Friday, February 24, 2017

Data Recovery

  • TestDisk
TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy. 
http://www.cgsecurity.org/wiki/TestDisk

  • ddrescue is frequently recommended for hard drive cloning, as it is a powerful, free data recovery utility and is included by default in many Linux distributions.
Because it doesn't truncate files or write zeroes to its output file, it can be run successively to fill in bad sectors that were missed in earlier passes.
It is an effective option for restoring low-priority data from a failing hard disk.
ddrescue should not be used on hard drives that make excessive sounds or that show any other signs of permanent damage.
Before starting this process, you will need a copy of ddrescue (preferably on a CD or DVD), a fully functional hard drive, and the damaged drive.

To image from disk to disk:
root# ddrescue -f -n /dev/[baddrive] /dev/[gooddrive] /root/recovery.log


To image from disk to image file:
root# ddrescue -f -n /dev/[baddrive] /root/[imagefilename].img /root/recovery.log

https://datarecovery.com/rd/how-to-clone-hard-disks-with-ddrescue/
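The recovery.log argument in the commands above is the file ddrescue uses to track which areas of the bad drive have been copied, which is what lets a later run pick up the sectors an earlier pass missed. The following is an added example, not part of the original post or of ddrescue itself: a shell function that totals rescued, bad and still-pending bytes from such a file. The function names and the sample data are constructed for illustration, and the "pos size status" hex layout is assumed to be that of a GNU ddrescue mapfile.

```shell
#!/bin/sh
# Summarise a ddrescue mapfile read from stdin.
# Assumed layout (GNU ddrescue): '#' comment lines, one status line,
# then data lines "pos size status" with hexadecimal pos and size.
# Block status: '+' rescued, '-' bad sector, '?' non-tried,
#               '*' non-trimmed, '/' non-scraped.

mapfile_summary() {
    rescued=0; bad=0; pending=0; seen_status=0
    while read -r pos size status rest; do
        case "$pos" in ''|'#'*) continue ;; esac
        # The first non-comment line is the current position/status line.
        if [ "$seen_status" -eq 0 ]; then seen_status=1; continue; fi
        # Accept only 0x-prefixed hex so file content never reaches
        # shell arithmetic unvalidated.
        case "$size" in 0x*) hex=${size#0x} ;; *) continue ;; esac
        case "$hex" in ''|*[!0-9A-Fa-f]*) continue ;; esac
        bytes=$((0x$hex))
        case "$status" in
            '+') rescued=$((rescued + bytes)) ;;
            '-') bad=$((bad + bytes)) ;;
            '?'|'*'|'/') pending=$((pending + bytes)) ;;
        esac
    done
    echo "rescued=$rescued bad=$bad pending=$pending"
}

# Constructed sample, shaped like the log of an interrupted first pass.
sample_mapfile() {
    cat <<'EOF'
# Mapfile. Created by GNU ddrescue (constructed sample)
# current_pos  current_status  current_pass
0x00021000     ?               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x0000FE00  +
0x00020000  0x00001000  *
0x00021000  0x0000F000  ?
EOF
}

sample_mapfile | mapfile_summary
```

On a real run, feed it the log with `mapfile_summary < /root/recovery.log`; non-zero bad or pending totals mean another ddrescue run against the same log file can still fill in more of the copy.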

  • SystemRescueCd: a system rescue disk for Linux that can be used as a bootable USB stick or CD.
http://www.system-rescue-cd.org/

  • Data recovery techniques are used to recover information that has been deleted or compromised.
Data recovery techniques are often a major part of computer forensics.
When data is removed from a system, it is either deleted or overwritten.
Just because a file is deleted does not mean the data is gone.
The operating system simply removes the pointer to the file, but the data is still there.

Data is recorded onto magnetic media as ones and zeroes.
When data is overwritten, the disk will only detect the new data, leaving only remnants of the old data.
Reading the remnants would be very time consuming, and the old data would not all be read correctly.
This would leave a very problematic, effectively impossible puzzle to solve.


Techniques
Perform a forensic analysis of the computer
Search for one file or a single file type
Attack encryption methods
Restore disk using an existing image
Examine data in RAM
Examine disk at the cluster or sector level
Analyze data using hex editor
Create hash of entire disk, export for use in another tool

Types of Damage
Physical Damage
Logical Damage

Logical damage is primarily caused by power outages that do not allow the file to be completely written to the storage device.
Some results are:
File is left in an inconsistent state
Data totally lost
System crash
Strange behavior
Partial storage

Methods exist that can make data recovery very difficult or impossible.
These methods should be used to secure financial information, medical records, or classified data.

Techniques to Prevent Recovery
Write over deleted space with random data
1s and 0s
Make space appear random
Use a unique or uncommon algorithm
Some recovery tools can reverse the algorithm and recover the data

Use a tool to “wipe” data securely
Automates process of covering up deleted data
Tools are available to end users
Sometimes included with security software suites

Data Recovery Techniques
Florida State University
CIS 4360 – Computer Security
Fall 2006
http://www.cs.fsu.edu/~burmeste/CIS4360/Fall2006/projectPresentations/DataRecoveryTeq.ppt
