Digital Forensics in Linux – Reclaiming Data Off a Failed Hard Drive.
March 11, 2008 | By: UbuntuLinuxHelp | 5 Comments
Posted in Applications, How to..., Linux Projects - Hands On
I recently spoke with a lady who operates a Forensic Accounting consultancy. During the course of our conversation, she indicated that from time to time she receives requests for computer-data-related assistance, namely obtaining deleted information off hard drives or data off failed drives. Her business operates on Windows-based platforms and she was wondering how productive I had found Linux (I'm an Ubuntu Linux user), and whether I could use Linux to garner "lost" data (sending drives to professional labs is very expensive for her clients). While I'm not a data "reclamation" or computer data forensic expert (by any stretch of the imagination), I have nevertheless delved into this aspect on occasion (mostly when a hard drive fails).
It left me wondering about the status of some of the software I have used in the past. Now that I've gained much more experience, I was intrigued as to whether (and how) I could provide this business limited services. If not, could I at least access the data on the failed drive?
Here's the scenario. I have an older 10GB hard drive that had failed and that I had stored away (for the last two weeks). I remember there was almost no data on it. I wondered whether I could get the data off that drive; it had Ubuntu Linux 7.10 on it (ext3). I already had one backup of the data prior to the failure, so I had simply stored the drive on the shelf for no particular reason. If I was unable to get the data off the drive, I wouldn't have cared because I already had a backup. I just wanted to see if I could do it and, if I could, share this information with others to help them.
Back to the present. I plugged the drive back into a working system and, sure enough, I could not access it. It powered up and spun, but the GUI could not access it. I read some years ago that one tactic is to place the drive in a freezer for a couple of hours or so before trying to reclaim data. I kept the PDF I read back then; it was called "200 Ways to Revive a Hard Drive".
While freezing the drive might enable access, I would still need some applications to actually grab a copy of the data. I thought I'd only have one shot at booting up and accessing the drive, so I assumed the best course of action was to create an image of the drive and work with that. Creating images in Ubuntu Linux is not a difficult task and can easily be performed on the command line (in a terminal). In the commands below /dev/hda is the failed drive and /dev/hdb1 is the first partition of the working drive that will receive the image (IDE device names of the time; a current kernel would call the same disks /dev/sda and /dev/sdb1). Note that only the destination partition is mounted: the failed drive is read block for block by dd and is never mounted, so nothing on it is changed by the copy:
sudo mkdir /mnt/image
sudo mount -t ext3 /dev/hdb1 /mnt/image
sudo dd if=/dev/hda of=/mnt/image/10gdrive.raw
Two things a plain dd leaves out, which matter once a drive is genuinely failing: dd stops at the first read error, so either add conv=noerror,sync (skip unreadable blocks and pad them with zeros so later offsets stay aligned) or, better, use GNU ddrescue, which retries bad areas and writes a map of what it could not read; and hash the image (sha256sum) as soon as it is written, so any later copy or conversion can be checked against it.
So I was set to go. I had the following ready:
The existing PC with another working 10GB hard drive in it (which I formatted to ext3, the same as the failed drive), to be booted up with an Ubuntu Linux LiveCD. This is important because I wanted to create the image of the failed drive and needed to put it on the working drive. If the working drive were in use, that would not be possible, so booting off the LiveCD provided this functionality.
I plugged in the failed (frozen) hard drive and turned on the system. After the LiveCD boot completed, I was able to use the above commands to initiate the image creation (of the failed drive). Would it run? If it did, would it keep operating for as long as the image creation took?
Well, surprisingly, it did last the hour and a half it took for the image to be made. So I suppose the hard drive failure must have been something simple that prevented reading of the data. I now had the image to work with and could see if I could get any data.
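The imaging step above, written out as an added example rather than the post's own commands: a small POSIX shell script that images a possibly failing drive with GNU ddrescue when it is installed (falling back to dd with conv=noerror,sync), records a SHA-256 of the image, checks the copy against the source, and works out the byte offset needed to mount one partition out of the whole-disk image read-only. Device and image paths are arguments, the names in the usage line are placeholders, and the partition parser assumes a classic MBR with 512-byte sectors and an ext3 file system (the post's layout); a GPT disk would need different parsing. Everything is plain sh plus coreutils, with ddrescue optional.

```shell
#!/bin/sh
# Added example, not the original post's commands: image a drive that may be
# failing, keep a record of what could not be read, hash the result, and find
# the offset needed to mount a partition out of the whole-disk image.
# Paths are arguments, so every function here also works on an ordinary file.
set -u

# image_disk SRC DST MAP
# Copy SRC to DST block for block, carrying on past unreadable sectors.
# GNU ddrescue is preferred: it retries bad areas (-r3) and writes MAP, a
# list of exactly which byte ranges could not be recovered.  Without it,
# dd with conv=noerror,sync skips an unreadable block and pads it with
# zeros, so every later offset in the image still lines up with the source;
# bs=512 (one sector) means a read error costs one sector, not a whole block.
image_disk() {
    src=$1; dst=$2; map=$3
    if command -v ddrescue >/dev/null 2>&1; then
        ddrescue -r3 "$src" "$dst" "$map"
    else
        dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$map"
    fi
}

# hash_file FILE: print the SHA-256 digest of FILE.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# record_hash IMG: write IMG.sha256 beside the image, so a later copy (an AFF
# conversion, a DVD, a clone on another machine) can be checked with
# "sha256sum -c IMG.sha256".
record_hash() {
    sha256sum "$1" > "$1.sha256"
}

# verify_image SRC IMG: succeed when SRC and IMG hash identically, i.e. the
# read was clean.  After a run that hit bad sectors the digests differ; the
# ddrescue map (or the dd stderr log) then records where the image is padding.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# partition_offset IMG N: byte offset of primary MBR partition N (1-4).
# Assumption: classic MBR and 512-byte sectors (a GPT disk needs different
# parsing).  Entry N starts at byte 446 + 16*(N-1); its starting LBA is the
# little-endian 32-bit value 8 bytes into the entry.  This is the sector
# number "mmls IMG" from Sleuth Kit prints as Start, times the sector size.
partition_offset() {
    img=$1; n=$2
    off=$((446 + 16 * (n - 1) + 8))
    set -- $(od -An -tu1 -j "$off" -N 4 "$img")
    echo $(( ($1 + $2 * 256 + $3 * 65536 + $4 * 16777216) * 512 ))
}

# mount_image_ro IMG N MNT: mount partition N of the whole-disk image without
# modifying the image: ro and loop for the file, offset= to skip to the
# partition, noload (ext3/ext4) so the journal is not replayed at mount time.
# Needs root, so the stand-alone run below does not call it.
mount_image_ro() {
    mount -o ro,loop,noload,offset="$(partition_offset "$1" "$2")" "$1" "$3"
}

# Usage: sh image.sh /dev/sdX /mnt/image/drive.raw /mnt/image/drive.map
if [ $# -eq 3 ]; then
    image_disk "$1" "$2" "$3"
    record_hash "$2"
fi
```

Because the post images the whole disk (/dev/hda) rather than a partition, the raw file begins with the partition table, which is why mounting it later needs an offset; the same number is what Sleuth Kit's mmls reports, and it is what Autopsy works out for you when it is pointed at a whole-disk image.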
I powered down the system and removed both hard drives. The "bad" hard drive can be used as a paper weight :) and the good "image" drive I set aside for the next step.
I plugged a new hard drive into the system, actually it was the original one that already had Linux on it (Ubuntu Feisty), and plugged the imaged drive into the second ATA connector and powered up the system.
However, let's step back for a moment so that I can explain the next steps (at least what worked for me). A couple of years ago I was introduced to The Sleuth Kit, which is a collection of command-line file system forensics tools; Autopsy, which provides a browser-based GUI on top of it; and AFF, the Advanced Forensic Format (which needs afflib). Why AFF? I'm not overly trained in the technical aspects, but I do know that with other compressed formats Autopsy needs the file decompressed first, whereas with afflib it can open the compressed AFF image directly (at least that's what was in my notes at that time; I don't remember where I originally read this). Also, I wanted to see if I could burn a 10GB hard drive to a DVD because:
"...AFF implements the LZMA compression system, which can produce disk image files that are dramatically smaller than other tools on the market today. Compared with the Expert Witness format used by EnCase and other tools, AFF images are typically 30% to 50% smaller..."
To clarify: install Sleuth Kit, Autopsy and AFF support, so you can work with the image. The disk image is currently in raw format; converting it to AFF gives us something compressed enough to burn to DVD that Autopsy can still open directly. The command to install the tools is:
sudo apt-get install autopsy afflib
Note: I didn't have to install Sleuth Kit because the autopsy package depends on it and pulls it in automatically. (On current Ubuntu releases the afconvert and affinfo command-line tools are in the afflib-tools package.)
Now that we have the required tools, lets convert the image to something burnable to DVD:
sudo afconvert -X9 -o /root/10gdrive.aff /media/dvdrecorder/10gdrive.raw
Here is what the switches in the above command mean (the last argument is the raw image, at whatever path it was written to on your machine):
-X9 Sets the compression to 9 (the maximum).
-o Output to a file.
Note: "afconvert --help" will give you the switch option explanations.
What this command actually does is read the raw image and write a compressed copy of it in AFF format to /root/10gdrive.aff; it does not touch the DVD itself, burning the .aff file is a separate step. Before burning, it is worth confirming the conversion was lossless: afcompare (also part of afflib) compares an AFF file against the raw image it was made from and reports any difference. The data did fit, but only because there were hardly any files on the original bad disk, so the empty space was compressed to virtually nothing. (At least that's how I interpreted it.) If I messed something up, I had the backed up image on DVD.
The rest was a simpler matter of using Autopsy and following the instructions.
The PC now has the following:
A working hard drive, using Linux (Ubuntu).
The "imaged drive" plugged into the PC as well.
To start up Autopsy, open a terminal and type "autopsy". Autopsy 2.x runs a small web server bound to the local machine and prints the address to open in a browser (http://localhost:9999/autopsy by default); you will see a screen that shows you this:
[screenshot]
Just follow the instructions and you'll see:
[screenshot]
I ignored the JavaScript warning because security was not an issue. Remember, I just wanted to see if I could do this and share what I learned.
Moving on...
[screenshot]
Oh... I need to add a "host"...
[screenshot]
Simply follow along and play with the tools. You'll be surprised what you can see! ;)
Needless to say, this was a good exercise for me. The real motivation for me to do this (and document my "journey" in this blog) is to see how much I can learn. That's also what open source is about, right? The more I play with Linux, the more I learn and the greater the confidence level.
And, just a side note for those readers not aware: a very good (and free) troubleshooting tool I also use is UBCD (Ultimate Boot CD). It's a troubleshooting, fixer-upper, data scanning, high speed formatting, disk testing... the tools go on and on. Very cool, try that one out too, as you won't be disappointed.
On a lighter "fun" note, we can still put those dead drives to good use! ;)
Hard Drive Speaker System.
Build a 15,000 rpm Tesla Turbine using hard drive platters.
Pulling apart a desktop hard drive to get rare earth magnets.
Hard drive platter clock.
Hard Drive Fridge Magnet.
Hopefully some of you will find the above information of help. :)
Excellent article. I did something similar with an overwritten drive from a client, as well as another drive with a single bad sector. Both were Windows systems, the first with an XP reinstall over their precious data.
In both cases, I created an image (failed drive with either ‘dd_rescue’ or ‘ddrescue’, and the overwritten drive with ‘dd’) and was able to recover the data. The overwritten drive, I tried FileRec for Windows (horrible), RecoverJPEG (Linux, decent), and PhotoRec (amazing).
I meant to write a blog post about each, but never did. I’ll make sure to bookmark your article, however! Thanks again!
Very interesting post. I’m a beginner in the computer forensics world and enjoyed reading this.
@left.crupps – You’re always welcome to write a related post for this blog (making sure there are credits and a link to you). ;)
As a matter of fact, anyone can become a contributor! Just send a message here: http://ubuntulinuxhelp.com/con.....tact/
For those interested in the apps mentioned…
PhotoRec: http://www.cgsecurity.org/wiki...../PhotoRec
RecoverJPG: http://www.rfc1149.net/devel/r.....ecoverjpeg
Very interesting article. I actually have a 500 GB external hard drive that is making the dreaded clicking noise. I can still access most of the data, but I really need to make an image of it. I’ll be sure to see if I can use the tools you provided to create a working image of the drive :D
@Christian – Oh… I know that noise well!!!! Yuck! ;)
Good luck!