TestDisk

Developer(s): Christophe Grenier
Stable release: 7.1 / July 7, 2019
Written in: C
Type: Data recovery
License: GPL
Website: www.cgsecurity.org/wiki/TestDisk

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems.[1] TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows (i.e. NT 4.0, 2000, XP, Server 2003, Server 2008, Vista, Windows 7, Windows 8.1, Windows 10), Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles non-partitioned and partitioned media.[2] In particular, it recognizes the GUID Partition Table (GPT), Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slice and Xbox fixed partitioning scheme. TestDisk uses a command line user interface. TestDisk can recover deleted files with 97% accuracy.[3]

Features

TestDisk can recover deleted partitions, rebuild partition tables or rewrite the master boot record (MBR).[4][3]

Partition recovery

TestDisk retrieves the LBA size and CHS geometry of attached data storage devices (i.e. hard disks, memory cards, USB flash drives, and virtual disk images) from the BIOS or the operating system. The geometry information is required for a successful recovery. TestDisk reads sectors on the storage device to determine if the partition table or filesystem on it requires repair. TestDisk can perform deeper checks to locate partitions that have been deleted from a storage device or disk image.[2] However, it is up to the user to look over the list of possible partitions found by TestDisk and to select those that they wish to recover.
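A simplified sketch of the kind of check described above, added here as an illustration and not TestDisk's own code: it parses the MBR partition table of a raw image, then scans every sector for NTFS or FAT32 boot-sector signatures that no table entry points to. The disk image is constructed in memory and the function names are hypothetical.

```python
import struct

SECTOR = 512

def parse_mbr(image):
    """Return (type, start_lba, sector_count) for each used MBR table entry."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i                      # table starts at byte 446
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, start, count))
    return entries

def identify_boot_sector(sector):
    """Return (filesystem, total_sectors) if the sector looks like a boot sector."""
    if sector[510:512] != b"\x55\xaa":
        return None
    if sector[3:11] == b"NTFS    ":             # OEM ID field
        return ("NTFS", struct.unpack_from("<Q", sector, 0x28)[0])
    if sector[82:90] == b"FAT32   ":            # filesystem type label
        return ("FAT32", struct.unpack_from("<I", sector, 0x20)[0])
    return None

def scan_lost_partitions(image):
    """List boot sectors present on the image that no MBR entry points to."""
    known = {start for _, start, _ in parse_mbr(image)}
    found = []
    for lba in range(1, len(image) // SECTOR):
        hit = identify_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
        if hit and lba not in known:
            found.append((lba, *hit))
    return found

def build_sample_image():
    """Constructed 4 MiB image: emptied partition table, NTFS boot sector at LBA 2048."""
    image = bytearray(8192 * SECTOR)
    image[510:512] = b"\x55\xaa"                # MBR signature kept, entries zeroed
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<Q", boot, 0x28, 6143)    # total sectors field
    boot[510:512] = b"\x55\xaa"
    image[2048 * SECTOR:2049 * SECTOR] = boot
    return bytes(image)

if __name__ == "__main__":
    for lba, fs, sectors in scan_lost_partitions(build_sample_image()):
        print(f"candidate {fs} partition at LBA {lba}, {sectors} sectors")
```

On real media the scan also hits backup boot sectors and remnants of older layouts, which is why the candidate list has to be reviewed before anything is written back to the partition table.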

Filesystem repair

TestDisk can deal with some specific logical filesystem corruption.[5]

File recovery

When a file is deleted, the list of disk clusters occupied by the file is erased, marking those sectors available for use by other files created or modified thereafter. TestDisk can recover deleted files, especially if the file was not fragmented and its clusters have not been reused.

Digital forensics

TestDisk can be used in digital forensics to retrieve partitions that were deleted long ago.[3] It can mount various types of disk images, including the Expert Witness File Format used by EnCase.[2][6] Binary disk images, such as those created with ddrescue, can be read by TestDisk as though they were storage devices.[7] In TestDisk versions prior to version 7, this feature could be exploited to inject malicious code into a running TestDisk application on Windows.[7]

File system support

File system support for TestDisk is shown in the table:

Name[2] Partition Recovery Filesystem Recovery File Recovery
Partition undelete Rebuild Partition table MBR / GPT Rewrite Boot Sector Rewrite Boot Sector Restore Find filesystem Undelete[2] Extract files from image File carving
FAT16/32 Yes Yes[a] Yes[b] Yes[c] Yes
exFAT Yes ? Yes[b] ? Yes
NTFS Yes Yes[a] Yes[b] Yes[d] Yes
ext2, ext3, and ext4 Yes ? Yes[e] ? Yes
HFS+ Yes ? Yes[b] ? No
BeOS Yes No
BSD disklabel (FreeBSD/OpenBSD/NetBSD) Yes No
Cramfs Yes No
JFS Yes No
Linux RAID[f] Yes No
Linux Swap 1 and 2 Yes No
LVM and LVM2 Yes No
Novell Storage Services (NSS) Yes No
ReiserFS 3.5, 3.6 and 4 Yes No
Sun Solaris i386 disklabel Yes No
Unix File System UFS and UFS2 (Sun/BSD/…) Yes No
XFS, SGI’s Journaled File System Yes No
  [a] Find filesystem parameters to rewrite a valid boot sector
  [b] Restore the boot sector using its backup
  [c] Use the two copies of the FAT to rewrite a coherent version
  [d] Restore the Master File Table (MFT) from its backup
  [e] Find backup superblock location to assist fsck
  [f] RAID 1: mirroring, RAID 4: striped array with parity device, RAID 5: striped array with distributed parity information and RAID 6: striped array with distributed dual redundancy information

References

  1. Moggridge, J. (2017). "Security of patient data when decommissioning ultrasound systems". Ultrasound. Leeds, England. 25 (1): 16–24. doi:10.1177/1742271X16688043.
  2. Grenier, Christophe (2021-05-31), TestDisk Documentation (PDF), CG Security, archived from the original (PDF) on 2021-11-17
  3. Kumar, Hany; Saharan, Ravi; Panda, Saroj Kumar (March 2020). "Identification of Potential Forensic Artifacts in Cloud Storage Application". 2020 International Conference on Computer Science, Engineering and Applications (ICCSEA): 1–5. doi:10.1109/ICCSEA49143.2020.9132869. ISBN 978-1-7281-5830-3. S2CID 220367251.
  4. Debra Littlejohn Shinder, Michael Cross (2002). Scene of the cybercrime, page 328. Syngress. ISBN 978-1-931836-65-4.
  5. Jack Wiles, Kevin Cardwell, Anthony Reyes (2007). The best damn cybercrime and digital forensics book period, page 373. Syngress. ISBN 978-1-59749-228-7.
  6. Altheide, C., & Carvey, H. (2011). File System and Disk Analysis. In Digital Forensics with Open Source Tools. Elsevier. https://booksite.elsevier.com/samplechapters/9781597495868/Chapter_3.pdf
  7. Németh, Z. L. (2015). "Modern binary attacks and defences in the windows environment—Fighting against microsoft EMET in seven rounds". 2015 IEEE 13th International Symposium on Intelligent Systems and Informatics (SISY). pp. 275–280. doi:10.1109/SISY.2015.7325394.

External links

Test Disk Team:
Main Contributor: Christophe Grenier. Location: Paris, France. URL: cgsecurity.org. He started the project in 1998 and is still the main developer. He is also responsible for the packaging of TestDisk & PhotoRec for DOS, Windows, Linux (generic version), MacOS X, and Fedora distribution.