Zip Disk Data Recovery
I'm new to computer forensics. I always wanted to learn about it, and now, because I had a problem with a Zip Disk, I have the opportunity to do some real practice 🙂
The problem is, I can't recover the data from the zip disk and so, I can't start with the examination. That is more a data recovery problem, but, the thing is the owner of the disk doesn't know what was on it exactly, so, it will need some examination…
Can anyone tell me where I can find information about recovering this data?
My last try was
dd noerror < /dev/sda1 > zipError.dump
Then I wanted to mount the file as a loop device and work with it, but "dd noerror …." didn't work, or it didn't seem to work: the result file has length 0 and I was getting a lot of reading errors.
Welcome to Forensic Focus.
Are you sure your dd syntax is correct? I normally use "if=" and "of=" to specify source and destination files. Does "noerror" not need to be specified as "conv=noerror"?
I'm not an expert on dd usage, though, so perhaps the above is old hat. If so, what do the read errors say?
Hi all, probably telling you guys how to suck eggs, but the syntax for imaging using dd on a Linux machine would be:
dd if=/dev/drive conv=noerror of=/disk to write to (e.g /mnt/writabledrive/file.dd)
Sorry if I'm stating the obvious, but the syntax can be confusing on first use.
Nothing wrong with stating the obvious (it's usually not obvious to someone) and welcome to Forensic Focus!
While I'm here I'll take the opportunity to post the following link which contains some great information from Brian Carrier on the use of dd:
Try this: -
Open a shell, and as root.
fdisk -l /dev/sda (to find out what drives your Linux box can see)
You will probably find the zip drive is seen as a SCSI device = sda* (*zips mostly as sda4). If it's a Linux formatted ZIP disk it's /dev/sda1 and if a DOS (FAT) formatted ZIP disk it's /dev/sda4.
I like to mount it next, read only (you should already have a reciprocal folder in mnt, i.e. /mnt/zip), just to make sure it's accessible (not really necessary but my quirk).
mount -t auto -o ro /dev/sda* /mnt/zip
Then take an MD5 hash of the device.
md5sum /dev/sda* > /home/andy/forensic/cases/latest-case-md5hash.txt
(obviously choose your own preferred path)
Then dd it: -
dd if=/dev/sda* of=/home/andy/forensic/cases/dd/myref-file.img conv=noerror,sync (again choose your own dump location).
The 'conv=noerror' option instructs dd to attempt to read past any errors. The sync option will "pad" the dd output wherever errors are found and ensure that the output will be "synchronized" with the original
After acquisition, md5 the dd file (they should match).
Then you can mount with loop.
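The hash, image, re-hash sequence from the post above, wrapped as a shell function. This is an added example, not code from the thread; the function names, the log file and the usage path are assumptions. With conv=sync every short or failed read is padded with NULs up to the block size, so the function logs dd's record counts and reports a mismatch instead of assuming the two hashes agree.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Usage, with a hypothetical case path:
#   acquire /dev/sda4 /cases/zip/zip.img && mount -o ro,loop /cases/zip/zip.img /mnt/zip

# acquire SRC IMG [BS]
# Image SRC into IMG with conv=noerror,sync and write dd's summary plus both
# hashes to IMG.log. Returns 0 if the hashes match, 1 if they differ or the
# source could not be hashed, 2 if dd itself failed.
acquire() {
    local src=$1 img=$2 bs=${3:-512} log="$2.log"
    local h_src h_img

    # md5sum stops at the first read error, so a damaged disk may have no
    # usable source hash at all; record that and image it anyway.
    h_src=$(md5sum "$src" 2>/dev/null) || h_src="unreadable"
    h_src=${h_src%% *}

    # bs=512 keeps the zero-filled gap per read error to a single sector.
    # LC_ALL=C keeps dd's "records in" summary in a parseable form.
    LC_ALL=C dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2> "$log" || return 2

    h_img=$(md5sum "$img") || return 2
    h_img=${h_img%% *}
    printf 'source md5: %s\nimage  md5: %s\n' "$h_src" "$h_img" >> "$log"

    [ "$h_src" = "$h_img" ]
}

# partial_records LOG
# Print M from dd's "N+M records in" line: the number of short reads that
# conv=sync padded out to a full block.
partial_records() {
    sed -n 's/^[0-9]*+\([0-9]*\) records in$/\1/p' "$1"
}
```

A non-zero result from `acquire` does not mean the image is useless: check the log for dd's error messages and partial records, and treat the image hash as the reference for later work.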