Archive

Archive for February, 2012

Rescue data from disk in Ubuntu

I was asked to audit a disk in order to see any deleted file. For this task, I used Ubuntu Rescue Remix, an Ubuntu live CD customized with lots of applications for data recovery and forensics. Using a live CD for data rescuing is really useful, as you won’t be writing any data on the disk, and therefore you won’t overwrite anything you want to rescue. On the other hand, using a live CD you’ll be able to turn on the computer, even if the disk is physically damaged.

Once you’ve loaded the live CD, you’ll be ready to start typing Linux commands as usual. Yet, if you are not using an English keyboard, you’ll probably be interested in changing the keyboard layout. Just type loadkeys and your keyboard’s layout code. For example, if you have a Spanish keyboard execute:

loadkeys es

Remember that these commands must be run with root privileges, so type sudo before every command if the systems complains about permissions.

You may want to store the image in a remote server. Let’s use samba to mount a remote folder.

apt-get install smbfs
mkdir /mnt/recovery
smbmount //SERVERIP/recovery /mnt/recovery/ -o user=sambausername
cd /mnt/recovery

Finally, we create the image using ddrescue. Remember that you will need at least as much room as the capacity of the disk you want to rescue.

ddrescue --no-split /dev/sda image_file log_file

If the disk is damaged you might get better results running successive passes.

sudo ddrescue -r 3 -C /dev/sda image_file log_file

Once you have the image done, you can use Autopsy to recover any data from the disk.

Categories: Uncategorized Tags: