Linux As A Recovery Tool
Linux makes a great primary operating system, but many more people use Linux as a system recovery tool. The Linux Live disk, a common tool for technicians, has a myriad tools for working with almost every type of operating system and partition type. Dozens of free and open source tools are available for analyzing, recovering and repairing computer systems. This has led to a number of Live distributions being or including dedicated tool kits for use by systems’ administrators and professional technicians. These toolkits, such as Knoppix, SystemRescueCD, or Ubuntu Rescue Remix provide recovery tools that can help to extract data from corrupted or deleted partitions.
The File Allocation Talbe (FAT) file system came in 12-, 16-, and 32-bit formats as it was developed. While mostly used by Microsoft
Windows, FAT has since been replaced with the New Technology File System (NTFS) in modern implementations of Microsoft’s operating system. Still, FAT lingers today because of the file system’s use as the default format for USB flash drives and other portable media. The FAT file system can be read and modified by every major operating system on the market, making the system one of the most interoperable. Since Linux has provided full FAT support for quite some time, there are a number of tools for FAT file recovery available.
File carving is a data recovery method used in recovering corrupted or deleted data from a file system. Carving applications search a hard drive for fragments of a file, then piece together the meta data to reconstruct a full file. Since a file is not fully erased from a hard drive until the file has been written over multiple times, data can typically be recovered from FAT partitions that have not been erased or replaced on a hard drive. It is important, for this reason, that you never write recovered files into a directory on the partition being recovered. The three main file carving tools for Linux that support the FAT file system are Foremost, PhotoRec, and Scalpel. All three are used by professionals for digital forensics and all are free or open source. If you already have a Linux Live distribution, you can typically find these tools in your distribution’s software repositories. Detailed instructions for each can be found on the following page.
Simple FAT file recovery is rarely the entire problem. While file carving will take care of recovery, there is often the issue of a corrupted FAT file system to deal with before file recovery can even take place. When a partition has been deleted or lost, you need an application that can guess the beginning and ends of the partition, then rewrite the partition table so an operating system can access the original file system. Linux contains several programs that can accomplish this, but the two most common are TestDisk, from the developers of PhotoRec, and GNU Parted.
Another common problem is the need to reuse a disk during recovery. Since lost data may be written over during this process, you can create an image of the disk, for later analysis, by using the dd or dd_rescue commands available with most Linux distributions. Both commands read and copy a partition bit-by-bit, providing a safe and complete backup.
Foremost was originally developed for the United States Air Force Office of Special Investigations. The application can work with current FAT partitions or with ones cloned using a device imager such as dd. Running in the Linux console, Foremost provides a rather stark interface and requires either configuration by a text file before hand or a detailed set of instructions when launching the application.
Launch a terminal window, then issue the “su” command to become the root user. Optionally, if you have the sudo package installed on your Linux system, you can simply prefix all of the following commands with the “sudo” tag. Use the “mount” command to mount the FAT partition you wish to recover files on. Type “foremost -i /dev/hda1 -o /home/user/recovery” where “/dev/hda1” is the physical name of your FAT partition and “/home/user/recovery” is the name of the directory where you want to store recovered files. You can use the “-t” tag to specify a type of file, in case you only want to recover JPEG images or PDF files.
PhotoRec was developed to recover data off of SD cards, but can be put to a number of file carving uses. The application has a slightly
nicer interface than the others since it has an easy to follow menu system despite being a console based application. As a carver, PhotoRec can work with image files or hard disks.
Launch a terminal window, then issue the “su” command to become the root user. If you are running a system like Ubuntu, you will need to prefix commands with “sudo” instead. Type “photorec” to launch the application. Follow the menus to select your hard drive, FAT partition, and the types of files you wish to recover. You will notice PhotoRec’s vast support and customizability. Most menu items will automatically detect and populate themselves as well. Once you have selected the partition and the file types to recover, use the arrow keys to select a location to save the recovered files and press the “Enter” key.
Scalpel, like Foremost, lacks menus, but is just as effective of a file carving application. The biggest advantage of Scalpel over the others is the application’s frugal code. This enables Scalpel to function efficiently on very low end systems. Additionally, Scalpel can work with images as well as the hard drive’s themselves. Scalpel is the result of a complete rewrite of an earlier version of Foremost.
Open the “/etc/scalpel/scalpel.conf” configuration file in your text editor of choice. You will notice that file types are commented out by default. Uncomment the file types you want to recover, then save the configuration file before continuing. Launch a terminal window, then issue the “su” command to become the root user. If you are running a system like Ubuntu, you will need to prefix commands with “sudo” instead. Type “scalpel /dev/hda1 -o /home/user/recovery” where “/dev/hda1” is the physical name of your FAT partition and “/home/user/recovery” is the name of the directory where you want to store recovered files.
This post is part of the series: Linux Recovery Tutorials
Learn how to use the free and open source operating system, GNU/Linux, to analyze, recover, and repair your computer. Using Linux’s free utilities you can fix lost partitions, resurrect deleted files, and repair seemingly unrepairable hard disks.