
Help! I've Deleted All Of My Kid's Pictures!!

This installment has very little to do with the Programming aspect of my life and very much to do with the Janitor aspect. Somebody my wife knew from our kid's playgroup had decided to reinstall Windows on his laptop, which blew away all of the digital pictures he had of his kid. Needless to say, he knew that my wife's husband (that would be me) "... did something with computers." He also knew enough to think "They can't really be gone. What if the FBI wanted to get my files?" He should feel happy the FBI didn't want to get his files, but that's a different story.

The Tools

Like any good nerd, I took this as an opportunity to learn a little more about using computers. I had a copy of Knoppix (NOTE: I used version 3.7 when this was done) hanging around, so I knew that I could boot the laptop and get an image of its hard disk. My issue was that I had never done much to recover deleted files. The laptop's file system was NTFS, which narrowed the field a little bit; FAT32 is easy to find tools for, as that format is supported on both Linux and Windows, but NTFS is not. After doing some poking around and talking to a few people I settled on using The Sleuth Kit and Autopsy. In addition to the software, I had an 80 GB Maxtor external USB drive.

Setting Up

First I plugged the USB drive into my machine, booted it up in Knoppix and split the drive into two partitions, one of about 20 GB for the recovered files and such, the other 60 GB for the image of the laptop's hard drive. I didn't know how big the laptop's disk was, so I was as generous as possible. It turned out to be only about 20 GB, so I could have been more stingy with the partition that held the image. I used QTParted to partition the USB drive. This is where I made my first mistake. Not having done this before, I simply made both partitions FAT32. This was a big mistake for the partition that would hold the disk image, as the image file was around 20 GB, or about 5 times larger than the largest file a FAT32 file system allows (4 GB). I repartitioned the space using ext2. Problem solved.

On the smaller partition I downloaded The Sleuth Kit and Autopsy and compiled them. Since I was running from the Knoppix CD, I didn't go through the entire make install dance, as I couldn't have installed it without working some magic anyway. I just typed out the entire path name when I wanted to run the programs. This turned out to be easier for me in the short run. At this point somebody may want to pipe up and point at some distributions of Knoppix (or other Live CDs) that have The Sleuth Kit installed already. I had looked into this; at the time NTFS support was a relatively new addition, and the CD images for those distributions shipped a version that did not support NTFS.

So now that I had the OS running, the tools compiled and the hard disk set up, I needed to get the image. This is where I made my second big mistake. I am by no means a Unix guru. I know enough to be dangerous. Unix eunuch may be more like it. Anyway, not surprisingly, there were bad sectors on the disk, and I just started a plain old dd instance and kicked off the copy. About 45 minutes into it dd found the first bad sector and halted, dutifully telling me it had found a bad sector. So after about 30 seconds of research I had discovered the noerror and sync options: noerror makes dd carry on past a read error instead of quitting, and sync pads the unreadable block with zeros so everything after it keeps its original offset in the image (without that, the rest of the image slides back and the file system's metadata no longer points where it should). I ran

dd if=/mnt/hda1 of=/mnt/img/laptop.dd conv=sync,noerror

This ran along merrily and after a while it was done. I had noticed some odd output on the screen along the way, and when I tried to open the image in Autopsy, I couldn't get squat. Only after some more research and re-reading the dd docs did I realize I was a moron for pointing dd at the mount point of the drive (a directory) rather than at the raw block device. I should have done this

dd if=/dev/hda1 of=/mnt/img/laptop.dd conv=sync,noerror

Finally, I had an image I could use.
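To make concrete what the two dd runs above do to a disk with a bad sector, here is an added example, not code from the original post: a small Python re-implementation of the read loop dd runs, with a constructed FlakyDisk standing in for /dev/hda1 so the bad-sector case can be exercised without real hardware. The FlakyDisk class, the sector layout and the choice of sector 3 as the bad one are all assumptions made for the example; the noerror and sync behaviour is what dd itself does.

```python
"""Added example: what dd's conv=noerror,sync does to a disk with bad sectors.

Not code from the original post: a re-implementation of dd's read loop with
a constructed fake device so the bad-sector case can be run without hardware.
"""
import hashlib
import io

SECTOR = 512  # classic sector size; dd's default block size is also 512 bytes


class FlakyDisk:
    """Constructed stand-in for /dev/hda1: a byte buffer that raises an I/O
    error whenever a read touches one of the listed bad sectors."""

    def __init__(self, data, bad_sectors=()):
        self.data = data
        self.bad = set(bad_sectors)
        self.pos = 0

    def seek(self, offset):
        self.pos = offset

    def tell(self):
        return self.pos

    def read(self, n):
        if self.pos >= len(self.data):
            return b""  # end of device
        end = min(self.pos + n, len(self.data))
        first, last = self.pos // SECTOR, (end - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:end]
        self.pos = end
        return chunk


def image_device(dev, out, block=SECTOR, noerror=True, sync=True):
    """Copy dev to out block by block, the way dd does.

    noerror=False: stop at the first unreadable block (plain dd, the first attempt).
    noerror=True:  record the offset and carry on.
    sync=True:     pad a failed or short read with zeros so every later block
                   lands at its original offset; without it the rest of the
                   image slides back and NTFS metadata no longer points where
                   it should, which is what makes Autopsy "get squat".
    Returns (bytes_written, bad_offsets, sha256_hex); keep the hash with the
    image so you can prove later that it has not changed.
    """
    bad_offsets = []
    digest = hashlib.sha256()
    written = 0
    pos = 0
    while True:
        dev.seek(pos)
        try:
            chunk = dev.read(block)
            if not chunk:
                break  # end of device
        except OSError:
            if not noerror:
                raise
            bad_offsets.append(pos)
            chunk = b""
        if sync:
            chunk = chunk.ljust(block, b"\x00")
        out.write(chunk)
        digest.update(chunk)
        written += len(chunk)
        pos += block
    return written, bad_offsets, digest.hexdigest()


def demo(noerror=True, sync=True):
    """Image a constructed 8-sector disk whose sector 3 is bad.
    Returns (original_bytes, image_bytes, bad_offsets, sha256_hex)."""
    original = b"".join(bytes([65 + i]) * SECTOR for i in range(8))  # 'AAA..', 'BBB..', ...
    disk = FlakyDisk(original, bad_sectors=[3])
    out = io.BytesIO()
    written, bad, digest = image_device(disk, out, noerror=noerror, sync=sync)
    assert written == len(out.getvalue())
    return original, out.getvalue(), bad, digest


if __name__ == "__main__":
    original, image, bad, digest = demo()
    print(f"{len(image)} bytes imaged, bad sectors at offsets {bad}, sha256 {digest}")
    # sector 3 is zero-filled in the image and sector 4 is still at offset 4*512
    print(image[4 * SECTOR:5 * SECTOR] == original[4 * SECTOR:5 * SECTOR])
```

Running demo(noerror=False) raises the same I/O error that stopped the first dd run; demo(sync=False) finishes but the image is one sector short and everything after the bad sector is shifted back by 512 bytes. A larger block size (bs=) makes dd faster, but with conv=sync a single bad sector then costs you the whole block, so image a failing disk at sector size.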

Recovery

Now that I had a usable image, I could return the laptop and get to work on recovering files without interrupting this guy's work. I had never used The Sleuth Kit or Autopsy before, but the learning curve wasn't too steep. Autopsy does a very good job of helping you set up a case so you can work with the image files. To recover the deleted files, I simply went through the interface, chose deleted files and picked out anything that looked like a picture. All the photos had jpg extensions, and there was also a QuickTime movie I was able to save. I had been told where the pictures were likely located, so that made life a little easier. In addition, the Autopsy interface was explicit about which files were deleted and recoverable and which were just deleted. I used the right-click option in the browser to save the files off to my original, smaller partition. As I was going through the files I thought about writing a script to automate this, since all this stuff could be hacked on anyway as it's all open source, but there were only about 65 files so it wasn't terribly time intensive.

Autopsy makes poking around a hard drive all too easy. If you've heard in theory that files on a hard drive are never really deleted, Autopsy makes this very clear in practice. All kinds of stuff that was in the browser cache, deleted from the recycle bin or overwritten by reinstalling the OS was just waiting to be investigated. I'm sure most of the people reading this are aware that deleting a file doesn't mean it's gone, but it's one thing to hear that and another to actually see it in practice.

In Conclusion

First let me make painfully clear the things I screwed up. In doing so I did no lasting damage to my computer or to the computer I was working on. This is one of the beauties of Knoppix: it mounts the machine's hard disks read-only, and you have to do a little bit of finagling to get things screwed up to the point where they won't work. This takes a lot of the pressure off. Here are some tips I can offer to help you get started, based on my experience:

Other than these few errors, the process went pretty well and I learned a lot. I am always amazed at the power of some of the freely available tools out there. Knoppix is something that should be in every serious software developer's toolkit. You have a ready-to-go Linux distribution that fits on a single CD and has just about all the tools you need to do some very intricate tasks. Its hardware auto-detection is about as good as Windows'; I've never had Knoppix fail because of hardware it could not recognize. Those few tools that are missing, like TSK and Autopsy, are easy enough to add should you want to do so. In addition to this I sent a copy to my parents to help them recover files from a Windows machine riddled with spyware, I use it for testing Python and Perl scripts for cross-platform support, and I've introduced it to a few people at work who occasionally need to work in Linux environments but don't need to commit a disk partition to the OS.

Other than learning some new software tools and helping out somebody who was in a pinch, this exercise made me keenly aware of the need to invest in a good hard disk shredder: if a reinstall leaves this much behind for Autopsy to find, a disk you give away needs to be deliberately overwritten first.