Forensic disk recovery

Suppose someone gave you a Sandisk Cruzer 8GB micro USB stick* with their entire life's work stored on it. The stick's directories could be listed under Windows XP but not under Windows 7, and nothing could be copied off it or onto it.

What would you do ?

Well here’s what I did to recover the files.

First of all I tried all the normal Windows-based solutions:

Recovery software GetDataBack (which has served me well in the past)

No joy! Nothing! Nada! – USB just disconnects when you try anything.

So I turn to Unix for the answer. The USB stick could be mounted and read; it just crashed out when trying to copy the files/directories from the device, saving about 10% of the data. I’m assuming it’s a hardware failure of the device.

This is when I turn to open source forensic software – Ubuntu Rescue Remix

Here’s how I used it :

I created a bootable image of the Ubuntu Rescue Disk ‘to a different USB stick’, following the instructions at

Booted that, then used the following commands :

Create ‘hdd1’ directory in the ‘mnt’ folder
sudo mkdir /mnt/hdd1

Mount your machine’s hard drive to the folder ‘/mnt/hdd1’
sudo mount /dev/sda1 /mnt/hdd1

Check the output of the ‘mount’ command to see what the USB device you’re trying to recover is called; in my case it’s mounted as ‘/dev/sdc1’
sudo mount

Use that information to construct the following command. The arguments are, in order: ddrescue, retry reads up to 3 times, the USB device, the name of the image to write, the name of the log to write
sudo ddrescue -r 3 /dev/sdc1 /mnt/hdd1/recovery-image /mnt/hdd1/recovery-log

Create a new directory on your hard drive to store all the recovered files.
sudo mkdir /mnt/hdd1/recovery

Run ‘foremost’, which is forensic software created by the US Air Force. The arguments are, in order: foremost, image name, output directory
sudo foremost -i /mnt/hdd1/recovery-image -o /mnt/hdd1/recovery

This will extract the files, without their original filenames, to the output directory. A slight issue, but lucky to get anything back at all.
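
Before carving, it helps to know how much of the stick ddrescue actually managed to read, since files carved from unread or bad areas will be damaged. The script below is an added example, not part of the original post: it totals the block statuses in the recovery-log (a GNU ddrescue mapfile). The function names and the sample mapfile are constructed for illustration.

```shell
#!/bin/sh
# Summarise a GNU ddrescue mapfile (the "recovery-log" written by the command above).
# Data lines are "<pos> <size> <status>" with hex numbers; status '+' = rescued,
# '-' = bad sector, '?' = not tried, '*' = not trimmed, '/' = not scraped.

mapfile_summary() {
    # $1 = mapfile path. Prints: rescued=<bytes> bad=<bytes> pending=<bytes> pct=<int>
    rescued=0 bad=0 pending=0 seen_status=0
    while read -r pos size status _rest; do
        case "$pos" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ "$seen_status" -eq 0 ]; then           # first real line is the
            seen_status=1; continue                 # current-position line, not data
        fi
        bytes=$(($size))                            # hex such as 0x1000 -> decimal
        case "$status" in
            '+') rescued=$((rescued + bytes)) ;;
            '-') bad=$((bad + bytes)) ;;
            '?'|'*'|'/') pending=$((pending + bytes)) ;;
        esac
    done < "$1"
    total=$((rescued + bad + pending))
    [ "$total" -gt 0 ] || return 1                  # empty or unparsable mapfile
    echo "rescued=$rescued bad=$bad pending=$pending pct=$((rescued * 100 / total))"
}

write_sample_mapfile() {
    # Constructed sample: an 8 MiB device with one 4 KiB bad block and 3 MiB untried.
    cat > "$1" <<'EOF'
# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status  current_pass
0x00500000     ?               1
#      pos        size  status
0x00000000  0x00400000  +
0x00400000  0x00001000  -
0x00401000  0x000FF000  +
0x00500000  0x00300000  ?
EOF
}

# Demo on the constructed sample; on a real run pass /mnt/hdd1/recovery-log instead.
sample=$(mktemp)
write_sample_mapfile "$sample"
mapfile_summary "$sample"
rm -f "$sample"
```

A non-zero pending figure means ddrescue was interrupted or has not finished its passes; re-running the same ddrescue command with the same log resumes from where it stopped.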

* Other USB sticks are available.

