Page 1 of 1

File Recovery

Posted: 02 Nov 2012, 16:16
by greg2424
Hi All,

Sorry to bother you all, but I think I have a pretty terminal problem with a memory stick that is very important to me.

I went on leave for a few weeks some time back and when I came back my device had stopped working. Basically the usual issue of Windows not seeing the drive. I put it in my desktop PC which is a little more powerful and it did show up on Disk Management, but as unallocated. I even added it as an evidence item on FTK to see if I could read the hard drive that way which worked but everything was showing as zeros.....I have tried all sorts of software and have come across testdisk and photorec today and despite attempting to carry out recovery, I'm still struggling!

Last week I tried using Diskpart and also ran chkdsk. Diskpart would not allow me to clean the USB drive and I think CHKDSK failed also. I am getting various errors from the drive, mainly I/O errors and some errors relating to the FS being "RAW" which I hadn't heard of recently. I did try to reformat the drive as well at some point as I figured if I could at least get the partition back, I could recover the files off the disk....But I dont believe the format ever worked at all and kept failing on me....It sounds weird, but it's almost like the disk is in some kind of "Read Only" mode in the background as I just dont seem able to change anything on this drive.

I tried testdisk and although I got a handle on the command line interface, I was unsure whether my hard drive had been formatted as NTFS or FAT32 (although I think the former is most likely), so I didn't want to get too deep until I knew a bit more about what I was doing.....I am getting a fair few errors on the log relating to "ReadFile The request could not be performed because of an I/O device error" and when I tried Photorec, it just came back to me with zero files carved out.

If anyone has any ideas, I am happy to go ahead and follow the instructions and take screen prints of errors or copy and paste log errors as I'm going along and post them on here. My knowledge on hard drive forensics is "fair", I work in the e-discovery industry and as you can imagine, we frequently get data sent to us where recovery needs carrying out and although I always end up sending the work out to the experts, I do like to try and run some level of internal investigation.

Thanks all, and hopefully you can get this data back for me as I'm pretty screwed without it in honesty!

Thanks

Greg

Re: File Recovery

Posted: 04 Nov 2012, 19:10
by cgrenier
If there is a lot of read errors, you should clone the disk using ddrescue to a new empty one as described in
http://www.cgsecurity.org/wiki/Damaged_Hard_Disk Once it's done, try tor ecover your data from the clone.

Re: File Recovery

Posted: 05 Nov 2012, 12:03
by greg2424
Hi, Thanks for this information. I have been reading through the ddrescue page you linked me to, but it seems that the software is designed to run across Unix\Linux OS's. Do you know if the tool has a "Windows based" variant? Or a similar tool which is designed for Windows specifically?

Many Thanks

Re: File Recovery

Posted: 05 Nov 2012, 12:15
by greg2424
Actually, I see it mentions about running on Knoppix, so will try and get that downloaded first.....Thanks again!

Re: File Recovery

Posted: 05 Nov 2012, 18:15
by greg2424
Hi. I dont think the Knoppix will work. I downloaded 7.0.4 and saved the .iso file to a CD. I have changed my boot sequence to boot from CD ROM drive first but it still just boots Windows.

Is there anyway of cloning the device in the same way within Windows?

Thanks

Re: File Recovery

Posted: 06 Nov 2012, 10:31
by dragonfly41
You don't "save" the *.iso to a CD .. you have to "burn" your *.iso to a bootable CD.
If you have a spare flash stick here is a utility for burning *.iso to USB flash stick.
http://downloadsquad.switched.com/2009/ ... with-wint/
Provided always that your PC BIOS can boot from USB.

You can also try clonezilla for cloning either entire drive or partitions.
http://clonezilla.org/liveusb.php

Re: File Recovery

Posted: 07 Nov 2012, 12:38
by greg2424
Thanks for this, I have managed to boot Knoppix 7, but I am just trying to make the clone now and seem to have hit another issue. I have included a screen print of the "fdisk -l" that I ran from the console, but it is not showing the device I need to copy, the device listed as /dev/sdg1 is where I intend to clone to.

Does anyone have any idea why this device is not showing?
Screenshot from 2012-11-07 104249.png
Screenshot from 2012-11-07 104249.png (138.69 KiB) Viewed 5377 times

Re: File Recovery

Posted: 14 Nov 2012, 08:00
by cgrenier
If you run "testdisk -l" or "lsusb", do you see your memory stick ?