Standard Mischief

I had these really important photos on my hand-held device, with a backup on the PC when I caught a case of teh stupid and erased them one night to make some space. On next sync, the files were “deleted” per standard sync procedure, which in a ext3 file system means that the inodes were erased, effectively marking those spots on the hard drive as available for reuse. I didn’t really think about the files going “poof” until about 36 hours later.

Quote from me: “Oh crap”

When I got home, I shut the system down. While the PC was up, there was always a chance that something would write to disk, and overwrite those important files. After some study and research, I found Foremost, a program to do “file carving”. What this program does is search an image of a filesystem and copies out any series of bytes that have the proper start and ending hex strings. you can look through the raw data and copy out anything that looks like a jpeg or a html file, or just about anything else you want to search for. Here’s something of a step-by-step. This is basically what I did, except without the tedious research between many of the steps to make sure I was doing the right thing.

1. Boot the PC using a Linux live CD that does not automatically mount hard drives. I used an old copy of Ubuntu I had lying around, therefore instructions here will be tailored to that distro. By default, Ubuntu will use any swap space it finds, but will not auto-mount any file systems.
2. I had space on my hard drive, so I used a partition program to make a new 8 GB partition.
   If there wasn’t any space, I’d likely have to install another hard drive or something. I used whatever came with Ubuntu, likely Gparted, to format the partition.
3. In Ubuntu, you will need to go to software sources and enable via check box the universe and multiverse options. I believe everything is in the universe repository, but why do this step twice?
4. Drop down into console (command line) and mount your new partition. You could also mount anything where you have enough space, and this could be network drives or flash drives, or anything that works for you. Just don’t mount the partition that contains the files you want to recover. I used $ sudo mkdir /home/hda4 to create the mount point, and then $ sudo mount -t ext3 /dev/hda4 /home/hda4 to mount the partition.
5. Use dd to make an image of the unmounted partition where recovery took place. I used $ dd if=/dev/hda3 of=/home/hda4/image.dd bs=4096 conv=notrunc,noerror
6. Get Foremost. I used $ sudo apt-get install foremost
7. I also had to get some tools for interfacing with Palm PDA. Depending on what you want to carve, you likely won’t need this. For me it was $ sudo apt-get install pilot-link
8. Run Formost on your disk image. I had to write my own formost.conf file. Full details are on the man page. I won’t go into details because it’s not likely that you will be searching for the exact same kinds of files as I was. I was looking for files that ended in jpg.pdb, and I had to create some example files first and then do hexdumps to see what the files start and end with. Fun.

In the end I recovered the photographs, but I ended up not ever needing them. They were from a hit and run accident where the lady that plowed into me ended up stopping long enough to talk to me and call someone else, but then abruptly left when I was on the phone with the police. Luckily, I had pictures of the other vehicle with license plates and after contacting her insurance, and every possible delay, her agent finally cut me a check for the damage.

I’ve really got to work on my incremental hard disk backups.