TestDisk

Developer(s): Christophe Grenier
Stable release: 7.2 / February 22, 2024
Written in: C
Type: Data recovery
License: GPL
Website: www.cgsecurity.org/wiki/TestDisk

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. [1] TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows (NT 4.0, 2000, XP, Server 2003, Server 2008, Vista, Windows 7, Windows 8.1 and Windows 10), Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles both non-partitioned and partitioned media. [2] In particular, it recognizes the GUID Partition Table (GPT), the Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slices and the Xbox fixed partitioning scheme. TestDisk uses a command-line user interface. TestDisk can recover deleted files with 97% accuracy. [3]

Features

TestDisk can recover deleted partitions, rebuild partition tables or rewrite the master boot record (MBR). [4] [3]

Partition recovery

TestDisk retrieves the LBA size and CHS geometry of attached data storage devices (hard disks, memory cards, USB flash drives and virtual disk images) from the BIOS or the operating system. Correct geometry information is required for a successful recovery. TestDisk then reads sectors on the storage device to determine whether the partition table or the filesystem on it requires repair (see the next section).

TestDisk is able to recognize the following partition table formats: [2] the GUID Partition Table (GPT), the Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slices and the Xbox fixed partitioning scheme.

TestDisk can perform deeper checks to locate partitions that have been deleted from the partition table. [2] However, it is up to the user to look over the list of possible partitions found by TestDisk and to select those that they wish to recover.

After partitions are located, TestDisk can rebuild the partition table and rewrite the MBR. [2]

Filesystem repair

TestDisk can deal with some specific logical filesystem corruption. [5]

File recovery

When a file is deleted, the list of disk clusters occupied by the file is erased, marking those clusters as available for use by other files created or modified thereafter. TestDisk can recover deleted files, especially if the file was not fragmented and its clusters have not been reused.

There are two file recovery mechanisms in the TestDisk package: [2] TestDisk's own undelete function, available for the file systems marked in the table below, and PhotoRec, which carves files by their signatures without relying on filesystem metadata.
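To make the undelete condition concrete, here is an added toy model of FAT-style deletion and recovery (constructed for this article, not TestDisk's code): deleting a file frees its cluster chain but leaves the directory entry's start cluster and size behind, so undelete can only assume the file was contiguous and must refuse when any of those clusters has since been reused.

```python
import math
FREE, END = 0, 0x0FFFFFFF        # FAT entry values: free cluster / end-of-chain marker
CLUSTER_SIZE = 4096

class MiniFat:                   # constructed toy FAT (cluster table + directory), not TestDisk code
    def __init__(self, nclusters):
        self.fat = [FREE] * nclusters      # clusters 0 and 1 are reserved, as on a real FAT volume
        self.dir = {}                      # name -> {"start", "size", "deleted"}
    def _link(self, chain):                # write a cluster chain into the FAT
        for a, b in zip(chain, chain[1:]):
            self.fat[a] = b
        self.fat[chain[-1]] = END
    def allocate(self, name, size):
        needed = max(1, math.ceil(size / CLUSTER_SIZE))
        free = [i for i in range(2, len(self.fat)) if self.fat[i] == FREE]
        if len(free) < needed:
            raise RuntimeError("no free clusters")
        chain = free[:needed]              # first free clusters: a real allocator may fragment here
        self._link(chain)
        self.dir[name] = {"start": chain[0], "size": size, "deleted": False}
        return chain
    def delete(self, name):
        e = self.dir[name]
        c = e["start"]
        while c != END:                    # free every cluster of the chain; the entry keeps start and size
            nxt = self.fat[c]
            self.fat[c] = FREE
            c = nxt
        e["deleted"] = True                # like the 0xE5 marker byte in a real directory entry
    def undelete(self, name):
        """Rebuild the chain assuming the file was contiguous; None if any needed cluster was reused."""
        e = self.dir[name]
        needed = max(1, math.ceil(e["size"] / CLUSTER_SIZE))
        chain = list(range(e["start"], e["start"] + needed))
        if chain[-1] >= len(self.fat) or any(self.fat[c] != FREE for c in chain):
            return None
        self._link(chain)
        e["deleted"] = False
        return chain

def demo():
    fs = MiniFat(16)
    a = fs.allocate("a.txt", 2 * CLUSTER_SIZE)   # clusters 2 and 3
    fs.allocate("b.txt", CLUSTER_SIZE)           # cluster 4
    fs.delete("a.txt")
    recovered = fs.undelete("a.txt")             # clusters still free: chain rebuilt intact
    fs.delete("b.txt")
    fs.allocate("c.txt", CLUSTER_SIZE)           # reuses cluster 4
    return a, recovered, fs.undelete("b.txt")    # ([2, 3], [2, 3], None)
```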

Digital forensics

TestDisk can be used in digital forensics to retrieve partitions that were deleted long ago. [3] It can mount various types of disk images including the Expert Witness File Format used by EnCase. [2] [6] Binary disk images, such as those created with ddrescue, can be read by TestDisk as though they were storage devices. [7]

In TestDisk versions prior to version 7, a malformed disk or its image can be used to inject malicious code into a running TestDisk application on Cygwin. [7]

File system support

File system support for TestDisk is shown in the table:

| Name [2] | Partition recovery: find filesystem | Filesystem recovery: boot sector / superblock restore | Filesystem recovery: file table repair | File recovery: undelete [2] |
|---|---|---|---|---|
| FAT12/16/32 | Yes | Yes [a] [b] | Yes [c] | Yes |
| exFAT | Yes | Yes [b] | Use fsck | Yes |
| NTFS | Yes | Yes [a] [b] | Yes [d] | Yes |
| ext2, ext3 and ext4 | Yes | Yes [e] | Use fsck | Yes |
| HFS, HFS+, HFSX | Yes | Yes [b] | Use fsck | No |
| BeOS | Yes | No | No | No |
| BSD disklabel (FreeBSD/OpenBSD/NetBSD) | Yes | No | No | No |
| Cramfs | Yes | No | No | No |
| IBM JFS2 | Yes | No | No | No |
| Linux RAID (mdadm) [f] | Yes | No | No | No |
| Linux Swap 1 and 2 | Yes | No | No | No |
| LVM and LVM2 | Yes | No | No | No |
| Novell Storage Services (NSS) | Yes | No | No | No |
| ReiserFS 3.5, 3.6 and 4 | Yes | No | No | No |
| Sun Solaris i386 disklabel | Yes | No | No | No |
| UFS and UFS2 (Sun/BSD/…) | Yes | No | No | No |
| XFS from SGI | Yes | No | No | No |

Some features, such as partition table editing and PhotoRec "carving", do not depend on the file system at all.

  a. Find filesystem parameters to rewrite a valid BIOS parameter block (BPB, analogous to the superblock of a Unix file system)
  b. Restore the BPB from its backup copy (NTFS, FAT32, exFAT)
  c. Use the two copies of the FAT to rewrite a coherent version
  d. Restore the Master File Table (MFT) from its backup
  e. Find the backup superblock location to assist fsck
  f. RAID 1: mirroring; RAID 4: striped array with a parity device; RAID 5: striped array with distributed parity information; RAID 6: striped array with distributed dual redundancy information
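The "boot sector restore" repair for FAT32 (table notes a and b) works because the formatter writes a second copy of the boot sector into the reserved area, at the sector named by the BPB_BkBootSec field (conventionally sector 6). The following added example, written for this article and not taken from TestDisk, builds a synthetic FAT32 boot sector, zeroes the primary copy, and locates and restores the backup using plausibility checks on the BPB fields; the field offsets are the standard FAT32 layout, the search range and validity rules are this example's own choices.

```python
import struct
SECTOR = 512
BK_BOOT_SEC = 0x32     # BPB_BkBootSec: FAT32 field holding the sector number of the backup boot sector

def build_fat32_boot_sector(backup_sector=6):
    """Constructed minimal FAT32 boot sector; offsets follow the FAT32 BPB layout."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                   # jump instruction
    bs[3:11] = b"MSWIN4.1"                      # OEM name
    struct.pack_into("<H", bs, 0x0B, 512)       # bytes per sector
    bs[0x0D] = 8                                # sectors per cluster
    struct.pack_into("<H", bs, 0x0E, 32)        # reserved sectors (the backup copy lives in here)
    bs[0x10] = 2                                # number of FATs
    struct.pack_into("<I", bs, 0x24, 1024)      # sectors per FAT (FAT32 field)
    struct.pack_into("<I", bs, 0x2C, 2)         # root directory cluster
    struct.pack_into("<H", bs, BK_BOOT_SEC, backup_sector)
    bs[0x52:0x5A] = b"FAT32   "                 # filesystem type string
    bs[510:512] = b"\x55\xAA"                   # boot signature
    return bytes(bs)

def boot_sector_looks_valid(sector):
    """Plausibility checks a repair tool applies before trusting a boot sector."""
    bps = struct.unpack_from("<H", sector, 0x0B)[0]
    return (sector[510:512] == b"\x55\xAA"
            and bps in (512, 1024, 2048, 4096)
            and sector[0x0D] in (1, 2, 4, 8, 16, 32, 64, 128)
            and sector[0x10] in (1, 2)
            and sector[0x52:0x5A] == b"FAT32   ")

def repair_boot_sector(image):
    """Return (image, action). When sector 0 is damaged, scan the reserved area for a copy
    that passes the checks and whose own BkBootSec field agrees with where it was found."""
    if boot_sector_looks_valid(image[:SECTOR]):
        return image, "primary ok"
    for n in range(1, 32):
        cand = image[n * SECTOR:(n + 1) * SECTOR]
        if (len(cand) == SECTOR and boot_sector_looks_valid(cand)
                and struct.unpack_from("<H", cand, BK_BOOT_SEC)[0] == n):
            return cand + image[SECTOR:], f"restored from backup at sector {n}"
    return image, "no valid backup found"

def demo():
    good = build_fat32_boot_sector()
    image = bytearray(SECTOR * 40)
    image[0:SECTOR] = good
    image[6 * SECTOR:7 * SECTOR] = good         # the formatter's backup copy at sector 6
    image[0:SECTOR] = bytes(SECTOR)             # simulate a zeroed-out primary boot sector
    repaired, action = repair_boot_sector(bytes(image))
    return repaired[:SECTOR] == good, action    # (True, "restored from backup at sector 6")
```

On a real volume the same idea applies, but a tool must also check that the recovered values agree with the partition size and FAT locations before writing anything back.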


References

  1. Moggridge, J. (2017). "Security of patient data when decommissioning ultrasound systems". Ultrasound 25 (1): 16–24. doi:10.1177/1742271X16688043. PMC 5308389. PMID 28228821.
  2. Grenier, Christophe (2021-05-31). TestDisk Documentation (PDF). CG Security.
  3. Kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA). pp. 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251.
  4. Shinder, Debra Littlejohn; Cross, Michael (2002). Scene of the Cybercrime. Syngress. p. 328. ISBN 978-1-931836-65-4.
  5. Wiles, Jack; Cardwell, Kevin; Reyes, Anthony (2007). The Best Damn Cybercrime and Digital Forensics Book Period. Syngress. p. 373. ISBN 978-1-59749-228-7.
  6. Altheide, C.; Carvey, H. (2011). "File System and Disk Analysis". In Digital Forensics with Open Source Tools. Elsevier. https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf
  7. Németh, Z. L. (2015). "Modern binary attacks and defences in the Windows environment: Fighting against Microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY). pp. 275–280. doi:10.1109/SISY.2015.7325394. ISBN 978-1-4673-9388-1. S2CID 18914754.

TestDisk team:
Main contributor: Christophe Grenier (Paris, France; cgsecurity.org). He started the project in 1998 and is still the main developer. He is also responsible for packaging TestDisk and PhotoRec for DOS, Windows, Linux (generic build), Mac OS X and the Fedora distribution.