lunedì 7 settembre 2015

Disk Recovery with Linux and testDisk tool.

Make an image before doing ANYTHING, then make a copy of the image, and do your work on that. Then you can always revert back to a pristine image of the card in case something messes up the image.

dd if=/dev/sde1 of=sdcard.img bs=1M
fdisk -l /root/sdcard.img will give you all the info about the img file created 
 
 
Always
Then you can setup a loop device with that image and work with that:



# losetup -f gives a list of loop devices available
# losetup /dev/loop0 disk.img
# file -s /dev/loop0
/dev/loop0: Linux rev 1.0 ext3 filesystem data
# mount -o loop /dev/loop0 /mnt
[...]
# umount /mnt
# losetup -d /dev/loop0
then use testdisk on the mounted file system.
 
(to install testdisk apt-get install testdisk) more here:
 
http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step 


 
(Your loop device will be /dev/loop0 or similar, find out with losetup -a)

OTHER INFO.
The problem is that the .img files are not images of a partition, but of a whole disk. That means they start with a bootloader and a partition table. You have to find out the offset of the partition and mount it with the offset option of mount.
If you do a
Code:
fdisk -l /path/to/image
it will show you the block-size and the start-block of the partition. You can use that to calculate the offset.
For example, I have an image of a bootable stick with a 4GB FAT32 partition. The output of the fdisk command is
Code:
Disk Stick.img: 3984 MB, 3984588800 bytes
249 heads, 6 sectors/track, 5209 cylinders, total 7782400 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x0004bfaa

    Device Boot      Start         End      Blocks   Id  System
Stick.img1   *         128     8015999     4007936    b  W95 FAT32
So I have a block-size of 512 bytes and the start-block is 128. The offset is 512 * 128 = 65536.
So the mount command would be
Code:
mount -o loop,offset=65536 Stick.img /mnt/tmp
 then do testdisk on image directly.

testdisk ./image.imge