Last weekend I spent some good hours testing and digging out a hard disk that, I thought, had crashed. It turned out that Windows XP had some real problems with the disk, but Ubuntu was reading it correctly. Nevertheless I followed some guides on data recovery with Ubuntu and tried it on this disk.
The Windows XP filesystem is NTFS, which uses a table with all information about the files on the disk. If this table gets corrupted, Windows is not able to properly read the files anymore, but the files themselves are mostly still intact. There are some programs that ignore the table and look on the disk itself for the files.
Ubuntu has these programs in its software repository, so I installed the required software with Synaptic, which went easily. I tried Foremost and Scalpel; both read the disk entirely and check for header information. Foremost was originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research; it was later opened to the general public.
A header is the first few bytes of a file, which are unique to that file type. With this knowledge at hand a lot of great things are possible. Foremost and Scalpel have a list of known headers and check each block on the hard disk for these header bytes. When a file is found, it is copied to a specified location and a log entry is written.
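The header scan described above can be sketched in a few lines. This is an added example, not code from Foremost or Scalpel: the signature table, the `carve` function and the sample image are constructed for illustration, and it goes one step beyond the text by also using a footer signature and a size limit to decide where a carved file ends.

```python
# Signature table (illustrative): type -> (header, footer, max carve size in bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}
SECTOR = 512  # assumption: files start on sector boundaries, so only those are tested


def carve(image: bytes, sector: int = SECTOR):
    """Scan a raw image block by block, ignoring any file table.

    Returns a list of (offset, type, data); data is None when a header
    was seen but no footer followed within the size limit.
    """
    found = []
    for offset in range(0, len(image), sector):
        for ftype, (header, footer, max_size) in SIGNATURES.items():
            if not image.startswith(header, offset):
                continue
            end = image.find(footer, offset + len(header), offset + max_size)
            if end == -1:
                found.append((offset, ftype, None))  # truncated or overwritten
            else:
                found.append((offset, ftype, image[offset:end + len(footer)]))
    return found


def build_sample_image():
    """Constructed test data: fake files dropped into an otherwise zeroed 'disk'."""
    jpg = b"\xff\xd8\xff\xe0" + b"holiday-pixels" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"chunk-data" + b"IEND\xaeB`\x82"
    image = bytearray(8 * SECTOR)
    image[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg
    image[5 * SECTOR:5 * SECTOR + len(png)] = png
    image[7 * SECTOR:7 * SECTOR + 3] = b"\xff\xd8\xff"  # header only, no footer
    return bytes(image), jpg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, ftype, data in carve(image):
        status = f"{len(data)} bytes" if data is not None else "no footer found"
        print(f"offset {offset:>6}  {ftype}  {status}")  # the 'log entry'
```

Real JPEGs often embed a thumbnail with its own `FF D9` marker, and fragmented files are not contiguous on disk, which is why carved files sometimes come out truncated or corrupt.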
It turned out that a lot of files were still on this hard disk, but not the ones I was looking for… Panic was creeping in, but then I realized that there was another hard disk, which I believed had died totally a long time ago. When connected it mounted nicely and Ubuntu was showing the disk contents without a problem. There I found the long lost stuff (holiday pictures) and my day was saved. After all I did not need to play forensic detective, but I gathered some nice knowledge for the future.
