How dd, nc and fdisk saved my bacon
25 Feb 2010
How do I get data off this thing?
Here’s the situation. I’m trying to recover data for a client. Their laptop will not boot into Windows and they need to get data off of it. To add to the fun, I don’t have an IDE adaptor handy for the laptop hard drive, and the laptop is a little crashy (motherboard shorting out?).
I could wait around until I can get my hands on an adaptor, but what fun would that be?
First things first, we need to get the data off of the drive. Being a minimalist, I first thought of just doing a file copy. Not knowing whether the filesystem is any good, that probably isn’t a good idea. In any forensics situation you always want to clone your source and then work with the clone. I will be taking the same approach, treating the source as “read only” and only modifying the copies I make. If it turns out the filesystem is corrupt I can always clone to a known-good drive and use tools like “chkdsk” (for filesystem corruption) or “partimage” (if things are really nasty).
So I have the “donor” machine booted up on a recent CD of Knoppix, connected via crossover cable to our tech station. I have set IP addresses and tested connectivity between the machines. Now it’s time for the magic to start.
Using the instructions found here I set my tech station as a netcat “server” and the dead laptop as a netcat “client”. Score one for the simplicity of pipes, because dd will happily pipe bit-for-bit data across our netcat tunnel! Start the listener on the tech station first:
nc -l -p 9000 | dd of=HarddriveImage.img
Then, on the laptop, read the whole disk (/dev/sda, not just a partition) and send it over:
dd if=/dev/sda | nc 192.168.1.220 9000
I also set up a terminal on the tech station running “watch” to keep an eye on the disk image size:
watch -n 1 "du -hca *.img"
Now we wait. In my case it was about 19 GB, which took about one hour.
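As an added example (not part of the original post), here is the imaging step as a small script: dd with conv=noerror,sync so a flaky drive does not abort the copy, plus SHA-256 hashing so the image can be verified afterwards. The paths, the host address and the 64 KiB block size are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: image a device with dd while
# tolerating read errors, then hash source and image so the copy can be
# verified. Paths and the 64 KiB block size are assumptions.

# conv=noerror,sync makes dd carry on past unreadable sectors and zero-fill
# each failed block, so every byte of the image keeps its original offset
# (plain dd stops at the first I/O error). The same option pads the final
# partial block, so the image can be up to bs-1 bytes longer than the
# source; use bs=512 if the exact length matters. A drive that throws many
# errors is better served by GNU ddrescue, which retries and maps bad areas.
dd_image() {   # dd_image SOURCE DEST [BLOCKSIZE]
    dd if="$1" of="$2" bs="${3:-64k}" conv=noerror,sync
}

# Hex SHA-256 of a file or device.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Succeeds when source and image hash identically. A mismatch after a
# noerror run means zero-filled blocks stand in for sectors the drive could
# not read; keep the image hash either way as the record of what you have.
verify_image() {   # verify_image SOURCE IMAGE
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Over the crossover cable the same dd sits on each end of the netcat pipe:
#   tech station:  nc -l -p 9000 | dd of=HarddriveImage.img bs=64k
#   dead laptop:   dd if=/dev/sda bs=64k conv=noerror,sync | nc 192.168.1.220 9000
# Some netcat variants keep the socket open after dd hits EOF; add -q 1
# (traditional nc) or -N (OpenBSD nc) on the sending side so it exits.
# Afterwards hash the image on the tech station and, if the drive still
# reads, sha256sum /dev/sda on the laptop for comparison.

# Usage: ./image.sh /dev/sda HarddriveImage.img
if [ $# -ge 2 ]; then
    dd_image "$1" "$2" "$3" && sha256_of "$2"
fi
```

Run it as ./image.sh /dev/sda HarddriveImage.img on the machine that holds the drive; over netcat, the sender and receiver lines in the comments replace the single dd, and the hash is taken on the receiving side once the transfer completes.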
We have the image, now what?
Next, I found a handy guide (here; wayback cache) on what to actually do with the image once I had it. I am familiar with loopback-mounting ISO images, but never before had I tried to loopback-mount an entire hard drive image.
So first things first, we need one more important piece of information off the dying computer: how many cylinders the hard drive has. Older versions of fdisk cannot work out the geometry of a plain image file the way they can for a real device, so we will pass the cylinder count explicitly later in our calculations.
fdisk -l /dev/sda

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00050229

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          12       96358+  83  Linux
/dev/sda2              13         136      996030    5  Extended
/dev/sda3             137        1109     7815622+  83  Linux
/dev/sda4            1110       19457   147380310   83  Linux
/dev/sda5              13         136      995998+  82  Linux swap / Solaris
(That listing is from a different hard drive and is shown only for the output format, so its numbers differ from those below. The cylinder count for the disk we are actually recovering is 2432.)
Now that we know the cylinder count we can get fdisk to read the cloned image and see whether the partition table is intact (the “0 MB, 0 bytes” below is fdisk failing to size a regular file, not a problem with the image):
$ fdisk -C 2432 DiskImage.img

The number of cylinders for this disk is set to 2432.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x9dc96e9e

        Device Boot      Start         End      Blocks   Id  System
DiskImage.img1               1           5       40131   de  Dell Utility
DiskImage.img2   *           6        2431    19486845    7  HPFS/NTFS
Well, everything looks good! If fdisk cannot make sense of the table at this point, keep in mind that the disk may be beyond saving. Try something like SpinRite on the original drive and attempt the clone again.
We know that we want to mount partition 2, “DiskImage.img2”, but we need its start and end in sectors rather than cylinders; the -u switch makes fdisk report in sectors:
$ fdisk -l -u -C 2432 DiskImage.img

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9dc96e9e

        Device Boot      Start         End      Blocks   Id  System
DiskImage.img1              63       80324       40131   de  Dell Utility
DiskImage.img2   *       80325    39054014    19486845    7  HPFS/NTFS
Now all that is left is to calculate the byte offset so we can tell mount where the partition begins inside the loopback image. Each sector is 512 bytes, so:
Offset = StartSector * 512
So we have 80325 * 512 = 41126400
Now we issue the mount command as follows:
$ sudo mount -o loop,offset=41126400 -t ntfs DiskImage.img /mnt/
Adding ro to the options (-o ro,loop,offset=41126400) keeps the image itself untouched, the same “read only” discipline we applied to the source drive.
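The offset arithmetic above can be done without fdisk at all by reading the partition table out of the image’s first sector. What follows is an added example, not from the original post or the guide it links, that does exactly that for a primary MBR partition and prints a read-only mount line. The image path, partition number and mount point are placeholders, and sizelimit= assumes a util-linux mount recent enough to accept it (losetup with an offset, or kpartx -av on the image, are alternatives).

```shell
#!/bin/sh
# Added example, not from the original post: pull the partition's start
# sector straight out of the image's MBR instead of coaxing it from fdisk,
# and build a read-only loop mount. Image path, partition number and mount
# point are placeholders; sizelimit= needs a util-linux mount new enough
# to support it.

SECTOR=512   # MBR LBA values are in 512-byte sectors regardless of drive geometry

# Unsigned 32-bit little-endian value at byte OFFSET of FILE, assembled
# from single bytes so the result does not depend on host byte order.
le32_at() {   # le32_at FILE OFFSET
    set -- $(od -An -tu1 -v -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Byte offset of primary partition entry N (1-4): the table starts at 446
# and each entry is 16 bytes.
entry_at() {   # entry_at N
    echo $(( 446 + ($1 - 1) * 16 ))
}

# Fields of entry N: type byte at +4, first LBA at +8, sector count at +12.
part_type()      { od -An -tx1 -v -j $(( $(entry_at "$2") + 4 )) -N 1 "$1" | tr -d ' '; }
part_start_lba() { le32_at "$1" $(( $(entry_at "$2") + 8 )); }
part_sectors()   { le32_at "$1" $(( $(entry_at "$2") + 12 )); }

# The number mount wants: start sector times sector size.
part_offset() {   # part_offset IMAGE N
    echo $(( $(part_start_lba "$1" "$2") * SECTOR ))
}

# Refuse to trust a table whose 0x55AA signature is missing (blank or
# damaged first sector); fdisk would print nonsense rather than fail.
has_mbr_signature() {
    [ "$(od -An -tx1 -v -j 510 -N 2 "$1" | tr -d ' ')" = "55aa" ]
}

# Mount command for partition N: ro keeps the image pristine (the source
# was treated as read-only, the copy should be too), sizelimit stops the
# loop device at the partition's end so a filesystem driver cannot wander
# into the next partition. Extended partitions (type 05/0f) chain to
# further tables and are not handled here.
mount_cmd() {   # mount_cmd IMAGE N [MOUNTPOINT]
    has_mbr_signature "$1" || { echo "no MBR signature in $1" >&2; return 1; }
    off=$(part_offset "$1" "$2")
    size=$(( $(part_sectors "$1" "$2") * SECTOR ))
    echo "mount -o ro,loop,offset=$off,sizelimit=$size -t ntfs $1 ${3:-/mnt}"
}

# Usage: ./offset.sh DiskImage.img 2 /mnt
if [ $# -ge 2 ]; then
    mount_cmd "$1" "$2" "$3"
fi
```

Against the post’s table this yields offset 41126400 for DiskImage.img2, the same number computed by hand above. The script deliberately stops at the four primary entries: the Dell utility partition and the NTFS partition here are both primary, but an extended partition (type 05 or 0f) points at a chain of further tables that must be followed separately.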
That’s all she wrote
Well, we’ve been on a whirlwind tour of data recovery, but I am sure we have just scratched the surface of the different techniques that are out there. So, what tricks have you used for data recovery before? Any tips or tools you care to share?