LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   Restore files from "dd" image (http://www.linuxquestions.org/questions/linux-general-1/restore-files-from-dd-image-618939/)

MaaSTaaR 02-05-2008 07:55 PM

Restore files from "dd" image
 
Hello.

My old laptop's hard disk damaged, and I tried to get copy from files stored on the hard disk, so I used dd command "dd if=/dev/hda of=/media/usbdisk/files.img conv=noerror" (Thanks for this page http://www.cgsecurity.org/wiki/Damaged_Hard_Disk).

As you saw, I get image from whole hard disk, not only one partition, That's mean the image contain all partitions and boot sector, now I want get files which store in the image file.

I tried qemu to boot to image, GRUB show for me Error 2, so I can't boot.
I tried mount by use this command

Code:

maastaar@maastaar-laptop:~$ sudo mount /media/disk/files.img /mnt/ -o loop
the output

Code:

[sudo] password for maastaar:
mount: you must specify the filesystem type

again but with -t flag and ext3

Code:

maastaar@maastaar-laptop:~$ sudo mount /media/disk/files.img /mnt/ -o loop -t ext3
the output

Code:

mount: wrong fs type, bad option, bad superblock on /dev/loop0,
      missing codepage or helper program, or other error
      In some cases useful info is found in syslog - try
      dmesg | tail  or so

the output of dmesg | tail

Code:

maastaar@maastaar-laptop:~$ dmesg | tail
[  28.028000] NET: Registered protocol family 17
[  29.588000] NET: Registered protocol family 10
[  29.588000] lo: Disabled Privacy Extensions
[  40.440000] eth0: no IPv6 routers present
[  45.340000] kjournald starting.  Commit interval 5 seconds
[  45.340000] EXT3-fs warning: maximal mount count reached, running e2fsck is recommended
[  45.380000] EXT3 FS on sdb1, internal journal
[  45.380000] EXT3-fs: mounted filesystem with ordered data mode.
[  763.900000] loop: module loaded
[  830.584000] VFS: Can't find ext3 filesystem on dev loop0.

the output of file files.img

Code:

maastaar@maastaar-laptop:/media/disk$ file files.img
files.img: x86 boot sector, LInux i386 boot LOader; partition 2: ID=0xf, starthead 254, startsector 39070080, 39070080 sectors, code offset 0x48

any help please?

theNbomr 02-05-2008 08:04 PM

I don't think this will actually work for an image of an entire drive, but the image file will look like file type iso9660.
The only way that I can think of to recover your files is to 'dd' the image onto a working drive. That should provide a set of mountable partitions. Unless the drive parameters are identical to the original drive, you will waste a lot of space on the new drive. Naturally, anything previously on the new drive will be lost. If you can acquire a drive as a temporary space to do the recovery, you should be in business.
Maybe someone else has a better idea.
--- rod.

cygnus-x1 02-05-2008 10:06 PM

I was in a similar situation and i was told the exact same thing.

sundialsvcs 02-05-2008 10:54 PM

I idly-wonder if you could mount the thing with -o loop ?

syg00 02-05-2008 11:39 PM

... with -t iso9660 ....

theNbomr 02-06-2008 09:48 AM

Quote:

Originally Posted by syg00 (Post 3047477)
... with -t iso9660 ....

Will this work for an image of a full drive, rather than a single partition?
--- rod.

b0uncer 02-06-2008 10:14 AM

No, I don't think it could mount it - you could easily have several partitions there, with possibly different filesystems, so mount could not possibly know what to mount and how. You could maybe mount it if it were an image of a partition, containing one filesystem. But several partitions, including boot sector, is not going to mount. Not sure if you can or how easily you could "chop" the big image into pieces that contained the partitions, and then try to mount them, but I'd say the easiest way you have is to obtain a new drive that has exactly or at least as much space as was on the original one (like said, if the new drive is bigger, you waste the "extra" space as long as you play with that dd image), and dd the image onto that drive. Then you would mount the partitions from that drive (or create new images, whatever), and hope for the best - and when the job was done, repartition/format the drive, to get the whole space in use.

unSpawn 02-06-2008 10:58 AM

As root issue 'fdisk -l /media/disk/files.img'. Note the device name, start and where it says "512 = n bytes". If an ext3 partition is /media/disk/files.img2 starting at 660 with n = 8225280 you could 'losetup -o$[660*8225280] /dev/loop0 /media/disk/files.img' and then 'mount /dev/loop0 -t ext3 /mnt/somemountpoint'.

PTrenholme 02-06-2008 01:23 PM

If fdisk can parse the image file, perhaps all that needs to be done is a chmod so the image is a block device,and then just mount it.

On the other hand, the dd to a new disk should work. When I replaced the 80Gb HD in my laptop with a 120Gb one, I dd the old drive to a file on a USB drive, pulled it, installed the new drive, booted from the USB drive (which had a bootable Fedora on it), and used dd to copy the image to the new drive. The only tricky part was that I needed to "tweak" the partition table so I could use the whole new drive. (I found the gparted could do it, but kparted and qtparted couldn't.)

You might be interested to know that the image was of a dual-boot (XP, Fedora) system, and that both worked after the transfer. Although I did have to fix C:\BOOT.INI on the XP partition because the "old" partition table entered the partitions in a non-standard order, and the "fixed" partition table corrected the ordering.)

unSpawn 02-06-2008 05:56 PM

Quote:

Originally Posted by PTrenholme (Post 3048165)
perhaps all that needs to be done is a chmod so the image is a block device

So how do you chmod a file so it magically becomes a block device?

PTrenholme 02-06-2008 06:57 PM

Quote:

Originally Posted by unSpawn (Post 3048411)
So how do you chmod a file so it magically becomes a block device?

No idea (that's why I said "perhaps"), although the existence of the -o loop= option to the mount command seems to suggest that it should be possible to access he image as a device.

Perhaps a fuse program might be written. (Note, please, the "perhaps.")

unSpawn 02-06-2008 07:20 PM

Quote:

Originally Posted by PTrenholme (Post 3048447)
Perhaps a fuse program might be written.

If one already exists that's cool, but there's no need. In post #8 I explained how to use fdisk, losetup and mount to access a partition residing in a full "dd" style disk image.

Halgeir 02-06-2008 07:47 PM

Can this help you? And a question.
 
>mount: wrong fs type, bad option, bad superblock on /dev/loop0,
> missing codepage or helper program, or other error
> In some cases useful info is found in syslog - try
> dmesg | tail or so
>[/code]

Hi! I did experiment with the "dd" command today. Experienced the same situation when I tried mount the image. Found a lot of information on this page which solved the whole issue: http://edseek.com/~jasonb/articles/linux_loopback.html.

Later I did a dd of the usb partition (/dev/sdb1) not the device (/dev/sdb). Then I could mount the image directly without specifying a offset value.

Hmm... Do anyone know of a GUI program for linux which it's possible to browse and copy from a RAW DD image (both from a single partition and a whole disk).

:)-|algeir

muchristian 07-18-2009 10:01 AM

Quote:

Originally Posted by unSpawn (Post 3048024)
As root issue 'fdisk -l /media/disk/files.img'. Note the device name, start and where it says "512 = n bytes". If an ext3 partition is /media/disk/files.img2 starting at 660 with n = 8225280 you could 'losetup -o$[660*8225280] /dev/loop0 /media/disk/files.img' and then 'mount /dev/loop0 -t ext3 /mnt/somemountpoint'.

I think this will sort of work for me. Actually this gets me part of the way for some other projects I am working on. I do have a question though. I use DD and DCFLDD a lot in my line of work and the one thing that I have to do is split the image files up into chunks of 640MB to 2048MB in order for these images to sit on some of the file systems used by people on my team. That being said is there a way for me to mount this dd images using unSpawn's idea but somehow using 'cat'(or whatever) to create a logical single image file? the files will be like this, DD_sda.OOO DD_sda.001 DD_sda.002 etc. until I manage to get the whole drive imaged. I know how to cat the images back together to get one actual file, but not many file systems like 80gb to 200gb single files.

I think I can do fdisk -l /media/storage/DD_sda.000 on the first file to get the information I need for mounting since that first image file contains the partition table. It seams to me that I would have to create some sort of virtual device or file that represents all of the image files as one device/file, then mount the partition using losetup and loop.

unSpawn 07-18-2009 10:34 AM

// Please avoid necroposting, e.g, the practice of responding to a thread that died out long ago.

Maybe have a look at TSK / PyFLAG / PTK (as in TSK). TSK has some image management tools (mmls) that might come in handy (see the docs or read sleuthkit.org/informer/ articles) wrt partitions, PyFLAG (advanced IO) can handle chunked EWF (.E01, .E02, et cetera) you can write with either 'linen' or convert with the EWF tools (IIRC) (or FTK Imager) but I don't know TSK/PyFLAG handles mounting split DD images. If you dig that then that kinda answers me thinking about what your
Quote:

Originally Posted by muchristian (Post 3611760)
line of work

could be...


All times are GMT -5. The time now is 12:42 AM.