Facts to know before you recover a hard drive
- It is vital not to write any information to the disk you want to recover. The more write cycles occur, the more data is overwritten, and the less likely you are to recover the information.
- Do not save the recovered data to the same disk you are recovering it from.
- If the affected disk contains the operating system, disconnect it and do not boot from it. To access the data you can connect it as a slave (secondary) drive.
- We do not recommend opening or forcing the hard drive, as you will probably worsen the chances of a successful recovery.
- Data recovery can be a chore because rescuing the files can take a long time, but with a little patience you can achieve a satisfactory level of success.
A "Live CD" is a Linux distribution that works without being installed on the computer where you are testing it. It uses the computer's RAM to "settle" and start. In that memory, a "virtual drive" that emulates a computer's hard disk is also set up. This type of distribution is only useful for demonstrations and trials, because once you turn off your computer, everything you have done is gone.
TestDisk is a data recovery utility licensed as free software. It was developed primarily to help recover lost partitions and to repair disks that no longer boot, problems caused by faulty software, certain types of viruses or human error (such as deleting the partition table). TestDisk can be used to obtain detailed information about a corrupted disk. This information can be sent to an expert for further analysis. TestDisk can also be used in computer forensics procedures, as it supports EWF, the file type used by the EnCase hard drive analysis software.
PhotoRec is software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the name Photo Recovery) from camera memory cards, MP3 players, USB drives, etc. PhotoRec ignores the file system and goes after the underlying data, so it works even if your file system is severely damaged or has been reformatted. For more safety, PhotoRec uses read-only access to handle the drive or memory card from which you recover lost data.
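What "ignores the file system and goes after the underlying data" means in practice, as an added example (not PhotoRec's code and not part of the original tutorial): a minimal signature-based carver that finds JPEG data in a raw image by its start and end markers. It assumes unfragmented files that begin on a 512-byte sector boundary; the sample image and the function names are constructed for illustration.

```python
JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # end-of-image marker
SECTOR = 512                # assumption: files begin on a sector boundary


def carve_jpegs(raw, max_size=20 * 1024 * 1024):
    """Return [(offset, data)] for every JPEG-looking span in a raw image.

    No partition table, FAT or MFT is consulted: only byte signatures.
    Simplification: the first end marker closes the file, so fragmented
    files and embedded thumbnails are not handled.
    """
    found = []
    pos = 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start == -1:
            break
        if start % SECTOR != 0:      # marker bytes inside other data: skip
            pos = start + 1
            continue
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:                # header without a footer: skip
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, raw[start:end]))
        pos = end
    return found


def build_sample_image():
    """Constructed 4-sector 'disk' with no file system and one JPEG-like file."""
    fake_jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"pixel-data" * 20 + JPEG_EOI
    img = bytearray(4 * SECTOR)                      # zero-filled, as after a wipe
    img[SECTOR:SECTOR + len(fake_jpeg)] = fake_jpeg  # file content survives in sector 1
    img[3 * SECTOR + 7:3 * SECTOR + 10] = JPEG_SOI   # unaligned marker, must be ignored
    return bytes(img)


if __name__ == "__main__":
    # On a real case, pass bytes read from an image file opened with mode "rb".
    for offset, data in carve_jpegs(build_sample_image()):
        print(f"JPEG candidate at byte {offset}, {len(data)} bytes")
```
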
Creating Linux Mint 16 Live CD
1. Starting the boot of Linux Mint 16:
2. Entering Linux Mint 16:
3. Live Session User:
- Click Home
- Type synaptic
- Double-click on Synaptic Package Manager
4. Synaptic Package Manager window:
- In the search box type testdisk
- Select it
- Right click and select Mark for Installation
5. Summary window:
- Just click Apply
- Wait for the installation to finish
- Close the program
To carry out this tutorial, Linux Mint was installed on a partition, and a USB drive (ADATA USB Flash Driver 8 GB, without physical damage) was used. The drive was formatted on two occasions: once by accident and once because it was infected. At each formatting, the USB drive held different files. The formatting was done without overwriting existing information.
6. The following figure shows the folder PClean Photos Recovered, which will store all the information recovered by PhotoRec. The 8 GB unit is the infected device:
Important: All devices should appear on the Desktop. Double-click them and make sure they open. In case of an error, go to Home, type disks in the box and press Enter. Identify your device by its size in GB or its description (Western Digital, Toshiba, Kingston, etc.). Select it and verify that it appears as mounted. Otherwise, click the Play button and wait for the program to mount the device.
7. The following image shows two .exe files stored on the USB drive. They were analyzed (with Virustotal) and the result was "infected file":
8. The device was then formatted "without overwriting existing information":
9. Open a Terminal (the image below shows how):
- In Home, type terminal and press Enter
- Type sudo su and press Enter
- Enter your password (if you installed Linux Mint on a partition or hard disk, you must log in as "super user")
- Type photorec and press Enter
Note: If you use a Live CD, type sudo su (without quotes), press Enter, then type photorec and press Enter.
10. Use the arrow keys on your keyboard to select the device that contains the information to rescue. To identify it, rely on its size in GB or its description. In this example, the device that stores the information to be recovered is ADATA USB Flash Driver. Finally, select Proceed and press Enter:
11. With the arrow keys on your keyboard, select the partition of the USB drive: FAT or NTFS. To identify it, rely on its size in GB or its description:
- Select File Opt and press Enter
12. PhotoRec supports a long list of formats. By default, all are enabled:
- Select only the formats of the information you want to recover.
- Press the S key
- Use the arrow keys to select each of the formats that belong to the information to rescue
- To mark a format (X), press the "right arrow" on your keyboard
- To save the changes, press the B key
- Press Enter
13. Settings recorded successfully (press Enter there):
- Return to the Main Menu (press Enter)
14. Select the partition of the device, select Search and press Enter
15. Select Other (for Windows FAT-NTFS):
16. Optional step | Try the Free analysis first and, if you have not fully recovered all the information, come back and start another analysis. This time, select Whole. The duration of this analysis will depend on the size of the device and the amount of information to recover:
The following configuration is one of the most important in this tutorial. You must correctly select the path to the destination device that will store all the information recovered by PhotoRec.
For this example another USB drive will be used:
- Select the first line and press the "left arrow" on the keyboard:
- Select the first line again and press the "left arrow" on the keyboard again:
- With the arrow keys, go down, select media and press Enter:
- Select the entry where Mint appears and press Enter:
- In the next window you must correctly select the removable storage device that will be used. If you do not know the device information, do not worry. We will explain where to find it:
- Go to Start, type disks in the box, press Enter and maximize the Disks window
- Select the hard disk or storage device that will be used; it is shown as Mounted at /media/mint/serial number. That number will serve as a reference for correctly identifying the removable device:
- Return to the Terminal window, select the removable device with the help of the serial number and finally press Enter (see image above)
- In the next window (first line), the destination to which PhotoRec will send all the recovered information appears. Example: Directory /media/mint/0057-DE9B < serial number of the USB drive or external device:
- Once you have verified the destination, press the C key
- The analysis will start. When it finishes, close the Terminal window:
- Open the removable device and verify that all your data has been recovered
Configuration, path and selection of the folder created on the Desktop:
- Select Desktop and press Enter:
- Select the folder created on the Desktop, "PClean Recovered Photos", and press Enter:
- Verify that the destination is correct and press the C key on your keyboard:
- PhotoRec successfully recovered all the files that were deleted by accident and/or infection:
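The rule that recovered files must never be written to the disk being recovered, applied to the destination choices above, as an added example (not part of the original tutorial): it reads a mount table in /proc/mounts format and reports whether a destination directory is safe. The device names /dev/sdb and /dev/sdc, the ADATA mount point and the sample table are constructed; 0057-DE9B is the tutorial's own example.

```python
import os
import re

# Constructed mount table in /proc/mounts format (device names are assumptions).
SAMPLE_MOUNTS = """\
/cow / overlay rw,relatime 0 0
/dev/sdb1 /media/mint/ADATA vfat rw,nosuid,nodev 0 0
/dev/sdc1 /media/mint/0057-DE9B vfat rw,nosuid,nodev 0 0
"""


def mount_for(path, mounts_text):
    """Return (device, mount point) of the longest mount point containing path."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        dev, mnt = fields[0], fields[1]  # spaces in mount points appear as \040
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) > len(best[1])):
            best = (dev, mnt)
    return best


def check_destination(source_disk, dest_dir, mounts_text):
    """Return (ok, reason) for writing files recovered from source_disk to dest_dir."""
    hit = mount_for(os.path.normpath(dest_dir), mounts_text)
    if hit is None:
        return False, "destination is not under any mount point"
    dev, mnt = hit
    if not dev.startswith("/dev/"):
        # e.g. the RAM overlay of a live session, which is lost at power-off
        return False, f"{mnt} is not backed by a local disk ({dev})"
    # /dev/sdb also covers /dev/sdb1; /dev/mmcblk0 covers /dev/mmcblk0p1.
    if re.fullmatch(re.escape(source_disk) + r"(p?\d+)?", dev):
        return False, f"{dev} is on the disk being recovered"
    return True, f"{dev} mounted at {mnt} is a separate device"


if __name__ == "__main__":
    for dest in ("/media/mint/0057-DE9B",
                 "/media/mint/ADATA/recovered",
                 "/home/mint/Desktop/PClean Recovered Photos"):
        print(dest, "->", check_destination("/dev/sdb", dest, SAMPLE_MOUNTS))
```

On a running system, pass the contents of /proc/mounts as `mounts_text` and the device selected in step 10 as `source_disk`.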