Thymely, too... On Tue, Aug 21, 2012 at 11:31 AM, Crawford, Scott <[email protected]> wrote: > Sage advice. > > -----Original Message----- > From: Ben Scott [mailto:[email protected]] > Sent: Tuesday, August 21, 2012 1:22 PM > To: NT System Admin Issues > Subject: Re: Recovering formatted drive > > On Tue, Aug 21, 2012 at 1:58 PM, Steve Ens <[email protected]> wrote: >> Had a (l)user ask me which tool to use to recover data from a >> formatted partition. I told him from his backup! LOL. I guess there >> was none. I've used recuva in the past...any other good tools? Not >> sure if recuva does find data from reformatted partitions or not. > > First, before doing **ANYTHING** else, make a block-level copy of the > physical disk to a file on another (bigger) filesystem. Under a nix, the > command would be something like: > > dd if=/dev/sda of=/path/to/big/storage/disk_image_file.bin bs=32M > > if is input file, of is output file. Do **NOT** mix them up or it will > overwrite the original disk with your empty file. bs sets the block size to > 32 megabytes and is simply faster than the default of > 512 bytes. > > You can do this using many Windows tool, too, but make sure you do a > *block-level* copy. Do not use something which is aware of filesystems or > partitions, as they will tend to optimize out any residual data. Block-level > may also be called "raw copy", "forensic copy", "sector-level copy", > "block-by-block copy". etc. > > Now you have a copy of the disk, in a file. Disconnect the original disk > and store it safely. > > Ideally, do your trail attempts on a copy of the copy. For example, if you > have a utility "foo" that runs natively, you might do this: > > cd /path/to/big/storage > > cp disk_image_file.bin testcopy.bin > > foo testcopy.bin > > If you have a utility that needs to run against a physical disk, write the > test file out to a spare scratch disk and use that: > > dd if=/path/to/big/storage/disk_image_file.bin of=/dev/sdb bs=32M > > Again, do not mix up in vs out or you will overwrite the wrong thing. > > The reason you want to preserve the original in this way is so that if > something goes wrong with a trial attempt, you have something to go back to, > or even to send to a third-party service if need be. > > -- Ben > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin >
~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
