Ubuntu – need to recover data from a data hard disk that I used testdisk on in the attempt to repair mbr from a rootkit virus


Before I begin to say what my situation is here, please know I would be FOREVER GRATEFUL for anyone who can help me out with this mess. I have photos on here from years and years of painstaking work. I am a semi-pro photographer and my hard disk contains roughly 1.5 TB of data from photos. Plus 100 GB of my entire music library, and all my DVDs that I took time to rip onto my hard disk. But my photos are what I'm most concerned about; they are not replaceable.

Now here in short is what happened:
I have always had a backup of my data using Backblaze, which is an online backup for Windows. I decided about 3 months ago I wanted to get a server going for my files using Plex and decided Ubuntu was the best way to go. So I was utilizing this backup method using something called "greyhole" and was in the process of setting up two 2 TB hard drives and one 1 TB hard drive on this greyhole backup program.

Then that is when I got a rootkit. This thing was nasty and I think after 2 months of trying everything, I had to reflash my BIOS and STILL had this virus. I had to reformat all my hard drives and backed everything up onto one hard drive (a 2 TB hard drive), filling it almost entirely. I still did not get rid of this virus; it was incredible. Eventually I caught it. It was embedded in my network Ethernet card. Anyone reading this should take heed that anything embedded in there can and will infect your router, all your LAN, and stay on your computer even through reflashing of the BIOS itself!

Anyhow, after I seemed to get rid of the thing, I still had my files on my hard drive. I didn't want to reinfect my machines, so I tried to re-write the MBR using a utility called testdisk.


I didn't have a clue what I was doing. And now I can't read my information!

Here is the good news. After testdisk did its thing (which consisted of me analysing the drive and using the WRITE command to do the damage), it only took 1 second for it to be done. Meaning I didn't sit through a 5-hour process of writing zeros to the drive with "dd". It was a quick little thing I did. So for that reason I'm thinking the data still has to be on the drive.

Here is what I know:

  • the drive is a data drive, no OS. I used Ubuntu as the OS on another drive.
  • formatted as ext3 or ext4
  • size = 2 TB
  • files = irreplaceable, my entire life's work, no exaggeration.

Also, Backblaze doesn't have my files anymore because it's been over 30 days. I have written over all my other backups with zeros due to the rootkit. This hard drive was and is the only source of my files at the time when this happened. Coincidentally, this is the only time I've been without a backup for many years.

Here is a copy/paste of fdisk -l

Disk /dev/sda: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x0006a14b

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63  3907024064  1953512001   83  Linux
Partition 1 does not start on physical sector boundary.

And lshw

          physical id: 2
          logical name: scsi2
          capabilities: emulated
             description: DVD writer
             physical id: 0.0.0
             bus info: scsi@2:0.0.0
             logical name: /dev/cdrom
             logical name: /dev/sr0
             capabilities: audio cd-r cd-rw dvd dvd-r
             configuration: signature=643a3365 status=ready
             description: ATA Disk
             product: ST2000DM001-1CH1
             vendor: Seagate
             physical id: 0.1.0
             bus info: scsi@2:0.1.0
             logical name: /dev/sda
             version: CC24
             serial: W1E2L5K7
             size: 1863GiB (2TB)
             capabilities: partitioned partitioned:dos
             configuration: ansiversion=5 sectorsize=4096 signature=0006a14b
                description: EXT3 volume
                vendor: Linux
                physical id: 1
                bus info: scsi@2:0.1.0,1
                logical name: /dev/sda1
                version: 1.0
                serial: 05ea2f85-06fd-446c-a885-30614d53630c
                size: 1863GiB
                capacity: 1863GiB
                capabilities: primary bootable journaled extended_attributes large_files recover ext3 ext2 initialized
                configuration: created=2013-03-27 07:57:02 filesystem=ext3 label=foo modified=2013-03-27 08:11:50 mounted=2013-03-27 08:11:50 state=clean

Please help, what can I do? I'm scared of screwing it up again with testdisk. I just want to recover the files. I can't see how they are gone.

Thank you so much-

Best Answer

To recover data from an image on an external USB drive, here are the steps needed:

  1. Stop using the damaged drive.

  2. Have an external drive (or drives) ready with twice the capacity of your damaged drive. Format it with a filesystem able to hold such a large file as will be created from the original drive (e.g. ext4).

  3. Boot Ubuntu from a live session ("Try Ubuntu") .

  4. Mount your external drive using Nautilus.

  5. Verify the mount point of your external drive.
    e.g with Properties --> Location on right click menu.

  6. Verify the location of your damaged drive with any of these commands in a terminal:

     sudo fdisk -l
     sudo blkid
  7. Create an image of your damaged drive

     sudo dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd

Replace sdX with your damaged drive (e.g. sda) or partition (e.g. sda1). Replace /mountpoint/DRIVENAME/ with the actual path where your USB drive was mounted.

Only if your damaged drive (sdX) is the same size as your external drive (sdY) are you able to clone the drive (sudo dd if=/dev/sdX of=/dev/sdY) and perform data rescue on the cloned external drive. Still, working on an image as shown above is a much safer approach.

It is critical at this point to get the dd command right. If you give the wrong entry to of=, you may damage all data that existed there.

  8. Install TestDisk on your live system as was further elaborated in my answer below.

  9. Read the awesome and concise guide from the makers of TestDisk to recover.

  10. In case your drive is huge, mount another drive/partition to hold the recovered data. Note this mountpoint for testdisk.

  11. Run testdisk on the image of your drive:

     cd /mountpoint/DRIVENAME/
     sudo testdisk rescue.dd

  12. Save recovered directories and files to your backup drive/partition (give testdisk the mountpoint of this drive as storage location in case it's different from where the image is).

  5. Verify your data are there.

  6. Unmount all drives or shutdown the live session.

If we have not succeeded in recovering our files, we may also run PhotoRec, which was installed together with the TestDisk suite, to recover individual files (but then filenames, permissions and directories will be lost).

Your damaged drive is still untouched. We can even have this drive recovered by a professional service in case we failed with the above steps.
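The following script is an added example, not code from the answer above or from the TestDisk project. It automates the answer's steps 1, 2 and 7 the way a practitioner would do them: refuse to image a disk that is still mounted, make the damaged disk read-only at the kernel level so a mistyped of= cannot hurt it, image it with dd options that survive read errors, verify the image against the disk, and then attach the image read-only to look at the ext3 filesystem inside it. The device name /dev/sdX, the mount point /media/ubuntu/USBDRIVE, the script name rescue.sh and the function names are assumptions for illustration; the partition start at sector 63 with 512-byte logical sectors is taken from the fdisk -l output in the question, which gives a byte offset of 63 * 512 = 32256.

```shell
#!/bin/bash
# Added example, not code from the original answer. Device names, mount
# points and the script name are assumptions; the partition start (sector 63,
# 512-byte logical sectors) comes from the fdisk -l output in the question.

# Byte offset of a partition inside a whole-disk image.
# Usage: partition_offset START_SECTOR [LOGICAL_SECTOR_SIZE]
partition_offset() {
    local start="$1" ssz="${2:-512}"
    echo $((start * ssz))
}

# Copy SRC to DST block by block. Plain dd stops at the first read error;
# conv=noerror,sync keeps going and pads unreadable blocks with zeros so
# everything after them stays at its original offset. The last block may be
# zero-padded up to BS bytes, which recovery tools do not mind.
# (GNU ddrescue does this job better on a disk with many bad sectors.)
# Usage: image_device SRC DST [BS]
image_device() {
    local src="$1" dst="$2" bs="${3:-4M}"
    dd if="$src" of="$dst" bs="$bs" conv=noerror,sync
}

# Size in bytes of a regular file or a block device.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Succeeds only if the first (size of SRC) bytes of DST hash the same as SRC,
# i.e. the image is a faithful copy of what could be read from the disk.
# Usage: verify_image SRC DST
verify_image() {
    local src="$1" dst="$2" n h_src h_img
    n=$(byte_size "$src") || return 1
    h_src=$(sha256sum < "$src" | cut -d' ' -f1)
    h_img=$(head -c "$n" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$h_src" = "$h_img" ]
}

# Everything below needs root and real devices. It runs only when invoked as:
#   sudo ./rescue.sh /dev/sdX /media/ubuntu/USBDRIVE
rescue() {
    local disk="$1" dest="$2" img="$2/rescue.dd" off loop fs
    # Never image a disk that is mounted; the filesystem would change under us.
    if grep -q "^$disk" /proc/mounts; then
        echo "unmount everything on $disk first" >&2
        return 1
    fi
    # Ask the kernel to reject writes to the damaged disk for this session,
    # so a mistyped of=/dev/sdX cannot do further harm.
    blockdev --setro "$disk"

    image_device "$disk" "$img" || return 1
    verify_image "$disk" "$img" || { echo "image does not match disk" >&2; return 1; }

    # Work on the image from here on. Attach it read-only as a loop device and
    # let the kernel scan for a partition table: if testdisk's WRITE left a
    # usable table, ${loop}p1 appears. If not, map the filesystem by hand at
    # the offset the old fdisk output gives (63 * 512 = 32256 bytes).
    loop=$(losetup --find --show --read-only --partscan "$img")
    if [ -b "${loop}p1" ]; then
        fs="${loop}p1"
    else
        losetup --detach "$loop"
        off=$(partition_offset 63 512)
        loop=$(losetup --find --show --read-only --offset "$off" "$img")
        fs="$loop"
    fi
    # An intact ext3 superblock here means the data is almost certainly still
    # in place and a read-only mount may be all that is needed.
    dumpe2fs -h "$fs" && mkdir -p /mnt/rescue && mount -o ro "$fs" /mnt/rescue
    echo "If the mount failed, run: testdisk $img  (and save files under $dest)"
}

if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    rescue "$1" "$2"
fi
```

Two points worth knowing before running this for real: the image is as large as the whole disk (about 2 TB here), so the destination must be a filesystem that allows files over 4 GiB, as the answer already notes for ext4; and blockdev --setro only lasts until the disk is re-plugged or the machine is rebooted, so the imaging and the verification should happen in the same session. If dd reports read errors while imaging, stop and switch to GNU ddrescue, which retries bad areas and keeps a log of what it could not read instead of silently filling it with zeros.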