Tuesday, April 8, 2008

Data Recovery

Recently I was playing around with some old hard disks that I had formatted, and I found that it was really easy to recover data from them even though the files had been deleted and the disks had been formatted.

The purpose of this post is to list methods of retrieving data and give a few tips on preventing data recovery if you are throwing away a computer / disk or selling it.

Firstly, when a file is deleted it is still on the disk. All that has happened is that you have removed the pointer to it. When a disk is formatted all you have done is remove all the pointers. It's kind of like having a book and ripping out the index: the pages are still there but you don't know how to get to anything.


Data Recovery

A couple of the tools I have been playing with are Foremost and PhotoRec. PhotoRec is available on Windows and Linux and I have found it to be quite good; however, Foremost is what I have had the most luck with.

Foremost will restore many types of files such as doc, jpg, zip, mpg and many more. Its usage is simple too: I simply point it at a disk or an image file and tell it to extract either everything or just a particular file type to a location.

foremost -v -o /home/syn/dump -t doc /dev/sdc

In the command above I have told foremost to use an output directory of /home/syn/dump and search for any docs on device /dev/sdc (note /dev/sdc is a hard disk connected by USB in this case). If I had left off the -t switch it would have looked for everything.


Data Deletion

After seeing how easy it was to retrieve deleted items I set about figuring out simple ways to prevent it.

I found that after overwriting the disk I could not get anything out of it using the tools I had. A simple way of overwriting a disk that was totally blank was to use dd with the command below:

dd if=/dev/zero of=/dev/sdc conv=notrunc

Or the same using dcfldd, which also gave me a progress bar.

But what about wiping the free space on a disk that still had data or an OS on it? For that I used TrueCrypt. I simply defragged the drive, filled the free space with one huge TrueCrypt container file and then deleted it.

After re-running Foremost and PhotoRec I was unable to retrieve files that were retrievable before.
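The "pointer gone, bytes still there" behaviour from the start of the post, the header/footer carving that foremost -t jpg does, and the difference between the two wipes (the TrueCrypt free-space fill versus a full dd from /dev/zero) can all be watched end to end in the following added example. It is my own toy code, not part of the original post and not code from the Foremost, PhotoRec or TrueCrypt projects. The disk image, its cluster size, the cluster table and every file's contents are constructed inline; only the JPEG start/end markers are real.

```python
# Added example (not from the post): a toy disk with a cluster allocation
# table, a foremost-style JPEG carver, and two kinds of wipe.
CLUSTER = 4096            # constructed cluster size
NUM_CLUSTERS = 16         # constructed disk size: 64 KiB

JPEG_SOI = b"\xff\xd8\xff\xe0"   # real JPEG/JFIF start-of-image marker
JPEG_EOI = b"\xff\xd9"           # real JPEG end-of-image marker


class ToyDisk:
    """Raw bytes plus a table saying which clusters belong to live files."""

    def __init__(self):
        self.image = bytearray(CLUSTER * NUM_CLUSTERS)
        self.table = {}   # name -> (first_cluster, number_of_clusters)

    def write_file(self, name, first_cluster, data):
        n = -(-len(data) // CLUSTER)                # clusters needed, rounded up
        off = first_cluster * CLUSTER
        self.image[off:off + len(data)] = data      # unused tail of the last cluster is slack
        self.table[name] = (first_cluster, n)

    def delete_file(self, name):
        del self.table[name]          # like rm: the pointer goes, the bytes stay

    def quick_format(self):
        self.table.clear()            # like a format: all pointers go, no bytes touched

    def allocated_clusters(self):
        used = set()
        for first, n in self.table.values():
            used.update(range(first, first + n))
        return used

    def fill_free_space(self):
        # The "one huge file, then delete it" trick: only unallocated clusters
        # are overwritten; slack inside a live file's last cluster is not.
        used = self.allocated_clusters()
        for c in range(NUM_CLUSTERS):
            if c not in used:
                self.image[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def zero_whole_disk(self):
        self.image = bytearray(len(self.image))     # dd if=/dev/zero of=/dev/sdX


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Ignore the table and scan raw bytes for SOI..EOI, as a carver does."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        if end - start <= max_size:                 # foremost also caps file size
            found.append((start, bytes(image[start:end])))
        pos = end
    return found


def fake_jpeg(payload):
    """Constructed JPEG-shaped blob: real markers around a made-up body."""
    return JPEG_SOI + b"JFIF\x00" + payload + JPEG_EOI


def demo():
    disk, result = ToyDisk(), {}

    # 1. Write a JPEG, delete it, format the disk: the carver still finds it.
    disk.write_file("photo.jpg", 4, fake_jpeg(b"A" * 2000))
    disk.delete_file("photo.jpg")
    disk.quick_format()
    result["after_format"] = len(carve_jpegs(disk.image))

    # 2. Fill free space (the TrueCrypt trick): nothing left to carve.
    disk.fill_free_space()
    result["after_fill"] = len(carve_jpegs(disk.image))

    # 3. Slack case: a deleted JPEG sits late in cluster 1; a live 4200-byte
    #    file then takes clusters 0-1 but only writes bytes 0..4199, so the JPEG
    #    survives in the live file's slack and a free-space fill cannot reach it.
    disk.write_file("old.jpg", 1, b"\x00" * 500 + fake_jpeg(b"B" * 300))
    disk.delete_file("old.jpg")
    disk.write_file("notes.txt", 0, b"N" * 4200)
    disk.fill_free_space()
    in_slack = carve_jpegs(disk.image)
    result["in_slack_after_fill"] = len(in_slack)
    result["slack_offset"] = in_slack[0][0] if in_slack else None

    # 4. A full zero pass removes it, slack and all.
    disk.zero_whole_disk()
    result["after_dd"] = len(carve_jpegs(disk.image))
    return result


if __name__ == "__main__":
    print(demo())
```

Step 3 is the reason a free-space fill is not a complete answer on a disk that still holds live files: whatever lies in the slack between a file's last byte and the end of its last cluster is neither "free" to the filesystem nor overwritten by the file, so only a tool that wipes slack explicitly, or a whole-disk pass like the dd line above, reaches it.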

Hope this helps someone.

SynJunkie

4 comments:

Anonymous said...

The TrueCrypt idea is good but will not erase the data in "file slack" (the free space at the end of stored files), so small documents and fragments could be recovered from these.

BC-Wipe has an option to clear this:
http://www.jetico.com/bcwipe3_web_help/html/12_command_line/01_command_line.htm

Note: I have no connection to BC-Wipe or Jetico, I just used it as an example.

SynJunkie said...

Thanks for pointing that out. I'll give that a go and update the post.

Syn

aerokid240 said...

To add to the list of Foremost and PhotoRec, Scalpel can be added to that array of tools. It's similar in operation to Foremost (it's based on Foremost as well) and even the developers of Foremost recommend using Scalpel over it. It's also faster and more efficient.

SynJunkie said...

Great call, I'll check it out.