====== Disk Information ======
Handy commands:
* **lsblk** -- Lists all attached drives, including partitions\\ Ex: lsblk
* **udevadm** -- Gives detailed information about a drive\\ Ex: udevadm info --query=all --name=/dev/sd | grep ID_SERIAL_SHORT
====== Disk Testing ======
Handy Commands:
* Checking a drive's SMART attributes:
* GUI:
- Install gnome-disk-utility (If not already installed)\\ apt-get install gnome-disk-utility
- Run: gnome-disks
- Select your drive and then select the menu button in the top-right corner:\\ {{::screenshot_2018-08-22_11-17-49.png |}}\\ {{::screenshot_2018-08-22_11-24-41.png |}}
* Command Line:
- Install smartmontools apt-get install smartmontools
- Overall health report: smartctl -H /dev/sd
- Detailed SMART information: smartctl -i /dev/sd
* Running SMART tests (non-destructive to data)
* GUI: gnome-disks\\ Open "SMART Data & Self-Tests", click "Start Self-Test", and select a test to run.
* Command Line: smartctl --test=short /dev/sd\\ smartctl --test=long /dev/sd
* Thoroughly Testing Drive Media (**CAUTION: DESTRUCTIVE TO DATA**)\\ badblocks -vws /dev/sd
====== Data Recovery ======
If the hardware is suspect, then the first thing to do is get a byte-for-byte copy of the drive's contents into a disk image file. The less time spent using possibly faulty hardware the better. For this, use ''ddrescue'' instead of ''dd'', as ''ddrescue'' will repeatedly try to recover from errors as it tried to salvage data, whereas dd will simply fail.
apt-get install gddrescue
ddrescue -A -f /dev/sd broken.img
This copy will remain unchanged while we work. Make a copy of this file, and only alter the copy. This way, if anything goes awry then we can go back to square one without having to rely on possibly faulty hardware again.
cp broken.img work.img
Use testdisk to search for and repair disk partitions.
apt-get install testdisk
testdisk work.img
Using testdisk involves using the arrow, escape, and enter keys.
- Confirm that you want to use the disk image work.img, click "Proceed"\\ {{ :screenshot_2018-08-22_11-54-59.png |}}\\
- Select the disk image partition table type. Ex: Intel\\ {{ :screenshot_2018-08-22_11-57-20.png |}}\\
- Click: Analyse\\ {{ :screenshot_2018-08-22_11-58-16.png |}}\\
- Click: Quick Search\\ {{ :screenshot_2018-08-22_11-59-08.png |}}\\
- Click: Enter to continue\\ {{ :screenshot_2018-08-22_12-00-07.png |}}\\
- Click: Deeper Search\\ {{ :screenshot_2018-08-22_12-00-46.png |}}\\
- Click: Enter to continue\\ {{ :screenshot_2018-08-22_12-01-27.png |}}\\
- Click: Write\\ {{ :screenshot_2018-08-22_12-02-14.png |}}\\
- Click: Y\\ {{ :screenshot_2018-08-22_12-02-54.png |}}\\
- Click: OK (You do not need to reboot)\\ {{ :screenshot_2018-08-22_12-03-46.png |}}\\
- Click: Quit\\ {{ :screenshot_2018-08-22_12-04-21.png |}}\\
- Click: Quit\\ {{ :screenshot_2018-08-22_12-04-54.png |}}\\
Use photorec to recover deleted files.
mkdir RECOVERY RECOVERY/DELETED RECOVERY/RECOVERED
photorec work.img
- Confirm that you want to use the disk image work.img, click "Proceed"\\ {{ ::screenshot_2018-08-22_12-32-18.png |}}\\
- Select partition, click: Search\\ {{ ::screenshot_2018-08-22_12-33-21.png |}}\\
- Select the filesystem type\\ {{ ::screenshot_2018-08-22_12-34-09.png |}}\\
- Select directory to save recovered files.
- Select: RECOVERY\\ {{ ::screenshot_2018-08-22_12-35-28.png |}}\\
- Select: DELETED\\ {{ ::screenshot_2018-08-22_12-36-06.png |}}\\
- Press: C\\ {{ ::screenshot_2018-08-22_12-37-04.png |}}\\
- photorec will process for a while. When finished, select: Quit\\ {{ ::screenshot_2018-08-22_12-38-17.png |}}\\
- Select: Quit\\ {{ ::screenshot_2018-08-22_12-38-59.png |}}\\
- Select: Quit\\ {{ ::screenshot_2018-08-22_12-39-34.png |}}\\
Files that the filesystem thinks have been deleted are now stored in ''RECOVERY/DELETED/''. Filenames are most likely trashed, so the only way to identify a file is to open it up.
Recover other files:
- Find a list of partitions:\\
fdisk -lu work.img
Disk work.img: 1.9 GiB, 2055208960 bytes, 4014080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000
Device Boot Start End Sectors Size Id Type
work.img1 63 4014079 4014017 1.9G 5 Extended
work.img5 496 4014079 4013584 1.9G 6 FAT16
- Find the offset from the beginning of the disk image file to the partition that you want to work with:\\ \\ ''OFFSET = SECTOR-SIZE * START = 512 * 496 = 253952''\\
- Attach the partition to a loopback device:\\ losetup -o 253952 /dev/loop0 work.img\\
- Attempt to fix the partition:\\ fsck -y /dev/loop0 2>&1 | tee fsck.log\\
- Mount the fixed partition read-only:\\ mount -o ro /dev/loop0 /mnt\\
- Copy files into ''RECOVERY/RECOVERED'':\\ cd RECOVERY/RECOVERED ; (cd / && tar -cvf - mnt) | tar -xvBpf - 2>&1 | tee ../tar.log\\
- Optional: Get a list of files for which tar failed:\\ grep ^tar: ../tar.log\\
- Optional: Find a list of files of size 0 bytes:\\ find . -size 0 -ls 2>&1 | tee ../zero-size.log\\
- Unmount the filesystem:\\ umount /mnt\\
- Detach the loopback file:\\ losetup -d /dev/loop0\\
Final contents of ''RECOVERY'' directory:
* ''RECOVERY/DELETED'' -- Files recovered that the filesystem previously thought had been deleted.
* ''RECOVERY/RECOVERED'' -- Files that could be copies off of the disk image. Some files may be corrupt though.
* fsck.log -- A log of all the changes that fsck made while fixing the filesystem.
* tar.log -- A log of all the files copied from the disk image into ''RECOVERY/RECOVERED''. Any files that could not be copied are listed here and may be found with ''grep ^tar: log.tar''.
* zero-size.log -- A log of all the files in ''RECOVERY/RECOVERED'' that are empty.