Ddrescue

From ITGwiki

ddrescue is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors." The application is developed as part of the GNU project and was written with UNIX/Linux in mind.

Installing ddrescue

Mac OS X

Download and compile the source, or use MacPorts.

When using ddrescue on a Mac you can use 'rdisk' in place of 'disk' (for example '/dev/rdisk1' instead of '/dev/disk1') to access the device in raw mode, with a significant speed increase.

Ubuntu Linux

Enable the universe repository. Ensure that repository lines containing the word "universe" are not commented (do not start with a #) in your /etc/apt/sources.list file. Here are the lines that I uncommented in my Intrepid Ibex installation (Just replace "mirrors.xmission.com" with your mirror and "intrepid" with your Ubuntu version.):

deb http://mirrors.xmission.com/ubuntu/ intrepid universe
deb http://mirrors.xmission.com/ubuntu/ intrepid-updates universe

Update your package cache and install ddrescue:

sudo apt-get update && sudo apt-get install -y gddrescue

Usage examples

Kernel 2.6.3+ & ddrescue 1.4+

'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around, in case the filesystem is severely broken and data-carving tools like testdisk need to be used on the original image.

Sample Bash script

You can use this simple Bash script by adjusting the prt variable to reflect your partition (it's sde1 in this example). This will create the image and log files in the current directory. Remember to use sudo.

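#!/bin/bash

prt=sde1
src=/dev/$prt
dst=$prt.img
log=$dst.log

# Pass 1: copy everything that reads cleanly, without splitting failed blocks
time ddrescue --no-split "$src" "$dst" "$log"
# Pass 2: retry the bad areas up to 3 times, using uncached (direct) reads
time ddrescue --direct --max-retries=3 "$src" "$dst" "$log"
# Pass 3: retrim and retry, so that full sectors are reread
time ddrescue --direct --retrim --max-retries=3 "$src" "$dst" "$log"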

Check an entire disk for errors

ddrescue /dev/sda /dev/null sdaerrors.log

Rescue an ext2 partition

/dev/hda2 is the source partition and /dev/hdb2 is the target. See also http://www.forensicswiki.org/wiki/Mounting_Disk_Images#kpartx

ddrescue -r3 /dev/hda2 /dev/hdb2 ext2rescue.log
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Rescue a CD-ROM

This does not work for audio CDs, which use a different format. For audio CDs, try cdrdao.

ddrescue -b 2048 /dev/cdrom cdimage.iso cdromrescue.log

Notes

As of release 1.4-rc1, it can be compiled directly in Cygwin out of the box. This makes it usable natively on Windows systems.

Finding files occupying bad blocks (NTFS)

This script parses a ddrescue logfile and prints a list of the files that occupy some of the bad sectors. This lets you easily identify which areas cause problems. You can also modify the log manually (a nice description is available here), so that ddrescue can concentrate on a specific area.


#!/bin/bash
#########################################################
# Author:        Raphael Hoegger
# Source:        http://pfuender.net/?p=80
# License:       This file is licensed under the GPL v2.
# Latest change: 2010.06.24 17:40:32 CEST
# Version:       1.1
#########################################################

FSoffset=32256 # this is equal to the value used in 'losetup' as the offset
DEVICE=/dev/loop1
LOGFILE=log.txt ## the one from ddrescue
OUTPUT=results.txt ## where you want your results stored

# Take the start position of every block marked '-' (bad sector) in the logfile.
# '#' comment lines are skipped: they can contain a '-' too (e.g. the command line).
for failingSector in $(awk '!/^#/ && $3 == "-" { print $1 }' "$LOGFILE") ; do
    # Convert the byte position in the image to an NTFS cluster number (4096-byte clusters)
    NTFSsector=$(( ($failingSector-$FSoffset)/4096 ))
    echo "Sector $NTFSsector:" >>"$OUTPUT"
    # List the files that own this cluster
    ntfscluster -f -c "$NTFSsector" "$DEVICE" 2>/dev/null >>"$OUTPUT"
done
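
The script above looks up only the cluster at the start of each bad block. As an added example (not part of the original page or of the script's author), the shell functions below read the pos/size/status lines of a logfile and print the full cluster range each bad block covers, plus the byte total for a given status. The sample logfile is constructed, and FS_OFFSET and CLUSTER_SIZE are assumptions carried over from the script above.

```shell
#!/bin/sh
# Added example, not from the original page. FS_OFFSET and CLUSTER_SIZE are
# assumptions carried over from the script above; adjust them to your image.
FS_OFFSET=32256      # byte offset of the NTFS partition inside the image
CLUSTER_SIZE=4096    # NTFS cluster size in bytes

# Constructed sample logfile: two bad ('-') blocks between rescued ('+') data.
sample_log() {
cat <<'EOF'
# Rescue Logfile. Created by GNU ddrescue
# Command line: ddrescue --direct --max-retries=3 /dev/sde sde.img sde.img.log
# current_pos  current_status
0x00120000     +
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x0000FE00  +
0x00020000  0x00003000  -
0x00023000  0x000FD000  +
EOF
}

# Print "first-last" NTFS cluster for every bad block in the logfile on stdin.
bad_cluster_ranges() {
    while read -r pos size status; do
        case "$pos" in '#'*|'') continue ;; esac    # comment or blank line
        if [ "$status" != "-" ]; then continue; fi  # status line, other states
        first=$(( $pos - FS_OFFSET ))
        last=$(( $pos + $size - 1 - FS_OFFSET ))
        if [ "$last" -lt 0 ]; then continue; fi     # block ends before the filesystem
        if [ "$first" -lt 0 ]; then first=0; fi
        echo "$(( first / CLUSTER_SIZE ))-$(( last / CLUSTER_SIZE ))"
    done
}

# Print the total number of bytes whose status character equals $1 (e.g. - or +).
bytes_with_status() {
    total=0
    while read -r pos size status; do
        case "$pos" in '#'*|'') continue ;; esac
        if [ "$status" = "$1" ]; then total=$(( total + $size )); fi
    done
    echo "$total"
}

sample_log | bad_cluster_ranges    # one range per bad block
echo "bad bytes: $(sample_log | bytes_with_status -)"
```

Each printed range can be given to ntfscluster -c, which takes a cluster range. The second bad block in the sample spans four clusters, three of which the start-position lookup would miss.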

Map partitions with kpartx

Mounting raw images with multiple partitions is easy with kpartx. Type aptitude install kpartx as root to install kpartx under Debian. kpartx creates a device mapping for each partition. If the raw image looks like this:

       Device        Boot      Start       End      Blocks Id  System
    rawimage.dd1               1           1        8001   83  Linux
    rawimage.dd2               2           2        8032+   5  Extended
    rawimage.dd5               2           2        8001   83  Linux

The command

# kpartx -v -a rawimage.dd

creates these mappings

   /dev/mapper/loop0p1
   /dev/mapper/loop0p2
   /dev/mapper/loop0p5

The partitions can be mounted with these commands:

# mount /dev/mapper/loop0p1 /media/suspectHD_01/ -o ro
# mount /dev/mapper/loop0p5 /media/suspectHD_02/ -o ro

Don't forget the -o ro switch, which mounts the partition read-only!

When you're done, you can delete the maps and free up the loop devices with the following:

# kpartx -v -d rawimage.dd
