[SGVLUG] recommendations on local (Pasadena) data restoration services?

Jeff Keys jskeys at gmail.com
Wed Sep 6 16:11:13 PDT 2006


On 9/5/06, Emerson, Tom <Tom.Emerson at wbconsultant.com> wrote:
> Look back in the lug's archive for the discussion on retrieving photos
> from a "corrupted" memory stick -- there are several "proprietary"
> programs that worked to a degree (and in one case, I think, repackaged
> for several "cases", but all doing the exact same task, i.e., one was
> for recovering "memory sticks", another for "camera memory cards",
> another for "usb memory", and so on -- you get the point...)  The only
> downside (in your case) is that these are targeted to recovering images
> (photos) not necessarily "random data files"
>
> there was also one that was targeted to "forensic discovery", and in
> fact may have been "open source" [perhaps even a source-only
> distribution, can't remember offhand] that worked superbly -- the intended
> use may seem to be different, but the end results are often the same:
> recovery of the data...  Also, since the intent is to "discover"
> (incriminating) evidence, it will look for more file types as well as
> files embedded in other files (naughty pictures embedded in a word
> document, for instance...)
>
> > -----Original Message-----
> > From: sgvlug-bounces at sgvlug.net
> > [mailto:sgvlug-bounces at sgvlug.net] On Behalf Of Bryan Backer
> >
> > As you can tell by the subject line, this is a tale of woe.
> [...]
> > 1) has anybody had luck with any liveCD Linux distributions
> > (or other rescue liveCDs) that include tools to deduce and
> > reconstruct files from the disk (NTFS, I believe) if linux
> > sees read errors on blocks 1 and 2? I've seen mention of
> > tools that could, given time, grind through disks and attempt
> > to locate some portions of the files even if the boot blocks
> > or disk indices or whatever were gone, but those tools won't
> > be standard issue on liveCDs meant for general desktop use.
>
> Use "dd" to copy the data to another device "as a file", then the
> aforementioned "forensic discovery" tool can "grind through" the file
> without regard to things like missing FAT info...  [or similar on an
> ntfs/reiser/ext/flavor-of-the-month file system]
>
I would recommend gnu/ddrescue --
http://www.gnu.org/software/ddrescue/ddrescue.html. It works like dd
-- bit-for-bit copy, but has many additional capabilities for data
rescue. When it hits a bad sector, it will slow down the read rate
drastically, read in the reverse direction, etc. to help recover all
it can. On the first pass, it keeps track of the bad spots so it can
return and try the aforementioned, but first presses forward to read
as much good data as possible before the disk gets any worse. You
don't need to mount the disk when you run ddrescue; save the image to
a .iso file on a separate drive.

I used it earlier this year to rescue the 60Gb drive in my laptop, and
it did a good job recovering two NTFS partitions, a FAT32, and several
ext3s. One caveat: I saved to a USB drive pre-formatted as FAT32, and
let it run overnight. In the morning I discovered the 4Gb file size
limit of FAT32. I created a big ext3 partition and copied the 4Gb
.isos to it and restarted ddrescue. It picked up where it left off and
completed the rescue.

hth,
Jeff
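
The imaging procedure described in the message above, as an added example that is not part of the original post: a two-pass GNU ddrescue run that reuses one mapfile so an interrupted copy resumes where it stopped, with a pre-flight check for the FAT32 file-size limit. The device, image and mapfile paths are placeholders supplied by the caller, and `fits_on_fs` and `rescue` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original message). Requires GNU ddrescue,
# GNU coreutils (stat, sha256sum) and util-linux (blockdev); run as root.

FAT32_MAX=4294967295   # largest single file FAT32 can hold: 4 GiB minus 1 byte

# fits_on_fs FSTYPE BYTES
# Succeeds if one image file of BYTES bytes can be stored on FSTYPE.
fits_on_fs() {
    case "$1" in
        # GNU "stat -f -c %T" reports FAT volumes as "msdos" or "fat";
        # mount tables call them "vfat".
        vfat|msdos|fat|fat32) [ "$2" -le "$FAT32_MAX" ] ;;
        *) return 0 ;;
    esac
}

# rescue SOURCE_DEVICE IMAGE_FILE MAPFILE
# The source is never mounted; the image must live on a different drive.
rescue() {
    src=$1 img=$2 map=$3
    size=$(blockdev --getsize64 "$src") || return 1
    fstype=$(stat -f -c %T "$(dirname "$img")") || return 1
    if ! fits_on_fs "$fstype" "$size"; then
        echo "destination is $fstype: a $size-byte image exceeds the 4 GiB file limit" >&2
        return 1
    fi
    # Pass 1: copy everything that reads cleanly and record bad areas in
    # the mapfile, without scraping them yet (-n), before the disk degrades.
    ddrescue -n "$src" "$img" "$map" || return 1
    # Pass 2: same mapfile, so only unfinished areas are read again, with
    # direct disk access (-d) and up to three retry passes (-r3).
    ddrescue -d -r3 "$src" "$img" "$map" || return 1
    # Hash the finished image so recovery tools can work on verified copies.
    sha256sum "$img" > "$img.sha256"
}

# Stand-alone use: sh rescue.sh SOURCE_DEVICE IMAGE_FILE MAPFILE
if [ "$#" -eq 3 ]; then rescue "$@"; fi
```

Re-running the script with the same three arguments after an interruption continues from the mapfile instead of starting over.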

