OS Notes

From CGSecurity

Jump to: navigation, search

Precompiled binary executables are available for DOS, Win32, Linux and MacOS X from the download page.

Contents

DOS

DOS version of TestDisk can used under

  • MSDOS/FreeDOS
  • Windows 95
  • Windows 98

Hard disk must be detected by the computer's BIOS.

Note: In some rare cases, you may need to connect your hard drive directly to one of the motherboard's IDE connectors, as some IDE 'add-on cards' are broken; they do not follow the same standard specs used by TestDisk to find your drive.

Windows 95

You need to use the DOS version. Hard disks and other media that are larger than 32 Gigabytes (GB) in size are not supported under any version of Windows 95. http://support.microsoft.com/?id=246818


Windows 98

You need to use the DOS version. Windows 98 (with the correct patches) can handle hard disks larger than 32 GB; see: http://support.microsoft.com/?id=243450 for any info that might pertain to your version of Windows 98.

To handle hard disks larger than 137 GB, support for 48-bit Logical Block Addressing (LBA) must be available.

Windows

The 'Windows' version of TestDisk refers to NT 4/2000/XP/2003 only; for Win 9x see DOS version of TestDisk.

Disk naming

Windows versions of TestDisk use /dev/sdX as the disk name (where 'X' would be a, b, c... etc. for your first, second, etc. drive location) rather than 'hdX' (the usual IDE designation). 'sdX' is the linux device name for SCSI hard disks, but TestDisk doesn't know if it's an IDE, SCSI or USB disk, because this name comes from the cygwin compiler used to make the Windows version of TestDisk. That compiler has internal mappings to Windows drives that use only the names sdX.

Missing disk

If a digital camera or smart card isn't detected by TestDisk or PhotoRec, plug the memory card in a USB card reader.

Windows 2000 and 48-bit LBA

Windows 2000 SP3 added support for 48-bit Logical Block Addressing (LBA), which allows the OS to access hard disks larger than 137 GB. But, 48-bit LBA support must be 'enabled' in Windows 2000 SP3 or above! To do so, the EnableBigLba value must be defined and set properly in the Windows Registry by performing the following steps:

  1. Start a Registry editor (e.g., regedit.exe). In Windows, click on Start -> Run, and enter regedit.
  2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi\Parameters Registry subkey.
  3. From the Edit menu, select New, DWORD Value.
  4. Type the name EnableBigLba, then press ENTER.
  5. Double-click on the new value, set it to 1, then click OK.
  6. Close the Registry editor.
  7. You must restart the machine for the change to take effect.

If you are not familiar with Regedit, you may wish to try this tool instead: http://www.48bitlba.com/enablebiglbatool.htm

Windows XP and 48-bit LBA

Windows XP Service Pack 1 (SP1) adds support for 48-bit Logical Block Addressing (LBA), which allows you to access hard disks larger than 137 GB. http://support.microsoft.com/?id=303013

Linux

Linux and 48-bit LBA

Linux kernels since at least 2.4.19 have been able to access Large disks (drives over 137 GB using 48-bit LBA); and some earlier kernels, such as Red Hat 7.3's 2.4.18-x, were patched, so check the specific features of your install to know for sure. Linux kernels 2.2.x and older are limited to only 65,535 cylinders.

Precompiled binaries

The following instructions download the archive and run TestDisk or PhotoRec.

wget http://www.cgsecurity.org/testdisk-6.4.linuxstatic.tar.bz2
tar xjf testdisk-6.4.linuxstatic.tar.bz2
cd testdisk-6.4/linux

TestDisk and PhotoRec must be run as root:

  • Using sudo: sudo ./testdisk_static, sudo ./photorec_static
  • Using su: su -c ./testdisk_static, su -c ./photorec_static

The TestDisk and PhotoRec programs are compressed with UPX, which will decompress and run in the /tmp directory. Free space must be available and execution of binaries on the mounted file system must be allowed (if necessary, enter: mount -o remount,exec /tmp ).

Disk Geometry

You may have to use the Geometry menu to enter the correct disk geometry.

FreeBSD

Under FreeBSD 5.2-RC1 and possibly other versions, you may have to use the Geometry menu to enter the correct disk geometry.

MacOS (PowerPC)

Starting TestDisk or PhotoRec

  1. Open the Terminal program, found in the /Applications/Utilities folder.
  2. Using terminal commands such as cd (change directory), navigate to the folder where you downloaded or installed TestDisk.
    • The only sure-fire way of doing this is typing cd(space) and then dragging the folder containing TestDisk into the Terminal window. This will copy the location of the TestDisk directory after the current command on the terminal command line.
    • If you have the TestDisk folder on your desktop, the command would look something like: cd ~/Desktop/testdisk-6.4
  3. Move into the folder inside the TestDisk folder, where the binary executables are stored (in darwin/ on MacOS ports). The command for this would look something like: cd darwin.
  4. Now it's time to run TestDisk (or PhotoRec). To do this, type sudo ./testdisk (or sudo ./photorec). The sudo command tells your system to run testdisk as root ("administrator", or superuser). You will be required to enter your password (no echo of the characters will be apparent on the screen), press the enter key to validate .

Using TestDisk

  • Upon startup, the following will appear. Highlight the disk of interest and hit return/enter to select it.
Select a media (use Arrow keys, then press Enter):
Disk /dev/disk0 - 80 GB / 74 GiB - CHS 156301488 1 1 (RO), sector size=512
Disk /dev/disk1 - 250 GB / 232 GiB - CHS 488397168 1 1, sector size=512
Disk /dev/rdisk0 - 80 GB / 74 GiB - CHS 156301488 1 1 (RO), sector size=512
Disk /dev/rdisk1 - 250 GB / 232 GiB - CHS 488397168 1 1, sector size=512

  • Once the disk of interest is selected, you must tell TestDisk what type of partition table to expect. For MacOS users, this is probably the [Mac ] option.
Disk /dev/rdisk1 - 250 GB / 232 GiB - CHS 488397168 1 1
Please select the partition table type, press Enter when done.
[Intel  ]  Intel/PC partition
[Mac    ]  Apple partition map
[None   ]  Non partioned media
[Sun    ]  Sun Solaris partition
[XBox   ]  XBox partition
[Return ]  Return to disk selection

  • At this point, you should analyze the disk to see if TestDisk can determine the partion map to replace the possibly-corrupted version on the drive. Select [ Analyse ] from the menu and hit return/enter.
Disk /dev/rdisk1 - 250 GB / 232 GiB - CHS 488397168 1 1
[ Analyse  ]  Analyse current partition structure and search for lost partition
[ Advanced ]  Filesystem Utils
[ Geometry ]  Change disk geometry
[ Options  ]  Modify options
[ Quit     ]  Return to disk selection

  • The following screen will appear, allowing you to tell TestDisk if the partitions are "Primary" or "Deleted" partitions. I'm not sure if it's critical to mark any as "D" -- I believe they default to "P". Select proceed, and hit return/enter.
Current partition structure:
 1 P partition_map                  1         63         63
 2 P Free                          64     262207     262144
 3 P HFS                       262208  162267199  162004992
 4 P Free                   162267200  162529343     262144
 5 P HFS                    162529344  324534335  162004992
 6 P Free                   324534336  324796479     262144
 7 P HFS                    324796480  488397151  163600672

     P=Primary  D=Deleted

[Proceed ] [  Save  ]

  • After analyzing, a screen will appear, informing you of the partitions that were found (the partitions will be colored green). Hit return/enter to return to the display of all the partions found, which looks something like the screen below. You will need to copy/print this information for later, as it will be required for rewriting the partion table using pdisk. Copying to a text file is recommended, as partitioning your drive incorrectly could cause further problems. Once copied, select [ Quit ] and exit TestDisk.
Current partition structure:
     Partition                  Start        End    Size in sectors
 1 P partition_map                  1         63         63
 2 P Free                          64     262207     262144
 3 P HFS                       262208  162267199  162004992
 4 P Free                   162267200  162529343     262144
 5 P HFS                    162529344  324534335  162004992
 6 P Free                   324534336  324796479     262144
 7 P HFS                    324796480  488397151  163600672

[  Quit  ] [ Write  ]

Now you can use this information with pdisk to rewrite your drive partition map.

Repairing/Rewriting Your Drive's Partition Map

To rewrite the partition map given by TestDisk, use the command pdisk. If pdisk reports, "No partition map exists," it may be necessary to initialize the disk. Once the disk is initialized, the numeric entries defining the partition may completed and a name may be assigned to the partition ("rec_part" in the example below). Given the following information from TestDisk,

Disk /dev/rdisk1 - 160 GB / 149 GiB - CHS 312581808 1 1                                                                                       
     Partition               Start        End    Size in sectors                                                                              
P HFS                       262208  312581791  312319584    

the required pdisk commands are:
pdisk: No valid block 1 on '/dev/rdisk1'
Edit /dev/rdisk1 -
Command (? for help): c
No partition map exists
Command (? for help): i
Command (? for help): c
First block: 262208
Length in blocks: 312319584
Name of partition: rec_part
Command (? for help): w
Command (? for help): q

Note: pdisk is for Mac PowerPC partition table, not for Mac Intel partition table.

PhotoRec: Changing files ownership

As PhotoRec is runned as root, files recovered by PhotoRec are also owned by the root user. Use the id command to get your username and groupname. To change the files and directories ownership, use sudo chown -R username:groupname recup_dir.*

Return to TestDisk

Data Recovery