Difference between revisions of "Forensics, Undelete, and Data Recovery"

From Noah.org

Revision as of 17:25, 19 August 2008

There is no undelete in Linux. You're screwed.

OK, maybe not... If possible, cut power to the machine or drive. Don't let anything else get written to the drive. New data could potentially overwrite the deleted files. If the drive is on a battery-backed cache RAID controller you might also want to remove the drive from the controller and bring up the drive in a different machine. That might be going overboard, but it depends on how desperate you are. If you try simply unmounting the drive then that will actually guarantee the caches are synced to disk which could cause even more data loss.

On most filesystems, deleted files are not actually erased. Their space is marked as available and the file's data remains on the disk until the drive overwrites that space with a new file. This could happen right away or it could take a long time before the file is actually lost.

Most data recovery tools fall into the category of "data carving". These tools scan the disk as a stream, looking for bit patterns (headers and footers) associated with common file types such as JPG, Word files, mp3, and video files. Because they ignore the filesystem, they sometimes recover corrupt files, and they can rarely recover filenames or other metadata.

Some data recovery tools make more use of knowledge of the underlying filesystem. For example, there are special tools only for ext2 or NTFS. But a tool that helps recover deleted files from an ext2 filesystem will not work on an ext3 filesystem even though the underlying on-disk format is the same.

data extraction

To recover data you will need to extract it from the source drive to work on it in a separate work drive.

dd

The venerable old `dd` command is the most common way to copy a raw dump of a device. Of course, the /dev/sdb device should be unmounted.

dd if=/dev/sdb of=~/recovery/rawdata.dd bs=8k

Sleuthkit

This toolkit has a variety of tools for extracting raw data from a drive. The most valuable one to me has been `dls` which is similar to `dd` except that it will extract raw data only from the unused parts of a drive where deleted files will be found. This saves time in later steps because you don't have to search through the entire drive for deleted files.

The Sleuthkit

data carving tools

These tools try to find data in streams based on patterns.

PhotoRec

This tool is probably the best tool I've used for recovering files. It was originally a special purpose tool for recovering photos deleted from flash memory cards, but it has grown into a general purpose tool that can identify many types of files.

PhotoRec

recoverjpeg

This specializes in just jpeg files:

recoverjpeg

scalpel

Scalpel is based on an early version of `foremost`. Supposedly `foremost` is a little better at finding files, but `scalpel` is faster and will handle files larger than 2GB. Couldn't hurt to try both...

scalpel

foremost

Foremost

ext2 file recovery tools

These tools are becoming less relevant since ext2 is not as popular as it once was.

e2undel

This tool specializes only in ext2 filesystems.

e2undel

recover

This tool specializes only in ext2 filesystems.

recover

Example Recovery

Install some tools

Install `foremost` and `dls`

aptitude install sleuthkit  # This is a collection of forensic analysis tools that includes `dls`.
aptitude install foremost

dls

You can use `dls` to dump the raw binary data of the free space on a partition. You can pipe that directly into `foremost` which intelligently tries to reconstruct files in raw binary streams.

`dls` works sort of like `dd` except that it dumps unallocated blocks. You can use `dd` instead of `dls`, but then you would be grabbing all the raw data from a disk including data from files that are not deleted. This example assumes the drive partition you want to recover from is /dev/sdb1.

dls /dev/sdb1 > ~/recovery/rawdata.dd

foremost

`foremost` recovers files from a disk image. You use it with `dls` like this:

dls /dev/sdb1 | foremost

If you want to reduce the amount of useless files that are recovered you can specify the file type you are looking for. For example, to recover any Microsoft Office documents you might do something like the following.

dls /dev/sdb1 | foremost -tole

To recover JPEG pictures do this:

dls /dev/sdb1 | foremost -tjpg
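To make the header/footer carving described above concrete, here is a small JPEG carver written for this page (it is not code from foremost, scalpel or PhotoRec). It does at its core what `foremost -tjpg` does over a `dd` or `dls` dump: find every SOI marker, take bytes up to the next EOI, and name the output by offset because no filename survives. The sample dump, `carve_jpegs` and `carve_image` are all constructed here; the partial-file handling (a second header before any footer) is an assumption about how to treat a partly overwritten image.

```python
import re
from pathlib import Path

# A JPEG starts with the SOI marker FF D8 (always followed by another FF xx
# marker) and ends with the EOI marker FF D9. A carver scans the raw stream
# for these byte patterns and never consults filesystem metadata.
SOI = re.compile(rb"\xff\xd8\xff")
EOI = b"\xff\xd9"
MAX_SIZE = 20 * 1024 * 1024  # stop looking for a footer after this many bytes

def carve_jpegs(data, max_size=MAX_SIZE):
    """Return (offset, bytes, complete) for each JPEG candidate in data.
    A header that is followed by another header before any footer is an
    incomplete candidate: the original file was partly overwritten."""
    found, pos = [], 0
    while (m := SOI.search(data, pos)):
        start = m.start()
        end = data.find(EOI, start + 3, start + max_size)
        nxt = SOI.search(data, start + 3)
        if end != -1 and (nxt is None or end < nxt.start()):
            found.append((start, data[start:end + 2], True))
            pos = end + 2
        elif nxt is not None:
            found.append((start, data[start:nxt.start()], False))
            pos = nxt.start()
        else:  # header with no footer and no later header: take the tail
            found.append((start, data[start:start + max_size], False))
            break
    return found

def carve_image(image_path, out_dir):
    """Carve a raw dump (the output of dd or dls) into files under out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for offset, blob, complete in carve_jpegs(Path(image_path).read_bytes()):
        # like foremost, name files by byte offset: no original name survives
        name = out / f"{offset:012d}{'' if complete else '.partial'}.jpg"
        name.write_bytes(blob)
        written.append(str(name))
    return written

# Constructed sample dump: two small JPEG-like blobs amid junk, plus one
# header whose body was overwritten before its footer (a partial file).
SAMPLE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-one\xff\xd9"
          + b"junk" * 4 + b"\xff\xd8\xff\xdb-truncated-"
          + b"\x00" * 8 + b"\xff\xd8\xff\xe1Exif-two\xff\xd9" + b"\xff" * 4)
```

`carve_image` reads the whole dump into memory, so point it at a `dls` extract of the free space rather than a `dd` image of an entire disk. Files ending in `.partial.jpg` are the corrupt candidates that carving tools are known to produce.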

database recovery

MySQL

For dropped MyISAM tables you can try undelete tools.

InnoDB tables are stored in a single file, so this won't work. For InnoDB tables you can try using data carving tools on the ibdata file. This file is often found in /var/lib/mysql/ibdata1 and is accompanied by /var/lib/mysql/ib_logfile0 and /var/lib/mysql/ib_logfile1 which store transaction info. At this level data carving is probably not going to be much more sophisticated than opening ibdata1 in an editor and searching for strings. I actually recovered large portions of a wiki by running ibdata1 through the `strings` command and then sifting through the mess.

You can also try innodb-tools if you are willing to put in a lot of work.

Other Resources

Forensics Wiki This is a very handy site and good for finding other tools.

Forensics Wiki's Resources A link to some more links.

Disaster Recover This is an InformationWeek article with good info.