Hard Disk Data Recovery
When a file is deleted on a hard drive, its location on the disk isn’t immediately cleared. Instead, the operating system marks the space as free and makes it available for new files to be written. This process can take some time, depending on various factors like the type of storage device and the amount of data being written. As a result, deleted files can sometimes still be recovered using specialised tools.
dc3dd and foremost
DCFLDD is a fork of DD designed for digital forensics. A more up to date fork called dc3dd is included in Kali Linux. This tool can be used to create a bit-for-bit disk image.
Be careful when using dd, dcfldd, and dc3dd. Check the source (
if=) and destination (of=) are correct, since these tools will irreversibly overwrite entire disks if pointed at the wrong one.
To create an image of the block device /dev/sdb1 in the location /root/Desktop/image.dd:
dc3dd if=/dev/sdb1 of=/root/Desktop/image.ddYou can scan and recover various file types in the given image file with foremost:
foremost -t ode,png,jpg,pdf -i image.dd