• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Crashed Hard Drive (Recover Files)

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Computer Forensics and Incident Response

View previous topic :: View next topic  
Author Message
n3mp01
Just Arrived
Just Arrived


Joined: 05 Nov 2007
Posts: 0


Offline

PostPosted: Tue Nov 06, 2007 2:51 am    Post subject: Crashed Hard Drive (Recover Files) Reply with quote

Hey, I have a 500GB SATA hard Drive, that has very important information on it. I did a bit of searching on the forums and found 1 thread with a bit of information. They recommended a program TestDisk, Sleuth Kit and another one that cost money. Was just looking if anyone has come cross any other good, preferably free software that will be able to recovery from a crashed partition.
Back to top
View user's profile Send private message
RoboGeek
SF Mod
SF Mod


Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Offline

PostPosted: Tue Nov 06, 2007 3:38 am    Post subject: Reply with quote

if its just a crashed partition, many bootable linux distros can get it ok. I'm not a fan of windows based software - most of it is a waste of money

Your biggest issue will be SATA drivers. Most distros will have them though.

And stay far away from any software that claims to repair drives - like spinrite. If it screws up, it makes data recovery very expensive, if not impossible
Back to top
View user's profile Send private message Visit poster's website
capi
SF Senior Mod
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal

Offline

PostPosted: Tue Nov 06, 2007 7:09 pm    Post subject: Reply with quote

RoboGeek wrote:
And stay far away from any software that claims to repair drives - like spinrite. If it screws up, it makes data recovery very expensive, if not impossible

You touched an interesting point. Could you please elaborate on your opinion regarding Spinrite? I've read contradictory opinions (plus of course the ever-present Gibson marketing mumbojumbo) and I'd like to hear from someone such as yourself who actually knows what they're doing in that department.

Would you recommend using the software for anything at all, or is it useless or even counter-productive?
Back to top
View user's profile Send private message
RoboGeek
SF Mod
SF Mod


Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Offline

PostPosted: Tue Nov 06, 2007 11:58 pm    Post subject: Reply with quote

Anything that rewrites to the drive has a chance of overwriting data. Spinrite will attempt to read bad clusters and write them to an area of the drive marked as free. But sometimes the free space is actually files you need to recover.

I use it regularly, but not as a data recovery tool - I use it for repairs. If you image the drive first, then run spinrite - if you have a problem you haven't lost anything. You can always recover date from the image file. But with ANY tool that recovers files - don't run it from the same drive, or save to the same drive, or repair files on the drive. The same goes for forensic investigations. Things can be hidden in slack space, metadata files and other areas you don't want to modify. Not to mention you don't want to change the MAC of the files if you need them for timelines
Back to top
View user's profile Send private message Visit poster's website
trwarren
Just Arrived
Just Arrived


Joined: 10 Jan 2008
Posts: 0


Offline

PostPosted: Thu Jan 10, 2008 8:53 pm    Post subject: Good Ole Ubuntu! Reply with quote

I did the very same thing last night with a hard drive out of a machine that had the my documents folder private.
booted up Ubuntu from CD, plugged in the drive to a USB to IDE interface, and bang! I had my recovery. the folks were impressed. so much, they are installing Ubuntu on an old machine to learn and play. : )
always a good day in Linux.
Back to top
View user's profile Send private message
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Fri Jan 18, 2008 1:03 pm    Post subject: Reply with quote

caution...

When you are attempting to restore or clone a drive/files, always use a write-block hardware , which will block any attempt to write on it.
By the time you power on the drive , flags and slack space of the drive are always changing , from the booted system OS (does not matter if it is a live-cd or not).

Files and in general drives , should be treated as read-only devices.

Especially if you are talking about cases going to court. A single record in your MFT or a change in slack space , could bring down your whole case and research.


Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Computer Forensics and Incident Response All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register