need to recover data from a data hard disk that I used testdisk on in my attempt to repair mbr from a rootkit virus


Solution 1

To recover data from an image on an external USB drive here are the steps needed:

  1. Stop using the damaged drive.

  2. Have one or more external drives ready holding twice the amount of data on your damaged drive. Format them with a filesystem able to hold a file as large as the image that will be created from the original drive (e.g. ext4).

  3. Boot Ubuntu from a live session ("Try Ubuntu").

  4. Mount your external drive using Nautilus.

  5. Verify the mount point of your external drive,
    e.g. with Properties --> Location in the right-click menu.

  6. Verify location of your damaged drive with any of these commands in a terminal

     sudo fdisk -l
     sudo blkid
    
  7. Create an image of your damaged drive

     sudo dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd
    

Replace sdX with your damaged drive (e.g. sda) or partition (e.g. sda1). Replace /mountpoint/DRIVENAME/ with the actual path where your USB drive was mounted.

Only if your damaged drive (sdX) is the same size as your external drive (sdY) can you clone the drive (sudo dd if=/dev/sdX of=/dev/sdY) and perform the data rescue on the cloned external drive. Still, working on an image as shown above is a much safer approach.

It is critical at this point to get the dd command correctly. If you gave the wrong entry to of= you may damage all data that had existed there.

  1. Install TestDisk on your live system as was further elaborated in my answer below:

  2. Read the awesome and concise guide from the makers of TestDisk to recover.

  3. In case your drive is huge, mount another drive/partition to hold the recovered data. Note this mountpoint for testdisk.

  4. Run testdisk on the image of your drive:

    cd /mountpoint/DRIVENAME/
    sudo testdisk rescue.dd
    
  5. Save recovered directories and files to your backup drive/partition (give testdisk the mountpoint of this drive as storage location in case it's different from where the image is).

  6. Verify your data are there.

  7. Unmount all drives or shut down the live session.

In case we have not succeeded in recovering our files we may also run PhotoRec, which was installed together with the TestDisk suite, to recover individual files (but then filenames, permissions, and directories will be lost).

Your damaged drive is still untouched. If the steps above fail, we can still have this drive recovered by a professional service.
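The imaging step above is where a wrong of= destroys data. The script below is an added example (not from the answer) that wraps the dd step with the checks the answer calls for: it refuses a block device or an existing file as the destination, requires twice the source size free on the rescue disk, and verifies the image against the source by checksum. /dev/sdX and the mount point are placeholders; the demo uses a constructed file instead of a real disk. For a drive with unreadable sectors, GNU ddrescue is the better imaging tool since plain dd stops at the first read error.

```shell
#!/bin/sh
# Added example: image a damaged drive to a file on the rescue disk with the
# checks the answer above calls for, then verify the copy. Not part of the
# original answer; /dev/sdX and the mount point are placeholders you supply.
set -u

# Size in bytes of a block device (needs root) or of a regular file.
src_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Free bytes on the filesystem that holds the given directory (GNU df).
free_bytes() {
    df -P -B1 "$1" | awk 'NR == 2 { print $4 }'
}

# image_drive SOURCE IMAGE_PATH -> 0 on success, 1..7 on a failed check.
image_drive() {
    src=$1; dst=$2; dstdir=$(dirname "$dst")
    [ -e "$src" ] || { echo "source $src does not exist" >&2; return 1; }
    # The mistake the answer warns about: of= pointing at a disk, not a file.
    [ ! -b "$dst" ] || { echo "refusing: $dst is a block device" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing: $dst already exists" >&2; return 3; }
    [ -d "$dstdir" ] || { echo "$dstdir is not a directory" >&2; return 4; }
    need=$(src_size "$src"); have=$(free_bytes "$dstdir")
    # Room for the image plus the files testdisk will later copy out of it.
    [ "$have" -ge $((need * 2)) ] ||
        { echo "need $((need * 2)) bytes free, have $have" >&2; return 5; }
    dd if="$src" of="$dst" bs=4M 2>/dev/null || return 6
    # Compare checksums so a short or corrupted copy is caught before testdisk.
    a=$(sha256sum < "$src" | cut -d' ' -f1)
    b=$(sha256sum < "$dst" | cut -d' ' -f1)
    [ "$a" = "$b" ] || { echo "image does not match source" >&2; return 7; }
    return 0
}

# Constructed demonstration: a 64 KiB random file stands in for /dev/sdX.
demo() {
    d=$(mktemp -d)
    dd if=/dev/urandom of="$d/fakedisk" bs=1024 count=64 2>/dev/null
    image_drive "$d/fakedisk" "$d/rescue.dd"
}
```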

Solution 2

I believe, amongst other things, testdisk should work as a tool to recover your data. However, first and foremost - before you do anything else, you need to guard your last copy of the data. Firstly, only mount it read-only from here on. (You can remount it with the option ro, see man mount)

I suggest getting yourself a large (>2TB) disk and copying a complete image of your current disk over: dd if=/dev/sda of=disk-image.dd where /dev/sda is your read-only mounted, all-important disk and disk-image.dd is a file on the new disk; make sure there are 2TB free.

testdisk will work on an image as well and should be able to sort the partition table out. Get back with questions and comments and we can take it from here...

A good place to start reading is here: http://epyxforensics.com/node/36 In its walkthrough it starts by making a dd copy as I suggested above and continues to work on the copy.

Have you got yourself an examination computer with testdisk, gparted and maybe hexedit installed?

Updated on September 18, 2022

Comments

  • wardr
    wardr almost 2 years

    Before I begin to say what my situation is here, please know I would be FOREVER GRATEFUL for anyone who can help me out with this mess. I have photos on here from years and years of painstaking work. I am a semi-pro photographer and my hard disk contains roughly 1.5 TB of data from photos. Plus 100GB of my entire music library, and all my DVDs I took time to rip onto my hard disk. But my photos are what I'm most concerned about; they are not replaceable.

    Now here in short is what happened: I have always had a backup of my data using backblaze, which is an online backup for windows. I decided about 3 months ago I wanted to get a server going for my files using plex and decided Ubuntu was the best way to go. So I was utilizing this backup method using something called "greyhole" and in the process of setting up (2) 2TB hard drives and (1) 1 TB harddrive on this greyhole backup program.

    Then that is when I got a rootkit. This thing was nasty and I think after 2 months of trying everything, I had to reflash my BIOS and STILL had this virus. I had to reformat all my hard drives and backed everything up onto 1 hard drive, filling it almost entirely (a 2 TB hard drive). I still did not get rid of this virus; it was incredible. Eventually I caught it. It was embedded in my network Ethernet card. Anyone reading this should take heed that anything embedded in there can and will infect your router, all your LAN, and stay on your computer even through reflashing of the BIOS itself!

    Anyhow after I seemed to get rid of the thing I still had my files on my hard drive. I didn't want to reinfect my machines, so I tried to re-write the MBR using a utility called testdisk.

    BIG MISTAKE

    I didn't have a clue what I was doing. And now I can't read my information!

    Here is the good news: after testdisk did its thing (which consisted of me analyzing the drive and using the WRITE command to do the damage), it only took 1 second for it to be done. Meaning - I didn't sit through a 5 hour process of writing 0's on the drive with "dd". It was a quick little thing I did. So for that reason I'm thinking the data still has to be on the drive.

    Here is what I know:

    • the drive is a data drive, no OS. I used ubuntu as the OS on another drive.
    • formatted as ext3 or ext4
    • size = 2 TB
    • files = irreplaceable, my entire life's work - no exaggeration.

    Also - backblaze doesn't have my files anymore because it's been over 30 days. I have written over all my other backups with 0's due to the rootkit. This hard drive was and is the only source of my files at the time when this happened. Coincidentally this is the only time I've been without a backup for many years.

    Here is a copy/paste of fdisk -l

    Disk /dev/sda: 2000.4 GB, 2000398934016 bytes
    255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
    Units = sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 4096 bytes
    I/O size (minimum/optimal): 4096 bytes / 4096 bytes
    Disk identifier: 0x0006a14b
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *          63  3907024064  1953512001   83  Linux
    Partition 1 does not start on physical sector boundary.
    

    And lshw

    *-scsi:0
              physical id: 2
              logical name: scsi2
              capabilities: emulated
            *-cdrom
                 description: DVD writer
                 physical id: 0.0.0
                 bus info: scsi@2:0.0.0
                 logical name: /dev/cdrom
                 logical name: /dev/sr0
                 capabilities: audio cd-r cd-rw dvd dvd-r
                 configuration: signature=643a3365 status=ready
            *-disk
                 description: ATA Disk
                 product: ST2000DM001-1CH1
                 vendor: Seagate
                 physical id: 0.1.0
                 bus info: scsi@2:0.1.0
                 logical name: /dev/sda
                 version: CC24
                 serial: W1E2L5K7
                 size: 1863GiB (2TB)
                 capabilities: partitioned partitioned:dos
                 configuration: ansiversion=5 sectorsize=4096 signature=0006a14b
               *-volume
                    description: EXT3 volume
                    vendor: Linux
                    physical id: 1
                    bus info: scsi@2:0.1.0,1
                    logical name: /dev/sda1
                    version: 1.0
                    serial: 05ea2f85-06fd-446c-a885-30614d53630c
                    size: 1863GiB
                    capacity: 1863GiB
                    capabilities: primary bootable journaled extended_attributes large_files recover ext3 ext2 initialized
                    configuration: created=2013-03-27 07:57:02 filesystem=ext3 label=foo modified=2013-03-27 08:11:50 mounted=2013-03-27 08:11:50 state=clean
    

    Please help what can I do? I'm scared of screwing it up again with testdisk. I just want to recover the files. I can't see how they are gone.

    Thank you so much-

    • Kaz Wolfe
      Kaz Wolfe over 9 years
      +1 for very well written question and good command output.
  • DrSAR
    DrSAR about 11 years
    I have used extundelete successfully. However, that was in a situation of deleted files (rm -r * in a very inappropriate place). In the case of @Head Snow it appears he has hosed his MBR and would need some other tool.
  • wardr
    wardr about 11 years
    would the files still be there though right?
  • DrSAR
    DrSAR about 11 years
    From your description it sounds like they should be still there.
  • Kaz Wolfe
    Kaz Wolfe over 9 years
    This is almost my exact workflow for data recovery. Have +10 rep.
  • David Foerster
    David Foerster over 9 years
    Since AU encourages high quality answers that are not just links to third party resources (and a lengthy explanation why your answer isn't off topic), can you explain how to use Recuva to recover data from a disk with an overwritten partition table?
  • Fabby
    Fabby about 9 years
    @takkat: Have a look here. I would like to edit your answer to change the (optional) 'offending' dd statement to one with an image like in my answer....