Thread: [sleuthkit-users] Lost a folder on my hard drive somehow can I recover?
Brought to you by:
carrier
Menu
▾
▴
sleuthkit-users
|
From: Kaya S. <Sam...@ne...> - 2010-05-04 14:12:37
|
Hi, I've got an external eSATA 200GB hard drive formatted to ext3 of which I was using till now via USB2.0 connection. I recently hooked the drive up to my FreeBSD 8.0 32bit based server in ReadOnly mode upon mount in order to stream the information across my network so that I wouldn't have cables flying around the place. Anyhow, yesterday I attached the hard drive and started watching my downloaded TV show. I noticed something went out of whack after I clicked incremental files and the video shown was not linear. - What I'm trying to say is that the file name didn't match the file played back!! This originally was fine but somehow got messed up. Anyhow, I unmounted the drive and ran e2fsck -p on it which the check claimed the disk was 'clean'. I mounted the drive again and the folder has totally disappeared now and instead shows a file: -rw-r--r-- 1 kaya kaya 2046682574 2009-09-13 07:06 Battlestar.Galactica.Season.1.720p.x264 Using the df command it shows that the usage is back to normal as it managed to drop down to 50% yesterday: /dev/sdb1 184G 137G 38G 79% /mnt/eSATAI I haven't written or deleted anything to the drive at all since the error..... It could be that the FreeBSD ext2fs did something although I made sure the drive was in ReadOnly mode or it could be the fact that I was using the USB2.0 interface which I've always found to be dodgy when used in conjunction with the ext3 file system. The files are all mkv format and the average size is roughly 4.8GB. I tried using GPart, Foremost, and MagicRescue but eventually fell short each time although I think Foremost detects the files but in the wrong format as WMV. Can anyone help me recover what ever has happened to this drive??? The Sleuth Kit is install along with Autopsy, and I attempted to use it but fell into a trap on the add disk image section. Do I need to create an image or can I work from the raw drive? I am pretty sure the data is still there and rescueable as the drive is pretty new, less then a year old I believe. Many thanks and best regards, Kaya |
|
From: Kaya S. <Sam...@ne...> - 2010-05-07 10:04:23
|
Hi guys, just wanted to bump my posting as no one responded! I hope it's not because because the overall thought is that I failed to research or simply "ha ha ha ha ha get a life".... I am merely asking for advice or knowledge from experienced members just to ensure that it's worth me spending the time and effort to go ahead with this; so that if it was a lost cause I could look at checking the integrity of the data already there or reformatting the drive and starting clean. Many thanks, Kaya On 05/04/2010 05:12 PM, Kaya Saman wrote: > Hi, > > I've got an external eSATA 200GB hard drive formatted to ext3 of which > I was using till now via USB2.0 connection. > > I recently hooked the drive up to my FreeBSD 8.0 32bit based server in > ReadOnly mode upon mount in order to stream the information across my > network so that I wouldn't have cables flying around the place. > > Anyhow, yesterday I attached the hard drive and started watching my > downloaded TV show. I noticed something went out of whack after I > clicked incremental files and the video shown was not linear. - What > I'm trying to say is that the file name didn't match the file played > back!! > > This originally was fine but somehow got messed up. > > Anyhow, I unmounted the drive and ran e2fsck -p on it which the check > claimed the disk was 'clean'. > > I mounted the drive again and the folder has totally disappeared now > and instead shows a file: > > -rw-r--r-- 1 kaya kaya 2046682574 2009-09-13 07:06 > Battlestar.Galactica.Season.1.720p.x264 > > Using the df command it shows that the usage is back to normal as it > managed to drop down to 50% yesterday: > > /dev/sdb1 184G 137G 38G 79% /mnt/eSATAI > > I haven't written or deleted anything to the drive at all since the > error..... > > > It could be that the FreeBSD ext2fs did something although I made sure > the drive was in ReadOnly mode or it could be the fact that I was > using the USB2.0 interface which I've always found to be dodgy when > used in conjunction with the ext3 file system. > > The files are all mkv format and the average size is roughly 4.8GB. > > I tried using GPart, Foremost, and MagicRescue but eventually fell > short each time although I think Foremost detects the files but in the > wrong format as WMV. > > Can anyone help me recover what ever has happened to this drive??? > > The Sleuth Kit is install along with Autopsy, and I attempted to use > it but fell into a trap on the add disk image section. Do I need to > create an image or can I work from the raw drive? > > I am pretty sure the data is still there and rescueable as the drive > is pretty new, less then a year old I believe. > > Many thanks and best regards, > > Kaya > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > |
|
From: Joseph R. M. <jr....@gm...> - 2010-05-07 17:34:25
|
You can try using testdisk, but you might want to grab a full disk image backup before trying it. It helped me out in a similar situation. http://www.cgsecurity.org/wiki/TestDisk On a separate note, don't be surprised if a mailing list doesn't help you retrieve your pirated media collection. Just saying. On Fri, May 7, 2010 at 6:04 AM, Kaya Saman <Sam...@ne...> wrote: > Hi guys, > > just wanted to bump my posting as no one responded! > > I hope it's not because because the overall thought is that I failed to > research or simply "ha ha ha ha ha get a life".... > > I am merely asking for advice or knowledge from experienced members just to > ensure that it's worth me spending the time and effort to go ahead with > this; so that if it was a lost cause I could look at checking the integrity > of the data already there or reformatting the drive and starting clean. > > Many thanks, > > Kaya > > > > > On 05/04/2010 05:12 PM, Kaya Saman wrote: > > Hi, > > I've got an external eSATA 200GB hard drive formatted to ext3 of which I > was using till now via USB2.0 connection. > > I recently hooked the drive up to my FreeBSD 8.0 32bit based server in > ReadOnly mode upon mount in order to stream the information across my > network so that I wouldn't have cables flying around the place. > > Anyhow, yesterday I attached the hard drive and started watching my > downloaded TV show. I noticed something went out of whack after I clicked > incremental files and the video shown was not linear. - What I'm trying to > say is that the file name didn't match the file played back!! > > This originally was fine but somehow got messed up. > > Anyhow, I unmounted the drive and ran e2fsck -p on it which the check > claimed the disk was 'clean'. > > I mounted the drive again and the folder has totally disappeared now and > instead shows a file: > > -rw-r--r-- 1 kaya kaya 2046682574 2009-09-13 07:06 > Battlestar.Galactica.Season.1.720p.x264 > > Using the df command it shows that the usage is back to normal as it > managed to drop down to 50% yesterday: > > /dev/sdb1 184G 137G 38G 79% /mnt/eSATAI > > I haven't written or deleted anything to the drive at all since the > error..... > > > It could be that the FreeBSD ext2fs did something although I made sure the > drive was in ReadOnly mode or it could be the fact that I was using the > USB2.0 interface which I've always found to be dodgy when used in > conjunction with the ext3 file system. > > The files are all mkv format and the average size is roughly 4.8GB. > > I tried using GPart, Foremost, and MagicRescue but eventually fell short > each time although I think Foremost detects the files but in the wrong > format as WMV. > > Can anyone help me recover what ever has happened to this drive??? > > The Sleuth Kit is install along with Autopsy, and I attempted to use it but > fell into a trap on the add disk image section. Do I need to create an image > or can I work from the raw drive? > > I am pretty sure the data is still there and rescueable as the drive is > pretty new, less then a year old I believe. > > Many thanks and best regards, > > Kaya > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > sleuthkit-users mailing listhttps://lists.sourceforge.net/lists/listinfo/sleuthkit-usershttp://www.sleuthkit.org > > > > > ------------------------------------------------------------------------------ > > > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
|
From: Kaya S. <Sam...@ne...> - 2010-05-07 17:47:04
|
Thanks for the reply Joseph! :-) It's much appreciated..... Just to quote: "On a separate note, don't be surprised if a mailing list doesn't help you retrieve your pirated media collection. Just saying." I would have to debate this as most of the stuff I have is recorded from the TV not ripped from dvd. I know this is a separate debate but in my view this falls under non-pirated media as it's similar to recording on VHS, DVD, or BlueRay directly from the set top box. Anyhow I don't want to get into a discussion about this as it always ends up in a fight and I am not trying to make enemies but the exact reciprocal :-) How do I create images?? Using dd tool?? Meaning that I need about a 250GB+ HD to store the image on and work from it. Something like this: dd if=/dev/sdc bs=4096 of=usb4gb.dd which was for a USB drive..... Regards, Kaya On 05/07/2010 08:34 PM, Joseph R. Murray wrote: > You can try using testdisk, but you might want to grab a full disk > image backup before trying it. It helped me out in a similar situation. > > http://www.cgsecurity.org/wiki/TestDisk > > On a separate note, don't be surprised if a mailing list doesn't help > you retrieve your pirated media collection. Just saying. > > On Fri, May 7, 2010 at 6:04 AM, Kaya Saman <Sam...@ne... > <mailto:Sam...@ne...>> wrote: > > Hi guys, > > just wanted to bump my posting as no one responded! > > I hope it's not because because the overall thought is that I > failed to research or simply "ha ha ha ha ha get a life".... > > I am merely asking for advice or knowledge from experienced > members just to ensure that it's worth me spending the time and > effort to go ahead with this; so that if it was a lost cause I > could look at checking the integrity of the data already there or > reformatting the drive and starting clean. > > Many thanks, > > Kaya > > > > > On 05/04/2010 05:12 PM, Kaya Saman wrote: >> Hi, >> >> I've got an external eSATA 200GB hard drive formatted to ext3 of >> which I was using till now via USB2.0 connection. >> >> I recently hooked the drive up to my FreeBSD 8.0 32bit based >> server in ReadOnly mode upon mount in order to stream the >> information across my network so that I wouldn't have cables >> flying around the place. >> >> Anyhow, yesterday I attached the hard drive and started watching >> my downloaded TV show. I noticed something went out of whack >> after I clicked incremental files and the video shown was not >> linear. - What I'm trying to say is that the file name didn't >> match the file played back!! >> >> This originally was fine but somehow got messed up. >> >> Anyhow, I unmounted the drive and ran e2fsck -p on it which the >> check claimed the disk was 'clean'. >> >> I mounted the drive again and the folder has totally disappeared >> now and instead shows a file: >> >> -rw-r--r-- 1 kaya kaya 2046682574 2009-09-13 07:06 >> Battlestar.Galactica.Season.1.720p.x264 >> >> Using the df command it shows that the usage is back to normal as >> it managed to drop down to 50% yesterday: >> >> /dev/sdb1 184G 137G 38G 79% /mnt/eSATAI >> >> I haven't written or deleted anything to the drive at all since >> the error..... >> >> >> It could be that the FreeBSD ext2fs did something although I made >> sure the drive was in ReadOnly mode or it could be the fact that >> I was using the USB2.0 interface which I've always found to be >> dodgy when used in conjunction with the ext3 file system. >> >> The files are all mkv format and the average size is roughly 4.8GB. >> >> I tried using GPart, Foremost, and MagicRescue but eventually >> fell short each time although I think Foremost detects the files >> but in the wrong format as WMV. >> >> Can anyone help me recover what ever has happened to this drive??? >> >> The Sleuth Kit is install along with Autopsy, and I attempted to >> use it but fell into a trap on the add disk image section. Do I >> need to create an image or can I work from the raw drive? >> >> I am pretty sure the data is still there and rescueable as the >> drive is pretty new, less then a year old I believe. >> >> Many thanks and best regards, >> >> Kaya >> >> >> ------------------------------------------------------------------------------ >> >> >> >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org >> > > > ------------------------------------------------------------------------------ > > > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
|
From: Jeff L. <j...@jl...> - 2010-05-07 18:44:37
|
I would also make sure that /etc/foremost.conf has the file header for an .mkv file. You can find the header definition here: http://www.garykessler.net/library/file_sigs.html I don't know how the file is terminated, but you can always grab up to, say 4GB and then edit if needed. The basic use of dd is dd if=/full/path/of/input/file of=/full/path/of/output/file On Fri, May 7, 2010 at 1:46 PM, Kaya Saman <Sam...@ne...> wrote: > Thanks for the reply Joseph! :-) > > It's much appreciated..... > > Just to quote: > |
|
From: Gary F. <ga...@in...> - 2010-05-08 03:46:24
|
On 05/07/10 13:04:07, Kaya Saman wrote: > On 05/04/2010 05:12 PM, Kaya Saman wrote: > I've got an external eSATA 200GB hard drive formatted to ext3 of which I > was using till now via USB2.0 connection. > > I recently hooked the drive up to my FreeBSD 8.0 32bit based server in > ReadOnly mode upon mount in order to stream the information across my > network so that I wouldn't have cables flying around the place. > > Anyhow, yesterday I attached the hard drive and started watching my > downloaded TV show. I noticed something went out of whack after I > clicked incremental files and the video shown was not linear. - What I'm > trying to say is that the file name didn't match the file played back!! [...] I'd start with the hardware. Does it improve/stay the same when you hook it back up via e-SATA? If it is not possible to do that with your current hardware, then consider removing the drive and direct connecting it. The suggestions by the other posters to make a drive image is a good one. You will have both a backup and you'll be able to run various recovery tools on that image. You can even try mounting that image in read-only loop back mode, and see whether you're still experiencing problems. If everything works fine, then it suggests that the hardware isn't working. Of course, if you are able to image the drive completely that suggests the drive is working at some level, and the failure you're seeing becomes more difficult to explain. That's why I'd recommend direct-connecting it, and trying to make an image, pronto. We have seen USB/eSATA enclosures fail in some rather unpredictable ways. One common failure is the small fan that is present on some enclosures quits spinning and either the controller electronics, or drive overheat ... leading to erratic results. Power supplies (wall warts) often seem to be the weakest link. And those self-powered USB drives, even with the two USB connectors can run into problems at the margin. Using the supplied PSU usually fixes that problem. Finally, we've seen problems with Firewire/USB add on PCI cards - they worked fine for a year/two and then just quit working, or had glitches. |
|
From: Kaya S. <Sam...@ne...> - 2010-05-08 09:13:41
|
Many thanks to all the suggestions! My setup is as follows: Hp Notebook with 320GB Drive running in Triple Boot configuration and many VBox based VM Images Hotway 2.5" SATA HDD enclosure with eSATA Seagate 200GB drive I guess what I'm gona have to do since I have a PIV FreeBSD 8.0 based server with a 40GB drive; is go get a SATA controller for it with a 250 or 300GB HD - if a controller exists for PCI. Then use the Gentoo based Recovery CD to format the new drive and create the disk image. It's so hard not having enough disk space to play with really.... :-( I always seem to have this problem of data loss with USB and IDE/UDMA disks, meaning that I need to find a viable H/W based backup solution of round 12 terrabytes. Again thanks for everything guys and will start working out what and how to do this physically now!! Best regards to all, Kaya On 05/08/2010 06:46 AM, Gary Funck wrote: > On 05/07/10 13:04:07, Kaya Saman wrote: > >> On 05/04/2010 05:12 PM, Kaya Saman wrote: >> I've got an external eSATA 200GB hard drive formatted to ext3 of which I >> was using till now via USB2.0 connection. >> >> I recently hooked the drive up to my FreeBSD 8.0 32bit based server in >> ReadOnly mode upon mount in order to stream the information across my >> network so that I wouldn't have cables flying around the place. >> >> Anyhow, yesterday I attached the hard drive and started watching my >> downloaded TV show. I noticed something went out of whack after I >> clicked incremental files and the video shown was not linear. - What I'm >> trying to say is that the file name didn't match the file played back!! >> > [...] > > I'd start with the hardware. Does it improve/stay the same > when you hook it back up via e-SATA? If it is not possible to > do that with your current hardware, then consider removing > the drive and direct connecting it. > > The suggestions by the other posters to make a drive image > is a good one. You will have both a backup and you'll > be able to run various recovery tools on that image. > You can even try mounting that image in read-only > loop back mode, and see whether you're still experiencing > problems. If everything works fine, then it suggests > that the hardware isn't working. Of course, if you > are able to image the drive completely that suggests > the drive is working at some level, and the failure > you're seeing becomes more difficult to explain. > That's why I'd recommend direct-connecting it, > and trying to make an image, pronto. > > We have seen USB/eSATA enclosures fail in some > rather unpredictable ways. One common failure > is the small fan that is present on some enclosures > quits spinning and either the controller electronics, > or drive overheat ... leading to erratic > results. Power supplies (wall warts) often > seem to be the weakest link. And those self-powered > USB drives, even with the two USB connectors > can run into problems at the margin. Using the > supplied PSU usually fixes that problem. Finally, > we've seen problems with Firewire/USB add on PCI > cards - they worked fine for a year/two and then > just quit working, or had glitches. > > > |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X