Have you ever deleted important data from your computer by accident? Deleted data remains on the drive until it is overwritten. When a file is deleted, its reference is removed from the Master File Table (MFT), which references all of the files on a particular drive. Once the reference is gone from the MFT, the operating system knows there is free space that can be used, but the actual data remains on the disk unless it is overwritten. We can use data recovery tools such as Foremost to read all the data on the drive and recover as much as possible.
In this tutorial we will be using the Foremost data recovery tool and Ubuntu Linux. Any flavor of Linux will work for this tutorial. If you are using Windows, check out Recover Deleted Data from USB Flash Drive with Restoreation.
Foremost works on several different file system types, including FAT, NTFS, EXT3, and more. We will make a RAW image of the drive to prevent losing any more data during analysis, and then run Foremost on that RAW image. To get started, we first need to install Foremost. In Ubuntu, Foremost can be installed as follows:
sudo apt-get install foremost
If you're using a different flavor of Linux, check out http://foremost.sourceforge.net and find the installation instructions on that website. Now that Foremost is installed, plug in your flash drive. We need to find the name of the flash drive. The following command shows all partitions on all drives; use the size to determine which one is your flash drive.
sudo fdisk -l
On other Linux operating systems you may need to remove sudo.
We now have the name of the drive; in my case it's /dev/sdb1. With the flash drive's name we can create the RAW image of the flash drive. We will be using dd, a common Unix program whose primary purpose is low-level copying and conversion of RAW data, to create an exact copy of the flash drive. In the following example we save the RAW image to thumbdrive.image.
sudo dd if=/dev/sdb1 of=thumbdrive.image
Here again, you may need to remove sudo on other Linux systems.
You can now remove your flash drive, because we have the RAW image. All that is left is to create a folder for the output and run Foremost on our RAW file. The following creates the folder and then gives Foremost the image file; the -o parameter names the output folder, which in this case is called "output".
mkdir output
foremost -i thumbdrive.image -o output
Now you can open the output folder, where you will see several folders and audit.txt. Read audit.txt, because it has loads of useful information about the recovery. It's now time to see the files you have recovered. Each folder is named after a file format, for example JPG, and contains all of the recovered files of that format, in this case all of the JPG images.
If you're interested in a more targeted approach that recovers only one file format, you can use the following. The advantages are that it is quicker and usually does a better job. In this case the type of file we are after is a PDF file.
foremost -t pdf -i thumbdrive.image -o output
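Here are the imaging and recovery steps above with an integrity check added, so you know the RAW image is an exact copy before you unplug the drive and that it was not altered while Foremost ran. This is an added example, not part of the original tutorial; the function names are made up for illustration, and it assumes GNU dd and sha256sum are installed.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial. Assumes GNU coreutils
# (dd, sha256sum). Function names are hypothetical. Unmount the drive first
# so the source cannot change between the copy and the hash.

# Print only the SHA-256 digest of a file or block device.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SRC DST: copy SRC to DST with dd, compare the SHA-256 of
# source and copy, record the digest next to the image, and mark the image
# read-only. Prints the digest on success.
image_and_verify() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2; return 2
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists, refusing to overwrite" >&2; return 3
    fi
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 4
    src_sum=$(digest "$src")
    dst_sum=$(digest "$dst")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "hash mismatch: source $src_sum, image $dst_sum" >&2; return 5
    fi
    echo "$dst_sum" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    echo "$dst_sum"
}

# image_unchanged DST: succeed only if the image still matches the digest
# recorded at imaging time (run it after Foremost has finished).
image_unchanged() {
    [ "$(digest "$1")" = "$(cat "$1.sha256")" ]
}

# With the tutorial's names (run as root to read the device):
#   image_and_verify /dev/sdb1 thumbdrive.image
#   foremost -i thumbdrive.image -o output
#   image_unchanged thumbdrive.image && echo "image intact"
```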
That's all there is to data recovery in Linux with Foremost. Thanks for reading this far. Any questions and comments can be left below, and if you found this article interesting, please subscribe via RSS. Later this week we will learn how to permanently delete data from a flash drive.
Take it easy.


Sorry, all comments for this post were deleted on accident.
Next time include sources please =)