TestDisk

Developer(s): Christophe Grenier
Stable release: 7.1 / July 7, 2019
Written in: C
Type: Data recovery
License: GPL
Website: www.cgsecurity.org/wiki/TestDisk

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions and repair corrupted filesystems. [1] It can also collect detailed information about a damaged drive, which can be sent to a technician for further analysis. TestDisk runs on DOS, Microsoft Windows (NT 4.0, 2000, XP, Server 2003, Server 2008, Vista, 7, 8.1 and 10), Linux, FreeBSD, NetBSD, OpenBSD, SunOS and macOS. It handles both non-partitioned and partitioned media [2] and recognizes the GUID Partition Table (GPT), the Apple partition map, PC/Intel BIOS (MBR) partition tables, Sun Solaris slices and the Xbox fixed partitioning scheme. TestDisk has a text-based, menu-driven user interface. In one forensic study it recovered deleted files with 97% accuracy. [3]

Features

TestDisk can recover deleted partitions, rebuild partition tables and rewrite the master boot record (MBR). [4] [3]

Partition recovery

TestDisk retrieves the LBA size and CHS geometry of attached storage devices (hard disks, memory cards, USB flash drives and virtual disk images) from the BIOS or the operating system; correct geometry is required for a successful recovery. It then reads sectors from the device to determine whether the partition table or a filesystem on it needs repair, and it can run a deeper search that reads through the whole device or disk image looking for the boot sectors and superblocks of partitions that have been deleted. [2] The result is a list of candidate partitions, which may overlap one another or be stale remnants of an earlier layout; it is up to the user to look over that list and select the partitions they actually want to recover before anything is written back.
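The scan described above, as an added example (this is not TestDisk's own code): a Python script walks a constructed image that has no partition table at all, recognises NTFS, FAT and ext boot sectors or superblocks from their on-disk signatures, derives each candidate partition's start LBA and length from the fields in that sector, and flags candidates whose sector ranges overlap, which is exactly the situation in which the user has to decide which ones to keep. The image contents, the layout used (NTFS, a stale FAT16 boot sector, FAT32 and ext4) and the deliberately minimal signature checks are assumptions of the example; TestDisk applies many more consistency checks per candidate.

```python
"""Scan a raw disk image sector by sector for filesystem boot sectors and
superblocks and turn each hit into a candidate partition (type, start LBA,
length), in the spirit of TestDisk's deeper search. Added example for this
page, not TestDisk's own code: the image is constructed below (sample data,
not a real disk) and only a few signature checks are made per sector."""
import struct

SECTOR = 512
EXT_SB_OFFSET = 1024   # an ext2/3/4 superblock starts 1 KiB into its partition
EXT_MAGIC = 0xEF53


def _fat_total_sectors(bs):
    # 16-bit total at 0x13; zero means "use the 32-bit field at 0x20"
    small = struct.unpack_from("<H", bs, 0x13)[0]
    return small if small else struct.unpack_from("<I", bs, 0x20)[0]


def probe_sector(img, lba):
    """Return (fs_type, start_lba, sector_count) if the sector at `lba` is
    the start of a recognisable filesystem, otherwise None."""
    bs = img[lba * SECTOR:(lba + 1) * SECTOR]
    if bs[0x1FE:0x200] == b"\x55\xaa":                 # boot-sector signature
        if bs[3:11] == b"NTFS    ":
            total = struct.unpack_from("<Q", bs, 0x28)[0]
            return ("NTFS", lba, total + 1)            # count excludes the backup boot sector
        if bs[0x52:0x5A] == b"FAT32   ":
            return ("FAT32", lba, _fat_total_sectors(bs))
        if bs[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
            return (bs[0x36:0x3E].decode().strip(), lba, _fat_total_sectors(bs))
    # ext superblock: magic at +0x38. It lives two sectors into the partition,
    # so a hit at `lba` means the partition starts at lba - 2.
    if lba >= 2 and struct.unpack_from("<H", bs, 0x38)[0] == EXT_MAGIC:
        blocks = struct.unpack_from("<I", bs, 0x04)[0]         # s_blocks_count_lo
        log_bs = struct.unpack_from("<I", bs, 0x18)[0]         # s_log_block_size
        if blocks and log_bs <= 6:                             # reject random noise
            return ("ext2/3/4", lba - 2, blocks * (1024 << log_bs) // SECTOR)
    return None


def scan_image(img):
    """Every candidate filesystem start in the image, in LBA order."""
    return [hit for lba in range(len(img) // SECTOR)
            if (hit := probe_sector(img, lba)) is not None]


def annotate_overlaps(candidates):
    """Attach to each candidate the others whose sector ranges intersect it.
    Overlapping candidates cannot all be live partitions (one is usually a
    stale boot sector from an earlier format), so the choice is the user's."""
    out = []
    for i, (fs, start, size) in enumerate(candidates):
        end = start + size
        clashes = [f"{o[0]}@{o[1]}" for j, o in enumerate(candidates)
                   if j != i and o[1] < end and start < o[1] + o[2]]
        out.append({"fs": fs, "start": start, "end": end - 1, "overlaps": clashes})
    return out


def build_sample_image():
    """Constructed 6 MiB image with no partition table: NTFS at LBA 2048,
    FAT32 at 4096, ext4 at 8192, plus a stale FAT16 boot sector at 3000
    left over from an imagined earlier layout (all sample data)."""
    img = bytearray(12288 * SECTOR)

    def boot_sector(oem):
        bs = bytearray(SECTOR)
        bs[0:3] = b"\xeb\x52\x90"                      # jump instruction
        bs[3:11] = oem
        struct.pack_into("<HB", bs, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
        bs[0x1FE:0x200] = b"\x55\xaa"
        return bs

    ntfs = boot_sector(b"NTFS    ")
    struct.pack_into("<Q", ntfs, 0x28, 2047)           # 2048 sectors minus backup boot sector
    img[2048 * SECTOR:2049 * SECTOR] = ntfs

    fat16 = boot_sector(b"MSDOS5.0")
    struct.pack_into("<H", fat16, 0x13, 2000)
    fat16[0x36:0x3E] = b"FAT16   "
    img[3000 * SECTOR:3001 * SECTOR] = fat16

    fat32 = boot_sector(b"MSWIN4.1")
    struct.pack_into("<I", fat32, 0x20, 4096)
    fat32[0x52:0x5A] = b"FAT32   "
    img[4096 * SECTOR:4097 * SECTOR] = fat32

    sb = bytearray(1024)
    struct.pack_into("<I", sb, 0x04, 512)              # 512 blocks ...
    struct.pack_into("<I", sb, 0x18, 2)                # ... of 1024 << 2 = 4096 bytes
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    off = 8192 * SECTOR + EXT_SB_OFFSET
    img[off:off + 1024] = sb
    return bytes(img)


if __name__ == "__main__":
    for c in annotate_overlaps(scan_image(build_sample_image())):
        flag = " OVERLAPS " + ", ".join(c["overlaps"]) if c["overlaps"] else ""
        print(f"{c['fs']:<9} LBA {c['start']:>6}-{c['end']:>6}{flag}")
```

Run stand-alone, the script lists four candidates; the stale FAT16 sector at LBA 3000 is reported as overlapping both the NTFS and the FAT32 candidate, while the ext4 candidate overlaps nothing. On a real device the same loop would read from the block device instead of the in-memory bytes, and the overlap report is what the operator uses to reject the stale entry rather than writing all four back into a partition table.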

Filesystem repair

TestDisk can repair some specific kinds of logical filesystem corruption, for example by rewriting a FAT or NTFS boot sector from its backup copy or locating the backup superblock of an ext filesystem. [5]

File recovery

When a file is deleted, the filesystem does not erase the file's data; it releases the record of which clusters the file occupied (on FAT, the cluster chain in the allocation table is zeroed and the directory entry is marked deleted), so those sectors become available to files created or modified afterwards. TestDisk can recover such a file, particularly when the file was not fragmented and its clusters have not yet been reused.
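The FAT case of the recovery described above, as an added example (this is not TestDisk's own code): a constructed FAT16 volume carries two root-directory entries that were marked deleted. One file's clusters are still free in the FAT and are read back whole; the other's cluster has since been reallocated to a newer file, which the code detects from the FAT before returning any data. The volume contents are sample data, and the code assumes the unfragmented case and the root directory only; subdirectories, long file names and FAT12/FAT32 entry widths are not handled.

```python
"""Undelete files from a FAT16 volume by reading the directory entries that
were marked deleted and re-reading their clusters, illustrating the recovery
described above. Added example for this page, not TestDisk's own code; the
volume is constructed in memory (sample data) and only the root directory
and the unfragmented case are handled."""
import struct

SECTOR = 512
DELETED = 0xE5            # first byte of a deleted directory entry

# Constructed file contents for the sample volume.
SAMPLE_REPORT = ("quarter,revenue\n"
                 + "".join(f"Q{i},{1000 + i}\n" for i in range(100))).encode()
SAMPLE_NEWLOG = b"the new file reused cluster 4\n"


def volume_geometry(vol):
    """Byte offsets of the FAT, root directory and data area from the BPB."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", vol, 0x0B)
    spf = struct.unpack_from("<H", vol, 0x16)[0]          # sectors per FAT
    fat_start = reserved * bps
    root_start = fat_start + nfats * spf * bps
    return {"bps": bps, "spc": spc, "fat_start": fat_start,
            "root_start": root_start, "root_entries": root_entries,
            "data_start": root_start + root_entries * 32}


def fat_entry(vol, geo, cluster):
    return struct.unpack_from("<H", vol, geo["fat_start"] + 2 * cluster)[0]


def read_cluster(vol, geo, cluster):
    size = geo["bps"] * geo["spc"]
    off = geo["data_start"] + (cluster - 2) * size      # data area begins at cluster 2
    return vol[off:off + size]


def deleted_entries(vol, geo):
    """Yield (name, first_cluster, size) for every deleted root entry.
    Deletion overwrites only the first name byte, so it is shown as '_'."""
    for i in range(geo["root_entries"]):
        off = geo["root_start"] + 32 * i
        e = vol[off:off + 32]
        if e[0] == 0x00:
            break                                        # end of used entries
        if e[0] != DELETED:
            continue
        name = "_" + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        start = struct.unpack_from("<H", e, 0x1A)[0]
        size = struct.unpack_from("<I", e, 0x1C)[0]
        yield (name + "." + ext if ext else name, start, size)


def undelete(vol, geo, start, size):
    """Recover a deleted file assuming it was unfragmented: read consecutive
    clusters from `start`. A cluster whose FAT entry is non-zero has been
    reallocated to a live file, so stop there and report a partial result."""
    csize = geo["bps"] * geo["spc"]
    data = bytearray()
    for c in range(start, start + -(-size // csize)):   # ceil(size / csize) clusters
        if fat_entry(vol, geo, c) != 0:
            return bytes(data), False
        data += read_cluster(vol, geo, c)
    return bytes(data[:size]), True


def build_sample_volume():
    """Constructed 32 KiB FAT16 volume: 1 reserved sector, two 1-sector FATs,
    a 16-entry root directory, 1 sector per cluster. REPORT.TXT was deleted
    with its clusters (2, 3) still free; OLD.LOG was deleted and its
    cluster (4) has since been reused by NEW.LOG."""
    vol = bytearray(64 * SECTOR)
    struct.pack_into("<HBHBHH", vol, 0x0B, 512, 1, 1, 2, 16, 64)
    struct.pack_into("<H", vol, 0x16, 1)
    vol[0x36:0x3E] = b"FAT16   "
    vol[0x1FE:0x200] = b"\x55\xaa"
    geo = volume_geometry(vol)

    def dirent(idx, name, start, size):
        off = geo["root_start"] + 32 * idx
        vol[off:off + 11] = name
        vol[off + 0x0B] = 0x20                           # archive attribute
        struct.pack_into("<HI", vol, off + 0x1A, start, size)

    for fat in (geo["fat_start"], geo["fat_start"] + SECTOR):  # both FAT copies
        struct.pack_into("<HHHHH", vol, fat, 0xFFF8, 0xFFFF, 0, 0, 0xFFFF)
    dirent(0, b"\xe5EPORT  TXT", 2, len(SAMPLE_REPORT))
    dirent(1, b"\xe5LD     LOG", 4, 100)
    dirent(2, b"NEW     LOG", 4, len(SAMPLE_NEWLOG))
    vol[geo["data_start"]:geo["data_start"] + len(SAMPLE_REPORT)] = SAMPLE_REPORT
    c4 = geo["data_start"] + 2 * SECTOR
    vol[c4:c4 + len(SAMPLE_NEWLOG)] = SAMPLE_NEWLOG
    return bytes(vol)


if __name__ == "__main__":
    vol = build_sample_volume()
    geo = volume_geometry(vol)
    for name, start, size in deleted_entries(vol, geo):
        data, complete = undelete(vol, geo, start, size)
        state = "complete" if complete else "clusters reused, nothing safe to return"
        print(f"{name}: {len(data)}/{size} bytes, {state}")
```

The check on the FAT entry is the important part: without it, undeleting OLD.LOG would silently hand back the contents of NEW.LOG under the old name, which is how naive recovery tools produce plausible-looking but wrong files.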

Digital forensics

TestDisk can be used in digital forensics to retrieve partitions that were deleted long ago. [3] It can open several disk image formats, including the Expert Witness File Format (EWF) used by EnCase. [2] [6] Raw (binary) images, such as those produced by ddrescue, are read by TestDisk as though they were storage devices. [7] In versions prior to 7.0, this image handling could be exploited to inject malicious code into the running TestDisk process on Windows. [7] An image of unknown provenance is therefore untrusted input to the tool itself, and analysis of such images should be done with a current release.

File system support

File system support for TestDisk is shown in the table. [2] "Partition recovery" covers partition undelete, rebuilding the partition table and rewriting the MBR/GPT; "File recovery" covers undelete, extracting files from an image and file carving.

Name                                        Partition  Boot sector  Boot sector  Find        File
                                            recovery   rewrite      restore      filesystem  recovery
FAT16/32                                    Yes        Yes [a]      Yes [b]      Yes [c]     Yes
exFAT                                       Yes        ?            Yes [b]      ?           Yes
NTFS                                        Yes        Yes [a]      Yes [b]      Yes [d]     Yes
ext2, ext3 and ext4                         Yes        ?            Yes [e]      ?           Yes
HFS+                                        Yes        ?            Yes [b]      ?           No
BeOS                                        Yes        No           No           No          No
BSD disklabel (FreeBSD/OpenBSD/NetBSD)      Yes        No           No           No          No
Cramfs                                      Yes        No           No           No          No
JFS                                         Yes        No           No           No          No
Linux RAID [f]                              Yes        No           No           No          No
Linux swap 1 and 2                          Yes        No           No           No          No
LVM and LVM2                                Yes        No           No           No          No
Novell Storage Services (NSS)               Yes        No           No           No          No
ReiserFS 3.5, 3.6 and 4                     Yes        No           No           No          No
Sun Solaris i386 disklabel                  Yes        No           No           No          No
Unix File System UFS and UFS2 (Sun/BSD/…)   Yes        No           No           No          No
XFS (SGI's journaled file system)           Yes        No           No           No          No

  a. Find the filesystem parameters needed to rewrite a valid boot sector
  b. Restore the boot sector from its backup copy
  c. Use the two copies of the FAT to rewrite a coherent version
  d. Restore the Master File Table (MFT) from its backup
  e. Find the backup superblock location to assist fsck
  f. RAID 1 (mirroring), RAID 4 (striped array with a parity device), RAID 5 (striped array with distributed parity) and RAID 6 (striped array with distributed dual redundancy)

See also

  PhotoRec
  gpart
  Data recovery
  Disk partitioning
  GUID Partition Table
  BIOS boot partition
  Logical Disk Manager
  Disk image
  Disk cloning
  Disk editor
  Backup
  Live CD
  File system
  NTFS
  Universal Disk Format
  Defragmentation
  Multi-booting
  RAID
  mdadm
  GEOM

References

  1. Moggridge, J. (2017). "Security of patient data when decommissioning ultrasound systems". Ultrasound. Leeds, England. 25 (1): 16–24. doi:10.1177/1742271X16688043. PMC 5308389. PMID 28228821.
  2. Grenier, Christophe (2021-05-31). TestDisk Documentation (PDF). CG Security. Archived from the original (PDF) on 2021-11-17.
  3. Kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA): 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251.
  4. Shinder, Debra Littlejohn; Cross, Michael (2002). Scene of the Cybercrime, p. 328. Syngress. ISBN 978-1-931836-65-4.
  5. Wiles, Jack; Cardwell, Kevin; Reyes, Anthony (2007). The Best Damn Cybercrime and Digital Forensics Book Period, p. 373. Syngress. ISBN 978-1-59749-228-7.
  6. Altheide, C.; Carvey, H. (2011). "File System and Disk Analysis". In Digital Forensics with Open Source Tools. Elsevier. https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf
  7. Németh, Z. L. (2015). "Modern binary attacks and defences in the Windows environment—Fighting against Microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY): 275–280. doi:10.1109/SISY.2015.7325394. ISBN 978-1-4673-9388-1. S2CID 18914754.

TestDisk team

Main contributor: Christophe Grenier (Paris, France; cgsecurity.org). He started the project in 1998 and is still its main developer. He is also responsible for packaging TestDisk and PhotoRec for DOS, Windows, Linux (generic build), Mac OS X and the Fedora distribution.