UFS Undelete

B

balanga

What do people suggest when trying undelete files on a disk?

I looked at sysutils/testdisk which seems to locate deleted files, but I can't make out if there is a way to undelete files or do you to have to copy them to an alternative media?

Does anyone of a good guide for using Testdisk?
 
balanga said:
What do people suggest when trying undelete files on a disk?
Click to expand...
Never do this - try to undelete files on a disk, unless the missing files are a result of user error (accidental removal of wrong files).
Instead, make an image of the whole disk (yes, you will need storage large enough to keep the image on, and space for recovered data. Disk storage is cheaper than missing data.) and run your recovery tools on the image (actually on a copy of the image). This way you can try as many tools and as many ways as you have patience for.
 
ljboiler said:
TestDisk documentation here.
Click to expand...
Thanks, I've read the documentation numerous times but am having problems figuring out how to use the program.

I have a 500GB disk with many partitions.

On starting testdisk, I select the disk I want recover, press 'proceed' and then select [EFI GPT] and then Analyze. It shows me 21 partitions.
Selecting [Quick Search] redisplays the partitions in green each one prefixed by P (Primary).
Pressing Enter to continue, redisplays the previous list, in white, with the following options:
[Quit] [Return] [Deeper Search] [Write]

I'm not sure what happens if I select write at this point. Does the system attempt to recover this data or write to some other device?


 
tingo said:
Never do this - try to undelete files on a disk, unless the missing files are a result of user error (accidental removal of wrong files).
Instead, make an image of the whole disk (yes, you will need storage large enough to keep the image on, and space for recovered data. Disk storage is cheaper than missing data.) and run your recovery tools on the image (actually on a copy of the image). This way you can try as many tools and as many ways as you have patience for.
Click to expand...
Thinking about it, I'm not in urgent need to recover the data so I may as well get a new device to take a copy of the disk, but not sure what to get...
 
tingo said:
Never do this - try to undelete files on a disk, unless the missing files are a result of user error (accidental removal of wrong files).
Instead, make an image of the whole disk (yes, you will need storage large enough to keep the image on, and space for recovered data. Disk storage is cheaper than missing data.) and run your recovery tools on the image (actually on a copy of the image). This way you can try as many tools and as many ways as you have patience for.
Click to expand...
I've bought a 2TB disk, so intend to create an image of my problem disk.

Should I simply

mount /dev/da02 /mnt
dd if=/dev/da01 (problem disk) of=/mnt/problem-disk.img bs=1M status=progress


It's a new disk which is formatted as exFAT so it may be an idea to format it as ZFS beforehand.
 
After creating a zfs pool, vault and cd-ing into it
I'm trying to run

dd if=/dev/da1 of=problem-disk.img bs=4M status=progress

and it has been running half an hour but no progress has been reported yet, so it looks like I've done something wrong.

Is there any way to tell if the zfs pool is actually filling up?

The pool is 2TB and the disk I'm trying to backup is 500GB.
 
balanga said:
Thinking about it, I'm not in urgent need to recover the data so I may as well get a new device to take a copy of the disk, but not sure what to get...
Click to expand...
After an unsuccessful detour trying to create a backup which hasn't worked for various reasons, I'm back trying to make sense of Testdisk.

Testdisk appears to find all the partitions (21 of them) and the files are identified, but I can't figure out where to start recovering them.
At the moment I'm doing a sector analysis and it looks like this will take the rest of the day.

Looking at the docs, it looks as though https://www.cgsecurity.org/testdisk_doc/partition_recovery.html#partitions-selection

tells me what I need to do, but I'm concerned that I may delete a partition inadvertently.
 
You must log in or register to reply here.
Back
Top