So, my drive failed. One day it was fine, the next day the OS was grinding along, barely responding to commands. So, being a Windows kind of guy, my first reaction was to reboot. The system didn't come back. The Linux boot loader just reported IO errors on the kernel and stopped. Sigh, it's a good thing I've learned my lessons over the years and had a fairly recent backup. You do have a recent backup, right?
Having a backup, and not being particularly concerned, I thought I'd take the time to learn some Linux data recovery techniques. Besides, it was a good opportunity to install a new, bigger drive and upgrade to the latest version of Ubuntu. Anyway, after fussing and farting around, I managed to get nearly all of my data back from the failing HD. Now, if I were faced with it again, here is the order that I would do things. It's not the order that I did do things, but, hey, I did learn a thing or two in the process.
- Get an Ubuntu LiveCD to boot the failed system from. I tried a couple of other LiveCDs but my system is an older Mac Mini Power PC (PPC) so there aren't a lot of choices in the LiveCD arena. The couple that I did try lacked decent tools or even the ability to install more, so I went back to Ubuntu, which is my distribution of choice and the only one I have any real knowledge of. So, there may be better tools out there, but this article is using Ubuntu.
- Get a USB drive that has more free space than the entire partition size you are trying to recover. Not the used space, the entire space.
- Boot from the LiveCD.
- Enable all the software sources.
- Install DD_Rescue. Using a terminal session to typing: "sudo apt-get install ddrescue" will do it.
- Identify the failed drive partition by typing: "sudo fdisk -l" It should be /dev/hda1 or something like that. Make sure you know the right drive or this whole process is going to be kind of pointless.
- Connect your working USB drive and wait for it to auto-mount. Ubuntu is nice that way. Note the path to it, which should be something like /media/disk ... whatever it's volume label is anyways.
- Use DD_rescue to copy your entire failed drive to an image file on the USB. Type: "dd_rescue /dev/hda1 /media/drive/recover_hda1.img" This is just Command -space- Source -space- Destination, nothing complicated. Of course, you need to replace these parameters that match the ones you identified previously, and you can pick whatever filename you want. If it's a large drive, this is going to take quite some time, not the name picking, the file copy. Well, some people seem to spend a lot of time picking names, but that's your problem if you do.
- Okay, so now you have a backup of the readable part of the failed data. From here, you have several choices. If your problem is just scrambled format information, then you can try to recover the partition on the failed drive. If the drive is failing at a hardware level, then this approach is rather pointless. You could instead replace the failed drive or you could use a second USB drive. Either way, you're going to have to use DD_Rescue to copy the image file back to the drive, just reverse the command parameters - file to dev.
- Okay, you now have a drive with the data you want recovered and an image file backup of said drive, so it doesn't matter if you do anything wrong with said data drive in the process of recovery, right? You can always repeat the process of using DD_Rescue to copy the file information back to the drive.
- You have several recovery options: partition recovery, file recovery, and carving. In partition recovery, you can use a utility called TestDisk (which you'll have to install just like DD_Rescue) to scan the drive for partition information. There's lots of information out there on how to use it so I'm not going to put it here. It's not the easiest program to use but, considering the technical nature of what it does, well, it could be a whole lot worse. In file recovery, you want to use a tool like fsck, which is kind of like the old DOS checkdisk. There are lots of command-line options, just type: "fsck --help" or maybe "man fsck" for a list. In file carving, you use a tool like PhotoRec to scan through the drive looking for recognizable file patterns. Use this as a last resort because it will not recover your drive folder structure or filenames. You just get a list of files that you have to go through, one by one, to see what they are. And, yes, it recovers a whole lot more than just photos. So far, I've not had to resort to file carving.
- At this point, you should have a drive or folder with your recovered data, or at least all the data you're going to get recovered, in it. The next process is to get your system back up and running with the new data. I recommend copying this data to a USB drive and then just re-installing your system. After that, it's a fairly simple matter to selectively locate and copy back your old data to the new system.
So, here's a summary of useful tools:
- Ubuntu Live CD (to do anything on a system with no functional operating system)
- DD_Rescue (to copy data, drive to drive, drive to file, or file to drive)
- TestDisk (to recover lost partitions, among other things)
- Fdisk -l (to list drive partitions)
- fsck (to check the file structure of a partition)
- PhotoRec (to carve files - note there are other file carvers as well. This one comes with TestDisk)
- chown (to take ownership of your recovered files - you may need to do this)
- chmod (to allow a non-root user to access the recovered files - so you can use nautilus to move them around)
2 comments:
Post a Comment