http://www.techradar.com/pro/linux December2019 LXF257 45Data recovery IN-DEPTH
Rescue is trying to extract files. The following command
will hunt for PNG files from the /dev/sda1 partition and
store it under the /media/recovery directory:
sudo magicrescue -r png -d /media/recovery/ /dev/
sda1
Running Magic Rescue can take several minutes,
depending on the size of the disk/partition it has to
search and the number of file types it has to hunt. Once
it’s done, the target folder will be full of awkwardly
named files. To bring some order to the mess, you can
use the magicsort tool to arrange the files into folders.hen you lose data due to a hardware failure,
it’s always a good idea to image your disk
instead of subjecting the dying disk to the
rigours of data recovery. Although you don’t need to do
this to recover data you’ve deleted accidentally, it’s still
a good idea. Virtually all recovery tools can work with
disk images just as they do with real disks.
Perhaps the most comprehensive file recovery open-
source tool is PhotoRec. Don’t be misled by its name;
besides the most common image formats, PhotoRec
can also pick out files in various formats including ODT,
PDF, 7ZIP, RPM, DEB and even virtual disks. The tool
works on all sorts of disks, including hard disks and
removable media such as USB disks. In addition to
reading unbootable disks, PhotoRec will also recover
files from partitions that have been formatted and
reinstalled into.
Although PhotoRec is a command-line tool, it breaks
the file recovery process into steps, much like a wizard.
When you launch the tool it first asks you to select the
disk and then point it to the partition that housed the
lost file, and also specify its filesystem. It’ll then ask you
if you want it to search only the free unallocated space
or the entire partition. You’ll also have to point it to a
folder where it should store the recovered files.
Depending on the size of the partition, PhotoRec
can take quite a while to complete. By default it looks
for files of all the formats it supports, but you can limit
the filetypes to recover. Once PhotoRec is done, you’ll
discover gazillions of weirdly named files of all different
formats under one directory. PhotoRec names them as
it finds them, leaving the sorting to you.
Just as with files, it doesn’t take much effort to
corrupt a healthy disk. A wrong keypress in Fdisk or
Gparted can wipe the MBR, or banish a partition into
oblivion. And, just as with files, the situation is
salvageable – more so if you stop using the disk as
soon as you realise your mistake. TestDisk is the best
tool to fix partition tables and put non-bootable disks
back into service again. Using TestDisk is quite similar to
PhotoRec. See the LXF152 tutorial (http://bit.ly/
lxf257recover) for a hands-on with both these utilities.Expecto restorum!
The Magic Rescue command-line tool provides another
approach to recovering corrupted partition tables or
data lost by accidental deletion. However, the tool does
not rely on filesystem allocation tables. Instead, it works
by reading a file’s ‘magic bytes’ or ‘magic pattern’,
which is the unique signature that designates each file
type. This signature is often located within the very first
few bytes of a file.
Magic Rescue uses its collection of recipes to identify
the magic bytes in all deleted files of a particular type
and then transfers the deleted files to a directory for
you to sort them. Magic Rescue is available in official
repositories and upon installation dumps the recipes in
the /usr/share/magicrescue/recipes/ directory.
Before you go hunting for deleted files, first create a
target folder to store the data you unearth. It’s best if
this location isn’t on the filesystem from which MagicIMAGING A DRIVE
Whether or not you are recovering data from a dying disk, it’s much
more convenient to work with raw images of the disk rather than the
physical hardware.
Although we can use the venerable dd command to make the
copy, it won’t always be a good idea. That’s because dd is designed
to quit as soon as it encounters any errors, and wouldn’t be of much
help on a malfunctioning disk. So instead we’ll use GNU ddrescue. It
works like dd and makes block-level copies of a disk. Unlike dd
however, GNU ddrescue skips over the bad blocks and copies the
good blocks first.
It goes without saying to make sure you create the mirror image
on a healthy drive – it could be an external USB drive or an internal
one. Also make sure that while this disk is mounted, the troubled
drive isn’t. Now enter:
sudo ddrescue /dev/sda1 /media/diskImages/sda1.img /media/
diskImages/logfile
This will dump the contents of the sda1 partition from the physical
drive to the sda1.img file on the device mounted at /media/
diskImages. The logfile records all the activity in a log, which is
useful for resuming from where you left off if you need to interrupt
the copy process.
Once you have a good image of the disk, you can ask ddrescue
to re-read portions of the disk it couldn’t read earlier:
sudo ddrescue -r 3 -C /dev/sda1 /media/diskImages/sda1.img /
media/diskImages/logfile
The number of attempts ddrescue should make at reading data
wherever it runs into an error is specified with the -r option. Thanks
to the log file, ddrescue will only try to fill in the gaps and not
attempt to read the good portions again.You can add
custom headers
for detection
to Foremost’s
configuration file
(/etc/foremost.
conf), which
lists the known
format types.W
444Decmbr 2 rDm019Hr09’snoy December2019LXF257 45
Data recovery IN-DEPTH
Rescue is trying to extract files. The following command
will hunt for PNG files from the /dev/sda1 partition and
store it under the /media/recovery directory:
sudo magicrescue -r png -d /media/recovery/ /dev/
sda1
Running Magic Rescue can take several minutes,
depending on the size of the disk/partition it has to
search and the number of file types it has to hunt. Once
it’s done, the target folder will be full of awkwardly
named files. To bring some order to the mess, you can
use the magicsort tool to arrange the files into folders.hen you lose data due to a hardware failure,
it’s always a good idea to image your disk
instead of subjecting the dying disk to the
rigoursofdata recovery. Although you don’t need to do
this to recover data you’ve deleted accidentally, it’s still
a good idea. Virtually all recovery tools can work with
disk images just as they do with real disks.
Perhaps the most comprehensive file recovery open-
source tool is PhotoRec. Don’t be misled by its name;
besides the most common image formats, PhotoRec
can also pick out files in various formats including ODT,
PDF, 7ZIP, RPM, DEB and even virtual disks. The tool
works on all sorts of disks, including hard disks and
removable media such as USB disks. In addition to
reading unbootable disks, PhotoRec will also recover
files from partitions that have been formatted and
reinstalled into.
Although PhotoRec is a command-line tool, it breaks
the file recovery process into steps, much like a wizard.
When you launch the tool it first asks you to select the
disk and then point it to the partition that housed the
lost file, and also specify its filesystem. It’ll then ask you
if you want it to search only the free unallocated space
or the entire partition. You’ll also have to point it to a
folder where it should store the recovered files.
Depending on the size of the partition, PhotoRec
can take quite a while to complete. By default it looks
for files of all the formats it supports, but you can limit
the filetypes to recover. Once PhotoRec is done, you’ll
discover gazillions of weirdly named files of all different
formats under one directory. PhotoRec names them as
it finds them, leaving the sorting to you.
Just as with files, it doesn’t take much effort to
corrupt a healthy disk. A wrong keypress in Fdisk or
Gparted can wipe the MBR, or banish a partition into
oblivion. And, just as with files, the situation is
salvageable – more so if you stop using the disk as
soon as you realise your mistake. TestDisk is the best
tool to fix partition tables and put non-bootable disks
back into service again. Using TestDisk is quite similar to
PhotoRec. See the LXF152 tutorial (http://bit.ly/
lxf257recover) for a hands-on with both these utilities.
Expecto restorum!
The Magic Rescue command-line tool provides another
approach to recovering corrupted partition tables or
data lost by accidental deletion. However, the tool does
not rely on filesystem allocation tables. Instead, it works
by reading a file’s ‘magic bytes’ or ‘magic pattern’,
which is the unique signature that designates each file
type. This signature is often located within the very first
few bytes of a file.
Magic Rescue uses its collection of recipes to identify
the magic bytes in all deleted files of a particular type
and then transfers the deleted files to a directory for
you to sort them. Magic Rescue is available in official
repositories and upon installation dumps the recipes in
the /usr/share/magicrescue/recipes/ directory.
Before you go hunting for deleted files, first create a
target folder to store the data you unearth. It’s best if
this location isn’t on the filesystem from which Magic
IMAGINGA DRIVE
Whetherornotyouarerecoveringdatafromadyingdisk,it’smuch
moreconvenienttoworkwithrawimagesofthediskratherthanthe
physicalhardware.
Althoughwecanusethevenerableddcommandtomakethe
copy,itwon’talwaysbeagoodidea.That’sbecauseddisdesigned
toquitassoonasitencountersanyerrors,andwouldn’tbeofmuch
helponamalfunctioningdisk.Soinsteadwe’lluseGNUddrescue.It
workslikeddandmakesblock-levelcopiesofadisk.Unlikedd
however,GNUddrescueskipsoverthebadblocksandcopiesthe
goodblocksfirst.
Itgoeswithoutsayingtomakesureyoucreatethemirrorimage
onahealthydrive–itcouldbeanexternalUSBdriveoraninternal
one.Alsomakesurethatwhilethisdiskismounted,thetroubled
driveisn’t.Nowenter:
sudoddrescue/dev/sda1/media/diskImages/sda1.img/media/
diskImages/logfile
Thiswilldumpthecontentsofthesda1partitionfromthephysical
drivetothesda1.imgfileonthedevicemountedat/media/
diskImages.The logfilerecordsalltheactivityinalog,whichis
usefulforresumingfromwhereyouleftoffifyouneedtointerrupt
thecopyprocess.
Onceyouhaveagoodimageofthedisk,youcanaskddrescue
tore-readportionsofthediskitcouldn’treadearlier:
sudoddrescue-r3 -C/dev/sda1/media/diskImages/sda1.img/
media/diskImages/logfile
Thenumberofattemptsddrescueshouldmakeatreadingdata
whereveritrunsintoanerrorisspecifiedwiththe -r option.Thanks
tothelogfile,ddrescuewillonlytrytofillinthegapsandnot
attempttoreadthegoodportionsagain.You can add
custom headers
for detection
to Foremost’s
configuration file
(/etc/foremost.
conf), which
lists the known
format types.W