littleponywork/DiskDataRescue

DiskDataRescue

Introduction

Github Mainpage

This rescue procedure tries to restore target files when no file system is available. The success rate depends heavily on how much of the data has been overwritten. The methodology runs the open source file carving software PhotoRec on a disk image, then applies simple keyword matching to the carving results.

Scenarios:

  • The original partition is corrupted or overwritten by a new OS
  • Target files are text-based such as .txt, .py, .c, etc.
  • You have old versions of the target files or know short pieces (keywords) of them

Prerequisites

  • Prepare a live USB/CD for any OS (the examples here use Linux)
  • Prepare an external/writable disk and an environment (called ENV) that can access it
  • [on ENV] Install Python 3 (tested with 3.8.12)
  • [on ENV] Install PhotoRec
  • Prepare old versions of the target files, or keyword files (one keyword per line)

Steps for usage

  1. Dump disk image
  2. Carving files
  3. Search target files

Dump disk image

  1. Boot OS in Live Mode with live USB/CD
  2. Mount an external/writable disk

  • For an external NAS:

sudo mount -t cifs -o username="USER",password="PASSWORD",gid="DDDD",uid="DDDD" "//REMOTE/DIR" "LOCAL_DIR"

  3. Use the disk dump command to generate a disk image on the external/writable disk

sudo nohup dd if=DEVICE of=LOCAL_DIR/image.dd bs=4K status=progress > LOCAL_DIR/image_progress.txt 2>&1 &

  • "nohup" keeps the command running even if the terminal is closed.
  • dd man page
  • "DEVICE" is the disk to be rescued, such as "/dev/sda".

Carving files

  1. Execute PhotoRec

photorec LOCAL_DIR/image.dd

  2. Choose LOCAL_DIR/image.dd to [proceed]
  3. Choose [File Opt]
  4. Disable all except for "txt", then [Quit]
  5. Choose "Unknown" partition (whole disk) to [Search]
  6. Choose the appropriate file system and output directory
  7. Wait for results
  • The output directory will have the following structure.
./
├── [Dir]/
│   ├── [File]
│   ├── [File]
│   └── ...
├── [Dir]/
│   ├── [File]
│   ├── [File]
│   └── ...
└── ...

Search target files

Execute search.py, and wait for results

python search.py -dir <SearchBaseDir> -dest <OutputDir> -target <KeywordEntry> [-cr <CheckpointFile>] [-keylen <len>] [-maxFileSize <sizeInMB>] [-minFileSize <sizeInMB>] [-thread <num>]

Description

The program first parses KeywordEntry, or all files in KeywordEntry if it is a directory; any line whose length is greater than or equal to <keylen> is regarded as a keyword. It then searches all directories and files under SearchBaseDir.

Arguments

  • Required
    • -dir <SearchBaseDir> search base dir path, i.e., the output directory of PhotoRec
    • -dest <OutputDir> output dir path.
    • -target <KeywordEntry> target keyword file/dir path.
  • Optional
    • -cr <CheckpointFile> checkpoint file path, default is 'checkpoint.txt'
    • -keylen <len> keyword length, default is 30.
    • -maxFileSize <sizeInMB> search max file size in MB, default is 1.
    • -minFileSize <sizeInMB> search min file size in MB, default is 0.
    • -thread <num> max number of workers, default is 1.
  • The output directory structure of search.py is similar to that of PhotoRec, but it includes only files that match certain keywords.
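
The keyword search described above, as an added sketch for illustration; it is not the project's search.py and omits checkpointing and threading. The function names are hypothetical, and it assumes keyword length is measured on the stripped line in bytes and that matching is done on raw bytes, since carved files often contain undecodable data.

```python
import os
import shutil

MB = 1024 * 1024

def load_keywords(entry, keylen=30):
    """Collect keywords from a file, or from every file under a directory.
    Assumption: a line is a keyword when its stripped length is >= keylen."""
    paths = [entry]
    if os.path.isdir(entry):
        paths = [os.path.join(root, name)
                 for root, _, names in os.walk(entry) for name in names]
    keywords = set()
    for path in paths:
        with open(path, "rb") as fh:
            for line in fh:
                line = line.strip()
                if len(line) >= keylen:
                    keywords.add(line)
    return keywords

def search(base_dir, dest_dir, keywords, min_mb=0, max_mb=1):
    """Copy each carved file that contains at least one keyword into dest_dir,
    keeping its path relative to base_dir. Returns the matched relative paths."""
    matched = []
    for root, _, names in os.walk(base_dir):
        for name in names:
            src = os.path.join(root, name)
            size = os.path.getsize(src)
            # Skip files outside the size window before reading them.
            if not (min_mb * MB <= size <= max_mb * MB):
                continue
            with open(src, "rb") as fh:
                data = fh.read()  # bounded by max_mb
            if any(k in data for k in keywords):
                rel = os.path.relpath(src, base_dir)
                out = os.path.join(dest_dir, rel)
                os.makedirs(os.path.dirname(out), exist_ok=True)
                shutil.copy2(src, out)  # copy, never move: keep carve output intact
                matched.append(rel)
    return sorted(matched)
```

Keep dest_dir outside base_dir so copied matches are not walked again as search input.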
