How dd, nc and fdisk saved my bacon

How do I get data off this thing?

Here’s the situation.  I’m trying to recover data for a client.  Their laptop will not boot into Windows and they need to get data off of it.  To add to the fun, I don’t have an IDE adaptor handy for the laptop hard drive, and the laptop is a little crashy (motherboard shorting out?).

I could wait around until I can get my hands on an adaptor, but what fun would that be?

First things first, we need to get the data off of the drive.  Being a minimalist, I first thought of just doing a file copy.  Not knowing whether the filesystem is any good, this probably isn’t a good idea.  In any forensics situation you always want to clone your source and then work with the clone.  I will be taking the same approach, treating the source as “read only” and only modifying the copies I make.  If it turns out the filesystem is corrupt I can always clone to a known-good drive and use tools like “chkdsk” (for filesystem corruption) or “partimage” (if things are really nasty).

So I have the “donor” machine booted up on a recent Knoppix CD, connected via crossover cable to our tech station.  I have set IP addresses and tested connectivity between the machines.  Now it’s time for the magic to start.

Using the instructions found here, I set up my tech station as a netcat “server” and the dead laptop as a netcat “client”.  Score one for the simplicity of pipes, because dd will happily pipe bit-for-bit data across our netcat tunnel!

“Server”

nc -l -p 9000 | dd of=HarddriveImage.img

“Client”

dd if=/dev/sda | nc 192.168.1.220 9000

I also set up a terminal on the tech station running “watch” to keep an eye on the disk image size.

watch -n 1 "du -hca *.img"

Now we wait… in my case, 19 gigs took about one hour.

We have the image, now what?

Next, I found a handy guide here (wayback cache) on what to actually do with the image once I got it.  I am familiar with loopback mounting ISO images, but never before had I tried to loopback mount an entire hard drive image.

So first things first, we need one more important piece of information from the dying computer: how many cylinders the hard drive has.  This comes into play later, when we point fdisk at the image.

fdisk -l /dev/sda

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00050229

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          12       96358+  83  Linux
/dev/sda2              13         136      996030    5  Extended
/dev/sda3             137        1109     7815622+  83  Linux
/dev/sda4            1110       19457   147380310   83  Linux
/dev/sda5              13         136      995998+  82  Linux swap / Solaris

The listing above is from a different hard drive, so its cylinder count differs from the one used below.  The cylinder count for the disk we are actually recovering is 2432.

Now that we know the cylinder count, we can try to get fdisk to read the image we cloned and see if the partition table is intact.

tech@tech-desktop:~/tmp$ fdisk -C 2432 DiskImage.img

The number of cylinders for this disk is set to 2432.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1               1           5       40131   de  Dell Utility
DiskImage.img2   *           6        2431    19486845    7  HPFS/NTFS

Well, everything looks good!  If you have trouble at this point, keep in mind that the disk may be beyond saving.  Try something like SpinRite and attempt this again.

We know that we want to mount partition 2, “DiskImage.img2”, but we need its correct start and end positions.  Running fdisk with -u lists them in sectors instead of cylinders.

tech@tech-desktop:~/tmp$ fdisk -l -u -C 2432 DiskImage.img

Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9dc96e9e

Device Boot      Start         End      Blocks   Id  System
DiskImage.img1              63       80324       40131   de  Dell Utility
DiskImage.img2   *       80325    39054014    19486845    7  HPFS/NTFS

Now all that is left is to calculate the offset, so we can tell mount where the partition starts inside the loopback image.

Offset = Start * 512

Start is the partition’s first sector from the listing above, and 512 is the sector size fdisk reported.  So we have 80325 * 512 = 41126400

Now we issue the mount command as follows:

tech@tech-desktop:~/tmp$ sudo mount -o loop,offset=41126400 -t ntfs DiskImage.img /mnt/
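As an added example (not from the original post), here is a small shell script that pulls the Start sector and sector size out of the fdisk -l -u listing, applies the Offset = Start * 512 formula, and builds the mount command with the image mounted read-only; FDISK_OUTPUT is a constructed copy of the listing above, and the sizelimit= option assumes a util-linux mount recent enough to support it.

```shell
#!/bin/sh
# Added example, not from the original post: derive the loopback mount
# offset from "fdisk -l -u" output instead of doing the arithmetic by hand.
# FDISK_OUTPUT is a constructed copy of the listing shown in the post.
FDISK_OUTPUT='Disk DiskImage.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 2432 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x9dc96e9e

   Device Boot      Start         End      Blocks   Id  System
DiskImage.img1              63       80324       40131   de  Dell Utility
DiskImage.img2   *       80325    39054014    19486845    7  HPFS/NTFS'

# Sector size from the "Units = sectors of 1 * 512 = 512 bytes" line.
sector_size() {
    printf '%s\n' "$1" | awk '/^Units = sectors/ { print $(NF-1); exit }'
}

# "Start End" sectors of one partition.  The "*" boot flag shifts the
# columns, so take the first two numeric fields after the device name.
partition_sectors() {
    printf '%s\n' "$1" | awk -v part="$2" '
        $1 == part {
            n = 0
            for (i = 2; i <= NF && n < 2; i++) if ($i ~ /^[0-9]+$/) f[++n] = $i
            print f[1], f[2]; exit
        }'
}

# Offset = Start * sector size (the post's formula) in 64-bit shell arithmetic.
partition_offset() {
    ss=$(sector_size "$1"); set -- $(partition_sectors "$1" "$2")  # $1=Start $2=End
    echo $(( $1 * ss ))
}

# Partition length in bytes, to fence the loop device at the partition's end.
partition_size() {
    ss=$(sector_size "$1"); set -- $(partition_sectors "$1" "$2")  # $1=Start $2=End
    echo $(( ($2 - $1 + 1) * ss ))
}

# Read-only mount keeps the image pristine while files are copied out of it.
mount_command() {
    printf 'mount -o ro,loop,offset=%s,sizelimit=%s -t ntfs %s /mnt/\n' \
        "$(partition_offset "$FDISK_OUTPUT" "$2")" \
        "$(partition_size "$FDISK_OUTPUT" "$2")" "$1"
}
mount_command DiskImage.img DiskImage.img2
```

The size it computes for DiskImage.img2 (19954529280 bytes) matches the Blocks column times 1024, which is a quick sanity check that the right columns were read.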

That’s all she wrote

Well, we’ve been on a whirlwind tour of data recovery, but I am sure we have just scratched the surface of the different techniques that are out there.  So, what tricks have you used for data recovery before?  Any tips or tools you care to share?