Retrieving Deleted Data?



creeping death
21st January 2009, 02:56 PM
Hi,

First off, I don't know if this is the appropriate sub-section for asking this, so I request the mods to kindly move this to a more appropriate sub-section.

Earlier today I deleted a few important video files, some tutorials, accidentally... sounds kinda strange, I know (why would one delete important files without backing them up?). But that's what happened...

Certain files got deleted and I would like to get them back. I know there are some disk tools to do this, i.e. tools that retrieve deleted data or corrupt data, but I don't really know anything about them.

I would be grateful if any one of you would tell me how to do it.

Eagerly awaiting a response... :(

bob
21st January 2009, 03:10 PM
(moved to General Support)

sideways
21st January 2009, 03:22 PM
Unmount the disk ASAP. Boot up a live session and try a data recovery tool such as testdisk or foremost (install via yum).


[liveuser@localhost ~]$ yum info foremost
Loaded plugins: refresh-packagekit
Available Packages
Name : foremost
Arch : i386
Version : 1.5.3
Release : 2.fc9
Size : 44 k
Repo : fedora
Summary : Recover files by "carving" them from a raw disk
URL : http://foremost.sf.net
License : Public Domain
Description: Foremost recovers files files based on their headers, footers, and
: internal data structures. This process is commonly referred to as
: data carving. Foremost can work on a raw disk drive or image file
: generated by dd. The headers and footers can be specified by a
: configuration file or you can use command line switches to specify
: built-in file types. These built-in types look at the data
: structures of a given file format allowing for a more reliable and
: faster recovery.

eg


su -
mkdir recover
foremost -o recover -t avi,mpg -i /dev/sda1

creeping death
21st January 2009, 05:53 PM
Hi,

I only had an Ubuntu 6.10 live CD :(

I'm currently typing from the live CD...

I installed foremost using the deb...

but it's foremost 0.69, not 1.5.

When I create a directory "recover", where would it be created?

sideways
21st January 2009, 06:25 PM
The mkdir command creates the directory in the current directory; on the live CD that will be in RAM. If anything gets recovered you should copy it to a USB stick, or mount a spare partition on the hard disk if one exists and copy it there.

creeping death
21st January 2009, 06:54 PM
sudo foremost -o reco -t avi,mpg -i /dev/sda1
foremost version 0.69
Written by Kris Kendall and Jesse Kornblum.

foremost: invalid option -- t
Digs through an image file to find files within using header information.

Usage: foremost [-h|V] [-qv] [-s num] [-i <file>] [-o <outputdir>] \
[-c <config file>] <imgfile> [<imgfile>] ...

-h Print this help message and exit
-V Print copyright information and exit
-v Verbose mode. Highly recommended
-q Quick mode. Only searches the beginning of each sector. While
this is faster, you may miss some files. See man page for
details.
-i Read names of files to dig from a file
-o Set output directory for recovered files
-c Set configuration file to use. See man page for format.
-s Skip n bytes in the input file before digging
-n Extract files WITHOUT adding extensions (eg:.txt) to the
filename.
Using batch mode: reading list of files from /dev/sda1 instead of command line

Opening ��
ERROR: The configuration file didn't specify anything to search for.




Any ideas?

I read the man page, but I couldn't understand it much.



FOREMOST(1) United States Air Force FOREMOST(1)



NAME
foremost - Recover files using their headers and footers


SYNOPSIS
foremost [-h] [-V] [-vq] [-i <file>] [-o <dir>] [-c <file>] [-s <num>]
[FILES]...


DESCRIPTION
Recover files from a disk image based on headers and footers specified
by the user.


-h Show a help screen and exit.



-V Show copyright information and exit.


-v Enables verbose mode. This causes more information regarding the
current state of the program to be displayed on the screen, and
is highly recommended.


-q Enables quick mode. In quick mode, only the start of each sector
is searched for matching headers. That is, the header is
searched only up to the length of the longest header. The rest
of the sector, usually about 500 bytes, is ignored. This mode
makes foremost run considerably faster, but it may cause you to
miss files that are embedded in other files. For example, using
quick mode you will not be able to find JPEG images embedded in
Microsoft Word documents.

Quick mode should not be used when examining NTFS file systems.
Because NTFS will store small files inside the Master File Table,
these files will be missed during quick mode.

Some users have found that certain headers, such as those for
MPEG and Quicktime movies, can be found many times inside MPEG
and MOV files. The result can be several dozen incomplete files
recovered from a single MPEG file. Using quick mode can help
avoid this problem.


-i file
The file file is used as a list of input files to examine. Each
line is assumed to consist of a single filename.


-o directory
Recovered files are written to the directory directory. As of
version 0.64, foremost requires that this directory is either
empty or does not exist. Foremost will create the directory if
necessary.


-c file
Sets the configuration file to use. If none is specified, the
file "/etc/foremost.conf" is used. The format for the configura‐
tion file is described in the default configuration file
included with this program. See the CONFIGURATION FILE section
below for more information.



-s number
Skips number bytes in each input file before beginning the
search for headers.




CONFIGURATION FILE
The configuration file is used to control what types of files foremost
searches for. A sample configuration file, foremost.conf, is included
with this distribution. For each file type, the configuration file
describes the file’s extension, whether the header and footer are case
sensitive, the maximum file size, and the header and footer for the
file. The footer field is optional, but header, size, case sensitivity,
and extension are not!

Any line that begins with a pound sign is considered a comment and
ignored. Thus, to skip a file type just put a pound sign at the
beginning of that line.

Headers and footers are decoded before use. To specify a value in
hexadecimal use \x[0-f][0-f], and for octal use \[1-9][1-9][1-9]. Spaces
can be represented by \s. Example: "\x4F\123I\sCCI" decodes to "OSI
CCI".

To match any single character (aka a wildcard) use a '?'. If you need
to search for the '?' character, you will need to change the 'wildcard'
line *and* every occurrence of the old wildcard character in the
configuration file. Don't forget those hex and octal values! '?' is equal
to \x3f and \077.

There is a sample set of headers in the README file.



AUTHORS
Written by Special Agent Kris Kendall and Special Agent Jesse Kornblum
of the United States Air Force Office of Special Investigations.


BUGS
When compiling foremost on systems with versions of glibc 2.1.x or
older, you will get some (harmless) compiler warnings regarding the
implicit declaration of fseeko and ftello. You can safely ignore these
warnings.



REPORTING BUGS
Because Foremost could be used to obtain evidence for criminal
prosecutions, we take all bug reports very seriously. Any bug that
jeopardizes the forensic integrity of this program could have serious
consequences on people's lives. When submitting a bug report, please
include a description of the problem, how you found it, and your contact
information.

Send bug reports to:
jesse.kornblum@ogn.af.mil


COPYRIGHT
This program is a work of the US Government. In accordance with 17 USC
105, copyright protection is not available for any work of the US
Government.

This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.


SEE ALSO
There is more information in the README file.

Foremost was originally designed to imitate the functionality of
CarvThis, a DOS program written by the Defense Computer Forensics Lab
in 1999.





AFOSI v0.66 - July 2003 FOREMOST(1)


:(

sideways
21st January 2009, 07:26 PM
You have a very old version of foremost there (v0.69), if you run


yum install foremost

from a Fedora 10 livecd you get version 1.5.3


[liveuser@localhost ~]$ foremost -h
foremost version 1.5.3 by Jesse Kornblum, Kris Kendall, and Nick Mikus.
$ foremost [-v|-V|-h|-T|-Q|-q|-a|-w-d] [-t <type>] [-s <blocks>] [-k <size>]
[-b <size>] [-c <file>] [-o <dir>] [-i <file]

-V - display copyright information and exit
-t - specify file type. (-t jpeg,pdf ...)
-d - turn on indirect block detection (for UNIX file-systems)
-i - specify input file (default is stdin)
-a - Write all headers, perform no error detection (corrupted files)
-w - Only write the audit file, do not write any detected files to the disk
-o - set output directory (defaults to output)
-c - set configuration file to use (defaults to foremost.conf)
-q - enables quick mode. Search are performed on 512 byte boundaries.
-Q - enables quiet mode. Suppress output messages.
-v - verbose mode. Logs all messages to screen


which has the '-t' option. You need to install a newer version.

creeping death
21st January 2009, 07:34 PM
Found an Ubuntu 7.10 CD and installed foremost 1.5.3.

The command you gave worked.


sudo foremost -o recover -t avi -i /dev/sda1
Processing: /dev/sda1
|**|


Does this mean that I'm officially f***ed and that my data is lost forever? :(

creeping death
21st January 2009, 07:38 PM
Wait, wait...
seems like something is happening when I changed sda1 to sda... *crosses my fingers*


sudo foremost -o recover -t avi -i /dev/sda

creeping death
21st January 2009, 07:45 PM
After this thing is over and done, the first thing I will do is get a Fedora 10 live CD!!

@Sideways...

How long does an average search and recovery take?



sudo foremost -o recover -t avi -i /dev/sda


All I got till now was intense hard disk usage and four lines of stars...


buntu@ubuntu:~$ sudo foremost -o recover -t avi -i /dev/sda
Processing: /dev/sda
|*********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************

It doesn't seem that it's anywhere close to the finish.

sideways
21st January 2009, 07:54 PM
It'll take a while, depending on the size of the disk.

You can open another terminal and check the recovered files so far; lots will be rubbish. If you know the rough size of the deleted AVIs then type ls -lhSr reco/avi/ to list the files by size and ignore the small ones.

creeping death
21st January 2009, 08:14 PM
It'll take a while, depending on the size of the disk.

You can open another terminal and check the recovered files so far; lots will be rubbish. If you know the rough size of the deleted AVIs then type ls -lhSr reco/avi/ to list the files by size and ignore the small ones.

Yeah... lots of 1.8 KB AVI files...

Just one more question, for now... would you recommend stopping the recovery (pressing Ctrl+Z) and searching for avi, mpg and wmv files together? Would it bring down the probability of recovery?

sideways
21st January 2009, 08:19 PM
You can stop it, it won't affect the probability. But you shouldn't have run it on the whole disk; you should have specified the partition with /dev/sdaX. Clearly /dev/sda1 was just a small recovery partition or similar.

creeping death
21st January 2009, 08:32 PM
OK... I guess now I somewhat understand what's happening when I type in the command... correct me if I'm wrong here...

foremost just finds every instance of the requested file type on the disk. It doesn't matter if it's actually deleted or not; any file that was on the disk or is currently on the disk would be recovered...

But it's amazing... I'm getting back files that were on my HDD so long ago... I had formatted my HDD 2 times and yet the files are recovered...

creeping death
21st January 2009, 08:40 PM
I'm storing the recovered files on my iPod (30 GB)... hopefully all my files will be recovered...

Thanks for your time, sideways.

I will get back once it's all over.

sideways
21st January 2009, 09:32 PM
foremost just scans through the raw disk data for 'signatures' that identify a particular type of file, both the start (header) and end (footer). It will make many mistakes, and will recover everything that matches, including undeleted files of course.

If the data in the file has been overwritten on the disk then this type of tool can't recover it. Usually on Linux the data in the file is still on disk after deletion, and will only get copied over if another file is created and writes on that part of the disk. That's why you should unmount/shut down ASAP and run from a live session on CD.
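The signature carving sideways describes here, together with the foremost.conf rule layout quoted from the man page earlier in the thread (extension, case flag, maximum size, header and optional footer, with \x hex, \ooo octal, \s for a space and '?' as a one-byte wildcard), as an added example in Python. This is not foremost's own code and not part of the original thread; the two rules, the 446-byte "disk image", its offsets and the trim_riff helper are constructed for the demonstration. trim_riff cuts an AVI at its RIFF length field instead of at max_size, the kind of internal-structure check the yum description credits foremost's built-in types with, and min_size is the same filter as the ls -lhSr advice, applied before anything is written.

```python
"""Toy foremost-style carver: added example, not foremost's own code."""
import os
import re
import tempfile

def decode_signature(text):
    """Decode a foremost.conf header/footer field: \\xHH hex, \\ooo octal,
    \\s space, anything else literal. r'\\x4F\\123I\\sCCI' -> b'OSI CCI'."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            if text[i + 1] == "x" and i + 4 <= len(text):
                out.append(int(text[i + 2:i + 4], 16)); i += 4; continue
            if text[i + 1] == "s":
                out.append(0x20); i += 2; continue
            if text[i + 1:i + 4].isdigit() and len(text[i + 1:i + 4]) == 3:
                out.append(int(text[i + 1:i + 4], 8) & 0xFF); i += 4; continue
        out.append(ord(text[i]) & 0xFF); i += 1          # literal character
    return bytes(out)

def signature_regex(sig, case_sensitive):
    """'?' (0x3F) is the single-byte wildcard; every other byte is literal."""
    parts = [b"." if b == 0x3F else re.escape(bytes([b])) for b in sig]
    return re.compile(b"".join(parts), re.DOTALL | (0 if case_sensitive else re.IGNORECASE))

def parse_config(text):
    """One rule per line: ext case(y/n) max_size header [footer]; '#' comments."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) < 4:
            raise ValueError("bad rule: %r" % line)
        rules.append({"ext": f[0], "case_sensitive": f[1].lower() == "y",
                      "max_size": int(f[2]), "header": decode_signature(f[3]),
                      "footer": decode_signature(f[4]) if len(f) > 4 else None})
    return rules

def trim_riff(data):
    """Cut an AVI at the RIFF length field (LE u32 at offset 4, plus the 8-byte
    header) instead of at max_size: the 'internal data structure' kind of check."""
    if data[:4] == b"RIFF" and len(data) >= 8:
        size = int.from_bytes(data[4:8], "little") + 8
        if size <= len(data):
            return data[:size]
    return data

def carve(image, rules, min_size=0, trimmers=None):
    """Return [(offset, ext, data)] for every header hit, sorted by offset.
    No filesystem metadata is consulted, so live, deleted and 'formatted over'
    files all come back if their bytes were never overwritten. A type with no
    footer is cut at max_size (or by its trimmer), and a header pattern that
    repeats inside a file yields one fragment per repeat."""
    trimmers = trimmers or {}
    found = []
    for r in rules:
        hdr = signature_regex(r["header"], r["case_sensitive"])
        ftr = signature_regex(r["footer"], r["case_sensitive"]) if r["footer"] else None
        for m in hdr.finditer(image):
            window = image[m.start():m.start() + r["max_size"]]
            end = len(window)
            if ftr is not None:
                fm = ftr.search(window, len(r["header"]))   # first footer after the header
                if fm:
                    end = fm.end()
            data = trimmers.get(r["ext"], lambda d: d)(window[:end])
            if len(data) >= min_size:                        # skip the tiny junk hits
                found.append((m.start(), r["ext"], data))
    return sorted(found, key=lambda t: t[0])

def write_carved(found, outdir):
    """Write <offset>.<ext> under outdir/<ext>/, foremost-style; return the paths."""
    paths = []
    for offset, ext, data in found:
        os.makedirs(os.path.join(outdir, ext), exist_ok=True)
        path = os.path.join(outdir, ext, "%08d.%s" % (offset, ext))
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths

# Constructed rules (same layout as the man page) and a constructed 446-byte
# 'disk image'; none of this is real data.
SAMPLE_CONFIG = r"""
# ext  case  max_size  header                    footer
jpg    y     200000    \xff\xd8\xff\xe0\x00\x10  \xff\xd9
avi    y     500000    RIFF????AVI\sLIST
"""

def build_sample_image():
    jpeg1 = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"   # 52 bytes at 64
    body = b"AVI LIST" + b"B" * 100
    avi = b"RIFF" + len(body).to_bytes(4, "little") + body               # 116 bytes at 180
    jpeg2 = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"C" * 10 + b"\xff\xd9"   # 22 bytes at 360
    gap = b"\x00" * 64
    return gap + jpeg1 + gap + avi + gap + jpeg2 + gap

def demo(min_size=30):
    """Carve the sample image into a fresh temp dir; return (hits, written paths)."""
    found = carve(build_sample_image(), parse_config(SAMPLE_CONFIG),
                  min_size=min_size, trimmers={"avi": trim_riff})
    return found, write_carved(found, tempfile.mkdtemp(prefix="recover-"))

if __name__ == "__main__":
    for offset, ext, data in demo()[0]:
        print("%8d  %s  %d bytes" % (offset, ext, len(data)))
```

Run as a script it prints the offset, type and size of each carve. With min_size=0 the 22-byte JPEG shows up as well, and without the trimmer the AVI carve runs 266 bytes to the end of the image, which is why footerless types come back oversized or in fragments, just as the man page warns for MPEG.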

creeping death
21st January 2009, 09:44 PM
If the data in the file has been overwritten on the disk then this type of tool can't recover it.

Any tool which CAN recover overwritten data?

bee
21st January 2009, 09:52 PM
Any tool which CAN recover overwritten data?
No!! That doesn't exist :rolleyes: :D :D :D :D :D :p

bye!!!!!:):):)

sideways
21st January 2009, 10:50 PM
You need a hardware tool to recover overwritten data, such as an electron microscope, if you've got the budget! :D

Defence-standard disk wipes require multiple writes of random data, since a single write will hardly ever physically mask the previous data value due to imperfections in the positioning of the drive head.

There are tools for damaged disks like SpinRite (http://en.wikipedia.org/wiki/SpinRite) which attempt a statistical analysis of multiple reads of the "bad" data to guess the correct value, but in my experience they are not very successful.

bee
22nd January 2009, 12:39 AM
You need a hardware tool to recover overwritten data, such as an electron microscope, if you've got the budget! :D

Defence-standard disk wipes require multiple writes of random data, since a single write will hardly ever physically mask the previous data value due to imperfections in the positioning of the drive head.
Yeah, theoretically that's true. :D :D :D
But nowadays, is it real? :rolleyes: :rolleyes: :D :D :D :p :p :p :p
http://www.nber.org/sys-admin/overwritten-data-guttman.html "Was Peter Gutmann wrong?" -- yes, maybe, maybe yes, maybe no, but I don't care at all!!!!!!!!!!!!!!!!!!!!!!!!!!! :p :p :p :p :D :D :D :D :D
One pass is good (it's necessary...), but I feel like two are better if you are going to sell your hard disk... :D :D :D :rolleyes: :p but one is just okay to keep your data safe... :rolleyes: :rolleyes: :rolleyes: :rolleyes: :rolleyes: :D :D :cool:
But there are for sure no software tools to recover overwritten files :D :cool: :cool:

Talking about this stuff makes me feel like Agent 00BEE!!!!!!!!!! :p :p :p :D :D :cool: :cool: ...... ..... maybe one day... :D :D :p :p :eek: :rolleyes:

bye!!!!!!!!:):):)

sideways
22nd January 2009, 10:13 PM
Nice link bee, but I bet that's misinformation posted by the Intelligence Services to put people off guard and make them less thorough in wiping disks. :D:D:D:cool::cool::p:p:p:eek::eek::eek::eek::rolleyes::rolleyes::rolleyes::rolleyes:

Now buzz off :D:D:D:D:D:D:D:D:D:p:p:p:p:p:p:p:p:p

creeping death
23rd January 2009, 04:40 PM
Well... out of around ~4 GB of data I got back 1.27 GB. I had wasted much time after I had deleted them, but glad that all was not lost... I should have acted quicker...


You need a hardware tool to recover overwritten data, such as an electron microscope, if you've got the budget! :D
Yeah... I sure can........ all I've got to do is.............. sell my organs :p



Defence-standard disk wipes require multiple writes of random data, since a single write will hardly ever physically mask the previous data value due to imperfections in the positioning of the drive head.
There are tools for damaged disks like SpinRite (http://en.wikipedia.org/wiki/SpinRite) which attempt a statistical analysis of multiple reads of the "bad" data to guess the correct value, but in my experience they are not very successful.

Hmm... you are right... while I was recovering I was getting files that existed long ago... I had done at least 3 disk formats, yet the files still existed!! And foremost retrieved them, in perfectly playable condition... :eek:

That brings me to a new question... is there any means of wiping my hard disk totally by software? I mean, like totally make it go... make it irretrievable by software like foremost?


Nice link bee, but I bet that's misinformation posted by the Intelligence Services to put people off guard and make them less thorough in wiping disks. :D:D:D:cool::cool::p:p:p:eek::eek::eek::eek::rolleyes::rolleyes::rolleyes::rolleyes:

Now buzz off :D:D:D:D:D:D:D:D:D:p:p:p:p:p:p:p:p:p

I thought that bee was the only smiley-whore around here... guess I was wrong... :eek::p:D:D:D:D:p:cool:

No offense bee... :rolleyes::D:D:D:D:p:cool::D:D:cool:

sideways
23rd January 2009, 04:43 PM
Hmm... you are right... while I was recovering I was getting files that existed long ago... I had done at least 3 disk formats, yet the files still existed!! :eek:

That brings me to a new question... is there any means of wiping my hard disk totally by software? I mean, like totally make it go... make it irretrievable by software like foremost?

You can do


shred /dev/sda

as root from a live CD, or even just do


dd if=/dev/zero of=/dev/sda

creeping death
23rd January 2009, 04:50 PM
The files that were being retrieved were files from Windows XP... I ditched Windows totally when Fedora 9 came... so that shred command clears up every block of data on sda?

Thanks for all the help, man. Both bee and you.

sideways
23rd January 2009, 05:00 PM
Yeah, it'll just write random data all over every bit of the disk, several times. It will be very slow; the second option is much quicker and just as good for the non-paranoid :)

(You can replace /dev/zero with /dev/urandom too, and you probably should type 'sync' afterwards or use 'conv=fdatasync' as an option in the dd command to ensure all the writes are committed to the disk.)
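The dd zero pass and a shred-style random pass as described above, followed by the read-back check a practitioner would want before trusting a wipe: read the whole device again and confirm that none of the headers a carver keys on survive, and that a zero pass really left all zeros. This is an added Python example, not from the thread; it targets a file-backed image built in a temp directory (on a real disk you would pass /dev/sdX as root from a live session with the disk unmounted). The path, the three-entry SIGNATURES shortlist, the 1 MiB CHUNK and the planted offsets are all assumptions for the demonstration, and the fsync after each pass is the 'sync' / conv=fdatasync step.

```python
"""Wipe a disk image and verify it: added example, not from the thread."""
import os
import tempfile

CHUNK = 1 << 20          # 1 MiB per write/read, like dd bs=1M

# Header bytes a carver such as foremost keys on (constructed shortlist).
SIGNATURES = {"avi": b"RIFF", "jpg": b"\xff\xd8\xff", "mpg": b"\x00\x00\x01\xba"}

def device_size(path):
    """Byte length of a regular file or a block device (lseek to the end)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)

def wipe(path, passes=("zero",)):
    """Overwrite every byte of `path` once per pass and fsync after each pass,
    the equivalent of dd ... conv=fdatasync or typing sync afterwards.
    'zero' writes \\x00 (dd if=/dev/zero), 'random' writes os.urandom() data
    (dd if=/dev/urandom, or one shred pass). Returns total bytes written."""
    size, written = device_size(path), 0
    with open(path, "r+b") as fh:
        for kind in passes:
            fh.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                fh.write(b"\x00" * n if kind == "zero" else os.urandom(n))
                left -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())        # commit this pass to the platters
    return written

def residual_signatures(path, signatures=SIGNATURES):
    """Read the whole device back and return {ext: [offsets]} for every header
    that survives, including ones straddling a CHUNK boundary (the tail carry).
    An empty dict means a carver would find nothing."""
    hits, tail, pos = {}, b"", 0
    keep = max(len(s) for s in signatures.values()) - 1
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                break
            data, base = tail + buf, pos - len(tail)
            for ext, sig in signatures.items():
                i = data.find(sig)
                while i != -1:
                    if i + len(sig) > len(tail):          # not already counted last round
                        hits.setdefault(ext, []).append(base + i)
                    i = data.find(sig, i + 1)
            pos += len(buf)
            tail = data[-keep:] if keep else b""
    return hits

def is_all_zero(path):
    """True if every byte reads back as 0x00 (what a zero pass should leave)."""
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False

def build_sample_image(path, size=2 * CHUNK + 4096):
    """Constructed 'disk': three headers plus a little payload in a sea of zeros,
    the JPEG one deliberately straddling the first 1 MiB read boundary."""
    offsets = {"avi": 4096, "jpg": CHUNK - 2, "mpg": 2 * CHUNK + 100}
    with open(path, "wb") as fh:
        fh.truncate(size)
        for ext, off in offsets.items():
            fh.seek(off)
            fh.write(SIGNATURES[ext] + b"payload")
    return offsets

def demo():
    """Build the image in a temp dir, wipe it (random then zero), report."""
    path = os.path.join(tempfile.mkdtemp(prefix="wipe-"), "disk.img")
    offsets = build_sample_image(path)
    before = residual_signatures(path)
    written = wipe(path, passes=("random", "zero"))
    return {"offsets": offsets, "before": before, "written": written,
            "after": residual_signatures(path), "all_zero": is_all_zero(path)}

if __name__ == "__main__":
    r = demo()
    print("before:", r["before"])
    print("after: ", r["after"], "all zero:", r["all_zero"])
```

The scan is the same header search a carver performs, so an empty result is the check that matters: it tells you foremost would come up empty too. The random pass is deliberately followed by a zero pass here, because random data will occasionally contain a short signature by chance and would make the read-back check noisy on its own.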

creeping death
23rd January 2009, 05:08 PM
OK... thanks :)