What is Reddit's opinion of
Foremost?
From 3.5 billion Reddit comments
15 reviews of this app found across Reddit:
TestDisk, PhotoRec, and Scalpel should help. I typically go for TestDisk and PhotoRec, managed to pull a bunch of data off an old drive.
Worth mentioning that PhotoRec will give you files, but not in any useful layout since it just dumps any file it finds. TestDisk looks for overwritten partitions and attempts to restore them, so you might have better luck with that.
~Everything below assumes Linux and a terminal;
Use linux to dd an image to a disk with enough free space for the whole disk being copied.
dd if=/dev/sdb of=/home/username/Desktop/diskimage.iso
where /dev/sdb is your disk and can be determined by
df -h or
fdisk -l
and looking for the right details.
I'd recommend reading the man page for dd as there are options for handling bad block errors and other disk issues.
Then use Foremost to scan the disk image for all files.
It can take a bit of tweaking to get Foremost to get all the files you want but it will recover anything that looks like a readable file.
If it recovers video, be sure to check the whole video as it sometimes can mash 2 different mpeg file together into one file.
All of the windows or osx based file recovery software tools are rubbish and rarely work on truly screwed up filesystems.
Foremost is designed to recover files from intentionally ruined filesystems and is able to reconstruct partial files.
Use XnView and VideoLan to play/check partial media files. Documents can be touch and go as there is so much variation in each formats error handling.
Your friend decided his files weren't important enough to make proper backups. He can't complain now.
What you should have done:
I recommend working on a machine that contains only the broken disk and an empty disk at least as big. If you leave your own disk in there, it's far too easy to mistakingly destroy your data. [If you don't have an empty disk, go buy one before you do anything else. You'll need it anyway, to put the recovered files on!]
Never boot on Windows with the disk, until you know for sure it's 100% functional. Too easy to destroy the data for good.
Boot into Linux (I usually use SysRescueCD), use fdisk or parted to have a look at the partitions. If a partition is detected, try (not too hard) to mount it in read-only mode, and copy the files to a working hard disk.
If you can't mount the partition, copy the disk itself in a file (or an empty hard disk), using e.g. dd. You'll probably want to use
dd conv=noerror, so that it continues to copy even in case of an error.
Once that's done, stop the machine, and unplug the hard disk. You can then work on the copy.
(Remember, if the disk is iffy, the first time you manage to copy the bytes might very well be the last.)
You might want to try a recovery tool like Foremost on your copy.
If it can find, say, JPEG files, then all hope is not lost: The files are there somewhere.
If it can't, then either dd failed badly (and the disk is dead), or the disk is encrypted. Some USB enclosures do that kind of shit. (Or it might be some vendor-specific partition scheme. That happens too. Especially when RAID is involved.)
Install a new, blank disk in the enclosure, and see what happens.
A great way to recover data is through Foremost (http://foremost.sourceforge.net/)
Tools needed: Computer Knoppix live disc http://knoppix.net/ Good hard drive Bad hard drive
Here is a tutorial http://www.howtoforge.com/recover-deleted-files-with-foremost
There are a few different ways of performing a recovery through foremost, but the nice thing is you only need a couple Linux commands. I can go through the process if you feel comfortable with linux/commands.
Part or all of those files may still exist, even if windows has been reinstalled. Stop using the computer until you can get home to try and recover them. If you have an extra hard drive that's bigger, it would be best to make a full image of the physical drive using a program like ftk imager, or just dd if the drive is on a machine that has that. Once you've done that, you can use something like foremost, which is a unix tool to analyze the image for common file types based on headers, so even though the filesystem is gone, it may still find the files, assuming new data hasn't been written to the sectors they were in yet.
If you know somebody that is comfortable with linux, as a quick "see if I get anything useful quickly" you can run foremost http://foremost.sourceforge.net/ against the drive.
I have had to do data recovery off one of those chinese DVRs before, and, if I recall, they were using a normal ext3 filesystem. I think.
If the disk itself is still spinning, but the partition itself seems to be corrupted, I can heartily recommend giving Foremost a try. It is a free and open source program originally developed by the US military, which can recover files from reformatted or corrupt partitions by doing a low-level binary scan of the disk, and looking for familiar patterns that look like the insides of files. You'll of course not recover the file names and folder structures (that's metadata in the file system table and not part of the files themselves), but as long as the drive itself works, you'll likely get back most of your images and movies :).
I've used it several times before at work, and it was one time even able to recover most of a coworkers emails from a partition that had been reformatted several years earlier, since most of the harddisk had not been overwritten since the formatting. It's quite straight-forward to use, but you might want a Linux geek to help you out :).
If you're not familiar with linux, it will be extremely tough. It's not quite like working in dos (if you're familiar with that).
It helps to have a guru walk you through it, but there are guides you can find that may help. The program I prefer to use is called foremost (http://foremost.sourceforge.net/)
Found some info for you: http://www.howtoforge.com/recover-deleted-files-with-foremost That should help get you started, or at least let you know what you're in for.
You'll need to determine the target's partition when you plug it to your computer and then set an output directory (NOT on the same drive!) to save the recovered data to.
Basically, the way recovery works is this: the space a file was using is just freed up for other data when that particular file is deleted. As long as that space isn't filled with other data, the file can usually be (mostly, if not completely) recovered. So, the more you use the device, (take pictures, movies, e-mail, websurf, etc) the less likely you'll be able to recover older data. It will greatly depend on how long ago your friend's trip was.
I'm actually surprised I'm the only one to bring this to your attention. Reddit, I am disappoint.
I know OP probably wouldn't have had time to do this themselves, but the open-source tool Foremost is a lifesaver when it comes to recovering deleted files. You could have recommended the student attempt to recover their data that way, it would have been a great learning experience and they probably would have gotten their files back.
Foremost is a file carver, as are Scalpel, Magic Rescue, recoverjpeg and PhotoRec.
http://foremost.sourceforge.net/
I would think that most tools approach file carving by looking for headers and footers. They would then assume that a file is contiguous, in which case they would be unable to assemble fragmented files. Some tools are smarter and will calculate entropy, for example.
I believe JpegDigger is one tool which can intelligently locate and assemble JPEG fragments in FAT file systems. The cluster chains that define each file are stored in the FAT, and this information is destroyed when the file system is reformatted.
You can recover some data, at probably a large enough cost in time and effort that it's not worth it for /boot, by possibly recreating the partition (if the table has changed) exactly as it was before, and recreating the filesystem using special arguments to mkfs (different possibilities depending on the filesystem type), or by using data forensics tools like sleuthkit or foremost, to which I'll include links presently. I would highly recommend making a raw image copy of the partition as it stands now, because if you need it up more doing this, you're less likely to be able to get one of the other solutions to work.
http://foremost.sourceforge.net/
... But as I said, if it's /boot, it's likely not worth the trouble. Mount everything up, reformat, reinstall the kernel packages and boot loader. There's generally nothing else there.
Almost everything in IT is extremely boring for what it is. What makes it interesting is applying it to what interests you. I would never have learned what I know now without really loving pentesting. I couldn't sit down and learn networking for the sake of making two things talk. It just isn't interesting enough for me. But I definitely will so that I know how to pop a reverse shell or transfer a payload, or understand all the different nmap scans.
Programming got interesting for being able to create my own tools, understand memory corruption, and look at bug fixes to see what was changed. One project I did really enjoy was writing a peer to peer messaging app, but I was driven to do that because I ultimately wanted to write an encrypted messenger. Nothing past educational (not rolling my own stuff for real world use) but again, driven by am interest other than just programming.
As far as formal schooling, I credit my 2 year A.S. degree with getting me into IT. But most of what has helped me has been self taught.
A quick and fun tool to maybe stir up some interest is foremost.
http://foremost.sourceforge.net/
Make a Kali liveusb and play around with it on an old USB. Create files, delete them, and see if they are still there. Then use the shred command to see what changes and view the file using xxd <path to file>. This isn't forensically "secure" as flash devices tend to have some persistent memory that isn't accessible; ideally you would use this on spinning disks, but for the sake of learning it explains the process.
Foremost is pretty excellent. It will recover a lot of data you'll have to sift through, but if there are some files you absolutely want to recover (and they're of a type foremost supports), it will find them more often than not. It's a simple file carver, though, so it won't recover directory structures or file names or anything else that's kept in the inode table.
Turn off your computer.
Try installing Ubuntu on a USB key (use another PC to do this).
Boot your computer from this USB key.
Install foremost (sudo apt-get install foremost)
You can use foremost to recover anything it can find using a command like:
sudo foremost -i /dev/hda -o /recovery/foremost
More info here
If that doesn't work, I can't help you, your data may be permanently lost :(