Ubuntu Geek

Ubuntu Linux Tutorials,Howtos,Tips & News | Lunar Lobster , Mantic Minotaur

Recover Data Like a Forensics Expert Using an Ubuntu Live CD

by · Published · Updated

Sponsored Link
Plenty of utilities can recover deleted files, but what if you can't boot your computer, or the whole drive has been formatted? Here's how to dig deep and recover the most elusive deleted files, or even whole partitions.

Note: These tools cannot recover data that has been overwritten on a hard disk. Whether a deleted file has been overwritten depends on many factors – the quicker you realize that you want to recover a file, the more likely you will be able to do so.

Our setup

To show these tools, we've set up a small 1 GB hard drive, with half of the space partitioned as ext2, a file system used in Linux, and half the space partitioned as FAT32, a file system used in older Windows systems. We stored ten random pictures on each hard drive.

sshot-1

We then wiped the partition table from the hard drive by deleting the partitions in GParted.

sshot-2

Is our data lost forever?

Installing the tools

All of the tools we're going to use are in Ubuntu's universe repository.

To enable the repository, open Synaptic Package Manager by clicking on System in the top-left, then Administration > Synaptic Package Manager.

Click on Settings > Repositories and add a check in the box labelled "Community-maintained Open Source software (universe)".

sshot-3

Click Close, and then in the main Synaptic Package Manager window, click the Reload button. Once the package list has reloaded, and the search index rebuilt, search for and mark for installation one or all of the following packages: testdisk, foremost, and scalpel.

Testdisk includes TestDisk, which can recover lost partitions and repair boot sectors, and PhotoRec, which can recover many different types of files from tons of different file systems.

sshot-4

Foremost, originally developed by the US Air Force Office of Special Investigations, recovers files based on their headers and other internal structures. Foremost operates on hard drives or drive image files generated by various tools.

sshot-6

Finally, scalpel performs the same functions as foremost, but is focused on enhanced performance and lower memory usage. Scalpel may run better if you have an older machine with less RAM.

sshot-5

Recover hard drive partitions

If you can't mount your hard drive, then its partition table might be corrupted. Before you start trying to recover your important files, it may be possible to recover one or more partitions on your drive, recovering all of your files with one step.

Testdisk is the tool for the job. Start it by opening a terminal (Applications > Accessories > Terminal) and typing in:

sudo testdisk

sshot-8

If you'd like, you can create a log file, though it won't affect how much data you recover. Once you make your choice, you're greeted with a list of the storage media on your machine. You should be able to identify the hard drive you want to recover partitions from by its size and label.

Full Story

Sponsored Link

Related posts

Tags:

You may also like...

1 Response

  1. Amanj says:
    April 27, 2010 at 10:16 pm

    Thank you for sharing the article, I’m using the foremost now, and hoping it can find my lost photos 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *