Security :: NTFS Data Recovery From Ubuntu Live CD?
Dec 6, 2010
I have a windows install that is totally hosed, bluescreens, etc. I want to try to force mount it from Ubuntu to get whatever data I can, but it won't allow me to mount. It keeps telling me to run chkdsk /f and reboot twice. But that's not possible. I was wondering if there are any ntfs tools for Ubuntu or any data recovery tools I can use to get what I can from this drive.
The other day one of my hard drives on my windows system decided to stop working. Not entirely sure what happened, but it seemed that it just erased its partition header, although I wasn't able to recover it.
Anyway, I successfully got an image of the drive using GNU_ddrescue (yay!), and I'm currently salvaging what CAN be salvaged with foremost.
way to get EVERYTHING off of the drive? I mean, it seems that it's all intact (since foremost is finding so much stuff).
I've tried mounting the partition, but it's not working. (I'd post the output from the terminal, but the forum thinks there is/are URL(s) in it....)
I'm using Ubuntu 10.04 and am trying to use it to recover data from a failed External HDD (NTFS).
The drive failed with an accompanying smell of electric burning and subsequently was not recognised by Windows. It would recognice the enclosure, but told me that the drive had to be reformatted.
I removed the drive from the external enclosure and hooked it up to my PC with a power cable and USB to SATA connector. I can mount the drive in Ubuntu (eventually) and I've learned enough about BASH to navigate through the files on the drive.
Those that I can access I am able to copy across to my internal drive (VERY slowly, but it does do it) but a lot of the directories show up with an Input/output Error when I run the ls -l command.
Is there any way for me to be able to access these files or to recover them? Should I be trying a different technique rather than just attempting to access and copy the files?
i 've been using fedora 14,15 for like few months and i still have a 4GB NTFS partition win XP pro.i have installed fedora in about like 20gb for root and home ext4.i rarely use win xp nowadays (once in a week) considering i was using windows for like years.i have a commondata partition of about 130GB NTFS.i now dont want to use the windows and i want to convert the 130GB NTFS to ext4, but i am worried that if somehow at some point i crash my partition tables and i was using ext4 i wouldn't be able to recover the data as easily as i would in a windows.i want to know whether there is a reliable ext4 data recovery tool for fedora?igoogled and i found this link .. if any of you guys have used these tools can you share the experiences ?Mondo RescueTestDisk safecopy PhotoRecddrescue
A friend has a embedded system (korg recorder) with a ata drive in it, that crashed. We are trying to come up with ways to retrieve the data off of the drive. I'm asking in security as this seems like it would be close to forensics, hence security. Hints on software for linux to help either recover files, move files, copy/clone the drive? I'm not so concerned about the korg's os on the drive, as we can create a new blank drive and install that, its the data that is critical, that needs to be recovered. The original korg os was only recognizing drives up to 100gbs so I'm guessing this might be a fat16 filesystem if that helps. Well, that and the program installed to the drive to run it in the korg is an exe.
I was copying a bunch of files between hard drives. For some reason I have permissions issues, but I was able to copy the data using cp in the terminal (I know I can sort out permissions, but that's something for another thread).So, I start copying files just fine, but cp doesn't have any sort of progress indication. So, I started up another two terminal windows, cd'd to the source and destination folders, and ls -l'd each to compare the folders.
At this point, I realised that I'd forgot to add -r to the cp command, so cancelled it. I decided it'd be better to start again and add -r in, and repeat the command. So, I went to the folder, went up a level, then rm -r'd the folder I was just in. It wasn't until I'd gone through with the command that I realised I was actually in the source folderSo, putting aside all the obvious things like 'You dope, you shouldn't have been messing around with rm -r, let alone sudo' and 'With great power comes great responsibility' and 'This never would have happened if you'd just sorted out your missions and usedNautilus', is there any way I can recover the data? I know it's possible in ext2, but not in ext3, but it's on an NTFS partition. Is it possible to recover files from this
By mistake I did mke2fs to my Windows NTFS ParticionTo my understanding It has Modified the inodes only,Can I recover somehow the NTFS inodes?, I lost everything and I know the things are there.I've tryed particion recover, but that's not the problem, the particion is there, and it's NTFS, but the filesystem isnt
Yesterday, my Windows 7 machine managed to somehow destroy a SD card with some pictures on it. Now, every time the card is inserted into a computer running windows, or the camera it came from, it asks to be reformatted. Obviously I would like to recover the pictures from the card.
I tried a scanning the card with a windows program "card recovery" and the program was able to scan the card and find the images on it. But I have to pay $40 to actually copy them from the card to the computer.
So I did some digging and tried to find a way to recover the data for free using my Ubuntu machine.
Some details about my hardware: Running Ubuntu 9.04 SD card: 8Gb SDHC from PNY Optima The camera was a Nikon D5000
What I have done so far: I used ddrescue to create an image of the card. However, at this point, most of the instructions I found only have you try and mount the image. Then I used the testdisk utility and the mmls utility from the SluethKit to try and find a partition on the SD card image that I could mount. Both of these programs failed to identify a partition on the card.
A friend's old Compaq Presario came with Windows XP. However, when it got buggy (without his knowledge or consent), his kids overwrote his OS by installing a warez edition of Windows 7 Ultimate. Unfortunately, that wiped out all his data, including photos of his late wife that he does not have backed up. I want to recover those if possible. I don't want to install anything because that may overwrite the photos if they're still there in some shape or form.
What I'm wondering is if there's a DVD-bootable distro of Linux specifically for data recovery. If I could boot to that, I could run its data recovery utilities without danger of putting anything on the hard drive. Once I've recovered the photos and backed them up to an external hard drive, I'm going to make his PC legal by installing Ubuntu. That's no problem. I'm very up to speed on that. What I need to learn is the best data recovery strategy via some type of bootable Linux. I suspect someone has written such a tool given how often people lose data due to viruses, accidental deletions, formats, etc.
I run 9.10 from a live usb with persistece, and got /etc/sudoers awfully messed up. now i'm told to fix in through 'recovery mode', but i don't think live usb has one. is that true? what about my sudoers? is there another way to fix it?
I just erased +200GB worth of photos, documents, music and videos on my external hard drive.I wanted to try the new Ubuntu Lucid Lynx Alpha 2, so I downloaded the .iso, launched the live USB disk creator and tried to format my 1GB pendrive to make room for the OS. Somehow, I ended formatting my 320GB external USB hard drive. The hard drive had to partitions (one EXT3 and one NTFS), but now it only has a FAT partition that spans the whole drive.I understand that the new FAT partition may have erased the EXT3 data structures at the beggining of the partition, making file recovery next to impossible.A confirmation dialog on the live USB disk creator wouldn't have hurted either.
A while ago my harddrive kinda failed. I didnt notice untill I got "Grub error 17" one time when I was trying to boot my computer. The problem is not really that I couldnt log on to my computer, but rather that I have alot of important information on the computer I would hate to lose. At the time I used Ubuntu 8.04 and had reiserfs filesystem on the computer. I bought a new computer and decided to wait untill I could rescue the data before doing to much dmg to it. But I dont really remember if I tried something to fix it before I realised that it was the harddrive and bad sectors that made me get gruberror 17. Hopefully I didnt do anything.
Anyway. Now today I had some extra time, so I decided to dive in. I booted from a linux mint disk and used ddrescue to transfer all the rawdata over the network to an image file laying on an ext4 drive. Once there I used reiserfsck to try and repair the filesystem. After that i mounted the image file and tried to access the files. Thats where the probelms started. I could see the whole treestructure of the harddrive and everything seemed ok, but when i tried to open the files, none of the pictures, documents and so on could be opend, and when I tried to open stuff like MP3 files they played quite strange. Videofiles was really messy, kept changing resolution and was almost always just gray and green squares on the screen. I decided to use ddrescue and move the files from the image file and on to a clean disk. So when I was done I could mount the filesystem on the new disk, but with the same resault, so I did reiserfsck again, and when that didnt help I did a buildtree also. Still with the same resault. So I decided to investigate the data abit. Opening files at random trying to understand what had hapend. And I saw that some MP3 files (the easiest to open) was some kind of mixing between several difrent mp3 files. Some files wasnt even in the same folder, so it was probably just that the file pointer was pointing at the wrong data on the disk. I dont know how that works really, so I dont know how to go on.
So now to the question. How do I get the data back? Have I done something wrong, can I redo somethig? I still have the broken disk and can take data from it once again, but I want to wait to do that untill I really know what to do. I also still have the image file, and the disk with the copied data. I have a ubuntu 9.10 system at my disposal atm.
I have somehow managed to eradicate all of my films and music...I was going to update my external HDD (typical) and so I highlighted everything and went to drag it. My finger kind of slipped while the cursor was in the the same folder and I got a message saying something like:"Source file is in this destination. Cannot move. Do what?"There's me thinking not much can go wrong at this point so I clicked "Skip all".Everything disappeared
The file system says there's still only 500GB free on my 1.5TB, so the files are there but I just can't see them.how I can get them back?There's nothing in my 'Deleted Items' and I had a play with scalpel and PhotoRec and I either couldn't get them to work or they said they'd take way more time than I have.
Edit: Where did that smiling devil come from? That's really not how I feel right now.
I'm trying to learn how to use foremost, a data recovery tool. I thought a nice place to start would be by attempting to recover a file from a test image. The foremost website links to this site which has a FAT Undelete Test #1 challenge. The challenge is to recover files from a 6 MB FAT disk image. I tried running this command. foremost -t all -i /home/<user>/Desktop/6mb.img -o /home/<user>/Desktop/output but all I got was a folder with an audit.txt file in it.
Today I wanted to make a backup of my Ubuntu server. Since the program wasn't working for me, I rebooted my computer and right now it wont boot. Now I entered recovery mode and I'm trying to recover my /var/www and /etc/mrtg folders. I want to copy them to my USB-Stick but Ubuntu wont do this.
The command I tried: Code: cp -r /var/www /dev/sdg1/www I already created the folder via a other system. I also tried to mount the USB stick: Code: mount /dev/sdg1 /mnt/usbe But im getting the following error: error while loading shared libraries: /lib/libsepol.so.1: Invalid ELF header.
I'm running 10.04 LTS (64 bit) During a recent attempt at dual booting Windows 7, the Windows installer made a boot partition on the wrong drive, formatting the drive, and therefore destroying all my data.
The original partition was NTFS, and the new (unwanted partition) is NTFS.
Is there something in Linux I can do to recover the data that was there, or am I going to have to install Windows on yet another drive and use some Windows tools?
The data on this drive is extraordinarily important, containing ten years of digital photos, my source codes, and musical compositions (protools sessions etc).
I'm trying to recover my Western Digtal 500GB hd (connected through IDE), I've already succesfully recoverd 80GB with copyr.dma (didn't have a bigger IDE drive laying around). and want to do the rest of the drive with GNU ddrescue. I use the Parted Magic live cd to do this. The problem is that I can't find my HD, although it is listed when I look in the Hardware info app. How can I access it as /dev/hda or /dev/sda or whatever it wants?
While install Ubuntu on an existing xp pro I accidentally formatted my hard disk. Is there any way to get back my files it contains e books pdfs photos music files and movies. Data recovery. My Hard Disk 80GB SCSI NTFS.
My laptop died. I was running FC11. I have taken my harddrive out and connected it to an usb-adaptor and mounted it on my FC11 desktop. However, when I open it all I see is grub. Palimpsest sees both the 250MB of grub and efi etc., and it also sees 120GB of LVM2. I cannot however access any of my data.
I erased my partition table. Can anyone recommend a good method of reconstructing it? And if this is impossible, can anyone recommend a good method of data recovery? I had an ntfs partition with windows 7 and a larger ext3 partition that ran Debian.
I'm running Test-disk on the SystemRescueCD at the moment (cross your fingers).
I have just upgraded my lenny box to squeeze. I did it by clean-installing squeeze. The installation was successful, but I just noticed that I had forgotten to backup some important files I had on this machine before the installation...
It's my first time i switched to linux (fedora13) and i wanted to check out ubuntu10. Started installation but somehow (stupid!) selected not the right harddrive to install new system from an iso dvd. Well installation was not successfull, because not the right drive was selected.I came back to fedora but my "storage" harddrive that i had all my collected data and projects is lost. Basically it's like new formated and some files from the ubuntu 10 are on it. None of my files. Is there any way to recover it back? I don't even have a clue how do you install software to fedora13?(I'm a newbee that was sick and tired using and upgrading windows - so now mac OZ and linux)
I'm building another PC that will be used as a workstation specifically for recovering data from hard drives and backing up the info and I want to install linux as the OS. Which Distro would you reccomend I use?
While attempting to install FC12, Anaconda took it upon itself to overwrite the partition on my backup disk. Now I need to figure out if there's a way to get at least some of my data back. If there's a better place for this question, please let me know and I will happily move it. Using Linux since 1993, other Unixoid systems since 1986. I bought this machine back in 2004 or so. It was a pretty decent machine back then, but it's showing its age now: 370Mb of RAM, 2 hard disks with 80Gb and 120Gb (I don't think the other specs are relevant, but just let me know if I'm wrong). In a fit of insanity, I decided to install Gentoo on it. Don't get me wrong: I love certain things about Gentoo. But the constant fiddling that's required, while it can be fun at first, gets old kinda quick.
So various and sundry things have been going wrong with it here and there (CD-ROM, sound card, etc ad infinitum), and, finally, it wouldn't even load X any more (almost certainly some final Gentoo update which broke something) and I said "screw it, I'll just put Fedora on it." This is what I use at work, and plus I have a good friend who has far more patience with admin stuff than I do and Fedora is what he knows. So, last night, I pick up an FC12 CD that I have lying around and decide to finally just reinstall the whole thing. I went so far as to buy myself a Passport USB drive, 319Gb, and have been backing up up all my stuff very regularly to that drive. I go through one final cycle of backing up and verifying before I start the reinstall.
So my drive is solid, and contains everything I could possibly need (and probably quite a bit of stuff I don't). After booting into FC12, I used Palimpsest to explore the partitions on the existing hard disks. Not sure which was which, I mounted the Passport, where I have cleverly saved a copy of my fstab. Using this, I can see which of my partitions were /boot, /, /home, etc. Most of my personal data has been put into separate partitions so that I could reinstall without blowing away the data. I hope that I can do that there, but, if I can't, no matter: I have a backup. I find some bits of empty space and delete a few of the partitions and recreate them, consolidating the empty space. Still confident in my backup, of course.
So I run Anaconda. Nothing happens. Eventually, I figure out that it won't run the graphical interface because I don't have enough memory. I can use the text version, no biggie. It gets to the part about the disks. I tell it which hard disk to install itself onto. For some reason I think it's going to pop up and ask me about the existing partitions and whether I want to keep them or rewrite them (maybe that's a previous version of Anaconda? or a different installer altogether, who can remember). It does not. It babbles something at me about LVM (which I've personally never really used before), and then promptly locks up. Obviously standard Fedora on a low-RAM machine like this is doomed to failure.
I poke around on the Internet, and I eventually stumble on the Fedora "spins" and select FC13/LXDE. Hopefully this will have better luck. Reboot with the new CD, take a look at my hard disks. It has completely overwritten the old partitions, replacing them with LVM partitions. But not a big deal: I have a backup. Take a look at the Passport. Its ext2 filesys has also been replaced with an LVM partition. Proceed to beat head against wall. So, obviously what happened is, since I (foolishly) had the backup drive mounted at the time I ran Anaconda, it assumed I wanted it to take over that drive as well, and just formatted everything it could lay hands on as LVM. It certainly never asked me my opinion on the matter.
But, fine, I shouldn't have had it mounted. The question is, what do I do now? My first, panicked instinct, was to just set the partition type back to 83 (I believe LVM is 8E), which I did (using cfdisk). That might have made it worse; I dunno. But I'm pretty sure I haven't written anything else to the disk since then. I've tried testdisk (nothing useful; although it can seemingly find the underlying deleted partition, it won't actually do anything with it), and a bevvy of Windows Linux recovery programs (Stellar Phoenix, DiskInternals, Raise, and R-Linux), all of which were completely useless except for R-Linux, which scanned the disk for eight hours and was still going when I had to interrupt it (I may come back to that one, but so far it doesn't look too promising).
My primary problem is that I can't make an image of the disk because this little Passport is the biggest hard drive in the house. I would certainly feel better if I could image everything off it and then play with the image. But, of course, it doesn't matter that very little of that 319Gb was actually being used: I still need 319Gb worth of space to make an image. I ordered another (larger) Passport, which should be here Wed. Once I have that I believe I can do something like so: Code: dd ifs=/dev/sdX ofs=/mnt/bigpassport/smallpassport.img bs=512 Right? Then I can muck about with that image in some amount of safety.
Of course, I also have the original hard drives, which are not so large. testdisk can identify the original partitions on those too, but, again, won't actually do anything with them. If I could find something that would image just the partitions I care about, I could probably save those as well, but I don't have any other external hard drives with 120Gb of space free. Can I somehow take the info that testdisk is giving me about those original partitions and use dd to get only that part of the image? Are there other recovery tools I haven't considered? I have a Windows (Win7) laptop, a Linux laptop (FC10, I think), although its power cord is flaky so it's not too reliable, a smaller Mac, a really old Windows box (XP on it, I think), and this formerly-Linux box, which I can only boot off CD's at this point. There's nothing on this disk worth the 500 bux that professional data recovery would charge me, but it's worth a day or two of my life to try to get at least some of it back.