Tuesday, August 29, 2006

Linux : Recover lost files after you accidentally wipe your hard drive

TestDisk can recover lost partitions of virtually any filesystem. PhotoRec can recover files of most types, including most picture and video formats. PhotoRec can be used on existing partitions, or to recover files from deleted partitions without first recovering the underlying partitions. Both PhotoRec and TestDisk can be run on DOS, Windows (9x, NT, 2000, XP, 2003), Linux, FreeBSD, NetBSD, OpenBSD, Sun Solaris, and Mac OS X, and, their developers claim, can be compiled and run on most Unix systems.

The recovery

PhotoRec recovers files by finding deleted files and copying them to disk. This means that files should not be recovered to the same disk partition on which the deleted files reside (unless you're recovering from a disk image file), because that could lead to the deleted data being permanently overwritten.

Another important thing to remember is that PhotoRec will most likely recover a lot of files. This means that the partition on which the recovered files are to be stored should have at least as much free space as the size of the partition on which PhotoRec is searching for recovered files.

Possible setups for recovery include:

  1. Recover the files to a separate hard drive.
  2. Recover the files to a networked storage drive.
  3. Recover the files to a separate partition on the same hard drive.
  4. Image the hard drive using a tool like ddrescue and recover files using only one partition.

As I had completely erased my partitions, I could not use the third option. The second option introduces problems associated with network speed and latency. The fourth option is worth considering in the case of an incident response where the image of the hard drive is used as evidence.

You can download both PhotoRec and TestDisk in a single archive file. The files photorec_static and testdisk_static are the executable files, and can be executed from the command line.

Make sure that the recovery partition is mounted (I mounted it at /var/recovery). Don't mount the hard drive that contains the deleted files; if the partition remains unmounted, you can't overwrite the data it contains.

Recovery steps

PhotoRec recovers files to the directory from which it is run. Therefore, I changed into the /var/recovery directory and ran photorec_static. If the PhotoRec executable does not run with this command, make sure that you either copy the executable to the /usr/bin directory or type in the full path where the program resides.
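As an added example (not code from the original post), a small POSIX shell script that turns the precautions above into checks before launching PhotoRec: the source partition must be unmounted, the recovery directory must sit on a different device with at least as much free space, and PhotoRec is started from inside that directory. The device paths, the /var/recovery location and photorec_static taking the device to scan as its argument are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a PhotoRec run on Linux, following the post: the source
# partition stays unmounted, the recovery directory lives on another device with
# at least as much free space as the source, and PhotoRec is started from there.
# Assumed: the device paths, /var/recovery, and that photorec_static accepts the
# device to scan as its argument.

# 0 if $1 (e.g. /dev/sda1) has no entry in the mounts table $2 (default /proc/mounts).
device_unmounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { exit found + 0 }' "${2:-/proc/mounts}"
}

# 0 if the $2 KiB free on the recovery volume cover the $1 KiB of the source partition.
enough_free_space() { [ "$2" -ge "$1" ]; }

# Device backing a directory, and KiB free on it (POSIX df fields 1 and 4).
device_of()   { df -P  "$1" | awk 'NR == 2 { print $1 }'; }
free_kib_of() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# Size of a block device in KiB via blockdev(8); needs root.
device_kib() { echo $(( $(blockdev --getsize64 "$1") / 1024 )); }

# Refuse unless every precondition holds, then start PhotoRec inside the recovery
# directory, since it writes its recup_dir.* output under the working directory.
run_photorec() {
    dev=$1; rdir=$2
    device_unmounted "$dev" || { echo "refusing: $dev is mounted" >&2; return 1; }
    [ "$(device_of "$rdir")" != "$dev" ] ||
        { echo "refusing: $rdir is on $dev itself" >&2; return 1; }
    enough_free_space "$(device_kib "$dev")" "$(free_kib_of "$rdir")" ||
        { echo "refusing: $rdir has less free space than $dev" >&2; return 1; }
    ( cd "$rdir" && photorec_static "$dev" )
}

# Exercise the pure checks against a constructed mounts table; touches no device.
demo_checks() {
    tbl=$(mktemp) || return 1
    printf '/dev/sda1 / ext3 rw 0 0\n/dev/sdb1 /var/recovery ext3 rw 0 0\n' > "$tbl"
    # /dev/sdc1 is absent (unmounted); /dev/sda1 is present (mounted, refuse);
    # equal sizes are enough, one KiB short is not.
    device_unmounted /dev/sdc1 "$tbl" && ! device_unmounted /dev/sda1 "$tbl" &&
        enough_free_space 20971520 20971520 && ! enough_free_space 20971520 20971519
    rc=$?; rm -f "$tbl"; return $rc
}

# Usage on a real system: run_photorec /dev/sda1 /var/recovery
```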

How to prevent recovery

It would be just as easy for my sensitive data to be recovered if I ever got rid of an old computer or hard drive. Luckily, you can wipe data from a hard drive in such a way as to prevent files from ever being recovered. Whitedust Security gives the following as options for secure data removal:

  1. Writing over existing data with "junk" data.
  2. Giving the hard drive an acid bath.
  3. Degaussing the hard drive with a degausser.
  4. Damaging the disk with fire.

Assuming you do not want to render the hard drive unusable, the best options are either writing over existing data or degaussing the hard drive. If you don't have access to degaussing equipment, use a program like Wipe that writes over data with patterns known to make the data unrecoverable. Based upon your paranoia level, you can wipe your data with as many passes as you see fit. Some recommend 22 passes, while others say 99 is needed for absolute security. If you are only worried about the casual snooper who only has access to tools like PhotoRec, then three or four passes should suffice. For further information, read this article.
