I want to recover files from a formatted HDD using a linux Dist.
 

Sorry! I am really lost at this point trying to use Linux. I am trying to recover some files from a HDD that was accidentally formatted.The machine is using windows XP. I have the XP recovery cd ( XP is already installed from the cd and that is why the data was lost.) I read somewhere that it is possible to use a Linux boot disk to recover some files. Can anybody tell me what Linux Distribution, and how to do it? I would like to be able to save whatever files I can salvage to a CD or several floppies. They are mostly .doc and ppt.(power point). I tried to use the feisty faun on my win. 2k machine, but the boot disk would not load completely or maybe I just did not know what to do once it was loaded. It got the "desktop" up but it would not do anything. That is another issue I can address later but I really need help with the recovery issue. I downloaded several file recovery utilities but since I only have one HDD in the xp machine I want to find a way to save what I can find to removable media since you cannot save to the same disk you recover from. Any help anybody can give me will be greatly appreciated. I saw several questions about file recovery but they still did not answer my questions.

You could try using a bootable Knoppix distro called Penguin Sleuth. Check it out here: http://penguinsleuth.org/index.php?o...tpage&Itemid=1

Reply to post
 

Thank you for the reply. I am still very confused. You see when I labeled myself "newbie" that is literal. I Down loaded the penguinsleuth iso and now I need someone to tell me how to use it to recover the files I said I want to try and recover.I burned the .iso to CD and am ready to start trying, just need some guidance. Those other links included in the answer I got were foreign to me. ( What i mean is I don't know what to do with them ) can you enlighten me. I really appreciate your help but I really need super basic help to understand this stuff. I am motivated since I have wanted to learn to use Linux for a long time.

Hi,

First, are you still using the boxen with the drive that you wish to recover the files from? If so then you most likely won't be able to recover the desired files. Mostly because of the writes that you are performing on the active partition that you are working from. If the files are on another drive or partition that has not been touched then you could possibly recover some files.

TRK (Trinity Rescue Kit) 'Aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.' TRK is a LiveCD that can be used to do the desired operation.

This link and others are referenced in 'Slackware-Links' formerly 'Slackware LQ Suggestions Links!' for other good online reference.

I'd use HELIX as it includes 'foremost' (I'll spare you the technical details). The "save to floppy" thing won't work. You really need to add a HD or use a (USB or Firewire) removable one to save data to. "Saving" to floppy or CDR won't do. The HD or partition size depends on how much data will be carved (can't influence that), if you have no idea you could try half the size of the 'victim' drive or the size of the partition. Undeniably the best practice would be to use 'dd' to make a copy of the HD and work on that to fixate the state of things, however that'll cost time and space.

How to work 'foremost? Boot up HELIX (don't need GUI mode). List your partitions with 'fdisk -l'. If you added a drive format it first. Now mount the partition you write to and make a dir "output". Notice you don't need to mount the "victim" drive. Run 'foremost -d -i /dev/victimpartitionordrive -v -o /destinationmountpoint/output 2>&1 | tee /destinationmountpoint/foremost.log'. This takes time depending on size of the drive and condition of files. Note formatting a drive for installing XP removes and lays down a new filesystem structure, it doesn't erase files. What effectively erases (parts of) files is copying something over it like installing does. Needless to say there is no guarantee for recovering everything.

Thank You!
Onebuck I am not using that machine at all. I am using this forum with my windows 2000 machine. I am wondering if the download of TRK includes instructions. I am trying the suggestions posted here in the order that they are posted. Have downloaded TRK and will burn it to disk and try to see what I can do. Bet I am going to have questions. I am hoping this experience is going to make me understand how to use Linux. Looks like this Linux thing is going to be a major undertaking for me.

No. If you read the TRK site it specifically says there's no docs on the CDR, only the tools contain terste help (usually "--help" or "-h").


Well, good luck then. You're in for a ride since the other posters conveniently "forgot" to add detailed instructions.


If you start by lowering your expectations, taking your time to prep (read docs, test, read some more) and work methodically this experience will show you that GNU/Linux is more versatile than ClippyOS. If you dive in head first, hoping to recover *everything* and w/o reading anything and all from a "safe" point-and-click environment without knowledge of the gory details, this experience will show you that frustration is an universal thing, so choose wisely ;-p

Hi,

Unspawn, I agree with your point of view but may I add that a lot of M$ Windows users come with the hold my hand attitude. This mood/attitude is indoctrinated by M$ much as a lot of religions do it. I just finished reading a good article; (Linux is Not Windows).

I think all users of an OS, be it M$, Linux or whatever should read this enlightening article. The authors point(s) are open and very well presented.

We all need to expand our response, myself included. We all seem to make some assumptions that a user does read some material relative to the problem at hand. But! That is not always so, most users just want a quick and spoon fed solution to their problem. The M$ mindset sets that user to expect a valid response from the responder. We as volunteers do try to present the solutions holistically but sometimes fail to explicitly define that solution because of the before mentioned assumption(s).

I do like your 'ClippyOS' example. So true!

(Apologies to the OP for entering OT territory) this unfortunately is not exclusively a "Windows users" thing but an general attitude problem. An example from the GNU/Linux camp: there is a certain distribution, whose users claim it's not a newbie distro and not for everyone. They also claim using that particular distro to learn "Linux the Linux way" and they pride themselves on rather die() or RTFM for ages than ask a question (the last thing not being distro-specific but commendable anyway). Yet a large portion of those users is seen at LQ asking questions that could be solved by simply reading the docs (or a quick search of LQ if you want to cheat ;-p).

The culture thing from the article you referred to in practice: when ClippyOS users come along and ask for detailed instructions you bet they haven't (yet) got the "read first, then try and *then* ask" thing right, but we can be friendly and point out to them that thats the standard procedure. Now a user of aforementioned distro comes along, with a true cornucopia of information at his/her fingertips, the ability to test, deinstall and reinstall software w/o skipping a beat and repeatedly asks for detailed steps, *then* I see a "hold my hand" attitude problem.


...now to get back on track: I've been using the whole Sleuth / Autopsy pyFLAG thing (and EnCase, FTK, X-Ways and whatnot) and I wouldn't recommend Sleuthkit to a desperate novice user. I'd really appreciate it if you could tell me (or provide pointers to) the steps for recovery using TRK if it isn't too much work. Thanks in advance!