5

The message below comes from another post and I tried it the way that they stated to. First, I mounted the USB drive:

sudo mount -o ro,noexec /dev/sdb1 /media

I mounted it as read-only to prevent any damage or changes to the USB while copying it, especially if I mixed up if and of. In the message below, I'm not sure if they wanted to me to use sdb or sdb# for if.

Before trying any recovery I would save the current state by backing up the whole device block by block: dd if=/dev/sdb bs=16M of=/somelargedisk/rawusbdrive where /dev/sdb is your USB drive (check which one by using lsblk) and /somelargedisk/rawusbdrive is a path and filename you choose on a disk/partition with lots of space. Then, if a recovery tool that writes to the disk makes more damage than repairing, you can go back (exchange if and of fields)."

Peter Mortensen
  • 1,025
hddfsck777
  • 99
  • If you're dd-ing the drive, why do you mount it at all? sdb1 is a partition, sdb is the whole disk. – Kusalananda Aug 13 '19 at 09:39
  • @Kusalananda Simply, since the image is coming from a flash drive, I thought it had to be mounted like all usb's usually are. Thx. – hddfsck777 Aug 13 '19 at 09:47
  • @Kusalananda Since the usb 'was' mounted for the original dd, do you think that I made the usb less likely to be able to retrieve the deleted, stolen files from it? Thx. – hddfsck777 Aug 13 '19 at 09:59
  • 1
    Ned64 addressed this in a comment (to a degree). Please don't ask follow-up questions in comments. This is not a discussion forum. Your question should be answerable with finality. Additional questions should be new questions. – Kusalananda Aug 13 '19 at 10:03
  • @Kusalananda ok, good to know. – hddfsck777 Aug 13 '19 at 12:08

2 Answers2

4

/dev/sdb is the entire USB disk, and /dev/sdb1 is a partition on the disk. If you want to image the entire disk, you want /dev/sdb.

That said, mounting as read-only isn't going to help you any in this case. You're bypassing the filesystem (which is where the read-only effect is) and working directly with the block device. So if you mix up i and o, you'll trash the disk anyway.

There isn't much benefit to dd here, you might just as well use cat:

sudo cat /dev/sdb > /somelargedisk/rawusbdrive

(Or pv for a nice progress display.)

muru
  • 72,889
  • what happens if cat dies with an i/o error? you keep both pieces? try again to read the damaged blicks –  Aug 13 '19 at 12:57
  • 1
    Both cat and dd will fail from an Input / Output error. ddrescure was made for the purpose of continuing on after errors if that's what's happening. – Alex Cannon Aug 13 '19 at 22:13
4

The best way to back up a whole drive is via dd because you can control buffer size for block devices better than with cat. While the USB drive is not mounted, please run, as root:

  dd if=/dev/sdb bs=16M of=/somelargedisk/rawusbdrive

where /dev/sdb is your USB drive (check which one by using lsblk) and /somelargedisk/rawusbdrive is a path and filename you choose on a disk/partition with lots of space.

You can restore that backup by exchanging if and of arguments to dd.

Please note: dd can easily overwrite all your data beyond repair (with reasonable effort) if you get the parameters wrong!

This was first mentioned in my comment to your other question Best linux recovery tool for deleted files from USB flash drive?

Ned64
  • 8,726
  • Yes, as my question directly comes from your reply, thanks. I am very comfortable with dd now, the 'if' starts with where the files are now (ie: usb), and the 'of' is the destination for the image. And I check my 'dd' command 100 times to be sure before hitting enter! Originally, I don't think we spoke about mounting or not mounting, if I recall correctly. I can redo it. Thanks. – hddfsck777 Aug 13 '19 at 09:49
  • Any way to check the authenticity of the (new) image created, to make sure it is not corrupted? Thx. – hddfsck777 Aug 13 '19 at 09:56
  • @hddfsck777 The data is usually copied without error. If you are unsure you could copy the data again, to a second file, and run sha256sum on both, then compare the hashes (or run diff -qs /somelargedisk/rawusbdrive /somelargedisk/rawusbdrive2). The files may differ if you have mounted the disk in between. – Ned64 Aug 13 '19 at 10:01
  • Probably faster with cat /dev/sdb >/somelargedisk/rawusbdrive though. And easier to remember than dd. – Chris Davies Aug 13 '19 at 10:11
  • @roaima I do not think that cat would be faster as it would probably buffer with 512 Bytes as opposed to 16MiB specified by dd here. Many drives read and write faster with medium buffer sizes. – Ned64 Aug 13 '19 at 10:15
  • @Ned64 I'll leave you to try it and be surprised :-) – Chris Davies Aug 13 '19 at 10:16
  • @roaima I will but do not have access to USB in the next few days (broken IOMMU). – Ned64 Aug 13 '19 at 10:18
  • @Ned64 dd is useful if you have the time to measure performance properly across various block sizes and pick the best one, and if putting all that time and effort is worthwhile. https://unix.stackexchange.com/a/9492/70524 – muru Aug 13 '19 at 10:29
  • @muru Thanks for the reference. My guess is that this differs a lot with the device used (e.g. non-buffered USB flash drive vs HDD with internal cache (shouldn't exceed this when writing, I guess) vs SSD). But yes, it may not make a difference in practise and perhaps I am just old-fashioned :-) – Ned64 Aug 13 '19 at 11:02
  • @Ned64, on my glibc/Linux system, cat from GNU coreutils uses a block size of 128 kB. And stdio seems to use reads of 8192 bytes. I don't think anything really uses 512 bytes, ...except for dd by default. Now, I'm not saying that any of that is faster than a block size of 16 MB, but I doubt there's much use in multi-megabyte blocks (on quick test on a spinning disk, 16 kB and 1 MB blocks take exactly the same time). – ilkkachu Aug 13 '19 at 17:56
  • Also, why do people keep saying that dd is dangerous and can wipe people's data?! cat is exactly as dangerous if you point it at something like /dev/sdx. – ilkkachu Aug 13 '19 at 17:58
  • @ilkkachu You may be right but please do not test with HDD or SDD; USB in my experience behaves differently. However, as I wrote I cannot try it it these days. – Ned64 Aug 13 '19 at 17:58
  • @ilkkachu cats are very dangerous - ask mice :-) – Ned64 Aug 13 '19 at 17:59
  • It doesn't help that for if and of, "i" and "o" are right next to each other on the keyboard. – qwr Aug 13 '19 at 19:40