Recovering data from formatted drives using foremost

Performing forensics on a hard drive

Update: March 9, 2012 – I recommend checking out David Pettifor’s article on Data Recovery using Linux tools. The article on this site is a primer on recovering data from a formatted/overwritten drive. This technique works well on hard drives that have been formatted or have had an operating system reinstalled, but in my experience it does not work for drives that have been DBAN’ed (more on this later). The idea is that you’ve reinstalled your operating system and suddenly realized you had pictures of your first born, your child’s graduation, or something else you really need to recover. This primer assumes you have some basic Linux command line knowledge. It helps to know basic commands like cd, ls, dd, mount, dmesg, and grep.

Why not just use Windows tools like Recuva? Recuva is a great tool and kudos to Piriform for making such a cool tool available to Windows users, but Recuva cannot recover from Linux partitions, and the tool encourages the bad habit of recovering from the drive (rather than creating an image first and working from the image).

The tool we’re going to use, foremost, is available in the Ubuntu repositories, so if you’re an Ubuntu user Hurray! To install foremost, type:

sudo apt-get install foremost

One of the cardinal rules of recovering data is: don’t work from the original source; create an image of the drive and work from the image. We can create an image simply by using the dd command. But before we get to creating an image, a word about the machine you’re using to recover. My experience is that it helps to use a system that has a lot of hard drive space available. You could boot from a minimal Linux CD, install foremost and run it from the CD. I prefer to work from a workstation on which I already have Ubuntu installed. I plug the drive I want to recover into the system using an external USB adapter. You can find these pretty cheap, ranging from $10CDN to $20CDN.

Another cardinal rule is never recover data to the drive you’re trying to recover from. It might seem obvious, but I’ve shown different recovery methods to people over the years and have seen them trying to recover to the very drive they were trying to retrieve data from – don’t do it!

So let’s assume you’re working from an Ubuntu PC and that the drive you’re going to recover to is /dev/sda1. Let’s also assume your home directory is /home/linuxuser. The first thing we want to do is plug in the drive we want to recover from and issue the following command:

dmesg | grep sd

Grep shows us all instances of sd from the dmesg command (showing us our drives). I attached a 1GB hard drive that was failing (you can hear the clicking) to my PC and issued the dmesg command and one of the lines I got was:

[10406.842782] sd 8:0:0:0: [sdb] 2131584 512-byte logical blocks: (1.09 GB/1.01 GiB)

[10406.880149]  sdb: sdb1

There were no other partitions on the drive so we know we want to make an image of /dev/sdb1. What I’ve noticed in my experiments is the more I tried to recover data the more degraded a drive became. It seems recovery tools have to write to the drive to perform recovery operations. The more writing that happens the more the original data is degraded. Let’s create that image file:

sudo dd if=/dev/sdb1 of=RecoverMe.img

I generally run this command in my home directory (/home/linuxuser). This takes the input (if) from /dev/sdb1 (the partition on the hard drive) and stores it as the output file (of) on my hard drive. Because I’m working with a tiny drive we’ll only see a 1GB file. If you’re working with a large drive it’s going to create a large file, the size of the partition you’re recovering. After creating the file we still need to recover from the file, so leave yourself plenty of space to recover files. I recommend having at least triple the size of the partition/image you’re recovering. I’ve used foremost to recover Windows images from a system that had run Ubuntu for over 5 months. Note: the .img extension is not necessary, I just like to use it to remind me what the file is.
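One thing to know about the plain dd command above: on a drive that is already clicking, dd stops at the first unreadable sector unless you add conv=noerror,sync, which tells it to keep going and pad each bad block with zeros so the good data behind it keeps its original offset. The following Python script is an added example written for this post (not the author’s code, and not dd itself): it does the same block-by-block copy with zero padding, records which blocks were bad, hashes the finished image so you can verify it never changed while you carve from it, and checks the “triple the partition size” rule of thumb. The FailingDisk class and the 16 KiB “partition” are constructed stand-ins, so it runs with no drive attached.

```python
"""Imaging a failing partition block by block.

Added example for this post, not the author's code. It does in Python what
dd does with conv=noerror,sync: keep reading past unreadable blocks, pad each
bad block with zeros so every good byte keeps its original offset in the
image, and hash the result so you can prove the image never changed while
you carve from it. FailingDisk is a constructed stand-in for a clicking
drive, so the whole thing runs without any hardware attached.
"""
import hashlib
import io
import shutil

BLOCK = 4096  # bytes per read; the equivalent of dd's bs=


class FailingDisk(io.BytesIO):
    """Constructed stand-in for /dev/sdb1 on a dying drive: any read that
    touches one of the bad offsets raises the EIO a real block device would."""

    def __init__(self, data, bad_offsets):
        super().__init__(data)
        self.bad = set(bad_offsets)

    def read(self, n=-1):
        start = self.tell()
        stop = start + (n if n >= 0 else len(self.getvalue()))
        if any(start <= b < stop for b in self.bad):
            raise OSError(5, "Input/output error")
        return super().read(n)


def image_device(src, dst, block=BLOCK):
    """Copy src to dst one block at a time.

    Unreadable blocks are written as zeros (dd's conv=noerror,sync) and their
    offsets collected, so you know exactly which regions of the image are
    padding rather than data. Returns (bytes_written, bad_offsets, sha256).
    """
    bad = []
    digest = hashlib.sha256()
    offset = 0
    while True:
        src.seek(offset)
        try:
            chunk = src.read(block)
        except OSError:
            chunk = b"\x00" * block   # pad the bad block, keep going
            bad.append(offset)
        if not chunk:                 # clean end of device
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return offset, bad, digest.hexdigest()


def enough_space(partition_bytes, work_dir, factor=3):
    """The post's rule of thumb: the image plus the carved output can easily
    need triple the partition size, so check before starting the copy."""
    return shutil.disk_usage(work_dir).free >= factor * partition_bytes


def demo():
    """Run the imager over a constructed 16 KiB 'partition' with one bad block."""
    data = bytes(range(256)) * 64                     # 4 blocks of 4096 bytes
    disk = FailingDisk(data, bad_offsets=[2 * BLOCK + 100])
    out = io.BytesIO()
    written, bad, digest = image_device(disk, out)
    img = out.getvalue()
    return {
        "written": written,
        "bad_blocks": bad,
        "bad_block_zeroed": img[2 * BLOCK:3 * BLOCK] == b"\x00" * BLOCK,
        "good_blocks_intact": (img[:2 * BLOCK] == data[:2 * BLOCK]
                               and img[3 * BLOCK:] == data[3 * BLOCK:]),
        "digest_matches_image": digest == hashlib.sha256(img).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The list of bad offsets is worth keeping next to the image: when foremost later carves a file that spans one of those zeroed blocks, you know the corruption came from the drive, not from the tool.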

Before we recover files (the fun part) we should give ourselves permission to access the RecoverMe.img file. We created it using sudo, so it has an owner and group of root. Let’s change that:

sudo chown linuxuser.linuxuser RecoverMe.img

Chown changes the ownership. Specifying linuxuser.linuxuser changes both the user and the group to linuxuser; the dot in the middle separates the user name from the group name. Creating the image will take a while depending on the size of the partition. I typically go and get a coffee or do something else while waiting for the file to be created. I like to keep recovered data in a folder named HOLD:

mkdir ~/HOLD

Now let’s run foremost and recover some data:

foremost -vqQ -o HOLD/ -t all -i RecoverMe.img

If you run foremost with just the basic switches -o and -i you’ll see long strings of garbage scroll by. The -v, -q and -Q switches tidy that up: -v is verbose mode, -q is quick mode (foremost only looks for file headers at the start of each sector, which is much faster but can miss files that don’t begin on a sector boundary), and -Q is quiet mode, which suppresses most error messages. One switch to avoid here is -w: that is write-audit mode, which writes only the audit.txt report and extracts no files at all, so leave it out when you actually want your files back. The important switches: -o specifies the output directory, where your recovered files go, -i specifies the input file (or device) you’re recovering from, -t specifies the types of files you want to recover. In the example above I told foremost to recover “all” files, but you can specify particular types of files. Say you only want to recover pictures (jpg, png, gif); the command would be:

foremost -vqQ -o HOLD/ -t jpg,png,gif -i RecoverMe.img

To find out more about the different file types foremost supports, type man foremost (foremost must be installed for the man page to work). Briefly, foremost supports movies, pictures, different document formats (including MS Office and OpenOffice), Adobe Acrobat, Windows executables and some compressed formats.
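To make it clear why formatting a drive doesn’t stop foremost, here is a tiny file carver written as an added example for this post. It is not foremost’s source code; it just does the same thing foremost does at heart: scan the raw image for the magic bytes that begin a file type, then cut out everything up to that type’s footer (or up to a maximum size when the footer is gone), without ever looking at the filesystem. The jpg/png/gif signatures are the real ones; the 64 KiB “freshly formatted” image with three orphaned files in it is constructed, and the quick flag mimics the -q switch so you can see what it misses.

```python
"""Header/footer file carving, the technique foremost uses.

Added example for this post, not foremost's source. Carving ignores the
filesystem entirely: it scans the raw image for the magic bytes that start
a file type, then cuts everything up to that type's footer (or up to a
maximum size when the footer is gone). That is why a quick format or an OS
reinstall leaves so much recoverable: the directory entries are gone, but
the file bodies still sit in sectors no filesystem points to anymore.
"""
import os

# type: (header, footer, max size to carve when no footer is found)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 2**20),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 2**20),
    "gif": (b"GIF8", b"\x00;", 5 * 2**20),
}
SECTOR = 512


def carve(image, types=None, quick=False):
    """Return [(type, offset, data)] for every file found in the raw image.

    types=None is foremost's -t all; quick=True mimics -q, which only checks
    for headers at sector boundaries (fast, but misses files that start
    mid-sector).
    """
    wanted = SIGNATURES if types is None else {t: SIGNATURES[t] for t in types}
    found = []
    for kind, (head, foot, max_size) in wanted.items():
        pos = image.find(head)
        while pos != -1:
            if quick and pos % SECTOR != 0:
                pos = image.find(head, pos + 1)      # -q skips unaligned headers
                continue
            limit = min(len(image), pos + max_size)
            end = image.find(foot, pos + len(head), limit)
            # No footer inside the window: take max_size, as foremost does
            end = limit if end == -1 else end + len(foot)
            found.append((kind, pos, image[pos:end]))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[1])   # by offset, like audit.txt


def save_carved(found, out_dir):
    """Write carved files in a foremost-like layout: out_dir/<type>/<sector>.<type>."""
    paths = []
    for kind, offset, data in found:
        folder = os.path.join(out_dir, kind)
        os.makedirs(folder, exist_ok=True)
        path = os.path.join(folder, f"{offset // SECTOR:08d}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed 'freshly formatted' 64 KiB partition: all zeros, with three
    orphaned file bodies left behind at offsets no filesystem points to.
    The JPEG body deliberately contains no 0xff byte so its footer is unambiguous."""
    img = bytearray(64 * 1024)
    jpg = SIGNATURES["jpg"][0] + bytes(i % 250 for i in range(300)) + SIGNATURES["jpg"][1]
    png = SIGNATURES["png"][0] + bytes(100) + SIGNATURES["png"][1]
    gif = SIGNATURES["gif"][0] + b"9a" + bytes(200) + SIGNATURES["gif"][1]
    # 4103 is mid-sector on purpose: quick mode will not see that PNG
    for offset, body in ((1024, jpg), (4103, png), (20480, gif)):
        img[offset:offset + len(body)] = body
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    for kind, offset, data in carve(sample):
        print(f"{kind} at offset {offset} ({len(data)} bytes)")
    print("quick mode finds:", [k for k, _, _ in carve(sample, quick=True)])
```

Running it on the constructed image carves all three files in full mode but only the two sector-aligned ones in quick mode, which is the trade-off -q makes on a real drive: much faster, at the cost of files whose first bytes don’t land on a sector boundary.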

Interestingly, I once used foremost to recover Windows files from a system that had Ubuntu Linux installed. It just goes to show that formatting and reinstalling really doesn’t mean your data is safe. Using DBAN (Darik’s Boot And Nuke) does seem to make data irretrievable by tools like foremost. I only tried one DBANned drive, but I was not able to recover even a single file from the drive. Normally foremost recovers tens of thousands of files (if you specify all). So if you want to protect against recovery by tools like foremost, DBAN is the free software way to go.
