset <some_offset_like_8192> --show -v -r -f -P <path_to_image>.img this will mount individual partitions:

    loop58        7:58   0 465.8G  1 loop
    ├─loop58p1  259:7    0   1.5G  1 part
    ├─loop58p2  259:8    0 450.6G  1 part
    └─loop58p3  259:9    0  13.7G  1 part
    
  3. Then operate testdisk on whatever partition you want.

All that said there are a lot of variables here and things don't always work perfectly. I hope you do find a way to recover them.

[–] Pantherina@feddit.de 1 points 7 months ago

Thanks, I dont think the common tools are dangerous to work with the original, but I now have 3 backups in various approaches and will wait until I find a solution on how to restore header files, as this seems to be kinda impossible to recover ("secure delete")

[–] d3Xt3r@lemmy.nz 5 points 7 months ago (1 children)

Also, are there any modern recovery tools out there, that promise better reliability?

If Recuva didn't work, then you'd need to use a professional tool such as Runtime Software's GetDataBack. They've been working on it for over two decades - all the way since 2001, and I've used it on a few occasions with good success where TestDisk didn't work. The catch is that it's not free, but you can download the trial version first and run it to see if it can recover (preview) your files. And if the results are promising then you can buy the license and recover the files (no need to rerun the scan).

[–] Pantherina@feddit.de 1 points 7 months ago

Hm... okay maybe. The issue is we have nearly all files but the file headers are missing.

Looking for some tools to recover those header files

[–] XEAL@lemm.ee 5 points 7 months ago* (last edited 7 months ago) (1 children)

I agree that you should recover (read), from the original media where the data was, I suspect something is lost along the way with dd when talking about deleted stuff or "marked for deletion".

I hope nobody is using the drive where the data was deleted from, as you may already know that that will decrease any chance of recovery.

I've used Photorec in the past and it was pretty straightforward when it found stuff. I've also used TestDisk to recover corrupted partitions, but I didn't know it could also help recovering files.

You could try Recuva aswell if the data was lost on a Windows machine (I've just noticed the community we're on...)

[–] Pantherina@feddit.de 2 points 7 months ago

Yes the data was lost on Windows, but I prefer Linux a lot as all good tools seem to be linux only anyways haha. But will remember recuva as a last option.

Also no the disk is not booted anymore.