Data recovery

  • Posted on: 26 June 2018
  • By: charm
Recovering data with Photorec

Recently someone dropped off a laptop for assessment. The laptop powered on, but couldn't boot from the hard drive. We booted to a Linux live environment and ran GSmartControl, which showed the drive had unrecoverable errors. When we mentioned that the drive was failing, the person asked if it might be possible to recover data. Normally for anything critical we recommend people go to a professional data recovery service. The service is usually expensive, but for good reason: pros have clean rooms, very expensive hardware and highly specialized knowledge and skills (for example, you can't necessarily replace a HD circuit board with one from the same model). The person mentioned that they knew they needed to back up and didn't really care if they recovered their music and pictures, but that it would be nice if we tried. Since they didn't really care that much about the data, we said we'd give it a go.

Normally, for functional drives where someone has just deleted data, we'll use Recuva on Windows. Since this drive was failing, the first step we tried was a dd backup of the drive. Unfortunately dd quit with an error before it captured all of the drive. We've used different Linux tools in the past for data recovery. This time we chose Photorec. I haven't tried Photorec before; Foremost has been my tool of choice in the past. Photorec is a part of the Testdisk software package. On *buntu, install Photorec/Testdisk by typing:

sudo apt install testdisk

Next, ensure the drive you're recovering from is plugged in and turned on. Thermaltake makes a "toaster", the BlacX Duet, that we used to plug the drive into our Xubuntu system. Photorec should be run with root privileges:

sudo photorec

When Photorec starts, you need to pick the source and destination drives. Photorec took about 2 1/2 hours to run on the 320GB hard drive. It recovered a little more than 6,000 files, mostly .exe and .xml files. It was pretty clear that none of what Photorec recovered was actually content the person wanted (MP3s and photos). There were a few images, but they were all images from the OS installation.

Initially Photorec only saw the first partition on the drive. After recovering data from that partition, it suddenly saw the two other partitions. We ran Photorec on the second partition and the time to recover shot up to over 500 hours. After about 20 minutes the hours left dropped to around 94 hours. We knew from talking with the person who dropped off the drive that this second partition held most of the data they wanted.

In addition to mp3s and jpegs we recovered a lot of font files, .c and .xml files. It took some time, but the fact that we were able to recover data from a drive that Windows didn't want to touch (other than to format) and Linux barely saw (it wouldn't mount the second partition) is a pretty big deal. The person who dropped off the system knew it was unlikely we'd be able to recover data, so in this case we're pretty happy that we were able to recover a good amount of what they figured they'd lost. They've assured us that they will back up on their next system.
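With thousands of carved files where only the music and photos matter, a small triage pass over the output saves a lot of manual sorting. The script below is an added example, not something we ran for this recovery: it tallies Photorec's recup_dir.N output by extension and copies unique, non-tiny .mp3 and .jpg files to a separate folder. The extension list, the size threshold, the folder names and the sample tree are all assumptions.

```python
import hashlib
import shutil
import tempfile
from collections import Counter
from pathlib import Path

WANTED = {".mp3", ".jpg"}   # assumption: the content the owner asked for
MIN_BYTES = 1024            # assumption: smaller files are likely icons or fragments

def triage(recovery_root, wanted_dir, min_bytes=MIN_BYTES):
    """Tally carved files by extension; copy wanted, unique, non-tiny ones."""
    out = Path(wanted_dir)
    out.mkdir(parents=True, exist_ok=True)
    tally, seen, kept = Counter(), set(), []
    # Photorec writes carved files into recup_dir.1, recup_dir.2, ...
    for path in sorted(Path(recovery_root).glob("recup_dir.*/*")):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        tally[ext] += 1
        if ext not in WANTED or path.stat().st_size < min_bytes:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if digest in seen:          # same content carved more than once
            continue
        seen.add(digest)
        # Keep the directory name so files from different runs cannot collide.
        dest = out / f"{path.parent.name}_{path.name}"
        shutil.copy2(path, dest)
        kept.append(dest.name)
    return tally, kept

def build_sample(root):
    """Constructed stand-in for Photorec output (not real recovered data)."""
    files = {
        "recup_dir.1/f0000100.exe": b"MZ" + b"\0" * 2000,
        "recup_dir.1/f0000200.xml": b"<?xml version='1.0'?><a/>",
        "recup_dir.1/f0000300.jpg": b"\xff\xd8\xff" + b"\x01" * 100,    # tiny icon
        "recup_dir.2/f0000400.jpg": b"\xff\xd8\xff" + b"\x02" * 5000,
        "recup_dir.2/f0000500.jpg": b"\xff\xd8\xff" + b"\x02" * 5000,   # duplicate
        "recup_dir.2/f0000600.mp3": b"ID3" + b"\x03" * 5000,
    }
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp, Path(tmp) / "wanted"))
```

Point the script at the destination folder chosen in Photorec, and write the sorted copies to a healthy drive, never back to the failing one.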