[ale] Fwd: Hard Drive Death Spiral -- AKA Recovery Software?

Greg Freemyer greg.freemyer at gmail.com
Fri Dec 12 16:15:31 EST 2008


Stephen,

You can find it at http://ptk.dflabs.com/overview.html

DFlabs in an Italian company that is writing PTK.  aiui, PTK is a web
interface that manages "The Sleuth Kit" (TSK).

TSK has been around a while, so I hope it is fairly robust, even if
PTK is not.  (PTK may be as well, but as a new product, I'd expect
some hickups.)

I believe all of the above is Linux only.

Greg

On Thu, Dec 11, 2008 at 4:29 PM, Stephen R. Blevins
<srblevi at worldnet.att.net> wrote:
> Greg, Kind Sir,
>    Where can I learn about PTK.  Google is *not* my friend on this one.
>
>    TIA
>
> Stephen R. Blevins
> srblevi at worldnet.att.net
>
>
>
> Greg Freemyer wrote:
>> The first thing you need / want to do is make a full copy (image) of the drive.
>>
>> So, buy a drive that is atleast 20% bigger.  (just to be sure).
>>
>> Format it ext2 or some other basic FS.  (Definitely not FAT).
>>
>> If the drive is more or less functional use dd to make the image.  If
>> not, look into dd_rescue (or ddrescue, I forget).
>>
>> If it is a data drive, then all you have to do is:
>>
>> boot normally.  dd if=/dev/sdX of=/image_file_on_big_drive bs=4k
>> conv=sync,noerror
>>
>> If it is a boot drive, then boot a linux boot disk and do the same.
>>
>> Once you have that working copy, you need to decide if you want to
>> make even another copy that you keep un-modified.
>>
>> You can use gpart to guess / rebuild your partition table.
>>
>> Once you know where your partitions are and you know what filesystem
>> type you have, you can use various recovery software to move forward.
>>
>> To do the recovery, we use a professional tool, so I'm not sure what
>> low-end / free software is available to do the recovery.  (We use
>> either Encase Forensics ($3,000) or X-Ways Forensics. ($1200))
>>
>> PTK is new opensource recovery tool that was released in the last few
>> months.  It may support linux filesystems.  Not sure.
>>
>> HTH
>> Greg
>>
>> On Thu, Dec 11, 2008 at 10:54 AM, H P Ladds <householdwords at gmail.com> wrote:
>>
>>> Hey All,
>>>
>>> I have a hard drive that appears to be dieing, and I need data
>>> recovery software. Any suggestions?
>>>
>>> History of problem:
>>>
>>> 1. Somehow the partitions on the drive got out of order -- sda6 used
>>> sectors (4376 - 4618) and sda5 had (4619 - 19457).
>>> 2. In an effort to correct this situation, I deleted the partitions
>>> and recreated them using the same sectors.
>>> 3. I was hoping to do a e2fsck to recreate the superblocks and such.
>>> This was a bad plan, and partition sda5 is not mountable.
>>> 4. I did not reformat the partition, so I believe the information is
>>> still there.
>>> 5. I guess what I need to do is reformat the drive without destroying
>>> the data on the disk, which is mostly impossible -- right?
>>>
>>> Yes, I do have the info backed up on DVDs, but this seems to be a good
>>> opportunity to develop some data recovery skills, and maybe I can see
>>> what's on that disk I've had in the freezer for about two years.
>>>
>>> H. Preston
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>>
>>>
>>
>>
>>
>>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>



-- 
Greg Freemyer
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
First 99 Days Litigation White Paper -
http://www.norcrossgroup.com/forms/whitepapers/99%20Days%20whitepaper.pdf

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com


More information about the Ale mailing list