Data recovery from a SSD drive

ssd

I'm nowhere near an hacker or security guy. I'm just a dad of two young kids who loves to travel. I don't know if it's ok to ask here, but what you guys talk about is way over my head but I thought you might have an idea.

A few months ago, my 2010 macbook air was really slow so I decided to make a safety copy of my system using Time Machine and a Time Capsule and I formatted my mac SSD drive to do a fresh (re)install of Mac OS X. I didn't use my backup from Time Machine to start again because I wanted everything to be fresh and new. But what I didn't know at that time is Time Machine would continue to create a backup of my system with the same name. So all my kids/travel photos, videos, documents of my previous system were gone. I kept on using my macbook air for a few months before I realized everything was gone on my time capsule. Now, I have a new macbook pro so I took my old SSD drive from my old macbook air off and I bought an Envoy case so I could use it as an external drive to try to recover my files. I have no idea if there was a fire vault actived on this drive neither do I know about TRIM. All I know is I can browse my old system files using this setup. When I use any of the data recovery software I can find on the internet, all I find are the files that were "created" after I formatted and (re)started my system but nothing prior to that.

Is there a way a non-phd or masterrussianhacker could recover those files?

Thank you very much!

Jonathan

Best Answer

Your best chance for recovery is through a professional disk recovery service. If the data can be retrieved, they are the ones to do it. Of course, these services are very expensive (don't be surprised by a four figure quote because the task is labor intensive,) but if the files are worth it to you, and you have the resources, consider it.

If you want to play around yourself, the first thing to do is purchase a hardware USB Write Blocker, perhaps something like this one if it works with your SSD, to make sure you don't accidentally or intentionally overwrite any of the data on your SSD as you start your explorations.

Next, check out The Sleuth Kit (TSK) and Autopsy. The Sleuth Kit is a free forensic analysis toolkit that includes disk analysis tools, including the ability to recover deleted files. Autopsy is a graphical front end to TSK and other tools, and includes modules to perform tasks like viewing images.

The trick to using Autopsy is to understand the language of its steps. Always keep in mind the tool is intended for use by law enforcement investigators, who are looking for evidence of criminal activity, such as child porn, drugs, lists of contacts, old emails, recently edited files, hacking tools, etc., and they speak their own language. None of that will apply to you, of course, but it helps to view the steps through their eyes.

Read the documentation, but the first thing you'll need is to create a case. That's just a file to track all the stuff you do. The case will then need a "data source" - all you do is pick "local drive", then your write-blocked SSD.

You then tell Autopsy to "ingest" the data source, which is where it runs a bunch of tools on the disk to figure out what's on it. Most of the law enforcement stuff won't apply to you, so when you ingest the data source, turn off the ingest modules for things that obviously won't apply, things like "hashes", "virtual machines", "email parsers", etc.

Autopsy will then start processing the disk. It runs in the background and can take a very long time; the larger the disk, the longer it takes. You can look at files as soon as it starts showing them to you, but once you confirm it's working, you may as well step back and let it finish.

You'll probably be most interested in using the manual tool called the Image Gallery Module. This is a fast viewer that will let you zip through all the images it finds. As you find files you want to save, you can right click on them and export them as local files.

Keep in mind that the tool is intended to find files that have been hidden or deleted. If you may have images on the drive (perhaps in your browser history) you wouldn't be willing to share with other members of your family, perform the drive recovery in private!

Good luck!

Related Solutions

Linux – Why is this SSD returning inconsistent data, why doesn’t the backup image file match the checksum

Right after posting this question, I found my mistake. I used Fedora XFCE as live system, which has automatically enabled the swap partition that just happens to be on the SSD in question. And of course, while the live system was actively using the swap partition on the SSD, it was thereby changing the contents of the SSD.

[root@localhost mnt]# swapon --show
NAME      TYPE      SIZE   USED PRIO
/dev/sda3 partition   8G 103.3M   -2

That's a bit awkward now that I've already posted the question. But I'll leave it there, hoping it will be useful for someone else who might be doing the same mistake.

All I had to do was disable the swap partition that was previously automatically mounted:

[root@localhost mnt]# swapoff -a

I'd like to point out that the swap partition was mounted automatically when I booted the live system. I didn't want that swap partition to be mounted. I wonder what happens if there was a hibernate image on that swap partition.

After disabling the unwanted swap partition, everything worked as expected. Using the commands shown above, the image file's checksum now matches the checksum of the SSD. In other words, this SSD isn't bad.

Best Answer

Related Solutions

Linux – Why is this SSD returning inconsistent data, why doesn’t the backup image file match the checksum

Related Question