Case Studies
Case studies are user-submitted accounts of data recovery experiences using Free/Libre, Open Source software. They are meant to be an objective description of a data recovery task.
Case Study: Repair Mac filesystem
Submitted by andrew on Wed, 12/02/2009 - 13:33.
----Synopsis----
A hard disk from a Macintosh computer failed, resulting in a white screen at boot time. The owners were told that the drive was damaged and it was replaced. The faulty drive was imaged, the hfsplus boot block was repaired using the alternate boot block and the filesystem was repaired, allowing for the recovery of all of the owners' personal data.
----Imaging----
The 2.5 inch hard disk was connected to a power supply and a USB to SATA interface which was then connected to a computer running Ubuntu Linux.
$ tail -f /var/log/messages
The view of the /var/log/messages showed numerous read errors as the drive was being recognized by the kernel. After several attempts at power cycling the drive, it was recognized in /proc/partitions as the correct devices (/dev/sdc /dev/sdc1 and /dev/sdc2). Imaging of /dev/sdc2 was started several times, but the drive failed after a few moments. The imaging of the entire drive (/dev/sda) was started and much more data was recovered in the first few hours. The output was at an average speed of 12 MB/s.
$ sudo ddrescue -v /dev/sdc image log
The drive powered off intermittently over the first 8 hours of imaging. Recovery was restarted in reverse and using direct disk access, resulting in a much slower rate of 368 Kb/s.
$ sudo ddrescue -vRDd -r 99 /dev/sdc image log
However, the drive sustained this without powering off over the remaining recovery. Most of the 120 gigs were recovered in the first five days of recovery. About 50 Mb of the remaining 800 Mb to be imaged were recovered over two more subsequent days. Only about 750 Kb of the total 120 Gigs were unrecovered.
----Partition table----
The partition table on the image was intact.
$ sudo parted image unit b print
Model: (file)
Disk /media/disk-1/doug1/image: 120034123776B
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number  Start       End            Size           File system  Name                  Flags
 1      20480B      209735679B     209715200B     fat32        EFI System Partition  boot
 2      209735680B  119899885567B  119690149888B               Apple_HFS_Untitled_1
The filesystem was not mountable.
$ sudo mount -o loop,offset=209735680 image mnt/
mount: you must specify the filesystem type
$ sudo mount -o loop,offset=209735680 image mnt/ -t hfsplus
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
----Filesystem Repair----
The image was backed up and all work was performed on the copy. Testdisk was run on the image:
$ sudo testdisk image
The advanced filesystem utilities were used and the Volume Header (superblock) was found to be bad.
Volume header
Bad
Backup volume header
HFS+ OK
Sectors are not identical.
[ Quit ] [Backup BS] [ Dump ]
Return to Advanced menu
The backup Boot Sector was used to correct the problem.
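The check Testdisk reported above can be reproduced by hand. The following is an added example, not part of the original case study: it reads the primary HFS+ volume header (1024 bytes into the volume) and the alternate one (1024 bytes before its end) and sanity-checks each. It assumes the volume fills the partition; the function names are illustrative.

```python
import struct

SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}
HEADER_OFFSET = 1024   # primary header: 1024 bytes after the start of the volume
HEADER_SIZE = 512      # alternate header: 1024 bytes before the end of the volume


def parse_volume_header(raw, volume_size):
    """Return key fields of an HFS+ volume header, or None if it is implausible."""
    if len(raw) < HEADER_SIZE or raw[:2] not in SIGNATURES:
        return None
    version = struct.unpack(">H", raw[2:4])[0]
    # Big-endian UInt32 fields starting at byte 32:
    # fileCount, folderCount, blockSize, totalBlocks, freeBlocks
    files, folders, block_size, total, free = struct.unpack(">5I", raw[32:52])
    power_of_two = block_size >= 512 and block_size & (block_size - 1) == 0
    if not power_of_two or total == 0 or free > total:
        return None
    if block_size * total > volume_size:
        return None          # header describes more blocks than the partition holds
    return {
        "type": SIGNATURES[raw[:2]],
        "version": version,
        "files": files,
        "folders": folders,
        "block_size": block_size,
        "total_blocks": total,
        "free_blocks": free,
    }


def check_volume_headers(image_path, part_offset, part_size):
    """Compare the primary and alternate volume headers of one partition."""
    with open(image_path, "rb") as img:
        img.seek(part_offset + HEADER_OFFSET)
        primary = img.read(HEADER_SIZE)
        img.seek(part_offset + part_size - HEADER_OFFSET)
        alternate = img.read(HEADER_SIZE)
    return {
        "primary": parse_volume_header(primary, part_size),
        "alternate": parse_volume_header(alternate, part_size),
        # The alternate copy is not rewritten on every change, so a mismatch
        # alone does not prove damage; a primary that fails to parse does.
        "identical": primary == alternate,
    }


if __name__ == "__main__":
    import sys
    # Usage with the partition values printed by parted above:
    #   python3 check_hfs.py image 209735680 119690149888
    image, offset, size = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for name, value in check_volume_headers(image, offset, size).items():
        print(name, value)
```

Run it against the working copy of the image, never the original, in keeping with the backup step above.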
Testdisk was then quit and the filesystem was mounted.
$ sudo mount -o loop,offset=209735680 image mnt/ -t hfsplus
$ ls mnt
ls: reading directory mnt: Input/output error
Applications bin Desktop DB dev eBookUSBDriver 2.pkg eBookUSBDriver 4.pkg eBookUSBDriver.tar etc mach
automount cores Desktop DF Developer eBookUSBDriver 3.pkg eBookUSBDriver.pkg EndNote X1 Library mach.sym
The /home folder was absent. The image was unmounted and the loop device was associated with the partition on the image:
sudo losetup /dev/loop0 image -o 209735680
The filesystem was repaired using fsck from the hfsprogs package:
$ sudo fsck.hfsplus -f /dev/loop0
** /dev/loop0
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Invalid node structure
(4, 15221)
** Rebuilding Catalog B-tree.
** The volume Macintosh HD could not be repaired.
$ sudo fsck.hfsplus -fy /dev/loop0
** /dev/loop0
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Invalid node structure
(4, 15221)
** Rebuilding Catalog B-tree.
Invalid key length
(4, 15446)
Invalid key length
(4, 15449)
Invalid key length
(4, 15488)
Invalid node structure
(4, 26487)
Invalid key length
(4, 27098)
Invalid node structure
(4, 27645)
Invalid key length
(4, 27648)
** Rechecking volume.
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Missing thread record (id = 16)
** Checking Catalog file.
Missing thread record (id = 16)
Missing thread record (id = 547002)
Missing thread record (id = 1112972)
Missing thread record (id = 1112980)
Missing thread record (id = 1113016)
Missing thread record (id = 1113031)
Missing thread record (id = 1113360)
Missing thread record (id = 1113615)
Missing thread record (id = 1114428)
Incorrect number of thread records
(4, 216)
Incorrect number of thread records
(4, 216)
** Checking multi-linked files.
** Checking Catalog hierarchy.
Invalid directory item count
(It should be 27 instead of 43)
Invalid volume directory count
(It should be 92432 instead of 131923)
Invalid volume file count
(It should be 417731 instead of 529038)
** Checking Extended Attributes file.
** Checking volume bitmap.
Volume Bit Map needs minor repair
** Checking volume information.
Invalid volume free block count
(It should be 23031363 instead of 23403608)
Volume Header needs minor repair
(2, 0)
** Repairing volume.
Missing directory record (id = 1114428)
Missing directory record (id = 1113615)
Missing directory record (id = 1113360)
Missing directory record (id = 1113031)
Missing directory record (id = 1113016)
Missing directory record (id = 1112980)
Missing directory record (id = 1112972)
Missing directory record (id = 547002)
Missing directory record (id = 16)
** Look for missing items in lost+found directory.
** Rechecking volume.
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
** Checking Catalog hierarchy.
Invalid directory item count
(It should be 0 instead of 16)
Invalid directory item count
(It should be 0 instead of 1)
Invalid directory item count
(It should be 0 instead of 1)
Invalid directory item count
(It should be 24 instead of 27)
Invalid directory item count
(It should be 0 instead of 4)
Invalid directory item count
(It should be 56 instead of 85)
Invalid volume file count
(It should be 529041 instead of 529038)
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Macintosh HD could not be repaired after 3 attempts.
$ sudo fsck.hfsplus -r /dev/loop0
** /dev/loop0
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
** Rebuilding Catalog B-tree.
** Rechecking volume.
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Incorrect number of thread records
(4, 208)
** Checking multi-linked files.
** Checking Catalog hierarchy.
Invalid directory item count
(It should be 0 instead of 16)
Invalid directory item count
(It should be 0 instead of 1)
Invalid directory item count
(It should be 0 instead of 1)
Invalid directory item count
(It should be 24 instead of 27)
Invalid directory item count
(It should be 0 instead of 4)
Invalid directory item count
(It should be 56 instead of 85)
Invalid volume file count
(It should be 529041 instead of 529038)
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** Repairing volume.
** Rechecking volume.
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Incorrect number of thread records
(4, 208)
** Checking multi-linked files.
** Checking Catalog hierarchy.
Invalid volume file count
(It should be 529041 instead of 529038)
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** Repairing volume.
** Rechecking volume.
** Checking HFS Plus volume.
** Checking Extents Overflow file.
** Checking Catalog file.
Incorrect number of thread records
(4, 208)
** Checking multi-linked files.
** Checking Catalog hierarchy.
Invalid volume file count
(It should be 529041 instead of 529038)
** Checking Extended Attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume Macintosh HD could not be repaired after 3 attempts.
The filesystem was mounted and the pertinent files were recovered from the lost+found directory. The owners of the drive report that 100 per cent of their data was recovered.
$ sudo mount /dev/loop0 mnt/
$ ls -sh1t mnt/
total 784K
0 lost+found
0 Applications
4.0K mach
604K mach.sym
0 bin
20K Desktop DB
52K Desktop DF
0 Library
0 Developer
100K eBookUSBDriver.tar
0 automount
4.0K etc
0 EndNote X1
0 cores
0 dev
0 eBookUSBDriver 2.pkg
0 eBookUSBDriver 3.pkg
0 eBookUSBDriver 4.pkg
0 eBookUSBDriver.pkg
$ ls mnt/lost+found/547057/iPhoto\ Library/Originals/
2005 2006 2007 2008 2009
----Kernel HFSPlus driver bug?----
The accessing of certain files within the repaired filesystem caused the loop device to hang. Subsequent attempts to access the loop device including attempts to detach it resulted in unkillable hung processes. Subsequent loop devices were attached to the image, though, and the data was copied with care to avoid the files which caused this problem.
Bug Report: Process hangs when accessing some files in repaired hfsplus filesystem
----Add your case!----
Do you have an interesting Data Recovery experience using Free/libre tools?
Log in or register and add it to the list of Ubuntu-Rescue-Remix.org case studies.
Case Study: Recover Pages documents from failed Macbook
Submitted by andrew on Wed, 12/02/2009 - 11:07.
----Synopsis----
A Macbook became unbootable and the owner contacted a telephone support system. After being guided over the phone in trying to repair the filesystem and resolve the problem, the owner was told that the Hard Disk needed to be reformatted and the OS reinstalled.
The owner needed several Pages documents to be recovered before the drive was to be wiped.
The drive was imaged and the laptop returned to the owner. The owner used a proprietary program, DiskWarrior, to repair the filesystem, but the Macbook was still unbootable. The /home folder was restored and the Pages documents were found and backed up. Subsequently, the OS was reinstalled.
Data recovery was attempted on the image using Ubuntu-rescue-remix and the same level of success was ultimately achieved.
----Imaging----
The Macbook was plugged in and Ubuntu-rescue-remix was booted from DVD by inserting the disk and pressing "c" while the power button was pressed.
An external drive was connected via USB and mounted. The internal drive was imaged using GNU ddrescue.
cd /media/disk-1/
sudo ddrescue /dev/sda image log
The drive was imaged without any errors.
----Initial State of the filesystem----
GNU Parted was used to display the partition table:
$ sudo parted image unit b print
Model: (file)
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Number  Start       End            Size           File system  Name                  Flags
 1      20480B      209735679B     209715200B     fat32        EFI System Partition  boot
 2      209735680B  119899885567B  119690149888B  hfs+         Apple_HFS_Untitled_1
The HFSPlus partition is found at 209735680 bytes. It was mounted as a loop device:
$ mkdir mnt
$ sudo mount -o loop,offset=209735680 image mnt
Listing of the contents of the filesystem revealed only a few folders. Notably absent was the /home folder containing all the owner's data.
The filesystem was unmounted.
$ sudo umount mnt
----File Carving----
File carving was attempted using Photorec.
It is important to note the characteristics of Pages files.
"Pages is both a streamlined word processor and an easy-to-use page layout tool. It allows you to be a writer one minute and a designer the next, always with a perfect document in the works."
Pages files are not files. Pages documents are folders. Each folder named "filename.pages" contains a gzipped XML file (index.xml.gz) which contains all of the contents and layout information. Additionally it contains Contents, Quicklook and Thumbs folders. The Contents folder contains a file named "PkgInfo" which presumably contains the Pages version format information. The Quicklook folder contains a jpg file which is an image of the first page of the document. The Thumbs folder contains tiff images of the document.
None of the data from any of the Pages documents was found using file carving. Only two jpegs were found which were assumed to be from Quicklook Pages folders.
In light of this, the owner was told that it was likely that the data was lost due to the corruption and subsequent repair attempts. The owner decided to try DiskWarrior which was able to repair the filesystem enough to allow the Pages documents to be recovered.
In light of that success, Free-Libre tools were used on the image to try to achieve the same results.
----Filesystem Repair----
Ubuntu-rescue-remix provides the "hfsplus" package which in turn provides the hpfsck tool.
The "hfsprogs" package provides a better tool:
"Apple provides mkfs and fsck for HFS+ with the Unix core of their operating system, Darwin.
This package is a port of Apple's tools for HFS+ filesystems."
The image was backed up and all repair attempts were performed on the copy. The partition on the backup image file was attached to a loop device.
sudo losetup /dev/loop0 image -o 209735680
The filesystem on the loop device was then repaired. Upon the first attempt, mkfs.hfsplus exited unsuccessfully.
$ sudo fsck.hfsplus /dev/loop0
However, after repeated attempts, the filesystem was partially repaired. The Catalog file was also rebuilt using the "-r" option. After many attempts, the filesystem could still not be completely repaired.
The loop device was mounted and many more folders were present in the listing.
All of the pertinent missing data was present in subfolders of the "lost+found" folder. The subfolders are named according to inode number and the documents were found by browsing the folders.
The accessing of certain files within these folders caused the loop device to hang. Subsequent attempts to access the loop device including attempts to detach it resulted in unkillable hung processes. Subsequent loop devices were attached to the image, though, and the data was copied with care to avoid the files which caused this problem.
Bug Report: Process hangs when accessing some files in repaired hfsplus filesystem
----Discussion----
This case demonstrated a head-to-head comparison of a proprietary application (DiskWarrior) and Free-Libre, Open Source tools. Although the proprietary application more accurately restored the /home folder and the names of the subfolders within, the amount of important data that was recovered was the same. The proprietary application could not completely repair the system and restore the Macbook to a bootable state so the difference in success is somewhat negligible in this case.
As well, this case brought to light the shortcomings of the hpfsck tool. Subsequent versions of ubuntu-rescue-remix will include the hfsprogs package.
Also, the very poor results from file carving were unexpected. The disk was relatively empty and so file fragmentation should have been very low. Further work needs to be done on improving carving Pages' index.xml.gz files from an image.
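One way to carve gzip members such as a Pages index.xml.gz directly from an image, as an added example that is not part of the original case study: scan for the gzip magic bytes, inflate from each hit, and keep only members that decompress completely (zlib verifies the trailer CRC) to XML. It only finds unfragmented streams; the function names and the `<?xml` test are assumptions of this example.

```python
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=8 (deflate)
CHUNK = 64 * 1024              # bytes fed to the inflater per step


def inflate_member(buf, start, max_out):
    """Inflate one gzip member beginning at start.

    Returns (data, compressed_length), or None if the stream is invalid,
    truncated, or larger than max_out.
    """
    inflater = zlib.decompressobj(wbits=31)   # 31 selects the gzip wrapper
    out, fed = bytearray(), start
    try:
        while not inflater.eof and fed < len(buf) and len(out) <= max_out:
            piece = buf[fed:fed + CHUNK]
            out += inflater.decompress(piece)
            fed += len(piece)
    except zlib.error:
        return None               # false-positive magic, bad data or CRC mismatch
    if not inflater.eof:
        return None               # ran out of input or hit the size limit
    # unused_data holds the bytes of the last chunk that follow the gzip trailer
    return bytes(out), fed - len(inflater.unused_data) - start


def carve_gzip_xml(buf, max_out=256 * 1024 * 1024):
    """Return [(offset, compressed_length, xml_bytes)] for XML gzip members.

    buf may be a bytes object or a read-only mmap of the disk image.
    """
    found = []
    pos = buf.find(GZIP_MAGIC)
    while pos != -1:
        step = 1
        result = inflate_member(buf, pos, max_out)
        if result is not None and result[0].lstrip()[:5] == b"<?xml":
            found.append((pos, result[1], result[0]))
            step = result[1]      # skip past the member just carved
        pos = buf.find(GZIP_MAGIC, pos + step)
    return found


if __name__ == "__main__":
    import mmap
    import sys
    # Usage: python3 carve_gz.py image
    with open(sys.argv[1], "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
            for n, (offset, length, xml) in enumerate(carve_gzip_xml(image)):
                name = "carved_%04d_index.xml" % n
                with open(name, "wb") as dst:
                    dst.write(xml)
                print(name, "offset", offset, "compressed bytes", length)
```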
Case Study: Data Recovery from a Non-Standard External Hard Disk enclosure.
Submitted by andrew on Fri, 09/04/2009 - 10:30.
----Synopsis----
An Acomdata external hard drive failed and its data needed to be recovered.
The device made a high-pitched noise when powered up. It was disassembled and the hard disk was removed.
----Imaging----
The 500 Gig internal 3.5 inch disk was imaged using a USB-to-SATA adapter and gddrescue.
$ sudo ddrescue -r 500 -v /dev/sdc image log
Several bad blocks were found, but after a few dozen passes, only a single block was unrecoverable. The imaging process took 18 hours.
----Partition Table----
The enclosure contains a drive with a proprietary partition table. When plugged into a computer, the enclosure's firmware produces two devices. The first is a CDROM image of the various manuals and drivers for the device. The second device is the actual storage drive. When the internal drive is plugged directly into a computer (without the enclosure), there is no partition table detected by any OS.
Testdisk was used on the image file and a GFI partition (actually, an NTFS filesystem) was detected starting at 256680 blocks (About 125 Megabytes).
$ sudo testdisk image
Alternatively, a hex editor can be used to find the beginning of the NTFS filesystem. The NTFS signature (0xEB 0x52 0x90 0x4E 0x54 0x46 0x53 0x20) was found at 0x7d55000. Midnight Commander's Hex Viewer was used to view the file and find that value.
$ printf %d\\n 0x7d55000
131420160
Convert from bytes to blocks:
$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
131420160/512
256680
----Potential Corruption----
There was one bad block, and therefore one block filled with zeros instead of the native data:
$ cat log
# Rescue Logfile. Created by GNU ddrescue version 1.9
# current_pos current_status
0xC7D56E00 -
# pos size status
0x00000000 0xC7D56E00 +
0xC7D56E00 0x00000200 -
0xC7D57000 0x73A8EAF000 +
That bad block is 0xC7D56E00. Converted into bytes:
$ printf %d\\n 0xC7D56E00
3352653312
Subtract the filesystem offset to find the location of the bad block relative to the NTFS filesystem:
$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
3352653312-131420160
3221233152
#convert into NTFS blocks - NTFS uses 4096 bytes per block.
3221233152/4096
786433
So block (i.e. "cluster") number 786434 is the one with the missing block.
Use ifind to determine if that block is used:
$ sudo ifind -f ntfs -d 786434 -o 256680 image
0-128-1
Use istat to get information about that inode:
$ sudo istat -f ntfs -o 256680 image 0-128-1|less
As it turns out, that's part of the $MFT. The block as well as adjacent blocks were viewed to look for damage:
$ bc
bc 1.06.94
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
#get the previous two blocks:
3352653312-1024
3352652288
$ sudo dd if=image of=brokenblock bs=1 count=2048 skip=3352652288
2048+0 records in
2048+0 records out
2048 bytes (2.0 kB) copied, 0.00618151 s, 331 kB/s
Look at it:
$ hd -v brokenblock
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 09 |..............>.|
00000200 46 49 4c 45 30 00 03 00 00 00 00 00 00 00 00 00 |FILE0...........|
00000210 07 00 01 00 38 00 01 00 c8 01 00 00 00 04 00 00 |....8...........|
00000220 00 00 00 00 00 00 00 00 04 00 00 00 07 00 00 00 |................|
00000230 3e 09 00 00 00 00 00 00 10 00 00 00 48 00 00 00 |>...........H...|
00000240 00 00 18 00 00 00 00 00 30 00 00 00 18 00 00 00 |........0.......|
00000250 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000260 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000270 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000280 30 00 00 00 68 00 00 00 00 00 18 00 00 00 02 00 |0...h...........|
00000290 4c 00 00 00 18 00 01 00 05 00 00 00 00 00 05 00 |L...............|
000002a0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000002b0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000002c0 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |. ....... ......|
000002d0 06 00 00 00 00 00 00 00 05 03 24 00 42 00 6f 00 |..........$.B.o.|
000002e0 6f 00 74 00 00 00 00 00 50 00 00 00 90 00 00 00 |o.t.....P.......|
000002f0 00 00 18 00 00 00 03 00 74 00 00 00 18 00 00 00 |........t.......|
00000300 01 00 04 80 48 00 00 00 64 00 00 00 00 00 00 00 |....H...d.......|
00000310 14 00 00 00 02 00 34 00 02 00 00 00 00 00 14 00 |......4.........|
00000320 89 00 12 00 01 01 00 00 00 00 00 05 12 00 00 00 |................|
00000330 00 00 18 00 89 00 12 00 01 02 00 00 00 00 00 05 |................|
00000340 20 00 00 00 20 02 00 00 01 05 00 00 00 00 00 05 | ... ...........|
00000350 15 00 00 00 52 aa c8 68 9e ab 9d 61 07 e5 3b 2b |....R..h...a..;+|
00000360 eb 03 00 00 01 02 00 00 00 00 00 05 20 00 00 00 |............ ...|
00000370 20 02 00 00 00 00 00 00 80 00 00 00 48 00 00 00 | ...........H...|
00000380 01 00 40 00 00 00 01 00 00 00 00 00 00 00 00 00 |..@.............|
00000390 01 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
000003a0 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |. ....... ......|
000003b0 00 20 00 00 00 00 00 00 11 02 00 00 00 00 00 00 |. ..............|
000003c0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 09 |..............>.|
00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000600 46 49 4c 45 30 00 03 00 6a 10 00 02 00 00 00 00 |FILE0...j.......|
00000610 08 00 01 00 38 00 01 00 78 01 00 00 00 04 00 00 |....8...x.......|
00000620 00 00 00 00 00 00 00 00 05 00 00 00 08 00 00 00 |................|
00000630 20 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 | ...........`...|
00000640 00 00 18 00 00 00 00 00 48 00 00 00 18 00 00 00 |........H.......|
00000650 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000660 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
00000670 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000680 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 |................|
00000690 00 00 00 00 00 00 00 00 30 00 00 00 70 00 00 00 |........0...p...|
000006a0 00 00 18 00 00 00 03 00 52 00 00 00 18 00 01 00 |........R.......|
000006b0 05 00 00 00 00 00 05 00 3e 69 5a 35 f3 a2 c7 01 |........>iZ5....|
000006c0 3e 69 5a 35 f3 a2 c7 01 3e 69 5a 35 f3 a2 c7 01 |>iZ5....>iZ5....|
000006d0 3e 69 5a 35 f3 a2 c7 01 00 00 00 00 00 00 00 00 |>iZ5............|
000006e0 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 |................|
000006f0 08 03 24 00 42 00 61 00 64 00 43 00 6c 00 75 00 |..$.B.a.d.C.l.u.|
00000700 73 00 00 00 00 00 00 00 80 00 00 00 18 00 00 00 |s...............|
00000710 00 00 18 00 00 00 02 00 00 00 00 00 18 00 00 00 |................|
00000720 80 00 00 00 50 00 00 00 01 04 40 00 00 00 01 00 |....P.....@.....|
00000730 00 00 00 00 00 00 00 00 a6 8e 46 07 00 00 00 00 |..........F.....|
00000740 48 00 00 00 00 00 00 00 00 70 ea 68 74 00 00 00 |H........p.ht...|
00000750 00 70 ea 68 74 00 00 00 00 00 00 00 00 00 00 00 |.p.ht...........|
00000760 24 00 42 00 61 00 64 00 04 a7 8e 46 07 00 00 00 |$.B.a.d....F....|
00000770 ff ff ff ff 00 00 00 00 20 02 00 00 00 00 00 00 |........ .......|
00000780 80 00 00 00 18 00 00 00 00 00 18 00 00 00 02 00 |................|
00000790 00 00 00 00 18 00 00 00 80 00 00 00 50 00 00 00 |............P...|
000007a0 01 04 40 00 00 00 01 00 00 00 00 00 00 00 00 00 |..@.............|
000007b0 a6 8e 46 07 00 00 00 00 48 00 00 00 00 00 00 00 |..F.....H.......|
000007c0 00 70 ea 68 74 00 00 00 00 70 ea 68 74 00 00 00 |.p.ht....p.ht...|
000007d0 00 00 00 00 00 00 00 00 24 00 42 00 61 00 64 00 |........$.B.a.d.|
000007e0 04 a7 8e 46 07 00 00 00 ff ff ff ff 00 00 00 00 |...F............|
000007f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 |.............. .|
00000800
(Alternatively, hd could have been used:
$ hd -v -n 4096 -s 0xC7D56A00 image)
The zeroed-out block begins at 0x00000400 and there was almost nothing but zeros there anyway according to the repeating pattern of blocks. The filesystem on the image was then mounted:
$ mkdir mnt
$ sudo mount -o loop,offset=131420160 image mnt
And an inventory of the filesystem was made:
$ ls -sh1tR mnt/ >filelist 2>errlist
The files were then copied to another drive and there was no loss of data.
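The offset arithmetic in this case study, from locating the NTFS boot sector to mapping the ddrescue bad block onto a cluster, can be scripted. This is an added example, not part of the original write-up: it goes slightly further than the text by reading the cluster size from the boot sector and by treating every ddrescue status other than "+" as unrecovered. The function names are illustrative; the log is the one shown above.

```python
import struct

# Jump instruction + start of the "NTFS" OEM ID, as quoted in the case study
NTFS_SIGNATURE = bytes.fromhex("eb52904e54465320")

# The ddrescue log from the case study
PAGE_LOG = """\
# Rescue Logfile. Created by GNU ddrescue version 1.9
# current_pos current_status
0xC7D56E00 -
# pos size status
0x00000000 0xC7D56E00 +
0xC7D56E00 0x00000200 -
0xC7D57000 0x73A8EAF000 +
"""


def find_ntfs_boot(buf, sector=512):
    """Return (byte_offset, cluster_size) of the first sector-aligned NTFS
    boot sector in buf (bytes or mmap), or None."""
    pos = buf.find(NTFS_SIGNATURE)
    while pos != -1:
        if pos % sector == 0:
            # Bytes per sector at 0x0B (u16 LE), sectors per cluster at 0x0D (u8)
            bps, spc = struct.unpack_from("<HB", buf, pos + 0x0B)
            return pos, bps * spc
        pos = buf.find(NTFS_SIGNATURE, pos + 1)
    return None


def unrecovered_regions(log_text):
    """Return [(pos, size, status)] for every block not marked '+' (finished)."""
    rows = [line.split() for line in log_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    regions = []
    for fields in rows[1:]:           # rows[0] is the current_pos status line
        pos, size, status = int(fields[0], 16), int(fields[1], 16), fields[2]
        if status != "+":
            regions.append((pos, size, status))
    return regions


def damaged_cluster_ranges(log_text, fs_offset, cluster_size):
    """Map unrecovered byte ranges to inclusive (first, last) cluster ranges,
    numbered from the start of the filesystem at fs_offset."""
    ranges = []
    for pos, size, _status in unrecovered_regions(log_text):
        start = max(pos, fs_offset) - fs_offset
        end = pos + size - fs_offset          # exclusive
        if end <= start:
            continue                          # region lies before the filesystem
        ranges.append((start // cluster_size, (end - 1) // cluster_size))
    return ranges


if __name__ == "__main__":
    fs_offset = 0x7D55000                     # NTFS start found in the case study
    print("sector offset for -o:", fs_offset // 512)
    # Same integer division as the bc session: 3221233152/4096
    for first, last in damaged_cluster_ranges(PAGE_LOG, fs_offset, 4096):
        print("clusters to check with ifind -d: %d..%d" % (first, last))
```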
----Alternative----
It's possible to mount the filesystem on the device without imaging it.
(Assuming the device is /dev/sdc)
sudo losetup -r -o 131420160 /dev/loop0 /dev/sdc
mkdir mnt
sudo mount /dev/loop0 mnt
and then to safely unmount it:
sudo umount /dev/loop0
sudo losetup -d /dev/loop0
Case Study: Recover deleted .docx file.
Submitted by andrew on Fri, 04/11/2008 - 07:59.
Summary: A deleted Office Open Document XML (.DOCX) file was recovered from a USB drive.
Methods: The drive was imaged using GNU ddrescue and the file was found and recovered two different ways. Photorec was used to data carve the file and Sleuthkit was used to recover the file from the filesystem.
Details:
$ mkdir recovery
$ cd recovery
The drive was imaged:
$ sudo ddrescue /dev/sdc1 loopfile log
Photorec was run on the image and the file was recovered as a zip file.
$ photorec loopfile
Alternatively, the deleted files were listed using fls:
$ fls loopfile -r -f fat -i raw
r/r 3: test (Volume Label Entry)
r/r * 5: sample.docx
r/r * 7: sample.pptx
r/r * 9: sample.xlsx
The .docx file was recovered using icat:
$ icat -r -f fat -i raw loopfile 5 > sample.docx
Discussion:
DOCX (.docx, Office Open XML) documents are zip file types and can be recovered using methods used to recover .zip files.
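Because a carver such as Photorec hands the document back as a generic .zip, it helps to confirm what the archive is and whether it survived intact. The following added example (not part of the original case study) identifies the Office Open XML type from the conventional main part names and verifies the CRC of every member; the function name is illustrative.

```python
import zipfile
import zlib

# Conventional main part of each Office Open XML package type
OOXML_MAIN_PARTS = {
    "word/document.xml": "docx",
    "ppt/presentation.xml": "pptx",
    "xl/workbook.xml": "xlsx",
}


def classify_recovered_zip(source):
    """Inspect a recovered archive (path or seekable file object).

    Returns {"kind": "docx"|"pptx"|"xlsx"|"zip"|None,
             "intact": bool, "bad_member": str|None}.
    """
    if not zipfile.is_zipfile(source):
        return {"kind": None, "intact": False, "bad_member": None}
    with zipfile.ZipFile(source) as archive:
        names = set(archive.namelist())
        kind = "zip"
        if "[Content_Types].xml" in names:
            for part, extension in OOXML_MAIN_PARTS.items():
                if part in names:
                    kind = extension
                    break
        try:
            # testzip() reads every member and returns the first one whose
            # CRC or header is wrong, or None when all of them check out.
            bad = archive.testzip()
            intact = bad is None
        except (zipfile.BadZipFile, zlib.error):
            bad, intact = None, False     # compressed stream itself is damaged
    return {"kind": kind, "intact": intact, "bad_member": bad}


if __name__ == "__main__":
    import sys
    # Usage: python3 classify_zip.py recovered_file.zip
    print(classify_recovered_zip(sys.argv[1]))
```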
