DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 26th August 2008
LateNiteTV LateNiteTV is offline
Port Guard
 
Join Date: Jul 2008
Posts: 19
Default data recovery.

i have a harddrive that currently has freebsd 6.3 on it. ive used it for years and was wondering if there was any possible way i can recover files on it, even though it has been reformatted probably more than 20 times and have had probably 10 - 15 different operating systems on it. is this possible? if so, can someone point me in the right direction... thank you.
Reply With Quote
  #2   (View Single Post)  
Old 26th August 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

If you want to recover only text, you could use dd(1) on the whole disk and strings(1) to see and store and all text to another computer or disk.

Other formats will be very difficult
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 26th August 2008
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
 
Join Date: May 2008
Location: USofA
Posts: 1,547
Default

No disrespect or offense meant LateNiteTV, but I do think this is the craziest question I've read in a long time....



If the disk has been reformatted numerous times and had several OSes installed on it after FreeBSD was 'overwritten', the only reliable method is via backups. One good thing about backups, you generally can be sure of what you will get back out of them, with suitable storage....
__________________
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote
  #4   (View Single Post)  
Old 26th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Quote:
Originally Posted by LateNiteTV View Post
i have a harddrive that currently has freebsd 6.3 on it. ive used it for years and was wondering if there was any possible way i can recover files on it, even though it has been reformatted probably more than 20 times and have had probably 10 - 15 different operating systems on it. is this possible? if so, can someone point me in the right direction... thank you.
No.

http://www.daemonforums.org/showpost...97&postcount=4

Quote:
Originally Posted by J65nko View Post
If you want to recover only text, you could use dd(1) on the whole disk and strings(1) to see and store and all text to another computer or disk.

Other formats will be very difficult
That won't help if the data has been overwritten 10/20 times, heck, it won't help if its been overwritten a single time.
Reply With Quote
  #5   (View Single Post)  
Old 26th August 2008
LateNiteTV LateNiteTV is offline
Port Guard
 
Join Date: Jul 2008
Posts: 19
Default

lol gracias!!!
Reply With Quote
  #6   (View Single Post)  
Old 27th August 2008
robbak's Avatar
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
 
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366
Default

The programs ddrescue, testdisk and photorec (part of the testdisk port) are the standard data recovery toolkit. If the data on the disk has not been overwritten, these should recover it for you. But none of these will work if the actual data has been overwritten.

If you have reformated and installed on the disk, you should consider the data overwritten. If you need to recover data from a disk that is in use, you should pull the plug from the system NOW (No, do not shut down cleanly!), connect the drive to another system, and use ddrescue to take an image of the drive to work on. That said, it is almost certainly too late.

However, if you are asking if a determined someone could recover data from that disk (say, for industrial espionage or evidence gathering), you should consider data to remain on the disk until it has been ground into tiny bits, degaussed for hours and mixed into the asphalt when repaving the parking lot. (Yes, actual practice in some highly sensitive establishments!)
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
Reply With Quote
  #7   (View Single Post)  
Old 27th August 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

The last paragraph in robbak's post is a work of fiction, government agencies overwrite data multiple times because they're paranoid, absolute recovery is likely impossible.. determining the previous state of a single bit alone is theoretical, actually restoring enough of an original bit pattern would be improbable.

For example, the ksh shell on OpenBSD 4.3 is 324,992 bytes in length, 324,992*8 = 2,599,936 bits arranged in a unique pattern to form the executable.

I've yet to find any concrete evidence that recovery of data after being overwritten is possible..

Last edited by BSDfan666; 27th August 2008 at 01:12 AM.
Reply With Quote
  #8   (View Single Post)  
Old 27th August 2008
robbak's Avatar
robbak robbak is offline
Real Name: Robert Backhaus
VPN Cryptographer
 
Join Date: May 2008
Location: North Queensland, Australia
Posts: 366
Default

Quote:
Originally Posted by BSDfan666 View Post
The last paragraph in robbak's post is a work of fiction, government agencies overwrite data multiple times because they're paranoid, absolute recovery is likely impossible.. determining the previous state of a single bit alone is theoretical, actually restoring enough of an original bit pattern would be improbable.

For example, the ksh shell on OpenBSD 4.3 is 324,992 bytes in length, 324,992*8 = 2,599,936 bits arranged in a unique pattern to form the executable.

I've yet to find any concrete evidence that recovery of data after being overwritten is possible..
Thank you - again, it is a matter of repeating things I had heard, but you got me looking. I found this:
For the defence, I present http://www.usenix.org/publications/l...ann/index.html
And for the prosecution, http://www.nber.org/sys-admin/overwr...a-gutmann.html

Note that, with most text-based data, if you could get four bytes out of 5, you would have enough to recover the material. Bitwize, I'd back myself to read ascii with an average of one error bit in 16 any day.
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
Reply With Quote
  #9   (View Single Post)  
Old 29th August 2008
LateNiteTV LateNiteTV is offline
Port Guard
 
Join Date: Jul 2008
Posts: 19
Default

good stuff, thanks guys.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Disaster recovery best practices RandomSF FreeBSD General 8 7th December 2010 06:41 AM
apache: data stuck in socket? goertzenator FreeBSD General 8 16th February 2009 04:01 PM
Mounting FreeBSD Data on Windows tuck Other OS 11 13th February 2009 10:19 AM
Data Structures in C JMJ_coder Programming 9 6th November 2008 02:22 AM
Apache data transfer limit cajunman4life General software and network 5 7th June 2008 05:13 PM


All times are GMT. The time now is 07:30 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick