LinuxQuestions.org
Old 12-10-2008, 09:22 AM   #1
kelly1369 (LQ Newbie)

File recovery utility

What I'm looking for is an educated opinion on what options there are for windows file recovery from a Linux boot medium. I have a friend of a friend who has a laptop that had files deleted from it by a supposed "Windows Guru" (divorce is an ugly thing). An initial attempt by another Guru failed to recover but a few files. I am on a short list to have my go at it and was wondering if anyone had any particular success with one tool or another. I plan to try and do my recovery attempts with one of the various rescue CDs or with Helix. I'd appreciate anyone's opinion on a tool they've had success with.
 
Old 12-10-2008, 09:28 AM   #2
H_TeXMeX_H (LQ Guru)

Testdisk and foremost are the best programs to use.
http://www.cgsecurity.org/wiki/TestDisk
http://foremost.sourceforge.net/

Oh, and welcome to LQ.
 
Old 12-10-2008, 10:35 AM   #3
thorkelljarl (Senior Member)

More

If you posted more details you would get a better evaluation of the actual case. If the files are on a hard disk the information should be there, provided that nothing has been written to the drive. Hope exists as long as the drive isn't used and the data overwritten.

This seems like a powerful, standing argument for backup.
 
Old 12-10-2008, 11:11 AM   #4
unSpawn (Moderator)

Quote:
Originally Posted by thorkelljarl
If the files are on a harddisk the information should be there providing that nothing has been written to the drive. Hope exists as long as the drive isn't used and the data overwritten.
You're absolutely right. One can easily name tools (photorec and foremost being the most often recommended OSS header/footer carvers) but events (read/writes, files deleted how?) leading up to the current (one person inspected the drive how?) situation may change expectancy because no tool can compensate for people forgetting SOP (that starts with acquiring and working on a 'dd'-like copy of the disk, not the disk itself).


Quote:
Originally Posted by H_TeXMeX_H
Testdisk and foremost are the best programs to use.
Just curious: best as in or compared to what?

 
Old 12-10-2008, 11:21 AM   #5
kelly1369 (LQ Newbie, original poster)

I wish I had more info myself. There seems to be a lawyer involved and the lawyer has the laptop. I've asked the guy who is trying to get the data back if there are any requirements for chain of custody or rules of evidence that have to be applied and he isn't sure. All I received for info is that someone deleted data, someone tried to recover it and decided whoever deleted it knew what they were doing, and there is some box within a box in the center of the screen when it boots up. I'm treating it like a normal recovery for the average windows sufferer. I don't know if the files are for leverage in a divorce or a simple desire to get things back. I'm thinking the latter. I'm not sure if the partitions have been messed with or if they've been formatted. I suspect that I'll be able to recreate the partitions and then may have the task of trying to recapture some dead files. I'll check out the programs you suggested and am still open for more suggestions.
 
Old 12-10-2008, 11:31 AM   #6
H_TeXMeX_H (LQ Guru)

Quote:
Originally Posted by unSpawn
Just curious: best as in or compared to what?
Well, perhaps I should have said good, but it can also be taken to mean as best-known.

It's a good point though that you should try not to let that partition get changed in the process of recovering the data. So, make sure to save files it recovers to either another partition or another HDD. You can also make an image using 'dd', but you'd have to have enough space to store the whole size of the partition, usually too large to consider.
 
Old 12-10-2008, 11:55 AM   #7
kelly1369 (LQ Newbie, original poster)

I planned on making a forensic grab through a netcat listener with another machine or working from ramdisk with a boot disk. Helix has foremost and fatback and one should show results. Many of the boot CDs have testdisk on them. I have a handful of DOS tools to fall back on if need be. I had forgotten about foremost. At this point all of the volatile data is gone and memory will hold little to no clues. I have no idea on the size of the drive and I know of no plans or requirements for doing a bit copy of the drive. I've often had to rescue systems that had a broken FAT or were accidentally deleted or repartitioned. This particular instance looks to have been more purposeful and perhaps even skillfully done. The IT department where the laptop owner works did the initial investigation and recovery attempt. If the guy's IT department got a crack at the laptop, evidence collection requirements are probably moot. My impression is that the files were wiped with a file shredder or the partitions were reformatted. I'm supposed to find out today what the lawyer says.
 
Old 12-10-2008, 12:30 PM   #8
thorkelljarl (Senior Member)

Oh Dear, if it's Lawyers

My first thought would be to use an external program to clone the drive to another drive while in the presence of someone who could, if necessary, say with authority that you did nothing more. I assume that cloning would not alter the original drive, leaving you to work with the clone while the lawyers keep track of the original.

Shredded is shredded; make sure it isn't you.
 
Old 12-10-2008, 01:21 PM   #9
H_TeXMeX_H (LQ Guru)

Quote:
Originally Posted by kelly1369
My impression is that the files were wiped with a file shredder or the partitions were reformatted. I'm supposed to find out today what the lawyer says.
If they were shredded, then the chances of recovery are low, but if the partition was formatted, then the chances are high. The recovery tools don't care about partition, they can recover data based only on file headers.
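The point H_TeXMeX_H makes above, that carvers work from file headers and ignore the partition layout, and unSpawn's earlier mention of photorec and foremost as header/footer carvers, as an added Python example. This is not code from the thread or from either tool; the two signatures, the fake disk image (boot sector, filler, an intact PNG and JPEG with no directory entry pointing at them, a JPEG whose tail was overwritten, and a zero-filled "shredded" region) and the file layout are all constructed here for the demonstration.

```python
"""Header/footer file carving, the technique behind foremost and photorec.

Added example, not code from the thread or from either tool. A carver never
looks at the partition table or filesystem metadata: it walks the raw bytes
looking for known magic values and cuts out what lies between a header and
its matching footer. That is why a reformatted partition still yields files
while a file whose blocks were overwritten yields nothing.
"""
import hashlib
import os
import random
import struct
import zlib

# (header, footer, maximum carve length). Real carvers carry dozens of these,
# and for JPEG a naive FF D9 footer can stop early on an embedded thumbnail;
# that is an accepted limitation of this minimal version.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
}


def carve(image):
    """Return [(offset, length, type, sha256)] for every header/footer pair found."""
    found = []
    for ftype, (header, footer, max_len) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            limit = min(len(image), start + max_len)
            end = image.find(footer, start + len(header), limit)
            if end == -1:
                # Header with no footer in range: truncated or overwritten file.
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            data = image[start:end]
            found.append((start, end - start, ftype, hashlib.sha256(data).hexdigest()))
            start = image.find(header, end)
    return sorted(found)


def carve_to_dir(image, out_dir):
    """Write carved objects to out_dir (never back onto the evidence) and return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, length, ftype, _ in carve(image):
        path = os.path.join(out_dir, f"{offset:012d}.{ftype}")
        with open(path, "wb") as f:
            f.write(image[offset:offset + length])
        paths.append(path)
    return paths


def _png_chunk(ctype, data):
    # PNG chunk: big-endian length, type, data, CRC32 over type+data.
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_image(seed=1):
    """Construct a fake raw disk (assumption: nothing here comes from a real drive)."""
    rng = random.Random(seed)

    def slack(n):
        # Lowercase filler cannot collide with any signature above.
        return bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(n))

    png = (b"\x89PNG\r\n\x1a\n"
           + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
           + _png_chunk(b"IDAT", b"\x00\x00")
           + _png_chunk(b"IEND", b""))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + slack(300) + b"\xff\xd9"
    boot_sector = b"\x00" * 510 + b"\x55\xaa"          # MBR-style signature only
    parts = [boot_sector, slack(1024), png, slack(2048), jpg, slack(256),
             b"\xff\xd8\xff\xe0" + b"x" * 100,          # header only, tail overwritten
             b"\x00" * 512]                             # shredded (zero-filled) region
    return {
        "image": b"".join(parts),
        "png": png, "png_offset": len(boot_sector) + 1024,
        "jpg": jpg, "jpg_offset": len(boot_sector) + 1024 + len(png) + 2048,
    }
```

Running carve() over the sample finds exactly the intact PNG and JPEG; the header-only JPEG and the zeroed region yield nothing, which is the "shredded is shredded" case in the thread. On a real image carve_to_dir() must point at a separate disk, never the one being examined.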
 
Old 12-10-2008, 02:02 PM   #10
unSpawn (Moderator)

Quote:
Originally Posted by H_TeXMeX_H
Well, perhaps I should have said good, but it can also be taken to mean as best-known.
Fair enough. I was just wondering if "best" was the verdict of you comparing file carver results.


Quote:
Originally Posted by kelly1369
I planned on making a forensic grab through a netcat listener
Whatever you think will be fastest. If it's a more or less recent and regular laptop it'll have between say 80GB and 320GB. Personally I'd hook up some Firewire or USB2 slave drive then use 'linen' from the HELIX CD because it can compress, checksum and chunk the image (and with libewf you can access or export from E01s easily). If it fails due to sector errors you'll still have dcfldd, ddrescue et cetera. Before you boot up you should inspect the machine, examine each slot (eject contents), check for anything "weird" or scratch marks. Remove the battery, attach the power adapter then boot up. It helps to know the default keys to access the BIOS (ESC, DEL, F2, etc) and if it boots to disk you can cut the power immediately. Take pictures of each BIOS screen, especially the time settings, device configuration, disk specs and passwords. After that force it to boot only from CDROM or DVD (cutting the power as it tries to boot the HD). But before you do (to avoid making assumptions or errors) ...


Quote:
Originally Posted by kelly1369
I'm supposed to find out today what the lawyer says.
...it indeed would be good to get outlined by an authoritative person what you're supposed to do and who takes responsibility for whatever it is you'll be doing.
 
Old 12-10-2008, 02:05 PM   #11
kelly1369 (LQ Newbie, original poster)

After talking some more with the computer owner, I find that they do not own the computer as it is the assumed property of the to-be-ex-wife. They have the computer for a short period of time. It is no longer a laptop but a tower (no amenities such as monitor or keyboard). That being said, I'll probably have to clone the drive with dd. I agree that if a quality shredder has been used, it is pretty dismal for the recovery process. I personally am hoping it was a formatting attempt or simple deletion. The target information seems to be emails, address book, pictures, and temporary Internet files. I'm fairly well versed in forensic analysis of live systems, now I just have to play with a dead one. I talked with the lawyer and it appears that I need only make one copy and it is agreed that what we find on the copy will not be refuted. I'll probably do a hash of the original to verify if the original no longer matches the copy and its original state. I'm told I'm putting a couple of FBI guys out of work. Makes it worth my while.
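The acquisition unSpawn outlines (a chunked, checksummed image, with dd-style tools as the fallback) and the check kelly1369 plans just above (re-hash the original later to show whether it still matches the copy), as one added Python example. This is not code from the thread or from linen, dcfldd or ddrescue; the fake drive, the 16 KiB chunk size and the temporary-directory paths are assumptions made for the demonstration, and the one-byte change at the end stands in for someone booting the original after imaging.

```python
"""Chunked, checksummed acquisition of a disk image, and later verification.

Added example, not code from the thread or from linen/dcfldd/ddrescue. It
models what those tools provide: copy the source in fixed-size pieces, record
a SHA-256 per piece and for the whole stream in a manifest, then re-check the
pieces, and re-hash the original, whenever someone has to show that neither
has changed. On a real job src_path would be the block device behind a write
blocker and out_dir a separate, larger disk, never the evidence drive.
"""
import hashlib
import json
import os
import random
import tempfile


def sha256_file(path, block=1024 * 1024):
    """Stream-hash a file so a whole drive image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for data in iter(lambda: f.read(block), b""):
            h.update(data)
    return h.hexdigest()


def acquire(src_path, out_dir, chunk_size):
    """Copy src_path into out_dir as image.NNNN pieces and write manifest.json."""
    os.makedirs(out_dir, exist_ok=True)
    whole, chunks = hashlib.sha256(), []
    with open(src_path, "rb") as src:
        for index, data in enumerate(iter(lambda: src.read(chunk_size), b"")):
            name = f"image.{index:04d}"
            with open(os.path.join(out_dir, name), "wb") as out:
                out.write(data)
            chunks.append({"file": name, "size": len(data),
                           "sha256": hashlib.sha256(data).hexdigest()})
            whole.update(data)
    manifest = {"source": os.path.abspath(src_path), "chunk_size": chunk_size,
                "bytes": sum(c["size"] for c in chunks),
                "sha256": whole.hexdigest(), "chunks": chunks}
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_pieces(out_dir, manifest):
    """True if every piece on disk still hashes to what the manifest recorded."""
    return all(sha256_file(os.path.join(out_dir, c["file"])) == c["sha256"]
               for c in manifest["chunks"])


def verify_source(src_path, manifest):
    """Re-hash the original and compare with the hash taken at acquisition time."""
    return sha256_file(src_path) == manifest["sha256"]


def reassemble(out_dir, manifest, dst_path):
    """Join the pieces into one flat image; True if the whole-image hash matches."""
    with open(dst_path, "wb") as dst:
        for c in manifest["chunks"]:
            with open(os.path.join(out_dir, c["file"]), "rb") as f:
                dst.write(f.read())
    return sha256_file(dst_path) == manifest["sha256"]


def run_demo(drive_bytes=4 * 16384 + 100, chunk_size=16384, seed=7):
    """Build a fake drive (constructed data), image it, verify, then alter one byte."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        drive = os.path.join(root, "sda.bin")          # stands in for /dev/sdX
        rng = random.Random(seed)
        with open(drive, "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(drive_bytes)))
        out = os.path.join(root, "image")
        manifest = acquire(drive, out, chunk_size)
        results["pieces"] = len(manifest["chunks"])
        results["last_piece_size"] = manifest["chunks"][-1]["size"]
        results["pieces_ok"] = verify_pieces(out, manifest)
        results["source_ok_before"] = verify_source(drive, manifest)
        results["reassembled_ok"] = reassemble(out, manifest, os.path.join(root, "sda.dd"))
        # Someone "just booted it once": a single byte of the original changes.
        with open(drive, "r+b") as f:
            f.seek(12345)
            b = f.read(1)
            f.seek(12345)
            f.write(bytes([b[0] ^ 0x01]))
        results["source_ok_after"] = verify_source(drive, manifest)
        results["pieces_still_ok"] = verify_pieces(out, manifest)
    return results
```

The manifest is the record to hand over with the copy: it pins down the source, the size, every piece and the whole-image hash at acquisition time. After the one-byte change the original no longer verifies while the pieces still do, which is exactly the situation the thread expects once the machine goes back to its owner and is used again.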
 
Old 12-10-2008, 02:10 PM   #12
unSpawn (Moderator)

One more note: while making assumptions based on what was learned and experienced is automagical, when performing forensic(-like) tasks there should be no place for assumptions, hearsay, impressions or whatever else. Rely only on facts, record only factual information. At least that's what I learnt to do when performing forensics.
 
Old 12-10-2008, 02:25 PM   #13
kelly1369 (LQ Newbie, original poster)

I haven't tried Linen. Sounds like good advice. The drive is rumored to be 200GB. I'll be inspecting the computer tomorrow and identifying, for myself, the actual drive dimensions and type. Once I have a drive to duplicate, I'll take custody of the drive. Full chain of custody seems to be in effect although I'm told once I make the copy of the original, the computer with original will be returned to the wife and she will begin using it normally again. It pretty much requires that the copy be maintained in original format and that I make two copies or that once the copy is made, there will be no write blocker requirements in effect. I'll make the lawyer choose that route. When I make the copy I'm going the external route and passing off the requirements of drive purchasing to the requester. He is saving $2K through the buddy system and can afford a hard drive. The sad thing here is that whatever I find won't change anything. The guy might find some closure or just find more pain. It isn't a criminal proceeding so whatever is found is just leverage for what I believe to be is child custody. It takes a lot to pry custody away from the mother.
 
Old 12-10-2008, 02:38 PM   #14
kelly1369 (LQ Newbie, original poster)

My job is to report what I found and not what I think I found or to speculate on what the meaning is of what I found. I would like the lawyer to determine the judge's feelings about computer evidence before I go down this road. Many a judge looks at computer files as hearsay and a lot never sees the court room. There may be a challenge on the reliability of the evidence as to the time frame and unknown persons that may have had contact with the system. Hopefully the judge will conclude that the data reflects that of the computer, declare it as original evidence and not secondary evidence or hearsay. There is plenty of room for a technicality to railroad the evidence getting presented in the court case. At the end of the day they are still getting divorced so a judge may look at it as immaterial.
 
Old 12-11-2008, 04:00 PM   #15
jschiwal (LQ Guru)

Pen testers will use a special IDE cable, connecting it from their computer to the hard drive being examined. This cable will not allow any writes. They will then clone the entire drive and only work with the image. I don't know if a similar cable exists for sata disks. You might try investigating on the net. Maybe a jumper combination will disable writing to the drive.

I read of one case where someone forgot to seal the signed (or stamped) manila envelopes and the drives fell out, ruining the value of the drives as evidence in court.

 
  

