Page 1 of 1

For the Future: Recovering from WD Book Live

Posted: 27 Sep 2019, 04:59
by WayneAnderson
I deleted a Python file today. Oops. There went 12 hours of work.
Aaaand because it was on a NAS device mapped to windows, there's no previous versions by default, and no recycle bin. Poof.

Turns out getting to the data on this particular NAS was a serious pain the rear end, so here's what I did.

I was attempting to recover data from a 2TB Western Digital Book Live (WD Book Live). The device is a few years old now.

1) Remove the drive from the NAS device. (Snap off cover, remove screws from back plate - side away from ethernet port , remove rear vibration isolation mount, tilt drive until you can unwedge the other side from the frame, remove the other vibration isolation mount, then remove the daughter card screwed onto the bottom of the drive and slide it away from the SATA interface. Save all parts for reassembly.)

Observation: The drive is formatted oddly. I tried several different utilities to mount the data partition to windows. No luck. You named it, if it showed up in the first few pages of google, i tried it.

2) Install virtualbox or an alternative that lets you (for free) mount a raw drive. I used virtualbox and the rest of the instructions will reflect that.

3) Create an ubuntu (or preferred flavor) VM. I used ubuntu and the rest of the instructions will reflect that.

4) On your ubuntu VM, update it with latest packages, and install fuseext2 and testdisk, if its not already there.

5) Install the virtualbox guest additions.

6) Shut down your ubuntu VM in virtualbox.

7) On windows, go to start menu, type in "cmd" and right click the "Command Prompt" item that shows up in your start menu search. Choose run as administrator.

8) In the elevated command prompt window, enter:

Code: Select all

wmic diskdrive list brief
Note which "DeviceID" corresponds to the drive from your NAS device. For example, at the time, mine was \\.\PHYSICALDRIVE2

9) In the elevated command prompt window, we need to setup a VMDK file for virtualbox which "passes through" the physical disk to the VirtualBox linux instance.
In your command prompt, we need to specify the filename for the VMDK and the physical drive number like this:

Code: Select all

VBoxManage internalcommands createrawvmdk -filename "<FileName>" -rawdisk <DeviceID>
So if you created the VM in default location, and your deviceID was like mine, it would look like:

Code: Select all

VBoxManage internalcommands createrawvmdk -filename "C:\Users\Wayne\VirtualBox VMs\UbuntuRecoveryVM\NASPassthrough.vmdk" -rawdisk \\.\PhysicalDrive2
NOTE that if your command prompt is not elevated, you will get an error. By default, in windows you arent allowed to touch or check physical drives if you arent admin.

10) Close VirtualBox if you havent already. Go back to the start menu and find the virtualbox listing, right click it, choose to "run as administrator".

11) In the elevated instance of virtualbox (required to do the physical disk passthrough), go to your recovery VM's settings, find the storage devices, choose to add a storage device. Add an existing disk. Navigate to the vmdk file from the command we did earlier. In our example, ours was at "C:\Users\Wayne\VirtualBox VMs\UbuntuRecoveryVM\NASPassthrough.vmdk"

It will think for a moment and then attach.

12) Create a virtual shared folder in your VM's settings. This is a share that will appear to your linux VM that can be natively accessed as a directory on windows as well. Easy sharing between host and guest. Create a fresh directory and select that in the virtual shared folder. Remember what you called the share (the "Name" in the virtual shared folder configuration).
In my case, I chose to create one called "VMShare" on d:\VMShare\ in the windows file system and intended to map it to a folder simply called "share" in my home directory in Ubuntu.

13) Start your recovery VM that we loaded the tools on earlier and just attached the drive to.

14) Finish mounting the virtual shared folder we just created in your recovery VM. For our ubuntu example, we can do:

Code: Select all

mkdir ~/share
sudo mount -t vboxsf VMShare ~/share
15) In your recovery VM, the easiest way to do this would be to use testdisk.

When you look at the drive list, if you only have a primary drive for the VM, and then this passthrough disk, odds are that the NAS disk that we are making raw access to will show up as /dev/sdb

This NAS device showed up with 4 partitions. The data partition will be the one that shows it has the majority of the drive assocaited with it - in my case roughly 1800 GB partition. /dev/sdb4

16) Attempt to use testdisk to identify and restore your file according to
https://www.cgsecurity.org/wiki/TestDis ... e_for_ext2
or you may also find this useful:
https://vitux.com/how-to-recover-delete ... -testdisk/

When you go to advanced, scroll down to the correct drive and partition. In our case it was /dev/sdb and then choosing the 4th partition on that disk.

Also, when you navigate to the deleted file and copy it, navigate to your "share" folder in your home drive - its the mounted virtual shared folder, remember - and save the file(s) there.

Wouldnt you know it - when I got to the file and tried to copy it, I had the problem of it showing up as 0 length, which means it couldnt be recovered this easy way.

17) Time to use PhotoRec.
Example video for using PhotoRec: https://www.youtube.com/watch?v=lX_yOzcP7Xg
Remember to save recovered files to the share that we setup which is the virtual shared folder.

18) Search through the files being identified and recovered for your file(s) that you need. In my case, my python file showed up as a java file, but I knew generally speaking what I was looking for, the general size. Hint: if its a text file like a programming file or a text file, or even productivity files well understood by windows like office files. Use explorer's search function and set "search in file contents" Think of something in the file that would not appear often - a phrase or word that is weird or different or unique.

That helped me zero in on the files I needed quickly.


Credits:

These links were super helpful when I was doing a lot of "figure this crap out myself":

Step by Step for Test Disk
https://vitux.com/how-to-recover-delete ... -testdisk/

Raw disk access on VirtualBox
https://www.serverwatch.com/server-tuto ... ox-vm.html

The oddity of not being able to figure out what the heck kind of filesystem the 4th (data) partition was on this WD Book drive.
https://john-hunt.com/2013/04/25/recove ... r-similar/

Ubuntu and VirtualBox Shared Folders
https://help.ubuntu.com/community/Virtu ... redFolders