File Recovery

Using PhotoRec to recover lost data
Forum rules
When asking for technical support:
- Search for posts on the same topic before posting a new question.
- Give clear, specific information in the title of your post.
- Include as many details as you can, MOST POSTS WILL GET ONLY ONE OR TWO ANSWERS.
- Post a follow up with a "Thank you" or "This worked!"
- When you learn something, use that knowledge to HELP ANOTHER USER LATER.
Before posting, please read https://www.cgsecurity.org/testdisk.pdf
Locked
Message
Author
greg2424
Posts: 5
Joined: 02 Nov 2012, 15:56

File Recovery

#1 Post by greg2424 »

Hi All,

Sorry to bother you all, but I think I have a pretty terminal problem with a memory stick that is very important to me.

I went on leave for a few weeks some time back and when I came back my device had stopped working. Basically the usual issue of Windows not seeing the drive. I put it in my desktop PC which is a little more powerful and it did show up on Disk Management, but as unallocated. I even added it as an evidence item on FTK to see if I could read the hard drive that way which worked but everything was showing as zeros.....I have tried all sorts of software and have come across testdisk and photorec today and despite attempting to carry out recovery, I'm still struggling!

Last week I tried using Diskpart and also ran chkdsk. Diskpart would not allow me to clean the USB drive and I think CHKDSK failed also. I am getting various errors from the drive, mainly I/O errors and some errors relating to the FS being "RAW" which I hadn't heard of recently. I did try to reformat the drive as well at some point as I figured if I could at least get the partition back, I could recover the files off the disk....But I dont believe the format ever worked at all and kept failing on me....It sounds weird, but it's almost like the disk is in some kind of "Read Only" mode in the background as I just dont seem able to change anything on this drive.

I tried testdisk and although I got a handle on the command line interface, I was unsure whether my hard drive had been formatted as NTFS or FAT32 (although I think the former is most likely), so I didn't want to get too deep until I knew a bit more about what I was doing.....I am getting a fair few errors on the log relating to "ReadFile The request could not be performed because of an I/O device error" and when I tried Photorec, it just came back to me with zero files carved out.

If anyone has any ideas, I am happy to go ahead and follow the instructions and take screen prints of errors or copy and paste log errors as I'm going along and post them on here. My knowledge on hard drive forensics is "fair", I work in the e-discovery industry and as you can imagine, we frequently get data sent to us where recovery needs carrying out and although I always end up sending the work out to the experts, I do like to try and run some level of internal investigation.

Thanks all, and hopefully you can get this data back for me as I'm pretty screwed without it in honesty!

Thanks

Greg

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: File Recovery

#2 Post by cgrenier »

If there is a lot of read errors, you should clone the disk using ddrescue to a new empty one as described in
http://www.cgsecurity.org/wiki/Damaged_Hard_Disk Once it's done, try tor ecover your data from the clone.

greg2424
Posts: 5
Joined: 02 Nov 2012, 15:56

Re: File Recovery

#3 Post by greg2424 »

Hi, Thanks for this information. I have been reading through the ddrescue page you linked me to, but it seems that the software is designed to run across Unix\Linux OS's. Do you know if the tool has a "Windows based" variant? Or a similar tool which is designed for Windows specifically?

Many Thanks

greg2424
Posts: 5
Joined: 02 Nov 2012, 15:56

Re: File Recovery

#4 Post by greg2424 »

Actually, I see it mentions about running on Knoppix, so will try and get that downloaded first.....Thanks again!

greg2424
Posts: 5
Joined: 02 Nov 2012, 15:56

Re: File Recovery

#5 Post by greg2424 »

Hi. I dont think the Knoppix will work. I downloaded 7.0.4 and saved the .iso file to a CD. I have changed my boot sequence to boot from CD ROM drive first but it still just boots Windows.

Is there anyway of cloning the device in the same way within Windows?

Thanks

dragonfly41
Posts: 67
Joined: 14 Sep 2012, 20:51

Re: File Recovery

#6 Post by dragonfly41 »

You don't "save" the *.iso to a CD .. you have to "burn" your *.iso to a bootable CD.
If you have a spare flash stick here is a utility for burning *.iso to USB flash stick.
http://downloadsquad.switched.com/2009/ ... with-wint/
Provided always that your PC BIOS can boot from USB.

You can also try clonezilla for cloning either entire drive or partitions.
http://clonezilla.org/liveusb.php

greg2424
Posts: 5
Joined: 02 Nov 2012, 15:56

Re: File Recovery

#7 Post by greg2424 »

Thanks for this, I have managed to boot Knoppix 7, but I am just trying to make the clone now and seem to have hit another issue. I have included a screen print of the "fdisk -l" that I ran from the console, but it is not showing the device I need to copy, the device listed as /dev/sdg1 is where I intend to clone to.

Does anyone have any idea why this device is not showing?
Screenshot from 2012-11-07 104249.png
Screenshot from 2012-11-07 104249.png (138.69 KiB) Viewed 5373 times

User avatar
cgrenier
Site Admin
Posts: 5432
Joined: 18 Feb 2012, 15:08
Location: Le Perreux Sur Marne, France
Contact:

Re: File Recovery

#8 Post by cgrenier »

If you run "testdisk -l" or "lsusb", do you see your memory stick ?

Locked