coffee
Well-Known Member
- Reaction score
- 1,832
- Location
- United States
Doing file recovery is a simple process when the files have been just deleted. Its amazing what you can recover as long as the sectors have not been over-written. If the sectors are over-written then recovery probably is not possible. Also you might only recover fragments of files. As far as dealing with the customer they should be warned that you will recover what you can. If there are damaged sectors then please use dd_rescue instead. It has capibilities beyond dd.
Warning: Never, Ever, Perform recovery from the actual device. You will make an iso first and then work on the iso instead. If you happen to destroy or damage the original you are out of luck. When you do make an iso of the block device make sure its not mounted. Crazy things can happen if you do.
THE STORY:
A few days ago I had a customer call me frantic about her ipod nano. She had somehow deleted all her music and couldnt get it back.
She mentioned she did a sync with her computer to back it up and next thing you know it was all gone. I had asked her how many songs did she lose? She replied that she had lost over 400 songs! Quickly puting my brain to good use I could see why she was so upset at a
dollar a pop for a song she was out alot of money. This has to happen to alot of people and they consider it gone for good. However, As an experienced tech that you are you know they are actually still there. Perhaps you dont know? Well, Put on that pot of coffee or grab your favorite drink and we are going to explore recovery of block devices (hard drives, Ipods, cdrom disks, dvd disks ect..).
BACKGROUND INFO:
Linux treats block devices as a link in the /dev directory. Commonly named /dev/sda, /dev/sdb ect.. Most distros of linux use the scsi module for block devices. Therefore 'sd' in the device name stands for 'scsi device'. The letter refers to an individual block device discovered on the buss. /dev/sda1 means the first drive (in windows its c
and the '1' denotes the first partition. The old way of naming a block device was 'hd' and has been obolete for awhile.
HOW TO RECOVER DATA FROM BLOCK DEVICES
Recovery can be quite simple as in the case I talked about above. As long as the sectors have not been over-written where the data is stored we can most likely recover them. But we are going to use linux to do it. I have always been a fan of linux because its a quick
way of getting things done. Its not a required course for techs to learn linux but it will make your life alot easier in the long run.
So, Lets get down to it and we are going to recover some data off a nano right now!
The setup
We can use about any linux distro to to this. My distro of choice is fedora. Most of it will be in a term window and the last step will be graphical because in my example we are going to recover a bunch of songs. It is very important to understand that we do not work directly on
the block device for recovery. The reason why is that if something were to go amazingly wrong we would kill any chance of recovery. Therefore we want to make a ISO image of the block device and work from that.
STEP 1: MAKE AN ISO OF THE BLOCK DEVICE.
This is quite easy. Please make sure the block device is not mounted. (umount /dev/sdc1 in my case). My block device is shown as /dev/sdc1. This means its drive c partition 1. From running fdisk -l I also know that it was actually a fat32 partition. I now have all I need (info wise) to start my ISO creation:
Now we have an iso of the partition that we want to recover info from. If we screw something up no worries as we cant damage the ipod in anyway at this point. Infact, Now I can just pull the ipod from the computer and set it aside.
STEP 2: BEGIN RECOVERY.
In order to recover the files we have to understand that some recovery programs might not recognize certain files. In my example we could run the program called photorec on the iso but mp4 music files get recovered and are not playable. Therefore, We are actually going to use a program that comes as part of testdisk called foremost. This will recover the songs as playable mp4 files. However, As you will see they are named fxxxxxx.mp4. We will get to that. For now lets start our recovery.
Make a directory for storage of the files recovered first and move into that directory. Make sure your iso image is also in that directory. My recovery directory is /home/coffee/Downloads/recovered-files. Now start the recovery:
After foremost is finished your going to end up with a bunch of directories named like recup_dir.1, recup_dir.2, ect... Remember that every song is named something similar to fxxxxxxx.mp4. We have now recovered that songs. However, This really does not help the customer that much because all the song information is missing! We have to find out what song is what and rename them accordingly. This would take forever if we did it all by hand. However we always know a better way to do this.
STEP 3: RECOVER THE SONG NAMES
This is a very simple step actually. Inbedded into each mp4 is the information on the song. We use a graphical program called 'EasyTag' to recover the info from the individual songs and also rename them. Therefore, Most linux repos have easytag available and if you are using fedora and have the rpmfusion repo setup its simple process to install it.
From within easytag select the first directory for it to work on (recup_dir.1). Easytag will automatically scan the directory and recover the song information. When this is complete select scan from the top menu and then select "rename files and directories". After this runs you are pretty much set. Keep in mind that the real work is done when you exit the program. Upon exiting easytag it will ask you if you wish to rewrite the info and just choose yes.
At this point you are done. The last step is to burn the recovered files to a cd or dvd. I normally use K3b for this.
ENDING THOUGHTS:
1. If you are looking for one type of file you can hurry up the process by changing the -t swich to the type of file you are looking for. However, I feel safer with the 'all' option. I dont want to miss anything. Please read on the foremost page what file types are supported.
2. In the case of other types of files like pdfs, txt, doc, ect.. The file name is a bit of a problem.
3. You can use this on pretty much all block devices. Whether its a hard drive or whatever. In the case of an iphone it important to remember that the device is encryped. Just google for help on that. I have not done an iphone yet.
4. Some programs work better than others. If Im doing pictures I will use photorec. For music I use foremost.
5. If your recovering off a cd or dvd with scratches you will want to use dd_rescue instead. Also, Take a can of pledge furniture polish and liberally coat the scratched disk first. Let dry, Buff off. You should be able to get a good read off of it unless its really screwed up!
I hope you find this helpful. I recovered 577 songs for my customer and burned them all on one dvd. The whole process took about 30 minutes because the ipod was only 8gigs in size. If your working on an actual hard drive then its going to take much longer and I suggest changing the t switch in the foremost command line to hurry up the process.
Warning: Never, Ever, Perform recovery from the actual device. You will make an iso first and then work on the iso instead. If you happen to destroy or damage the original you are out of luck. When you do make an iso of the block device make sure its not mounted. Crazy things can happen if you do.
THE STORY:
A few days ago I had a customer call me frantic about her ipod nano. She had somehow deleted all her music and couldnt get it back.
She mentioned she did a sync with her computer to back it up and next thing you know it was all gone. I had asked her how many songs did she lose? She replied that she had lost over 400 songs! Quickly puting my brain to good use I could see why she was so upset at a
dollar a pop for a song she was out alot of money. This has to happen to alot of people and they consider it gone for good. However, As an experienced tech that you are you know they are actually still there. Perhaps you dont know? Well, Put on that pot of coffee or grab your favorite drink and we are going to explore recovery of block devices (hard drives, Ipods, cdrom disks, dvd disks ect..).
BACKGROUND INFO:
Linux treats block devices as a link in the /dev directory. Commonly named /dev/sda, /dev/sdb ect.. Most distros of linux use the scsi module for block devices. Therefore 'sd' in the device name stands for 'scsi device'. The letter refers to an individual block device discovered on the buss. /dev/sda1 means the first drive (in windows its c
and the '1' denotes the first partition. The old way of naming a block device was 'hd' and has been obolete for awhile.HOW TO RECOVER DATA FROM BLOCK DEVICES
Recovery can be quite simple as in the case I talked about above. As long as the sectors have not been over-written where the data is stored we can most likely recover them. But we are going to use linux to do it. I have always been a fan of linux because its a quick
way of getting things done. Its not a required course for techs to learn linux but it will make your life alot easier in the long run.
So, Lets get down to it and we are going to recover some data off a nano right now!
The setup
We can use about any linux distro to to this. My distro of choice is fedora. Most of it will be in a term window and the last step will be graphical because in my example we are going to recover a bunch of songs. It is very important to understand that we do not work directly on
the block device for recovery. The reason why is that if something were to go amazingly wrong we would kill any chance of recovery. Therefore we want to make a ISO image of the block device and work from that.
STEP 1: MAKE AN ISO OF THE BLOCK DEVICE.
This is quite easy. Please make sure the block device is not mounted. (umount /dev/sdc1 in my case). My block device is shown as /dev/sdc1. This means its drive c partition 1. From running fdisk -l I also know that it was actually a fat32 partition. I now have all I need (info wise) to start my ISO creation:
Now we have an iso of the partition that we want to recover info from. If we screw something up no worries as we cant damage the ipod in anyway at this point. Infact, Now I can just pull the ipod from the computer and set it aside.
STEP 2: BEGIN RECOVERY.
In order to recover the files we have to understand that some recovery programs might not recognize certain files. In my example we could run the program called photorec on the iso but mp4 music files get recovered and are not playable. Therefore, We are actually going to use a program that comes as part of testdisk called foremost. This will recover the songs as playable mp4 files. However, As you will see they are named fxxxxxx.mp4. We will get to that. For now lets start our recovery.
Make a directory for storage of the files recovered first and move into that directory. Make sure your iso image is also in that directory. My recovery directory is /home/coffee/Downloads/recovered-files. Now start the recovery:
After foremost is finished your going to end up with a bunch of directories named like recup_dir.1, recup_dir.2, ect... Remember that every song is named something similar to fxxxxxxx.mp4. We have now recovered that songs. However, This really does not help the customer that much because all the song information is missing! We have to find out what song is what and rename them accordingly. This would take forever if we did it all by hand. However we always know a better way to do this.
STEP 3: RECOVER THE SONG NAMES
This is a very simple step actually. Inbedded into each mp4 is the information on the song. We use a graphical program called 'EasyTag' to recover the info from the individual songs and also rename them. Therefore, Most linux repos have easytag available and if you are using fedora and have the rpmfusion repo setup its simple process to install it.
From within easytag select the first directory for it to work on (recup_dir.1). Easytag will automatically scan the directory and recover the song information. When this is complete select scan from the top menu and then select "rename files and directories". After this runs you are pretty much set. Keep in mind that the real work is done when you exit the program. Upon exiting easytag it will ask you if you wish to rewrite the info and just choose yes.
At this point you are done. The last step is to burn the recovered files to a cd or dvd. I normally use K3b for this.
ENDING THOUGHTS:
1. If you are looking for one type of file you can hurry up the process by changing the -t swich to the type of file you are looking for. However, I feel safer with the 'all' option. I dont want to miss anything. Please read on the foremost page what file types are supported.
2. In the case of other types of files like pdfs, txt, doc, ect.. The file name is a bit of a problem.
3. You can use this on pretty much all block devices. Whether its a hard drive or whatever. In the case of an iphone it important to remember that the device is encryped. Just google for help on that. I have not done an iphone yet.
4. Some programs work better than others. If Im doing pictures I will use photorec. For music I use foremost.
5. If your recovering off a cd or dvd with scratches you will want to use dd_rescue instead. Also, Take a can of pledge furniture polish and liberally coat the scratched disk first. Let dry, Buff off. You should be able to get a good read off of it unless its really screwed up!
I hope you find this helpful. I recovered 577 songs for my customer and burned them all on one dvd. The whole process took about 30 minutes because the ipod was only 8gigs in size. If your working on an actual hard drive then its going to take much longer and I suggest changing the t switch in the foremost command line to hurry up the process.
