Re: Recovering formatted drive

Tue, 21 Aug 2012 11:28:24 -0700 

On Tue, Aug 21, 2012 at 1:58 PM, Steve Ens <[email protected]> wrote:
> Had a (l)user ask me which tool to use to recover data from a formatted
> partition.  I told him from his backup!  LOL.  I guess there was none.  I've
> used recuva in the past...any other good tools?  Not sure if recuva does
> find data from reformatted partitions or not.

  First, before doing **ANYTHING** else, make a block-level copy of
the physical disk to a file on another (bigger) filesystem.  Under a
nix, the command would be something like:

        dd if=/dev/sda of=/path/to/big/storage/disk_image_file.bin bs=32M

  if is input file, of is output file.  Do **NOT** mix them up or it
will overwrite the original disk with your empty file.  bs sets the
block size to 32 megabytes and is simply faster than the default of
512 bytes.

  You can do this using many Windows tool, too, but make sure you do a
*block-level* copy.  Do not use something which is aware of
filesystems or partitions, as they will tend to optimize out any
residual data.  Block-level may also be called "raw copy", "forensic
copy", "sector-level copy", "block-by-block copy". etc.

  Now you have a copy of the disk, in a file.  Disconnect the original
disk and store it safely.

  Ideally, do your trail attempts on a copy of the copy.  For example,
if you have a utility "foo" that runs natively, you might do this:

        cd /path/to/big/storage

        cp disk_image_file.bin testcopy.bin

        foo testcopy.bin

  If you have a utility that needs to run against a physical disk,
write the test file out to a spare scratch disk and use that:

        dd if=/path/to/big/storage/disk_image_file.bin of=/dev/sdb bs=32M

Again, do not mix up in vs out or you will overwrite the wrong thing.

  The reason you want to preserve the original in this way is so that
if something goes wrong with a trial attempt, you have something to go
back to, or even to send to a third-party service if need be.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin

Reply via email to