Before I begin to say what my situation is here, please know I would be FOREVER GRATEFUL for anyone who can help me out with this mess. I have photos on here from years and years of painstaking work. I am a semi-pro photographer and my hard disk contains roughly 1.5 TB of data from photos. Plus 100 GB of my entire music library, and all my DVDs I took time to rip on to my hard disk. But my photos are what I'm most concerned about; they are not replaceable.
Now here in short is what happened:
I have always had a backup of my data using Backblaze, which is an online backup for Windows. I decided about 3 months ago I wanted to get a server going for my files using Plex and decided Ubuntu was the best way to go. So I was utilizing this backup method using something called "greyhole" and was in the process of setting up (2) 2 TB hard drives and (1) 1 TB hard drive on this greyhole backup program.
Then that is when I got a rootkit. This thing was nasty and I think after 2 months of trying everything, I had to reflash my BIOS and STILL had this virus. I had to reformat all my hard drives and backed everything up on to 1 hard drive, filling it almost entirely (a 2 TB hard drive). I still did not get rid of this virus; it was incredible. Eventually I caught it. It was embedded in my network Ethernet card. Anyone reading this should take heed that anything embedded in there can and will infect your router, all your LAN, and stay on your computer even through reflashing of the BIOS itself!
Anyhow, after I seemed to get rid of the thing I still had my files on my hard drive. I didn't want to reinfect my machines, so I tried to re-write the MBR using a utility called testdisk.
BIG MISTAKE
I didn't have a clue what I was doing. And now I can't read my information!
Here is the good news: after testdisk did its thing (which consisted of me analyzing the drive and using the WRITE command to do the damage), it only took 1 second for it to be done. Meaning – I didn't sit through a 5 hour process of writing 0's on the drive with "dd". It was a quick little thing I did. So for that reason I'm thinking the data still has to be on the drive.
Here is what I know:
- the drive is a data drive, no OS. I used Ubuntu as the OS on another drive.
- formatted as ext3 or ext4
- size = 2 TB
- files = irreplaceable, my entire life's work – no exaggeration.
Also – Backblaze doesn't have my files anymore because it's been over 30 days. I have written over all my other backups with 0's due to the rootkit. This hard drive was and is the only source of my files at the time when this happened. Coincidentally, this is the only time I've been without a backup for many years.
Here is a copy/paste of fdisk -l:
Disk /dev/sda: 2000.4 GB, 2000398934016 bytes
255 heads, 63 sectors/track, 243201 cylinders, total 3907029168 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x0006a14b
Device Boot Start End Blocks Id System
/dev/sda1 * 63 3907024064 1953512001 83 Linux
Partition 1 does not start on physical sector boundary.
And lshw:
*-scsi:0
physical id: 2
logical name: scsi2
capabilities: emulated
*-cdrom
description: DVD writer
physical id: 0.0.0
bus info: scsi@2:0.0.0
logical name: /dev/cdrom
logical name: /dev/sr0
capabilities: audio cd-r cd-rw dvd dvd-r
configuration: signature=643a3365 status=ready
*-disk
description: ATA Disk
product: ST2000DM001-1CH1
vendor: Seagate
physical id: 0.1.0
bus info: scsi@2:0.1.0
logical name: /dev/sda
version: CC24
serial: W1E2L5K7
size: 1863GiB (2TB)
capabilities: partitioned partitioned:dos
configuration: ansiversion=5 sectorsize=4096 signature=0006a14b
*-volume
description: EXT3 volume
vendor: Linux
physical id: 1
bus info: scsi@2:0.1.0,1
logical name: /dev/sda1
version: 1.0
serial: 05ea2f85-06fd-446c-a885-30614d53630c
size: 1863GiB
capacity: 1863GiB
capabilities: primary bootable journaled extended_attributes large_files recover ext3 ext2 initialized
configuration: created=2013-03-27 07:57:02 filesystem=ext3 label=foo modified=2013-03-27 08:11:50 mounted=2013-03-27 08:11:50 state=clean
Please help, what can I do? I'm scared of screwing it up again with testdisk. I just want to recover the files. I can't see how they are gone.
Thank you so much-
Best Answer
To recover data from an image on an external USB drive here are the steps needed:
Stop using the damaged drive.
Have external drive(s) ready holding twice the data amount of your damaged drive's size. Format with a filesystem able to hold such a large file as will be created from the original drive (e.g. ext4).
Boot Ubuntu from a live session ("Try Ubuntu") .
Mount your external drive using Nautilus.
Verify the mount point of your external drive, e.g. with Properties --> Location on the right-click menu.
Verify location of your damaged drive with any of these commands in a terminal
Create an image of your damaged drive
Replace sdX with your damaged drive (e.g. sda) or partition (e.g. sda1). Replace /mountpoint/DRIVENAME/ with the actual path where your USB drive was mounted.
Only in case your damaged drive (sdX) is equal to the size of your external drive (sdY) are you able to clone the drive (sudo dd if=/dev/sdX of=/dev/sdY) to perform data rescue on a cloned external drive. Still, working on an image as shown above is a much safer approach.
Read the awesome and concise guide from the makers of TestDisk to recover.
In case your drive is huge, mount another drive/partition to hold the recovered data. Note this mountpoint for testdisk.
Run testdisk on the image of your drive:
Save recovered directories and files to your backup drive/partition (give testdisk the mountpoint of this drive as storage location in case it's different from where the image is).
Verify your data are there.
Unmount all drives or shutdown the live session.
In case we have not succeeded in recovering our files we may also run PhotoRec, which was installed together with the TestDisk suite, to recover individual files (but then filenames, permissions, and directories will be lost).
Your damaged drive is still untouched. We can even have this drive recovered by a professional service in case we failed with the above steps.
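The imaging step from the answer above, written out as a small POSIX shell script. This is an added example, not code from the answer or from the TestDisk project; /dev/sdX and /mountpoint/DRIVENAME/ are the answer's placeholders and the script takes the source device and the image path as arguments. It copies the drive with dd using conv=noerror,sync (so an unreadable sector becomes a zero-filled gap instead of aborting the copy and shifting every later offset), strips the padding dd adds to the final block when the drive size is not a multiple of the block size (the 2 TB drive in the question is not a multiple of 4 MiB), checks the image size against the device size without re-reading the damaged drive, and records a checksum of the image so that a later testdisk or photorec session can be checked against an unmodified copy.

```shell
#!/bin/sh
# Added example (not from the original answer): image a damaged drive to a
# file and verify the copy. Usage: image_drive.sh /dev/sdX /mountpoint/DRIVENAME/sdX.img
# Both paths are placeholders; run as root so the device is readable.
set -u

# Size in bytes of a block device (without reading it) or of a regular file.
source_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Copy src to dst. conv=noerror keeps reading past bad sectors and conv=sync
# pads every short read with zeros so offsets in the image match the drive.
# The final block is padded too, so the image is truncated back to the exact
# source size afterwards. dd's own summary and error lines go to a log file.
image_drive() {
    src=$1
    dst=$2
    size=$(source_size "$src") || return 1
    dd if="$src" of="$dst" bs=4M conv=noerror,sync 2> "$dst.dd.log" || return 1
    truncate -s "$size" "$dst" || return 1
    sync
}

# Returns 0 when the image is exactly as large as the source, then stores a
# checksum of the image beside it. The source is deliberately not read again:
# every extra pass over a failing drive is a chance for it to get worse.
verify_image() {
    src=$1
    dst=$2
    [ "$(source_size "$src")" = "$(wc -c < "$dst" | tr -d ' ')" ] || return 1
    cksum < "$dst" | cut -d' ' -f1,2 > "$dst.cksum"
}

# Only run when invoked with a source and a destination.
if [ "$#" -eq 2 ]; then
    image_drive "$1" "$2" && verify_image "$1" "$2" && echo "image verified: $2"
fi
```

Run testdisk (or photorec) on the image file, not on the drive, and compare `cksum < sdX.img` with the stored `.cksum` before and after a session to confirm the image itself was not written to. If the dd log shows many read errors, GNU ddrescue is the better tool for that drive, since it retries bad areas and keeps a map of what it could not read; the image produced here still has the right layout, only zero-filled gaps where those sectors were.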