Data Recovery Tool

PhuckFonix · 05-29-2004, 08:20 PM

I'm running Mandrake 10.0 Official. I want to extract as much data as possible from an empty part of hdb. the first 4 gb are a linux partition but the other ~16GB is partitionable space that has data in those areas. The data was on a fat32 partition and possibly but not certainly also NTFS partition. The partition space has not been written over so I trust that it is recoverable. Only thing that was modified was the partition table which turned that/(those) one (or two) partition(s) into free space.

PhuckFonix · 05-30-2004, 01:14 PM

If there is any confusion ask me what to clear up.

unSpawn · 05-31-2004, 08:19 AM

The partition space has not been written over so I trust that it is recoverable.
Whatever you do, please first make a backup of the whole disk (something like dd if=/dev/hdX bs=1 of=/dev/ANOTHERPHYSICALDISK/FILE). Next please see the LQ FAQ: Security references, post 5 on forensics and recovery.

The data was on a fat32 partition and possibly but not certainly also NTFS partition.
For FAT32 try "fatback" (on the FIRE CDR). For NTFS recovery you'll have to resort to (harder to use for a newbie) tools like TCT, Autopsy, TASK and the like. They're ready to use on some Linux forensics CD distro's like FIRE, PSK, which come with NTFS support too. ALWAYS backup first, and ALWAYS mount disks readonly.

Only thing that was modified was the partition table which turned that/(those) one (or two) partition(s) into free space.
Try "Gpart" and "Testdisk".

PhuckFonix · 06-06-2004, 05:14 PM

I did an Analyzed and Write and recovered a 5.5GB fat partition on hdb(hdb5) with Testdisk. Then, I tried to "undelete" files from it. For that I used the tool fatback, but it's insufficient. The file names are read only 26 characters. So, when I "cp example over twenty six characters.dat /mnt/lin2" I will only get "example over twenty six char" in /mnt/lin2. That leaves me guessing the extension and the file name. Is there way to solve this problem? If there is a solution to this, I'd also like to cpchain entire file names because I have A LOT of files when I ls a directory.

unSpawn · 06-07-2004, 01:33 AM

For that I used the tool fatback, but it's insufficient.
Sorry to hear that. Please help the authors and email 'em everything you think will make a better product...

That leaves me guessing the extension and the file name. Is there way to solve this problem?
The answer probably is no, because the FAT, the mapping between "node" and contents is gone. You could try recovering the FAT, Google for "recover from CIH" or alike. Nothing can go wrong, because you made backups before doing anything else. Right.

PhuckFonix · 06-07-2004, 06:24 PM

As I understand it, extensions are merely part of the name, which has been cut off because it's ".extension" location is in the string at a location >26. I think that all goes back to the program which I will e-mail the author about.

I never had any backup ruitines on Windows and I certainly know not any on Linux. I don't have HD space to back up into, I have about almost 20gigs over personal files spread about two disks(20GB each). Those are the only things I think are important to back up. I have system install disks after all, right? What is a partition image making tool simliar to something like Norton Ghost except free beer for Linux? What types of media should I back up to? I think what I've seen people use things that look like cassette tapes except a little bigger. I'm not a big spender.

CIH is a win95 virus?
These are the results of my excursion:

Code:

fatback /dev/hdb5
No audit log specified, using "./fatback.log"
Parsing file system.
\ (Done)
fatback> ls
Sun May 10 22:39:22 2004          0 MYDOCU~1/     My Documents
Sun May 10 22:39:22 2004          0 SYSTEM~1/     System Volume Information
Sun May 10 15:43:18 2004          0 COPY/         copy
Sun May 10 23:18:36 2004          0 ?FX10B.TMP
Sun May 10 23:19:24 2004          0 ?FX170.TMP
Sun May 10 23:20:50 2004          0 ?FX17D.TMP
Sun May 10 23:22:08 2004          0 ?FX184.TMP
Sun May 10 23:24:10 2004          0 ?FX1AA.TMP
Sun May 10 23:25:28 2004          0 ?FX1B1.TMP
Sun May 10 23:26:52 2004          0 ?FX1B8.TMP
Sun May 10 23:35:28 2004          0 ?FX1D9.TMP

Since the file name on the far right column is complete, the entire name is recovered by typing cp MYDOCU~/ /mnt/lin2
I found this for long file name:

Quote:

Fatback is a forensic tool for undeleting files from Microsoft FAT
file systems. Fatback is different from other undelete tools in that
it does the following:
* Runs under UNIX environments (only Linux and FreeBSD tested so far)

* Can undelete files automatically

* Supports Long File Names

* Supports FAT12, FAT16, and FAT32

* Powerful interactive mode

* Recursively undeletes deleted directories

* Recovers lost cluster chains

* Works with single partitions or whole disks

[...]

FILE NAME
MS DOS names files in two parts, the file name, and the extension.
The accepted convention is to separate these fields with the "."
character, however in a directory entry, there is no such
character. One must note that in a directory entry, the extension
field immediately follows the file name field. For example, if
you created a file named `MYREPORT.DOC', it would look like
`MYREPORTDOC' in the raw directory.

[...]

Long File Names
---------------

Long file names are "UNICODE"(1) names that can be up to 819
characters per name. To achieve this, the names are split up into 32
byte fragments that fit into directory entries, and placed in the
directory in reverse order with the associated file entry immediately
following.

Long file name fragments can be identified by the attributes field,
which will have the Read-Only, Hidden, System, and Volume flags set.

---------- Footnotes ----------

(1) UNICODE is a text encoding system using multiple bytes of data
to represent each character to provide a larger character set than the
255 character ASCII set. UNICODE is often used for languages other
than English.