<html>
<head>
<title>Napster's Experiments with Freedom</title>
<link rel="stylesheet" type="text/css" href="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/styles/xt256.min.css">
<script src="http://cdnjs.cloudflare.com/ajax/libs/highlight.js/9.7.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script type="text/javascript" src="https://cdn.mathjax.org/mathjax/latest/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
<link rel="stylesheet" type="text/css" href="css/post.css">
</head>
<body><h1 id="how-to-recover-files-from-a-deleted-or-even-overwritten-partition">How to recover files from a deleted or even overwritten partition</h1>
<p>First of all, this is something that happened to me, and this is just a post about how I recovered from the mess. You are gonna slap me if I tell you how idiotic I was to lose all my data anyway. I was updating my Linux Mint 14 laptop to Linux Mint 15 RC, which was released yesterday, by a fresh reinstall. As usual I backed up all my files in the /home/napster folder, which is nothing but my home folder, to another spare PC here, and since all of my critical documents are on Dropbox and Google Drive, that part was pretty safe. Before starting the gone-deadly installation, my TOSHIBA 250GB HDD looked something like the following.</p>
<p><img src="images/before.png"></p>
<p>The partition labelled <strong>Data</strong> was the central place where I kept all my stuff like movies, music, photos, e-books and everything as such. This drive was 200GB in size, and it was around 99% occupied. As you see, this is a pretty deadly combination: if you accidentally lose the data, there is not much space left to stand up and do the recovery from within the disk. Anyway, this is what I did in the apocalyptic re-installation. First I booted the machine with a <em>Linux Mint 15 RC CD-ROM</em> and during the installation process, I chose <strong>Replace Linux Mint 14 with Linux Mint 15</strong>. This was somewhat a very bad thing to do, although I didn’t expect all my partitions would be lost. After the installation, I immediately noticed that all my partitions and data were lost, forever. This is roughly what the HDD looked like after the re-installation.</p>
<figure>
<img src="images/after.png" alt="image"><figcaption>image</figcaption>
</figure>
<p>I was stupid enough to use the new installation for a few more minutes and install a few applications like Chrome Browser or the VLC player. Then I realized that the situation was really worse. With each app being used, and with each app being newly installed, I’m technically <strong>overwriting</strong> one file or the other in my old partitions. I stopped immediately, turned off the PC and looked around for solutions. I was pretty panicked and didn’t know what to do. I headed to some IRC chat rooms and most of them were pretty sure that I’m never going to get that data back.</p>
<p>I paused for a while and the next thing to do was to audit the damages. I thoroughly tried to recall what files I had on the machine before losing the partitions. I listed all those I could recall and analyzed which of them were potentially high priority files and which of them I could afford to lose. That opened a little bit of room to settle down for a while, because most of the files were not that critical and, to be honest, I could live in the absence of almost any of them. So by the evening I decided not to approach any professional companies to do this recovery process, and assigned myself to give it a try.</p>
<p><em>Boring Story is over, You may read from here on.</em></p>
<p>For the sake of safety, I gathered a 500GB external HDD. I thought I could use it in case I needed to profile the entire hard disk to an image. The most important tool to use was <a href="http://www.cgsecurity.org/wiki/TestDisk"><strong>testdisk</strong></a>. This is an elegantly written open source software, which is the only tool I used in the entire process of the recovery. I found a lot of threads discussing data loss due to the same incorrect Linux installation attempts. But <em>none</em> of them led me to a proper recovery solution. Most threads were flooded by commercial data recovery companies and their sucky ads. So, I found testdisk in Ubuntu’s data recovery guide. But it was not at all documented there. I set up a virtual machine quickly to get myself familiar with the interface of the testdisk tool. It is in fact a 100% command line tool, with a menu-like interface much similar to what is provided by <strong>parted</strong> or such tools. I don’t know why I chose testdisk, since the other two tools (one was gparted - I knew it was of no use) were documented there properly. Anyway I headed to the <a href="http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step">testdisk wiki</a> and learned how to do the <strong>Deep Search</strong> process for the lost partitions and how to write the partition table back to the disk itself. The following were the major steps in the process.</p>
<ol type="1">
<li>Boot the machine from a Live CD. I used the Linux Mint 15 RC CD-ROM itself, since it was already available, as you would guess. Please note that the entire system is in the RAM when booting live, so the recovery process depends on the RAM you have available. If possible, extend the RAM before initiating the recovery, or move the HDD to another PC with faster/larger RAM, although I’m not sure the latter is a good idea.</li>
<li>Install the testdisk application. Please note that the installation goes to the RAM as well, so it’s better not to run any other apps from this Live CD for the sake of speed. Now, run the tool: <code>sudo testdisk</code></li>
<li>Select the correct HDD first. If you have multiple hard disks on your PC, you can identify the correct one with the name or the size of the HDD.</li>
<li>Select the Quick Search and proceed. This will list the new partitions, I mean the currently available ones. In my case, the one with <em>Linux Mint 15 RC</em> and its 2GB swap.</li>
<li>Select the root partition from the result and proceed to the <strong>Deep Search</strong>. This process is going to take a while; in my case it was around 1.5 hours.</li>
<li>After the Deep Search, you will get a list of all deleted partitions that could possibly be recovered to some extent. It is not at all guaranteed to recover any files with any level of certainty, I mean, it depends on your luck as well. Anyway, from this list of partitions, correctly select the one you need to recover. Strangely, in my case I got two partitions with the same label <strong>Data</strong>. I’m not sure why 2 such entries appeared.</li>
<li>I selected one of them and pressed Enter to proceed. Now, the partition is displayed with all details about the drive. I could navigate through the file system by using the ⬅ and ➡ arrow keys. You may find very old and previously deleted files on the drive in red color, which could not be recovered. Once the drive is properly identified, proceed to the next step.</li>
<li>Change the partition type from <strong>D</strong> to <strong>P</strong> or <strong>L</strong>. <strong>D</strong> represents deleted, <strong>P</strong> represents Primary and <strong>L</strong> represents Logical partitions. If it was a primary drive, you may not be able to change the type to <strong>L</strong> at all. Once this step is done, press Enter to proceed.</li>
<li>Now, testdisk will ask you if you want to write back the partition table or not. Choose <strong>Write</strong> and confirm if asked again.</li>
<li>Reboot the PC to complete the process.</li>
<li>Once rebooted, the partitions will be restored, but the files in them may be found to have incorrect permissions, or some files or folders may not be accessible at all. Check the <strong>chmod</strong> command to see how you could fix this problem.</li>
</ol>
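<p>An added example, not part of the original post or of testdisk: a small shell helper that makes the <strong>Write</strong> in step 9 reversible by saving sector 0 before testdisk rewrites it, and that decodes the primary entries for a before/after comparison. It assumes an MBR (msdos) partition table; the function names and the sample image are constructed for illustration.</p>

```shell
# Added example (not from the original post). Assumes a classic MBR disk:
# four 16-byte primary entries at byte 446 of sector 0, signature 55 aa at 510.
# Logical partitions are described by EBR sectors elsewhere on the disk, so
# this covers the primary table only. All function names are made up here.

# le32 FILE OFFSET: print the little-endian 32-bit value stored at OFFSET.
le32() {
    set -- $(od -An -tu1 -j"$2" -N4 "$1")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# save_table DISK BACKUP: copy sector 0 aside; fail if it has no MBR signature.
save_table() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null || return 1
    [ "$(od -An -tx1 -j510 -N2 "$2" | tr -d ' \n')" = "55aa" ]
}

# list_entries FILE: print "slot type start_lba sectors" per used primary slot.
list_entries() {
    for slot in 0 1 2 3; do
        off=$((446 + 16 * slot))
        ptype=$(od -An -tx1 -j$((off + 4)) -N1 "$1" | tr -d ' \n')
        if [ "$ptype" = "00" ]; then continue; fi
        echo "$((slot + 1)) 0x$ptype $(le32 "$1" $((off + 8))) $(le32 "$1" $((off + 12)))"
    done
}

# restore_table BACKUP DISK: put the saved sector back without truncating DISK.
restore_table() {
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# poke FILE OFFSET OCTAL_BYTES: helper used only to build the sample image.
poke() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# make_sample FILE: constructed 1 MiB image with one entry
# (type 0x83, start LBA 2048, 4096 sectors). Not data from the post.
make_sample() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    poke "$1" 450 '\203'       # partition type byte of slot 1
    poke "$1" 455 '\010'       # start LBA 0x00000800, little-endian
    poke "$1" 459 '\020'       # sector count 0x00001000, little-endian
    poke "$1" 510 '\125\252'   # boot signature 55 aa
}

# On the live CD, before step 9 (DISK is a placeholder such as /dev/sdX):
#   save_table DISK /path/on/external/mbr-before.bin
#   list_entries /path/on/external/mbr-before.bin
```

<p>Comparing the output of list_entries before and after the Write shows which primary slots changed. A full disk image on the external drive remains the only rollback that also covers logical partitions and file contents.</p>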
<p>OK, so that’s the story. I executed all the steps above and successfully recovered almost all the files without them being corrupted. I faced some boot related issues after the recovery, but I’m not sure yet if they were caused by the recovery process or not. Also, the most important files were recovered and so a bad day became a good day after all for me! :)</p>
</body>
</html>