About

This article explores methods of recovering data from partially damaged media and of recovering files that have previously been deleted.

Steps

  • Regardless of the medium or the purpose of the recovery, you must first ensure that the medium from which the data must be recovered is write-protected. If no write-protection is available (as with a hard-drive), you should under no circumstances write to the device.
  • Ensure that you have some storage medium with a slightly larger capacity than the data on the medium that you want to recover.
  • If the data to recover is on an unremovable hard-drive, then boot using a LiveCD, making sure that it provides the toolset you need to work with.
  • Dump a raw image of the medium to the backup medium.
  • Disconnect the original medium and work on the raw image by using various tools to attempt to recover as much data as possible.

Imaging

In order to create an image of the medium we wish to recover from, we use the GNU ddrescue tool, which is similar to the dd command but with extra capabilities that allow the tool to retry in case of failure.

Under Debian-like distributions, GNU ddrescue is packaged as gddrescue (the package named ddrescue is the unrelated dd_rescue tool), so you can install it with:

aptitude install gddrescue

Let us assume that /dev/sda is the medium from which data must be recovered, and /mnt/usb/ is the path to where the data will be recovered (for example, a large-enough USB stick). The ddrescue utility will attempt to rescue data from /dev/sda to an image file at /mnt/usb/sda.img whilst creating a log-file /mnt/usb/sda.log that is needed to perform multiple retries. Note that ddrescue can be run multiple times using the same log-file, so that it can make several attempts at recovering data (for example, from a broken medium with spurious hardware failures).

The standard procedure is to:

  • copy as much data as possible without retrying or scraping sectors:
ddrescue --no-scrape /dev/sda /mnt/usb/sda.img /mnt/usb/sda.log
  • run the previous operation whilst retrying 3 times using uncached reads:
ddrescue --direct --retry-passes=3 /dev/sda /mnt/usb/sda.img /mnt/usb/sda.log
  • for the last pass, try again, retrimmed in order to re-read full sectors:
ddrescue --direct --retrim --retry-passes=3 /dev/sda /mnt/usb/sda.img /mnt/usb/sda.log

You can retry the last operation several times if you wish. If the medium (/dev/sda in this example) is not entirely damaged, you should have at least a partial image of the medium in /mnt/usb/sda.img from which you can attempt to recover files.

Mounting the Image

If you are lucky, the image could be read without errors or the partition information is still there. In that case you can use Sleuth Kit to locate the partition and then attempt to mount it from the image. Under Debian-like distributions, you can install Sleuth Kit with:

aptitude install sleuthkit

In order to check the image for a partition table we use mmls:

mmls /mnt/usb/sda.img

which should list the partitions. You will get some information (abbreviated here):

...
Units are in 512-byte sectors
...
     Slot    Start        End          Length       Size    Description
...
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)

We can now attempt to mount the second partition by multiplying the sector size by the partition's start sector ($512 \times 32 = 16384$), which gives us the byte offset of the second partition within the image:

mount -o loop,offset=16384 /mnt/usb/sda.img /mnt/recovery

The image is now mounted at the /mnt/recovery mount point and you can start recovering data.
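
The offset calculation above, generalised to every partition that mmls lists, as an added example that is not part of the original page: the script parses the sector size and start sectors and prints one mount command per partition. The function names, the per-partition mount points and all rows of the sample listing except the FAT16 one are constructed, and the ro and sizelimit mount options are additions that keep the image unmodified and stop the loop device at the end of the partition.

```shell
#!/bin/sh
# Added example (not from the original page): turn mmls output into
# read-only loop-mount commands. Function names are hypothetical.

# Constructed sample: the FAT16 row shown on the page plus made-up filler rows.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Size    Description
00:  -----   0000000000   0000000000   0000000001   0512B   Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   0015K   Unallocated
02:  00:01   0000000032   0001646591   0001646560   0803M   DOS FAT16 (0x06)
EOF
}

# Read mmls text on stdin; print "<entry> <byte offset> <byte length>" for
# every allocated partition (metadata and unallocated rows have no slot number).
mmls_offsets() {
    awk '
        /^Units are in [0-9]+-byte sectors/ { sector = $4 + 0; next }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+(:[0-9]+)?$/ &&
        $3 ~ /^[0-9]+$/  && $5 ~ /^[0-9]+$/ {
            if (sector == 0) { print "sector size not found" > "/dev/stderr"; exit 1 }
            # %.0f avoids 32-bit truncation of large offsets in some awk builds
            printf "%s %.0f %.0f\n", substr($1, 1, length($1) - 1), $3 * sector, $5 * sector
        }
    '
}

# Read mmls text on stdin; print (do not run) one read-only mount command per
# partition. Mount points <base>/p<entry> are an assumed naming scheme.
mount_commands() {
    image=$1
    base=$2
    mmls_offsets | while read -r entry offset size; do
        printf 'mount -o ro,loop,offset=%s,sizelimit=%s %s %s/p%s\n' \
            "$offset" "$size" "$image" "$base" "$entry"
    done
}

# Demo on the constructed listing; on a real image use: mmls IMAGE | mount_commands IMAGE DIR
sample_mmls | mount_commands /mnt/usb/sda.img /mnt/recovery
```
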

Carving from The Image

In the case of defective hardware, it is more than likely that you will not have been able to recover the partition table, and you will need to carve files out of the image. There are several ways to accomplish this, although none of them is particularly good: all the described methods recover file contents but not file names, leaving you with a huge mess to sort through.

There are two tools mentioned here that can be used for carving:

  • scalpel
  • photorec

With scalpel, you first edit the configuration file in order to enable file types. The configuration file for scalpel is usually placed at /etc/scalpel/scalpel.conf. You would then issue:

scalpel /mnt/usb/sda.img -o /mnt/usb/dump/

which will carve out all the files defined in /etc/scalpel/scalpel.conf and dump them in /mnt/usb/dump.

With photorec (the name is obsolete now since it is able to carve out many file types), you would just issue:

photorec /mnt/usb/sda.img

and then follow the on-screen menus to choose file types and a dump directory.


security/data_recovery.txt · Last modified: 2022/04/19 08:28 by 127.0.0.1
