TestDisk
Developer(s) | Christophe Grenier |
---|---|
Stable release | 7.0 / April 18, 2015 |
Development status | Active |
Written in | C |
Platform | Cross-platform |
Type | Data recovery |
License | GPL (free software) |
Website | www.cgsecurity.org/wiki/TestDisk |
TestDisk is a free and open-source data recovery utility. It is primarily designed to help recover lost data storage partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally erasing a partition table). TestDisk can be used to collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis.
Supported operating systems
TestDisk supports these operating systems:
- DOS: real or in a Windows 9x DOS box
- Microsoft Windows: NT4, 2000, XP, 2003, 2008, Vista, Windows 7
- GNU/Linux
- FreeBSD, NetBSD, OpenBSD
- SunOS
- Mac OS X
Supported partition table type
TestDisk recognizes the following disk partitioning:
- Apple partition map
- GUID Partition Table
- PC/Intel Partition Table (master boot record)
- Sun Solaris slice
- Xbox fixed partitioning scheme
It also handles non-partitioned media.
Partition recovery
TestDisk queries the BIOS or the operating system in order to find the data storage devices (hard disks, memory cards, …) and their characteristics (LBA size and CHS geometry). TestDisk can[1]
- Recover deleted partition
- Rebuild partition table
- Rewrite the Master boot record (MBR)
TestDisk does a quick check of the disk's structure and compares it with the partition table for entry errors. Next, it searches for lost partitions[2][3] of these file systems:
- Be File System (BeOS)
- BSD disklabel (FreeBSD/OpenBSD/NetBSD)
- Cramfs, Compressed File System
- DOS/Windows FAT12, FAT16, and FAT32
- Windows exFAT
- HFS, HFS+ and HFSX, Hierarchical File System
- JFS, IBM's Journaled File System
- Linux ext2, ext3 and ext4
- Linux RAID
- RAID 1: mirroring
- RAID 4: striped array with parity device
- RAID 5: striped array with distributed parity information
- RAID 6: striped array with distributed dual redundancy information
- Linux Swap (versions 1 and 2)
- LVM and LVM2, Linux Logical Volume Manager
- Novell Storage Services (NSS)
- NTFS (Windows NT/2000/XP/2003/Vista/2008/7)
- ReiserFS 3.5, 3.6 and 4
- Sun Solaris i386 disklabel
- Unix File System UFS and UFS2 (Sun/BSD/…)
- XFS, SGI’s Journaled File System
However, it is up to the user to look over the list of possible partitions found by TestDisk and to select those that were being used just before the drive failed to boot or the partition(s) were lost. In some cases, especially after initiating a detailed search for lost partitions, TestDisk may show remnants of partitions that had been deleted and overwritten long ago.
A step-by-step guide[4] explains how to use this software. TestDisk can be used in computer forensics procedure,[5] it supports the EWF file format used by EnCase.
Filesystem repair
TestDisk can deal with some specific logical filesystem corruption:[6]
- File Allocation Table, FAT[7]
- FAT12 and FAT16
- Find filesystem parameters to rewrite a valid boot sector
- Use the two copies of the FAT to rewrite a coherent version
- FAT32
- Find filesystem parameters to rewrite a valid boot sector
- Restore the boot sector using its backup
- Use the two copies of the FAT to rewrite a coherent version
- FAT12 and FAT16
- exFAT
- Restore the boot sector using its backup
- NTFS[8]
- Find filesystem parameters to rewrite a valid boot sector
- Restore the boot sector using its backup
- Restore the Master File Table (MFT) from its backup
- Extended file systems, ext2, ext3 and ext4
- HFS+
- Restore the boot sector using its backup
File recovery
When a file is deleted, the list of disk clusters occupied by the file is erased, marking those sectors available for use by other files created or modified thereafter. If the file wasn't fragmented and the clusters haven't been reused, TestDisk can recover the deleted file:
Popularity
TestDisk and PhotoRec (by the same author) have been downloaded more than 150,000 times in July 2008 from the primary website. In fact these utilities are even more popular as they can be found on various Linux Live CDs:
- antiX
- BootMed Plus
- GParted Live CD
- Grml Debian-based live CD
- Iloog
- Knoppix
- Parted Magic
- PLD Live CD and PLD RescueCD, based on PLD Linux Distribution
- Slax-LFI, a Slax-derived distribution
- SystemRescueCD
- Trinity Rescue Kit
- Ubuntu Rescue Remix, GUI-less Ubuntu derivation
They are also packaged for numerous Linux distributions:
- ALT Linux[13]
- ArchLinux Extra Repository[14]
- Debian contrib[15]
- Fedora Extras[16]
- Red Hat Epel[17]
- FreeBSD ports[18]
- Gentoo[19] and Gentoo Portage[20]
- Mandriva contrib
- PLD Linux Distribution
- Slackware Linux SBo[21]
- Source Mage GNU/Linux[22]
- Ubuntu[23]
See also
References
- ↑ Debra Littlejohn Shinder, Michael Cross (2002). Scene of the cybercrime, page 328. Syngress. ISBN 978-1-931836-65-4.
- ↑ Ido Perelmutter - Debian Administration, Recovering from file system corruption using TestDisk
- ↑ Ionut Ilascu, Softpedia, Your HDD Is Missing a Slice? Try TestDisk for a change
- ↑ TestDisk Step by Step
- ↑ Presentation of TestDisk in The Sleuth Kit Informer
- ↑ Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, page 373. Syngress. ISBN 978-1-59749-228-7.
- ↑ Advanced FAT Repair
- ↑ NTFS boot sector and MFT repair
- ↑ Locate ext2/ext3/ext4 backup superblock
- ↑ FAT file undelete
- ↑ NTFS file undelete
- ↑ ext2 file undelete
- ↑ TestDisk on ALT Linux
- ↑ ArchLinux Extra Repository
- ↑ TestDisk on Debian
- ↑ TestDisk in Fedora
- ↑ "RepoView: "Fedora EPEL 6 - x86_64"". Retrieved 27 July 2013.
- ↑ TestDisk in FreeBSD ports
- ↑ TestDisk in Gentoo
- ↑ TestDisk in Gentoo Portage
- ↑
- ↑ TestDisk in Source Mage
- ↑ TestDisk in Ubuntu
External links
- TestDisk Wiki
- List of news articles about TestDisk and PhotoRec
- Falko Timme, Data Recovery With TestDisk HowTo
- Digital Forensics using Linux and Open Source Tools