Hi Dan
It so happens that computer forensics and data recovery is my
occupation, so I m sure that I can help out. The most important thing is
to stop using the drive straight away to minimise further data loss and
to give yourself the best chance of recovery.
The next thing to do in an ideal situation is to grab an image of the
disc. I would suggest that you use dd if you're able to, then image the
disc unmounted direct to another drive of a similar size. Something like:
# dd if=/dev/<name of your unmounted broken drive> of=/dev/<name of your
target drive> bs=512 conv=noerror,sync
should do the trick.
Then you can perform any recovery activities on the image, rather than
risk the original device.
There are then any number of open source forensic tools which can
potentially be used to dig out your data. One is xxd (comes as part of
vim) which is a commandline hex editor for manual file system analysis
and extraction. Slightly more refined are sleuthkit (a set of
commandline tools) and autopsy ( a browser based gui for sleuthkit).
These can be a bit tricky to operate but there are plenty of docs on the
web site. Ther is also a commercial program called SMART which is very
good at data extraction. It costs, hoever a free version is available in
the form of a bootable CD. SMART can also do the imaging for you as well
if you do fancy using dd. I think there may be a file limit on the free
version though, not too sure now.
If you don't fancy any of that lot then I would be happy to take a look
for you. If you data is not particlularly confidential, perhaps we could
do it at a meeting as a kind of working demonstrtion.
Good luck.
Stu
Daniel Watkins wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi list,
I've recently repartitioned a drive from two ext3 partitions to one and,
without a reboot, attempted to place data onto it. This, unfortunately,
resulted in this data being lost when the new FS was mounted at my last
boot.
However, I'm not entirely without hope, as the drive is showing a 4.4 GB
usage (about as much as was previously on there). However, I cannot see
this data by any method I know of.
Does anyone know how I could get a hold of it?
Cheers,
Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFEv+0UlFI7BNKVCIkRApEZAKCCrjw2DkE45Vd4nPbId5CvDuhNvACfQ/7X
3EGQ6CcMWp3jIC7AGcBXxDU=
=Cb8H
-----END PGP SIGNATURE-----
_______________________________________________
Peterboro mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/peterboro
_______________________________________________
Peterboro mailing list
[email protected]
https://mailman.lug.org.uk/mailman/listinfo/peterboro
