LinuxQuestions.org
Old 10-16-2009, 10:57 PM   #1
jarnos
LQ Newbie
 
Registered: Oct 2009
Posts: 7

Rep: Reputation: 0
Photorec seg fault and other data recovery questions


Background details (skip down for questions):

I'm working on retrieving data from a 60GB NTFS drive from an old Windows 2000 system. After a reboot, the drive wouldn't open in Windows and it started a click of death sound. The S.M.A.R.T. check failed, so I tried to open the drive with a Knoppix Live CD, but it wouldn't open and it locked up Knoppix.

So, I turned to SystemRescueCd Live CD which I've been using for all my efforts so far. I used GNU ddrescue (one quick pass and a second pass with 3 retries for the problem areas) to copy the drive to a new hard drive. Then I used dd to copy that copy to a second new drive to work on.

Using UBCD4Win, I ran chkdsk /r on the second copy. The result was a fairly complete set of directories and file listings, but many of the files are simply empty files filled with zeros. The empty files have the correct names, extensions, file sizes and are in the correct folders, but they are basically useless.

So, I went back to SystemRescueCd and read-only mounted the original first ddrescue copy and I'm running Photorec now, hoping to recover some files that were zeroed out and lost by chkdsk (on the second copy).

Aside from the defaults, I used Photorec options: Whole Partition, Bruteforce enabled and Keep Corrupted files.

After a number of hours and about halfway through the Bruteforce process, Photorec quit with the following error:

Code:
zsh segmentation fault
So, now I've restarted Photorec and selected yes when it asked to resume the previous session. I thought it might help avoid the segmentation error if I selected the Photorec option, Low Memory: Yes, but I didn't see any way to change that option when resuming the previous session. (I'm running on a Core2Duo with 4GB RAM.)

Questions:

(?) Is it possible to change Photorec options on an in-progress job to enable the Low Memory setting? Can I stop the job and edit a file somewhere to enable the Low Memory option before resuming again? Will the Low Memory option help avoid the segmentation fault error? Or is there a better way to prevent a segmentation fault error?

(?) Is Photorec the best choice for recovering files that were lost or zeroed out after chkdsk? This drive had all sorts of files, including html, text, doc, php, js, video, music, photos, zip, exe, etc. I also looked at Foremost, but it seemed to have a very limited selection of default file types. Is there a configuration file available for Foremost that would allow it to recover the same list of file types as Photorec?

(?) Are there any other options that might recover more or different files from a corrupted file system? I've seen mention of Scalpel and Magic Rescue among others.

(?) I'm also considering Windows options like Recuva, Diskdigger, Restoration and others. Are those likely to recover any more files than Photorec?

(?) Also, what is the quickest way to make an .img image file of the original ddrescue hard disk? dd took quite a while to clone the drive (longer than the ddrescue process). I tried to make an image with ntfsclone --rescue --ignore-fs-check (due to a failed check), but it didn't work on the corrupted image file.

Any advice is appreciated.
 
Old 10-17-2009, 12:13 AM   #2
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129
Stellar Phoenix is a proprietary software, but it does a good job when it comes to file recovery.
 
Old 10-17-2009, 05:41 AM   #3
jarnos
LQ Newbie
 
Registered: Oct 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for the suggestion.


To update my original post, my Resumed PhotoRec session just quit with the same Segmentation Fault error at exactly the same spot again (same number of sectors remaining).

If no one has any suggestions on how to change the option to Low Memory: Yes on a resumed session, I suppose my next step is to start from scratch on a third run with the Low Memory option.

Last edited by jarnos; 10-17-2009 at 06:48 AM.
 
Old 10-17-2009, 06:10 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by Elv13 View Post
Stellar Phoenix is a proprietary software, but it does a good job when it comes to file recovery.
It is nice to hear that you have had good results with this Piece Of Software you mentioned. Especially since the software you mention AFAIK only runs on the Point-and-click-installer OS (which abbreviation is POS too but I'm sure that's beside the point and purely coincidental) and is NOT free in terms of license or use.

While Linuxquestions.org does not bar you from posting suggestions that include proprietary software I strongly doubt it could do a better job than the Open Source Software currently available.


I'm voicing this doubt because there's a few more LQ members (aka ad runners) who go around making plain "it works" posts without ever going into details, but there definitely are some people here who have had no results (1, 2) at all or bad experiences with this Piece Of Software. Also here's a comparison of results, do notice the "Stellar Phoenix Linux Data Recovery" vs Photorec part.

So. If you're not a one-post drive-by ad-poster then please post results showing you've used your Piece Of Software with ace results.
 
Old 10-17-2009, 06:46 AM   #5
jarnos
LQ Newbie
 
Registered: Oct 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
I'm voicing this doubt because there's a few more LQ members (aka ad runners) who go around making plain "it works" posts without ever going into details, but there definitely are some people here who have had no results (1, 2) at all or bad experiences with this Piece Of Software. Also here's a comparison of results, do notice the "Stellar Phoenix Linux Data Recovery" vs Photorec part.
Thanks for the comparison links. I did some searching on the previously mentioned software and found some references to questionable adverposts promoting it on various forums.


I am now running PhotoRec with the Low Memory: Yes option. I'll see if that will get me past the segmentation fault sector.

(?) Since my first attempt with GNU ddrescue and CHKDSK yielded a decently accurate file structure (folder name, file name, file size) but with many zero filled files (00 00 00 00 ... viewed in a HEX viewer) is there any automated way to compare and rename the recovered PhotoRec files to match the proper names and folders?
 
Old 10-17-2009, 07:35 AM   #6
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1292
foremost is another good recovery program, so if photorec fails, try it.
 
Old 10-17-2009, 10:09 AM   #7
jarnos
LQ Newbie
 
Registered: Oct 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by H_TeXMeX_H View Post
foremost is another good recovery program, so if photorec fails, try it.
Thanks, that's next on my list. Do you happen to know where I can find a configuration file to add a more extensive list of file types to the Foremost built-in defaults?
 
Old 10-17-2009, 01:44 PM   #8
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129
I am not a proprietary fanboy nor sponsored to post that software, I am an engineering student working as a consultant for a well known Linux firm in my country and we have a rule here, use something that works. Photorec doesn't, at least it never worked for me and it supports fewer file systems than professional tools.

There is only one application complete enough to be called good in this area and it is Autopsy, but it is "too" professional, hard to set up and gives more forensic information than it recovers the actual file.

If you think that an open source application must be better than a closed app that works, you never worked as a Linux sysadmin or consultant in a place called the real world. Linux lacks much software and sometimes you have no choice but to go proprietary, let's name Dreamweaver (NVU is dead and never had 5% of the required features to stand a chance), Flash Studio (F4L never worked and is long dead), Final Cut Pro / After Effects (Cinelerra is not stable enough and Jahshaka is dead), Oracle Database (MySQL can't do the job when it comes to that kind of task (but it is better for smaller ones) and Postgres can't scale up that well) only to name a few. Those programs have only wannabe Linux alternatives but nothing that can do the job in a real environment.

"I strongly doubt it could do a better job than the Open Source Software currently available" is the mentality of a blind fanboy disconnected from the real/professional life. Questioning my integrity for proposing the solution that I found to be the best by using it and comparing it with other solutions is outrageous and a lack of respect against me. Just accept the fact that the open source world is nowhere near complete and perfect and that work still needs to be done and meanwhile, you have to use solutions that work when someone asks a question, not unstable and incomplete POS (sorry for the photorec dev, your app is not the #1 for nothing, it is the most simple out there, but as you probably know and if the name reflects the scope of the application, it lacks some features compared to commercial/industrial solutions).
 
Old 10-17-2009, 02:28 PM   #9
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1292
Quote:
Originally Posted by jarnos View Post
Thanks, that's next on my list. Do you happen to know where I can find a configuration file to add a more extensive list of file types to the Foremost built-in defaults?
Well, not that I know of, but if you know of specific files you want to look for that might be on there, you should just add them to the list, it's not hard. Just use something like hexedit to look at the file header of the file type you want to salvage and then write it like the other examples there.

Quote:
Originally Posted by Elv13 View Post
"I strongly doubt it could do a better job than the Open Source Software currently available" is the mentality of a blind fanboy disconnected from the real/professional life. Questioning my integrity for proposing the solution that I found to be the best by using it and comparing it with other solutions is outrageous and a lack of respect against me. Just accept the fact that the open source world is nowhere near complete and perfect and that work still needs to be done and meanwhile, you have to use solutions that work when someone asks a question, not unstable and incomplete POS (sorry for the photorec dev, your app is not the #1 for nothing, it is the most simple out there, but as you probably know and if the name reflects the scope of the application, it lacks some features compared to commercial/industrial solutions).
Alright, but can you prove to me how Stellar Phoenix (valued at $227) is better than say foremost ? Can it do more ? From the looks of it, it does the same thing, except maybe even a bit less, and costs more, quite a bit more.

So again I ask you to prove that Stellar Phoenix is somehow better than a FLOSS solution, just so we know who the real fanboy is ...

Last edited by H_TeXMeX_H; 10-17-2009 at 02:32 PM.
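
The header-to-config step suggested in the post above, as an added example that is not part of the original thread: it takes the leading bytes of several known-good files of one type, keeps only the bytes they all share, and writes them as a row in the column order used by the commented examples in the stock foremost.conf (extension, case sensitivity, maximum size, header, optional footer). The helper names, the 4-byte minimum and the sample byte strings are assumptions made for the example.

```python
MIN_HEADER = 4  # assumed floor: shorter signatures hit far too many sectors


def head(path, length=16):
    """Read the first bytes of a known-good sample, as a hex editor would show."""
    with open(path, "rb") as fh:
        return fh.read(length)


def common_header(samples, max_len=16):
    """Return the leading bytes shared by every sample, capped at max_len."""
    prefix = samples[0][:max_len]
    for data in samples[1:]:
        n = 0
        while n < min(len(prefix), len(data)) and prefix[n] == data[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def escape(data):
    """Render bytes in the \\xNN notation used for header and footer columns."""
    return "".join(f"\\x{b:02x}" for b in data)


def foremost_line(ext, samples, max_size, footer=b""):
    """Build one config row, or None when the type has no usable fixed header."""
    header = common_header(samples)
    if len(header) < MIN_HEADER:
        return None  # e.g. plain text: nothing constant to carve on
    fields = [ext, "y", str(max_size), escape(header)]
    if footer:
        fields.append(escape(footer))
    return "\t".join(fields)


# Constructed sample heads (in practice: [head(p) for p in known_good_files]).
ZIP_SAMPLES = [b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
               b"PK\x03\x04\x0a\x00\x00\x00\x00\x00"]
TXT_SAMPLES = [b"Dear Bob,\n", b"TODO list\n"]

if __name__ == "__main__":
    print(foremost_line("zip", ZIP_SAMPLES, 10000000))
    print(foremost_line("txt", TXT_SAMPLES, 100000))
```

Types without a fixed signature, such as the plain text and many script files mentioned in the first post, come back as None and cannot be added this way.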
 
Old 10-17-2009, 02:52 PM   #10
jarnos
LQ Newbie
 
Registered: Oct 2009
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by H_TeXMeX_H View Post
Well, not that I know of, but if you know of specific files you want to look for that might be on there, you should just add them to the list, it's not hard. Just use something like hexedit to look at the file header of the file type you want to salvage and then write it like the other examples there.
Ok, I see.


Well, I can report that a fresh run of PhotoRec with the Low Memory: Yes option set has completed successfully. So, that option did get me past the Segmentation Fault error.

Now, I'm going to start looking through the resulting files and see if some of the zeroed out files from my CHKDSK-ed image are salvageable from the PhotoRec output.

I'm sure that will keep me occupied for a while before I move on to try Foremost and other options. Speaking of other options, I found mention of another tool called FTK Imager which may also help me sift through the original drive image.
 
Old 10-17-2009, 05:38 PM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by Elv13 View Post
Questioning my integrity for proposing the solution that I found to be the best by using it and comparing it with other solutions is outrageous and a lack of respect against me.
All I asked for is proof. Which you refuse to give. But that's OK. I now at least have an idea about what you based your SW suggestion on.
 
Old 10-17-2009, 05:55 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by jarnos View Post
Since my first attempt with GNU ddrescue and CHKDSK yielded a decently accurate file structure (folder name, file name, file size) but with many zero filled files (00 00 00 00 ... viewed in a HEX viewer) is there any automated way to compare and rename the recovered PhotoRec files to match the proper names and folders?
Personally I wouldn't run anything on an image copy that would disturb (e.g.: reorder, rearrange, orphan) anything in the image. Filesystem structures just are too fragile. A quick and dirty way to match recovered files in PhotoRec's recup dirs could be to compare hashes with files from a backup. The next step would be to run the same but in small chunks running say 'sha256deep' in piecewise mode. Below that level you should realise that the header/footer carving process isn't infallible due to indirect inode usage and that using dd_rescue (which can also read from the end of the disk back to the front) or ddrescue, when confronted with the "click of death", will result in a very small recovery rate even before you start recovery.
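
The piecewise comparison described in the post above, as an added example that is not part of the original thread and not the sha256deep tool itself: it hashes every file in fixed-size pieces, ignores zero-filled pieces like the ones chkdsk left behind, and reports which backup file each recovered file shares the most pieces with. The 4096-byte piece size, the function names and all file names and contents in `demo()` are assumptions constructed for the example.

```python
import hashlib
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

CHUNK = 4096  # assumed piece size; both sides must use the same value

def piecewise(path, chunk=CHUNK):
    """Yield (piece index, SHA-256 hex) for each piece that is not all zeros."""
    with open(path, "rb") as fh:
        index = 0
        while block := fh.read(chunk):
            if block.strip(b"\x00"):  # zero-filled pieces carry no identity
                yield index, hashlib.sha256(block).hexdigest()
            index += 1

def files(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file())

def match(recovered_dir, reference_dir, chunk=CHUNK):
    """Map recovered name -> (best reference path, pieces matched, pieces hashed)."""
    index = defaultdict(set)  # (piece index, digest) -> reference paths
    for ref in files(reference_dir):
        for key in piecewise(ref, chunk):
            index[key].add(ref.relative_to(reference_dir).as_posix())
    result = {}
    for rec in files(recovered_dir):
        hits, hashed = Counter(), 0
        for key in piecewise(rec, chunk):
            hashed += 1
            hits.update(index.get(key, ()))
        best, matched = hits.most_common(1)[0] if hits else (None, 0)
        result[rec.name] = (best, matched, hashed)
    return result

def demo():
    """Run match() on constructed sample data, not on files from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, recup = Path(tmp, "backup"), Path(tmp, "recup_dir.1")
        (backup / "docs").mkdir(parents=True)
        recup.mkdir()
        report = bytes(range(256)) * 48   # 3 full pieces
        notes = b"notes " * 2000          # 3 pieces, last one short
        (backup / "docs" / "report.doc").write_bytes(report)
        (backup / "docs" / "notes.txt").write_bytes(notes)
        samples = {
            "f0001.doc": report,                                          # intact
            "f0002.txt": notes[:4096] + b"\x00" * 4096 + b"\xee" * 3808,  # damaged
            "f0003.jpg": b"\xff\xd8" + b"J" * 5000,                       # not in backup
            "f0004.doc": b"\x00" * 8192,                                  # zero-filled
        }
        for name, data in samples.items():
            (recup / name).write_bytes(data)
        return match(recup, backup)

if __name__ == "__main__":
    for name, (ref, matched, hashed) in demo().items():
        print(f"{name}: {ref} ({matched}/{hashed} pieces)")
```

A file with all pieces matched can be renamed to the reference path outright; a partial match such as 1 of 2 identifies the file but also shows how much of it survived.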
 
Old 10-17-2009, 06:00 PM   #13
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129
Did I refuse to give proof?

Photorec and Foremost are closer to "undelete", the tool coming with Windows by default. They are simple and effective tools (when they work) when you know exactly what you're looking for. More professional tools will scan the whole partition, optionally with additional info like journal location, index/File access table (FAT)/file tree, forcing a file system even if the partition type is different. After the scan, you will see (in a GUI file manager) the disk with every file present on the disk (real, deleted complete and incomplete). You can then copy and paste them on a USB thumb stick or external drive.

Photorec's step-by-step ncurses CLI-GUI is nice, but we must admit that it is not midnight commander.
 
Old 10-17-2009, 06:01 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by jarnos View Post
I found mention of another tool called FTK Imager which may also help me sift through the original drive image.
FTK Imager (the only piece of the FTK suite SW that's made available free of cost) is basically an imager, image convertor, filesystem viewer and "simple" file copier rolled into one. While it can be used to extract items from a filesystem I've never used it as a tool to recover files as it does not have the functionality for that (IIRC).
 
Old 10-17-2009, 06:17 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594
Quote:
Originally Posted by Elv13 View Post
Did I refuse to give proof?
I only asked
Quote:
please post results showing you've used your Piece Of Software with ace results
which you chose not to respond to. The rest of your replies kind of indicate that regarding formal forensics training, knowledge of and practical experience with forensics SW our backgrounds seem to be just too disparate to even attempt to have a constructive discussion that could prove to be meaningful for either the OP, you, me or the rest of LQ.
 
  


All times are GMT -5. The time now is 09:03 AM.