need to recover data from a data hard disk that I used testdisk on in my attempt to repair mbr from a rootkit virus
Solution 1
To recover data from an image on an external USB drive, here are the steps needed:
- Stop using the damaged drive.
- Have an external drive (or drives) ready holding twice the data amount of your damaged drive's size. Format it with a filesystem able to hold such a large file as will be created from the original drive (e.g. ext4).
- Boot Ubuntu from a live session ("Try Ubuntu").
- Mount your external drive using Nautilus.
- Verify the mount point of your external drive, e.g. with Properties --> Location on the right-click menu.
- Verify the location of your damaged drive with any of these commands in a terminal:

  ```
  sudo fdisk -l
  sudo blkid
  ```

- Create an image of your damaged drive:

  ```
  sudo dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd
  ```

  Replace sdX with your damaged drive (e.g. sda) or partition (e.g. sda1). Replace /mountpoint/DRIVENAME/ with the actual path where your USB drive was mounted.

  Only in case your damaged drive (sdX) is equal in size to your external drive (sdY) are you able to clone the drive (sudo dd if=/dev/sdX of=/dev/sdY) to perform data rescue on a cloned external drive. Still, working on an image as shown above is a much safer approach.

  It is critical at this point to get the dd command correct. If you gave the wrong entry to of= you may damage all data that had existed there.
- Install TestDisk on your live system as was further elaborated in my answer below.
- Read the awesome and concise guide from the makers of TestDisk to recover.
- In case your drive is huge, mount another drive/partition to hold the recovered data. Note this mountpoint for testdisk.
- Run testdisk on the image of your drive:

  ```
  cd /mountpoint/DRIVENAME/
  sudo testdisk rescue.dd
  ```

- Save recovered directories and files to your backup drive/partition (give testdisk the mountpoint of this drive as storage location in case it's different to where the image is).
- Verify your data are there.
- Unmount all drives or shut down the live session.

In case we had not succeeded to recover our files, we may also run PhotoRec, which was installed together with the TestDisk suite, to recover individual files (but then filenames, permissions, and directories will be lost).
Your damaged drive is still untouched. We can even let this drive be recovered by a professional service in case we failed with the above steps.
Solution 2
I believe, amongst other things, testdisk should work as a tool to recover your data. However, first and foremost - before you do anything else, you need to guard your last copy of the data. Firstly, only mount it read-only from here on. (You can remount it with the option ro, see man mount.)
I suggest getting yourself a large (>2TB) disk and copying a complete image of your current disk over:

```
dd if=/dev/sda of=disk-image.dd
```

where /dev/sda is your read-only mounted, all-important disk and disk-image.dd is a file on the new disk; make sure there are 2TB free.
testdisk will work on an image as well and should be able to sort the partition table out. Get back with questions and comments and we can take it from here...
A good place to start reading is here: http://epyxforensics.com/node/36 In its walkthrough it starts by making a dd copy as I suggested above and continues to work on the copy.
Have you got yourself an examination computer with testdisk, gparted and maybe hexedit installed?
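Both answers above hinge on the same step, the dd image, and both warn that a wrong of= target is the one mistake that destroys the last copy. The wrapper below is an added example (not code from either answer) that runs the same dd command only after refusing the unsafe targets: a block device, an existing image, a directory that does not exist, a destination that lives on the damaged drive itself, or a destination with less free space than the source. It assumes a Linux host with stat, df, dd, sha256sum and (for block-device sources) blockdev available.

```shell
#!/bin/sh
# Added example, not from the original answers: guard the imaging step
# "dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd" against a bad of= target.
# Usage (as root for a real drive): safe_image /dev/sdX /mountpoint/DRIVENAME/rescue.dd
set -u

# Byte size of a block device or a regular file (Linux blockdev/stat assumed).
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Filesystem device that backs a path (first column of df -P).
fs_of() {
    df -P "$1" | awk 'NR==2 {print $1}'
}

safe_image() {
    src=$1; dst=$2; dstdir=$(dirname "$dst")
    [ -r "$src" ] || { echo "source $src not readable (run as root?)" >&2; return 1; }
    # Never write straight onto a device: an image file is the safer target.
    [ -b "$dst" ] && { echo "refusing: $dst is a block device" >&2; return 2; }
    # Never clobber an image that already took hours to create.
    [ -e "$dst" ] && { echo "refusing: $dst already exists" >&2; return 3; }
    [ -d "$dstdir" ] || { echo "refusing: $dstdir is not a directory" >&2; return 4; }
    # The image must not land on the damaged drive itself (e.g. /dev/sda1 when src is /dev/sda).
    case "$(fs_of "$dstdir")" in
        "$src"*) echo "refusing: $dstdir lives on $src" >&2; return 5 ;;
    esac
    # Need at least the full source size free (df -Pk reports 1024-byte blocks).
    need=$(size_of "$src")
    free=$(( $(df -Pk "$dstdir" | awk 'NR==2 {print $4}') * 1024 ))
    [ "$free" -ge "$need" ] || { echo "refusing: need $need bytes, $free free" >&2; return 6; }
    # noerror keeps reading past unreadable sectors; sync pads them with zeros so
    # later offsets still line up. Use a smaller bs on a drive with many bad sectors.
    dd if="$src" of="$dst" bs=4M conv=noerror,sync || return 7
    # Record a checksum so the image can later be proven unchanged before each testdisk run.
    sha256sum "$dst" > "$dst.sha256"
    echo "$dst"
}
```

Each refusal has its own exit code, so a calling script can tell "already exists" from "not enough space" without parsing messages.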
Updated on September 18, 2022

Comments
wardr, almost 2 years ago:

Before I begin to say what my situation is here, please know I would be FOREVER GRATEFUL for anyone who can help me out with this mess. I have photos on here from years and years of painstaking work. I am a semi-pro photographer and my hard disk contains roughly 1.5 TB of data from photos. Plus 100GB of my entire music library, and all my DVDs I took time to rip on to my hard disk. But my photos are what I'm most concerned about; they are not replaceable.

Now here in short is what happened: I have always had a backup of my data using backblaze, which is an online backup for windows. I decided about 3 months ago I wanted to get a server going for my files using plex and decided Ubuntu was the best way to go. So I was utilizing this backup method using something called "greyhole" and in the process of setting up (2) 2TB hard drives and (1) 1 TB hard drive on this greyhole backup program.

Then that is when I got a rootkit. This thing was nasty and I think after 2 months of trying everything, I had to reflash my bios and STILL had this virus. I had to reformat all my hard drives and backed everything up on to 1 hard drive, filling it almost entirely (a 2 TB hard drive). I still did not get rid of this virus; it was incredible. Eventually I caught it. It was embedded in my network ethernet card. Anyone reading this should take heed that anything embedded in there can and will infect your router, all your LAN, and stay on your computer even through reflashing of the bios itself!

Anyhow, after I seemed to get rid of the thing I still had my files on my hard drive. I didn't want to reinfect my machines, so I tried to re-write the MBR using a utility called testdisk.

BIG MISTAKE

I didn't have a clue what I was doing. And now I can't read my information!

Here is the good news? After testdisk did its thing (which consisted of me analyzing the drive, and using the WRITE command to do the damage), it only took 1 second for it to be done. Meaning - I didn't sit through a 5 hour process of writing 0's on the drive with "dd". It was a quick little thing I did. So for that reason I'm thinking the data still has to be on the drive.

Here is what I know:
- the drive is a data drive, no OS. I used ubuntu as the OS on another drive.
- formatted as ext3 or ext4
- size = 2 TB
- files = irreplaceable, my entire life's work - no exaggeration.

Also - backblaze doesn't have my files anymore because it's been over 30 days. I have written over all my other backups with 0's due to the rootkit. This hard drive was and is the only source of my files at the time when this happened. Coincidentally, this is the only time I've been without a backup for many years.

Here is a copy/paste of fdisk -l

```
Disk /dev/sda: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x0006a14b

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63  3907024064  1953512001   83  Linux
Partition 1 does not start on physical sector boundary.
```

And lshw

```
  *-scsi:0
       physical id: 2
       logical name: scsi2
       capabilities: emulated
     *-cdrom
          description: DVD writer
          physical id: 0.0.0
          bus info: scsi@2:0.0.0
          logical name: /dev/cdrom
          logical name: /dev/sr0
          capabilities: audio cd-r cd-rw dvd dvd-r
          configuration: signature=643a3365 status=ready
     *-disk
          description: ATA Disk
          product: ST2000DM001-1CH1
          vendor: Seagate
          physical id: 0.1.0
          bus info: scsi@2:0.1.0
          logical name: /dev/sda
          version: CC24
          serial: W1E2L5K7
          size: 1863GiB (2TB)
          capabilities: partitioned partitioned:dos
          configuration: ansiversion=5 sectorsize=4096 signature=0006a14b
        *-volume
             description: EXT3 volume
             vendor: Linux
             physical id: 1
             bus info: scsi@2:0.1.0,1
             logical name: /dev/sda1
             version: 1.0
             serial: 05ea2f85-06fd-446c-a885-30614d53630c
             size: 1863GiB
             capacity: 1863GiB
             capabilities: primary bootable journaled extended_attributes large_files recover ext3 ext2 initialized
             configuration: created=2013-03-27 07:57:02 filesystem=ext3 label=foo modified=2013-03-27 08:11:50 mounted=2013-03-27 08:11:50 state=clean
```

Please help, what can I do? I'm scared of screwing it up again with testdisk. I just want to recover the files. I can't see how they are gone.

Thank you so much-
- Kaz Wolfe, over 9 years ago: +1 for very well written question and good command output.
- DrSAR, about 11 years ago: I have used extundelete successfully. However, that was in a situation of deleted files (rm -r * in a very inappropriate place). In the case of @Head Snow it appears he has hosed his MBR and would need some other tool.
- wardr, about 11 years ago: would the files still be there though, right?
- DrSAR, about 11 years ago: From your description it sounds like they should be still there.
- Kaz Wolfe, over 9 years ago: This is almost my exact workflow for data recovery. Have +10 rep.
- David Foerster, over 9 years ago: Since AU encourages high quality answers that are not just links to third party resources (and a lengthy explanation why your answer isn't off topic), can you explain how to use Recuva to recover data from a disk with an overwritten partition table?
- Fabby, about 9 years ago: @takkat: Have a look here. I would like to edit your answer to change the (optional) 'offending' dd statement to one with an image like in my answer....