Data Recovery on rm files 1

POPKORN

Hello everyone,

I am running Solaris 9, which is connected to a CLARiiON storage unit over fiber. The issue at hand is that I had my wedding pics in a RAID 5 and I burned them onto a CD to send them to be printed. I made the stupid mistake of deleting the pics without checking the CD first, and now the CD doesn't work and my wife "LOL" I guess you guys can imagine. I have heard about TCT coroner's tool kit but, being the case that this is the largest raid egg 1.2TB, I don't have access to another one this size so I cannot use this tool. Is there any other way to recover these images?

Any help or pointers would be greatly appreciated.


Popkorn
 
Sorry popcorn, there is no easy way to recover deleted files from a UFS filesystem; rm will just delete the reference to the first inode, and as long as there aren't any other writes to this FS you may have a chance to recover something. You'd better ask one of these dataminers; I never tried this myself.

Best Regards, Franz
--
Solaris System Manager from Munich, Germany
I used to work for Sun Microsystems Support (EMEA) for 5 years in the domain of the OS, Backup and Storage
 
I think the chances of recovering anything deleted from an active raid array are close to impossible. Even if you get a page or sector here or there, it won't be enough to reconstruct an image.

I think I would spend a lot of time trying to get something off of the CD you burned, that is assuming something got successfully burned onto it. Maybe try it in a variety of different machines. I've burned CDs before that were happy in some machines, but not in others.

Anyway, good luck!

 
Sam, it does not matter whether it's a "simple HDD", CD or RAID5; it's the filesystem level on which you try to recover...

But I agree with you: maybe it's easier to recover the CDROM.

Best Regards, Franz
 
Hi daFranze,

The reason I stated it the way I did is because I've used a data recovery service in the past to salvage data off of a damaged single drive. I was amazed at what they were able to recover. They even retrieved some things that had been "deleted". This is reconstructing files at the page/sector level and can be done regardless of file system. It's costly and time consuming, but it is possible.

With the data spread across a raid array, it makes that kind of recovery much harder, close to impossible.
 
OK, I agree, if the FS is damaged that much you have to go to block level, but in the eyes of the OS it does not matter what the media itself is. If you don't have information about how this R5 was built you will have no chance. If you know this R5 was made of "disk A which was c1t0d0s0", "disk B c2t0d0s0", "disk C c3t0d0s0" and "disk D c4t0d0s0", you can reconstruct the R5 (in SVM it's metainit -r); from this point of view it's just a LUN for the OS.

One of my colleague's friends works for a company which restores data, he can tell stories... :cool:

Best Regards, Franz
 
Well guys, got some great news. I installed the sleuthkit and autopsy, and with the combination of these two and dd I was able to recover pretty much all the pictures. There were 187 pics; I recovered 164. I cannot be any more grateful to these two programs. If anyone is interested in a procedure on how I performed this, let me know. I will be more than happy to create a mini howto and paste it in here.

Thank you all for your comments.

POPKORN
 
Could you paste a mini-howto on what you did as I'm very interested. Thanks!

-twantrd
 
Hi Popcorn,

Great to know your news.

Please let us know the steps, it will be a great help in case of an urgency like the one you faced.. ;-)

Thanks in advance.

SBS
 
Wow! Sounds like sleuthkit and autopsy were real marriage savers! Yes, please post a FAQ or how-to.
 
OK guys, I have not forgotten. I have just finished backing up all the data and I think I'm gonna recreate the problem, as I am not 100% sure step by step and I don't want to post something erroneous in here. I shall have something concrete by the end of this week.

Sorry for taking so long, it is just that work got piled up and I have a few deadlines to meet. But you have my word.... it will be here soon.


popkorn
 
OK guys, sorry for the delay but here it is...


You only actually need 2 tools for the job: dd and another program called foremost. I have a huge array and that was my main concern, because I did not have an array as big as the one with the data lost to copy an image of the drive using dd to another array.

This instruction that I am providing by no means will provide 100% data back. It also assumes you have some basic Linux/Unix skills. I just happened to be very lucky and all my images were the first things dropped in the array. So I only needed about 60G of space to recover my pics as they took the initial 40 some gigs of the array.


The first tool you will need is dd. If you can make an image of the entire drive, even better; if you cannot, then make the image as big as possible. In my case my array was over 1.2TB, but I was very lucky that when I did dd to this array I only transferred about 60G because that's all the space I had left. It just so happens that the pictures were there, as they were the first thing recorded into the array.

Once you have the dd image, you are going to need a program called foremost, which can be used on Windows or any Linux/Unix env. I am enclosing the readme for reference.


FOREMOST
----------------------------------------------------------------------

Foremost is a Linux program to recover files based on their headers and
footers. Foremost can work on image files, such as those generated by dd,
Safeback, Encase, etc, or directly on a drive. The headers and footers are
specified by a configuration file, so you can pick and choose which
headers you want to look for.



Here's a sample set of headers and footers:

# extension case-sens max-size header footer (option)
#
# GIF and JPG files (very common)
gif y 155000 \x47\x49\x46\x38\x37\x61 \x00\x3b
gif y 155000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b
jpg y 200000 \xff\xd8\xff \xff\xd9

Once you get this program installed and configured you can modify the headers and footers as mentioned above to scan for the file types that are on that dd image. You need to know the headers and footers of the file types. If you don't, the program will not work. Once you change and add the footers and headers to the config file, all files in the dd image that match these will be placed in a folder in a directory called output.

There are 2 things to take into account. In my case I was just looking for images. These files do not take a lot of space so it was easier. In the event you're looking for executables or large " 1G++ files " you will need at least 2 places to put data. If you only have 1 drive available and it's a 120G drive you can split it in 70/30: 70% for the dd image and 30% to place the files it found. If you need the functionality of searching by keywords, if you don't have headers and footers information, I would suggest you fully read the sleuthkit and autopsy documentation. It's a little more elaborate than this, but if you don't have headers and footers this is the way to go. I have asked other people and they have had very good results with these two programs, including on large raid systems. You will find files that were deleted. If you broke the raid conf or reconfigured the raid in any way you're pretty much $%#^ed....

So as long as they were just deleted you have a very good chance of getting them back. Just make sure you don't use the same raid to store the files it found, or else you will be overwriting everything and recovery will be impossible.


I hope this helps... and if anyone has any success all I ask is for you to post here what you were able to recover and how, so that other people can benefit from this, as it is a very hard and debatable subject and a lot of people say it's almost impossible. I am living proof that it can be done. Hell, these programs might as well have just saved me a divorce hahahahahah.

Good luck to everyone needing this.


POPKORN
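
Added example (not part of the original post and not foremost's own code): a minimal header/footer carver driven by the three rules from the sample config quoted above, run against a small constructed image. The names `carve` and `carve_file` are hypothetical, and skipping a header whose footer is not found within max-size is a choice made for this example.

```python
import mmap
import os

# (extension, max-size, header, footer) from the sample config quoted above
RULES = [
    ("gif", 155000, b"\x47\x49\x46\x38\x37\x61", b"\x00\x3b"),
    ("gif", 155000, b"\x47\x49\x46\x38\x39\x61", b"\x00\x00\x3b"),
    ("jpg", 200000, b"\xff\xd8\xff", b"\xff\xd9"),
]

def carve(image, rules=RULES):
    """Return sorted (start, end, extension) for each header whose footer
    appears within max-size bytes. `image` may be bytes or an mmap."""
    hits = []
    for ext, max_size, header, footer in rules:
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            foot = window.find(footer, len(header))
            if foot == -1:
                # Footer missing or beyond max-size (e.g. the file runs past
                # the end of a partial image): skip it. Assumption of this example.
                pos = image.find(header, pos + 1)
                continue
            end = pos + foot + len(footer)
            hits.append((pos, end, ext))
            pos = image.find(header, end)
    return sorted(hits)

def carve_file(image_path, outdir):
    """Carve a dd image read-only and write hits to a separate directory."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    with open(image_path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as image:
        for start, end, ext in carve(image):
            name = os.path.join(outdir, f"{start:012d}.{ext}")
            with open(name, "wb") as out:
                out.write(image[start:end])
            written.append(name)
    return written

# Constructed sample "image": free space, one JPEG, one GIF, then a JPEG cut
# off by the end of the image (as with a partial dd copy).
JPG = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-payload" + b"\xff\xd9"
GIF = b"GIF89a" + b"constructed" + b"\x00\x00\x3b"
SAMPLE = (b"\x00" * 512 + JPG + b"\x11" * 100 + GIF + b"\x11" * 100
          + b"\xff\xd8\xff\xe0" + b"cut off")
```

The carver never consults the filesystem, which is why it still finds deleted files, and `carve_file` opens the image read-only and writes only to `outdir`, which should live on a different volume than the one being recovered.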
 
Ohh guys, I forgot something very important. If you are running a storage array like me, you need to either find a DAE unit or add more disks to your array and create another array. This new array can be mounted over NFS or Samba, and then you will be able to analyze the dd image elsewhere..

I really hope this info can help other people.


POPKORN
 
Just read the instructions... Great, thanks!
If you look at this it looks quite easy!

Best Regards, Franz
 