# Lab: Disk Image Recovery

**Goal:** Recover deleted files from a corrupted disk image and upload them to the lab server.

The image `disk.img` contains three partitions with a corrupted GPT partition table.
Nine files were deleted across the three filesystems — your job is to get them back.

---

## What You Are Working With

| Partition | Filesystem | Size  | Deleted files (to find) |
|-----------|------------|-------|-------------------------|
| p1        | FAT16      | ~32MB | `contract.txt`, `bestiary.txt`, `gletter.txt`    |
| p2        | NTFS       | ~33MB | `nif_intel.txt`, `yen_diary.txt`, `ciri_loc.txt` |
| p3        | ext4       | ~33MB | `spell.sh`, `.lodge`, `bounty.txt`               |

The partition table is damaged — tools that rely on it (like `mount` directly) will fail.
You need to repair it first, then recover the deleted files from each filesystem.

---

## Step 1 — Verify the Damage

Confirm that the partition table is broken:

```bash
fdisk -l disk.img
```

Both the primary and backup GPT headers are corrupted, so `fdisk` will not show any partitions,
only a protective MBR entry.

Also check with `parted`, which will report an unknown disk label:

```bash
parted disk.img print
```
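
The same damage can be confirmed without `fdisk` or `parted` by reading the on-disk signatures directly. The script below is an added example, not part of the lab handout: it checks the protective MBR and the `EFI PART` signature at LBA 1 and at the last LBA. It assumes 512-byte sectors; `hex_at`, `gpt_triage`, `put` and `make_sample` are names introduced here, and `make_sample` builds a small constructed test image.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab handout: first-pass GPT triage on a raw image.
# Assumption: 512-byte logical sectors.
SECTOR=512

# hex_at IMAGE BYTE_OFFSET LENGTH -> lowercase hex of those bytes
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# gpt_triage IMAGE -> "pmbr=<ok|bad> primary=<ok|bad> backup=<ok|bad>"
gpt_triage() {
    local img="$1" size last pmbr=bad primary=bad backup=bad
    local efi_part=4546492050415254            # ASCII "EFI PART"
    size=$(wc -c < "$img") || return 2
    last=$(( size / SECTOR - 1 ))              # backup header sits in the last LBA
    # Protective MBR: boot signature 55 aa at byte 510, entry 1 type 0xEE at 446+4
    [ "$(hex_at "$img" 510 2)" = 55aa ] && [ "$(hex_at "$img" 450 1)" = ee ] && pmbr=ok
    [ "$(hex_at "$img" "$SECTOR" 8)" = "$efi_part" ] && primary=ok
    [ "$(hex_at "$img" "$(( last * SECTOR ))" 8)" = "$efi_part" ] && backup=ok
    echo "pmbr=$pmbr primary=$primary backup=$backup"
}

# put IMAGE BYTE_OFFSET BYTES: overwrite bytes in place (BYTES is a printf format)
put() { printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# Constructed sample: a 64-sector image holding only the fields gpt_triage reads.
make_sample() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=64 2>/dev/null
    put "$1" 450 '\356'                        # 0xEE partition type
    put "$1" 510 '\125\252'                    # 0x55 0xAA boot signature
    put "$1" 512 'EFI PART'                    # primary header, LBA 1
    put "$1" "$(( 63 * SECTOR ))" 'EFI PART'   # backup header, last LBA
}
```

Run it as `gpt_triage disk.img`. A `bad` result confirms damage, but `ok` only means the signature is intact: the header CRC32 fields can still be wrong, which `fdisk` would also reject.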

---

## Step 2 — Repair the Partition Table with TestDisk

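`testdisk` can locate partitions by filesystem signatures and reconstruct the GPT.
Writing the new table modifies `disk.img` in place, so keep an untouched copy of the image
in case you need to start over.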

```bash
testdisk disk.img
```

Navigate the menu:

1. Select `disk.img` → **Proceed**
2. Partition table type: **EFI GPT** → confirm
3. Choose **Analyse** → **Quick Search**
4. TestDisk will list the three partitions. If they look correct (FAT16 / NTFS / Linux),
   press `P` to list files as a sanity check, then `Enter` to go back.
5. Choose **Write** → confirm → **Quit**

Verify the repair:

```bash
fdisk -l disk.img
parted disk.img print
```

All three partitions should now be visible without errors.

---

## Step 3 — Recover Files from FAT16 (Partition 1)

TestDisk has a built-in file undelete for FAT partitions.

```bash
testdisk disk.img
```

1. **Proceed** → **EFI GPT** → **Analyse** → **Quick Search**
2. Select partition 1 (FAT16) and press `P` to list files.
3. Deleted files appear with a `:` prefix instead of a filename.
   Navigate to them and press `C` to copy, then choose a destination directory.

Alternatively, use **PhotoRec** (same package as testdisk) for signature-based recovery:

```bash
photorec disk.img
```

1. Select `disk.img` → **Proceed**
2. Choose partition 1 → **File Opt** to select only text files if desired → **Search**
3. Choose an output directory (e.g. `./recovered_fat/`)

---

## Step 4 — Recover Files from NTFS (Partition 2)

`ntfsundelete` operates on a partition device, not a raw disk image with an offset.
First attach the repaired image as a loop device to get partition devices:

```bash
sudo losetup --find --show --partscan disk.img
# → e.g. /dev/loop0  (partitions will be /dev/loop0p1, /dev/loop0p2, /dev/loop0p3)
```

Scan for recoverable files on partition 2 and note the inode numbers listed:

```bash
sudo ntfsundelete /dev/loop0p2 --scan
```

The scan will list deleted files with an inode number and a recovery percentage.
Recover each file by its inode number (replace 29 30 31 with what you see):

```bash
mkdir -p recovered_ntfs
# --inodes is the documented long form of -i
sudo ntfsundelete /dev/loop0p2 --undelete --inodes 29 --destination recovered_ntfs/
sudo ntfsundelete /dev/loop0p2 --undelete --inodes 30 --destination recovered_ntfs/
sudo ntfsundelete /dev/loop0p2 --undelete --inodes 31 --destination recovered_ntfs/
```

Recovered files will be named `unknownXX` — rename them to the original names after
verifying the content with `cat` or `strings`.

Detach the loop device when done:

```bash
sudo losetup -d /dev/loop0
```

---

## Step 5 — Recover Files from ext4 (Partition 3)

On modern Linux kernels, ext4 clears inode block pointers on deletion, so inode-based
recovery tools (extundelete, debugfs dump) will produce empty files. Use **PhotoRec**
instead — it scans raw blocks by file content, not by inode metadata.

Step 4 ends by detaching the loop device, so re-attach the image if it is no longer attached:

```bash
sudo losetup --find --show --partscan disk.img
# → e.g. /dev/loop0
```

Run PhotoRec on the ext4 partition:

```bash
photorec /dev/loop0p3
```

In the PhotoRec menu:

1. Select `[Search]`
2. Choose filesystem type: `ext2/ext3/ext4`
3. Choose scope: `[Whole]` (scan the whole partition)
4. Choose output directory, e.g. `./recovered_ext4/`

PhotoRec will recover files by content signature. Shell scripts (`.sh`) are recovered
directly. Plain text files are recovered if the `txt` file type is enabled — press
`[File Opt]` before searching and make sure `txt` is enabled.

Detach the loop device when done:

```bash
sudo losetup -d /dev/loop0
```

---

## Step 6 — Upload Results to the Lab Server

Connect to the lab server:

```bash
ssh oos2026@oos.wimic.agh.edu.pl
# password: $oos2026$
```

Create a directory named **firstname.lastname** (use your own name, lowercase, real dot):

```bash
mkdir firstname.lastname
```

Log out:

```bash
exit
```

Copy your recovered files to the server using `scp`:

```bash
# `*` does not match dotfiles, so .lodge has to be named explicitly
scp recovered_fat/* recovered_ntfs/* recovered_ext4/* recovered_ext4/.lodge \
    oos2026@oos.wimic.agh.edu.pl:firstname.lastname/
```

Or use a single archive if you prefer:

```bash
tar czf recovered_files.tar.gz recovered_fat/ recovered_ntfs/ recovered_ext4/
scp recovered_files.tar.gz oos2026@oos.wimic.agh.edu.pl:firstname.lastname/
```

---

## Verification Checklist

Before submitting, confirm you have recovered all nine files:

- [ ] `contract.txt`
- [ ] `bestiary.txt`
- [ ] `gletter.txt`
- [ ] `nif_intel.txt`
- [ ] `yen_diary.txt`
- [ ] `ciri_loc.txt`
- [ ] `spell.sh`
- [ ] `.lodge`
- [ ] `bounty.txt`
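
The checklist can be run as a script before uploading. This is an added example, not part of the lab handout: it assumes the recovered files have already been renamed to their original names in the directories you pass in, flags files that are missing or zero-length (the result inode-based ext4 recovery gives, per Step 5), and writes a SHA-256 manifest. `check_recovered` and `write_manifest` are names introduced here.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab handout: pre-upload check of the nine files.
EXPECTED="contract.txt bestiary.txt gletter.txt nif_intel.txt yen_diary.txt
ciri_loc.txt spell.sh .lodge bounty.txt"

# check_recovered DIR... -> one line per expected file: "<ok|EMPTY|MISSING> <name>"
# Returns 0 only when every file is present and non-empty.
check_recovered() {
    local name dir found rc=0
    for name in $EXPECTED; do
        found=""
        for dir in "$@"; do
            if [ -f "$dir/$name" ]; then found="$dir/$name"; break; fi
        done
        if [ -z "$found" ]; then
            echo "MISSING $name"; rc=1
        elif [ ! -s "$found" ]; then
            echo "EMPTY $name"; rc=1      # recovered name, but no content
        else
            echo "ok $name"
        fi
    done
    return "$rc"
}

# write_manifest OUTFILE DIR... -> SHA-256 of every file under DIR..., sorted by path
write_manifest() {
    local out="$1"; shift
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$out"
}
```

Typical use is `check_recovered recovered_fat recovered_ntfs recovered_ext4 && write_manifest manifest.sha256 recovered_fat recovered_ntfs recovered_ext4`; the manifest can later be compared with `sha256sum -c` against the uploaded copies.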

---

## Tool Reference

| Tool           | Purpose                                      | Install              |
|----------------|----------------------------------------------|----------------------|
| `testdisk`     | GPT/partition table repair, FAT file listing | `testdisk` package   |
| `photorec`     | Signature-based recovery (all filesystems)   | included with testdisk |
| `ntfsundelete` | NTFS deleted file recovery by inode          | `ntfs-3g` package    |
| `fdisk`        | Partition table inspection                   | `util-linux`         |
| `parted`       | Partition table inspection / repair          | `parted` package     |
