Data recovery
What is Data Recovery?
Data recovery is the process of getting back data that has been lost. It is usually needed after a drive failure or the accidental deletion of files; the same techniques are used by the police when recovering a suspect's data from a computer.
Data Recovery Tools
- extundelete - When using the extended filesystem on *nix, this should be what you try before spending hours waiting for TestDisk/PhotoRec to crawl over the partition or image. Just remount the filesystem read-only first; it supports recovery of specific files by filename as well as whole directories.
- TestDisk
- PhotoRec
- Recuva
Note: TestDisk and PhotoRec come as a package. TestDisk is used to "help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table)."[1] PhotoRec, on the other hand, is for recovering files, so depending on your needs either one may be appropriate.
First steps in recovering data
- DO NOT WRITE TO THE DRIVE
- Doing so may overwrite the information that you wish to recover
- Follow the process detailed below
- Next time, keep an up-to-date backup
An example of a drive recovery process
Here's what to do to save your data if the hard drive still mounts.
You can tell that your hard drive is failing if it causes your computer to hang in the BIOS when connected, if it has a "Current Pending Sector Count" > 0 in the SMART info, or if it's making unusual noises.
First, get another hard drive large enough to image the failing one onto.
Connect the failing drive to an internal SATA port on your computer; if it's in a USB enclosure, open the enclosure and remove the drive.
Next, boot from a GNU/Linux LiveCD and use an imaging program that doesn't retry I/O errors endlessly. Mount the failing drive read-only first. Use dd_rescue or an equivalent so that the copy doesn't get stuck forever rereading one sector when it hits read errors.
Finally, mount the disk image if you can. If the copy won't mount, try TestDisk and PhotoRec or Recuva to recover data from the image. Recover the saved data to yet another separate partition.
If you had to use PhotoRec, you will probably want to disable recovery of plain text files unless there's something in that format you want to save, since it produces a massive number of tiny text files from most hard drives. For most people, sticking to photos and Office documents is enough. Fragmented files will probably be unrecoverable.
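The imaging steps above, as an added example that is not part of the original page: a small POSIX sh script that first checks the failing drive is not mounted read-write (the "do not write to the drive" rule), then prints the two-pass GNU ddrescue command sequence (used here as the "equivalent" of dd_rescue; GNU ddrescue's mapfile lets the second pass retry only the sectors that failed) and a read-only loop mount of the resulting image. The device names, image path, mount point and the sample mount table are constructed assumptions; the script only prints the ddrescue commands rather than running them.

```shell
#!/bin/sh
# Added example (not the page's own code). Devices, paths and the sample
# mount table below are constructed; no real drive is touched when run.

# Constructed /proc/mounts-style table used by the stand-alone demo.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/failing ext4 ro,relatime 0 0
/dev/sdc1 /mnt/rescue ext4 rw,relatime 0 0'

# Print "rw", "ro" or "none" for how a device appears in a mount table.
# $1 = device path, $2 = mount table file (defaults to the live /proc/mounts).
mount_state() {
    dev=$1
    table=${2:-/proc/mounts}
    awk -v dev="$dev" '
        $1 == dev && !found {
            found = 1
            state = "ro"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "rw") state = "rw"
        }
        END { print (found ? state : "none") }' "$table"
}

# Return 0 only if imaging $1 into $2 cannot write to the failing drive:
# source and destination differ, and the source is not mounted read-write.
imaging_is_safe() {
    src=$1; dst=$2; table=$3
    if [ "$src" = "$dst" ]; then
        echo "source and destination are the same" >&2
        return 1
    fi
    case $(mount_state "$src" "$table") in
        rw) echo "$src is mounted read-write; remount it read-only first" >&2
            return 1 ;;
    esac
    return 0
}

# Print (do not run) the GNU ddrescue sequence for $1 -> image $2, mapfile $3.
ddrescue_plan() {
    src=$1; img=$2; map=${3:-$2.map}
    # Pass 1: copy everything readable, skip bad areas quickly (-n: no scraping).
    printf 'ddrescue -n %s %s %s\n' "$src" "$img" "$map"
    # Pass 2: go back to the bad sectors recorded in the mapfile, up to 3 retries,
    # with direct I/O (-d) so the kernel cache does not hide read errors.
    printf 'ddrescue -d -r3 %s %s %s\n' "$src" "$img" "$map"
    # Inspect the copy, never the original: read-only loop mount of a partition
    # image (constructed mount point; a whole-disk image needs losetup -P first).
    printf 'mount -o ro,loop %s /mnt/recovered\n' "$img"
}

# Stand-alone demo against the constructed table above.
demo_table=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$demo_table"
if imaging_is_safe /dev/sdb1 /mnt/rescue/sdb1.img "$demo_table"; then
    ddrescue_plan /dev/sdb1 /mnt/rescue/sdb1.img
fi
rm -f "$demo_table"
```

Run it as-is to see the plan for the constructed /dev/sdb1; with a real drive, pass no table argument so mount_state reads the live /proc/mounts, review the printed commands, and only then pipe them to sh as root.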
Android
dd can be used on Android devices to image their storage partitions. No password is required unless the storage is encrypted.
The device must either have USB Debugging enabled or be flashed with a custom bootloader (which, when booted into, has USB Debugging enabled). You will also need an external storage card with enough capacity to hold the dd image.
Use Android Debug Bridge (adb) from the android-sdk to connect to the device. From there you can mount the external storage card and use dd to image the required partitions.
Data Destruction/Anti Forensics
For data destruction, wiping the entire drive is preferable, since most operating systems will leak details of your files (e.g. temporary copies of your document, mentions of it in Most Recently Used lists, log files, registry entries, command history, etc.).
Full Drive Wiping
DBAN (Darik's Boot and Nuke) is the go-to tool for drive wiping. Burn the ISO to a CD or write it to a USB thumb drive, boot from it, and then it's just a matter of selecting which drives to wipe and how thoroughly you want them wiped.
One pass is fine; three if you're paranoid. The Gutmann 35-pass wipe is overkill. Gutmann himself has said that it's unnecessary on modern drives, and that even when he devised it in the 90s, many of the passes were aimed at different types of storage medium, so the full 35 was overkill for any one device.
You could also boot a live Linux distro and use one of the following commands to wipe a drive:
- # shred -vn 3 /dev/sdX
- # dd if=/dev/urandom of=/dev/sdX
Individual File Wiping
For individual files, the linux command "shred" can be used:
- $ shred -vun 3 file
- -v for verbose
- -u to remove the file after shredding it
- -n to specify the number of passes
- -z to add a final wipe of all 0s
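To show what the whole-drive and single-file wiping commands above actually do, here is an added example (not code from the original page): a plain POSIX sh + dd routine that reproduces the passes of "shred -vun 3 file" plus the "-z" zero pass on a constructed sample file, so each step can be seen and checked. The file name and marker string are constructed; on a real system use shred itself, and note that the same in-place-overwrite idea is what the dd command above applies to a whole block device.

```shell
#!/bin/sh
# Added example (not the page's own code): the steps behind
# "shred -un 3 file" (N random passes, then zeros, then unlink), written out
# with dd so they can be verified on a constructed temp file.

# Count the bytes in a file that are not NUL; 0 means the zero pass landed.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite a regular file in place: $2 random passes (default 3), then zeros.
# Refuses symlinks and non-regular files, because writing through a symlink
# would overwrite the link's target rather than the file you meant.
overwrite_passes() {
    f=$1
    passes=${2:-3}
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing: $f is not a regular file" >&2
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    i=0
    while [ "$i" -lt "$passes" ]; do
        # conv=notrunc keeps the existing blocks allocated so the same on-disk
        # extents are rewritten instead of the file being recreated elsewhere.
        head -c "$size" /dev/urandom | dd of="$f" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    # The shred -z step: a final pass of zeros hides that a wipe took place.
    head -c "$size" /dev/zero | dd of="$f" conv=notrunc 2>/dev/null
}

# The shred -u step: overwrite, then remove the directory entry.
wipe_file() {
    overwrite_passes "$1" "${2:-3}" && rm -f "$1"
}

# Stand-alone demo on a constructed temp file containing a marker string.
demo=$(mktemp)
printf 'SECRET-MARKER-1234 constructed sample content\n' > "$demo"
overwrite_passes "$demo" 3 && echo "non-NUL bytes left after wipe: $(nonzero_bytes "$demo")"
wipe_file "$demo" 0
```

Overwriting in place is only meaningful where the filesystem rewrites the same blocks: on journaling or copy-on-write filesystems, and on SSDs for the wear-levelling reasons the next section covers, the old copy may survive elsewhere, which is exactly why the page recommends whole-drive wiping or encryption from day one instead.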
SSD Drives
SSD drives (and flash memory cards/thumb drives) are trickier to securely erase, since they perform wear levelling to preserve the life of their flash memory. This means your operating system can never be certain where data is physically stored on the drive. To mitigate this:
- Encrypt from day one, so that your raw data will never be stored on the drive.
- Fill the drive to capacity with innocuous data, to overwrite as much as you can (SSDs have reserved areas which you can't get to).
- Don't rely on the TRIM/sanitize functions of the SSD to securely erase anything. These are programmed differently by each manufacturer and are not reliable.
Physical Destruction
Once you've logically sanitized your drive, you may still want to physically destroy it for paranoia's sake.
An easy way to do this is to buy a set of TORX screwdrivers ($5 - $10) and open the drive casing so you can get at the platters. Be careful when handling the platters: they can break surprisingly easily and send shrapnel flying that will cut your hands. Don't try to snap them in half without thick protective gloves and something to contain the shrapnel (wear gloves and goggles even if you don't intend to snap them).
More expensive/industrial solutions are detailed in a fun little 31c3 talk titled "Hard Drive Punch - Destroying data as a performative act".
Android
Factory resets aren't good enough to sanitize a device.