Nothing like a real-world challenge to lead me to burn through a few hours of research and followup.
It all started with this post by Dwight Silverman over at the Tech Blog:
Long story short, a business system crashed, some system recovery was applied, and the result was that critical files disappeared. Dwight was brought in to help try to get them back and asked for advice from his blog followers.
Stop, Drop, and Roll
When you encounter the situation where your data is gone, here are some immediate steps to help mitigate the disaster:
- Shut down the system immediately. Don’t try to do a “System Restore”. Don’t try to replace a year’s worth of data by putting the contents of the Recycle Bin back on the system. Shut it down immediately. If it is mission-critical just kill the power and skip the graceful power-off steps.
- Don’t try to do anything else at the moment. The more you fiddle, repair, and “fix” the system trying to get the files back in your panic and stress, the greater likely-hood of overwriting the data on your drive. It’s also easier to make silly mistakes when you are stressed.
- Walk away, take a deep breath and develop a strategy for your recovery attack.
- Unless your drive hardware cratered or a secure-deletion/wipe occurred, there is a very good chance the data is still sitting there. The trick will be to access it again.
- I personally recommend pulling the drive out of the system and either placing it as a “slave” drive in another system or into a USB drive enclosure to access. This increases the chance you will avoid rebooting the system accidentally.
- If it is mission-critical data you are trying to resuscitate, get an image-capture of the drive before doing anything else. No file-based imaging will do; you must do a sector-based image capture so we can get every bit of data that the original has, including those that are no longer recorded in the file allocation table. Ghost and Linux’s “dd” methods are good examples. Clonezilla, ImageX, DriveImage XML are not.
- Some imaging solutions will allow you to mount the image so you can work with your copy rather than the actual drive. That brings more options to the table.
- Forensic experts use both write-back blockers with the physical drive as well as software that is configured to read only, all to avoid compromise of the original drive. They do this to preserve the integrity of the original contents which is something we should keep in mind as well.
- Plan for where you will put the files if you recover them. Have another USB drive or storage device handy to move the (hopefully) recovered files to. Writing the recovered files back to the same drive risks corrupting the files and data with overwriting.
For even more tips and guidance, check out the following guide from Easeus:
Freeware Recovery Software
In most of my situations, I am using Windows as my recovery environment. Either via Win PE boot disk or with Windows XP/Vista as the host and the target drive as a slave or mounted image. Thus most all the tools I’m mentioning are Windows-based. That is the sea I swim in at home and work so I have to be prepared to support it.
Many of these are “portable” meaning they can run from a LiveCD or USB device. Particularly flexible if you are using a Win PE based boot disk. Check the licensing as some may be free for personal use but may not be free for business use.
PC Inspector File Recovery – This remains my primary tool for file recovery. The interface is a bit wonky but it seems to get the job done really well. Scans can take a long time to process an entire disk, but it has been very successful in the attempts I have needed it for.
Recuva - Undelete, Unerase, File Recovery – This is my second “go-to” file recovery tool. It is very easy to use and has a non-technical interface. As an added bonus there is a previewer window to view images on pre-recovered files (graphic files) as well as file properties and information. The fast scan rarely provides many finds, but the in-depth scan can recover loads of stuff…if you are patient! It also has a filter tool to narrow down the results in various file formats or you can enter your own wildcard criteria if you are looking for a particularly named file. See this Using Recuva tutorial for more.
PhotoRec – CGSecurity – Although geared primarily to recovering graphics-related files that have been deleted, it can handle other files as well. The GUI is command-text based, so nothing sexy here, but you don’t have to look sexy to be good! As an added benefit it runs on a variety of OS. PhotoRec Step By Step is a great tutorial.
TestDisk – CGSecurity – Same folks as PhotoRec but this tool is focused primarily at getting back systems partitions that have been damaged or destroyed. Besides the MBR and partition recovery work, it also can recover deleted files and/or copy them to another drive.
DiskDigger – Dmitry Brant – Had to update this post to add this new release in. Portable and does not require an install. Also has a preview feature so you can see what it is you are about to recover, and how much of the data from the file is present. Nice GUI, easy to use, does sector-based scanning for the file-search, and filtering of scans for particular file types common to most home-user and office systems. Spotted tonight via Lifehacker.
Roadkil.’s Undelete – No bells or whistles. Just a simple and direct deleted file-recovery application.
DataRecovery – A step up on the simplicity scale. Unpack and run. No install needed. Fast and deep scans available. Sort and filter results. Also allows you to secure-wipe deleted files for never-again-recovery. GUI interface is simple for beginners.
ADRC Data Recovery Tools - A full package of advanced data recovery tools. Not only can you recover deleted files, but you can also create a disk image for backup and restore it to another drive, you can copy files from drives with bad sectors, do a disk clone, backup/edit/restore your boot parameters and much more! The website is off line sometimes so you might want to try this alternative download location: The Portable Freeware Collection - ADRC Data Recovery Tools
SoftPerfect File Recovery – Very simple to use interface and not many items. Great if you have to suggest just such a program tell your extended family member to try without your supervision but it’s a non-critical file (say grandma’s cookie recipe that is written down elsewhere in the house)
Recover Files – Heavy duty tool that is hard to believe is free. This has a lot of options for filtering results, looking for specific sizes or dates, and hiding of overwritten or temporary system files. The interface is nice as well. Because it is able to display results in the original folder structure, it makes it easier to navigate in your search for a particular deleted file(s).
Undelete Plus – Another professional-grade product and interface for heavy-duty searching and sorting of recovered file results. Nice
Pandora File Recovery – offered in both a free “installable” version as well as a portable version shipping on USB drive for purchase. Many of the same features as others, but with some other bells and whistles like estimating the success of recovery, previewing certain files and properties before recovery, etc.
Restoration 3.2.13 – No install needed. Download, unpack, and run. Very simple interface and not many options. If tiny is what you want, this is a good option.
NTFS Undelete – High marks for two different reasons. First it has a nice clean and clear interface that doesn’t require much work to get started. Second, they provide a ISO-download to instantly create your own boot disk with the application on it already. Very nice for folks who aren’t into rescue-disk building. Oh yeah, did I mention it was open-source?
Ultimate Data Recovery – Another undelete program option.
FileExtractor – Another open-source tool for recovering deleted files. While the interface is a bit GUI-simple, a big plus for the non-technical folks is that it is wizard-based. So once you get the program running it will hold your hand and guide you through the recovery stages.
FreeUndelete – Simple and uncomplicated interface.
Boot-Disk Based Recovery
There are also a number of tools that can be used to boot a system “off-line” and recover the files of the drive in place.
While not rocket-science, they do generally require a bit more technical skill to use.
However, they also up the ante in flexibility and chance of success.
Trinity Rescue Kit – Heavy duty Linux based tool. It packs a lot of heavy lifting tools in a small package. Drawback is that it is script/cli based so unless you are familiar with Linux, it might be too scary for some. For tips see these two posts: Trinity Rescue Kit: Usage Howto and 4sysops - FREE: Trinity Rescue Kit (TRK)
SystemRescueCd – Linux LiveCD that allows off-line booting of a system. Comes with great partition recovery and management tools along with some file recovery tools previously mentioned above. A solid solution. For more details see Quick start guide.
Windows FE – (GSD Blog post) - You have to build and pack it up yourself, but the benefit of Win FE is that it is set to prevent write-back to any local drives it finds. Keeps you from overwriting the drive by accident.
Win PE -- (GSD Blog post collection) – Windows PE is a built-it-yourself LiveCD environment that has a big plus of being able to run most “portable” Windows applications. So if you have a favorite Windows supported file-recovery program and it is portable, it just might run great off this boot-environment in an OS you are comfortable in.
VistaPE (project page) and Custom Win PE Boot Disk Building (GSD Blog post) – Build a Vista-based Win PE 2.0 boot disk with lots of awesome tools and utilities. I love this project and have done a lot of work in it. If other Linux LiveCD projects didn’t have so many awesome tools and utilities, I would probably use it exclusively.
Ultimate Boot CD – An awesome pre-packaged collection of tools and utilities (mostly simple-GUI only) on a bootable CD. Simply a must-carry in every sysadmin and troubleshooting responder’s toolkit. Packs a number of file-recovery tools on the disk.
UBCD for Windows – A WinPE 1.0 (XP-based) project builder. Create a great tool with lots of utilities. Similar to Bart’s Preinstalled Environment (BartPE) bootable live windows CD/DVD project but a bit more updated and with some different program offerings. It takes some work and resources, but produces a great and useful tool.
Aftermath
In Dwight’s case he was very lucky and was able to use Recuva despite all the previous work and remediation done on the system before he got there.
They broke most of the “rules” but still made off like bandits.
Which gives hopes to everyone else that if he can do it, even in those circumstance, mere mortals might also stand a chance to get grandma’s cookie recipe back from the brink of deleted disaster.
Pick out one or two or three, with slightly different items to provide you a number of options, then practice and get comfortable and experienced in using them.
And consider this; if these free tools can help mere mortals, imagine what a trained and experienced forensic examiner can do with the right tools, skills, and proper acquisition and recovery procedure! It makes my heart warm with envy.
If you want it really gone, then you need to do a secure wipe of either the entire disk or at least the “free-space”…but that’s another post.
Cheers!
--Claus V.
No comments:
Post a Comment