notes/disk_recovery.txt at master · ThePacketBender/notes · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
Physical Storage (HDD/SSD) Recovery
	-Most software-based solutions also relevant to recovering virtualized disks (VHD/VMDK/whatever, largely format-agnostic in this context)

RECOVERY DISKS
GParted
	-"GNU Parted"
	--bootable recovery optical disk image (.iso)
	--best option for the heavy lifting
		--convenient to mount disk on eSATA/USB device and directly connect it to a virtual machine
			--VMWare significantly preferable for this specific use case
	--(see section "LINUX" (below))


LINUX
fsck
	--standard utility
ddrescue
	https://www.gnu.org/software/ddrescue/
	apt-get install ddrescue ddrescueview ddrutility gddrescue
	ddrescue-GUI
		https://www.hamishmb.com/html/downloads.php?program_name=ddrescue-gui
gpart
	--scans drives and attempt re-create partition table of specified device based on "guesses"
	gpart /dev/sda


Windows
cmd.exe
	"hard disk corrupt or unreadable"
chkdsk
	-checkdisk
	--attempts to repair file system errors, locate bad sectors, and recover readable information from those bad sectors
	chkdsk e: /r
		-run chkdsk on an entire volue
		-/r -locate bad sectors and recover information from them
			--assumes /f flag
		-/f -fix errors
		--if chkdsk cannot lock the disk, will prompt to run the command the next time you restart Windows
	chkdsk c:\Users\yourname\path\to\corrupted.file
		--run chkdsk on only a corrupted file
	chkdsk /spotfix
	chkdsk /scan
sfc
	-system file checker
		--scan and fix windows system files
	sfc /scannow
		-perform an immediate scan of system and replace files as necessary
		--if errors found, reboot likely required for internal (boot) disks
	sfc /verifyfile=c:\windows\system32\kernel32.dll
	sfc /scanfile=d:\windows\system32\kernel32.dll /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows /OFFLOGFILE=c:\log.txt
	sfc /scanonce
		-schedule to perform scan next time system is restarted
	sfc /scanboot
		-schedules a scan to be performed on every system boot
	sfc Revert
		-return System File Checker to its default settings
fsutil/fsutils
	fsutil fsinfo drives
	fsutil fsinfo drivetype c:
	fsutil fsinfo volumeinfo c:
	fsutil fsinfo ntfsinfo c:
	fsutil fsinfo statistics c:
	fsutil volume diskfree c:
	fsutil repair enumerate c:
		--enumerate the entries of a volume’s corruption log
	fsutil repair initiate c: 1
		--initiate NTFS volume self-healing
	fsutil repair state c:
		--query the corruption state of the volume
	fsutil repair set c: 1
		--set the self healing state of the volume
	fsutil dirty query C:
		--display the status of dirty attribute on drive
	fsutil dirty set C:
		--set the dirty attribute for volume C:
			--At the next reboot, the system will automatically perform a disk check using the chkdsk utility
DISM
	-Deployment Image Servicing and Management tool
	--DISM enumerates, installs, uninstalls, configures, and updates features and packages in Windows images. The commands that are available depend on the image being serviced and whether the image is offline or running.
DISM /Online /Cleanup-Image /RestoreHealth
	"Boot Issues"
bootrec.exe /fixboot
bootrec.exe /fixmbr
	"Other"
cipher
	cipher /W:path
		-/W -removes data on unused portions of a volume
			--removes artifacts of deleted files

Powershell
	Repair-Volume
	    [-DriveLetter] <Char[]>
		[-OfflineScanAndFix]
		[-SpotFix]
		[-Scan]
		[-CimSession <CimSession[]>]
		[-ThrottleLimit <Int32>]
		[-AsJob]
		[-WhatIf]
		[-Confirm]
		[<CommonParameters>]
	Repair-Volume
      -ObjectId <String[]>
      [-OfflineScanAndFix]
      [-SpotFix]
      [-Scan]
      [-CimSession <CimSession[]>]
      [-ThrottleLimit <Int32>]
      [-AsJob]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
	Repair-Volume
      -Path <String[]>
      [-OfflineScanAndFix]
      [-SpotFix]
      [-Scan]
      [-CimSession <CimSession[]>]
      [-ThrottleLimit <Int32>]
      [-AsJob]
      [-WhatIf]
      [-Confirm]
      [<CommonParameters>]
	Repair-Volume
		-FileSystemLabel <String[]>
		[-OfflineScanAndFix]
		[-SpotFix]
		[-Scan]
		[-CimSession <CimSession[]>]
		[-ThrottleLimit <Int32>]
		[-AsJob]
		[-WhatIf]
		[-Confirm]
		[<CommonParameters>]
	Repair-Volume
		-InputObject <CimInstance[]>
		[-OfflineScanAndFix]
		[-SpotFix]
		[-Scan]
		[-CimSession <CimSession[]>]
		[-ThrottleLimit <Int32>]
		[-AsJob]
		[-WhatIf]
		[-Confirm]
		[<CommonParameters>]


Forensic
	Testdisk/Photorec
https://www.cgsecurity.org/wiki/TestDisk_Download
https://www.cgsecurity.org/Download_and_donate.php/testdisk-7.2-WIP.win64.zip


Mapping Disk drives in Windows
	--if the problem seems like it should not exist, you're probably overthinking enough to be making them yourself
	Device Manager
		>Disk Drive
			>Volumes
				>Populate
	Disk Management
		Dmgnotification.exe
			--if "File System" displays as format RAW for "damaged" disk analyze with testdisk to recovery with proper disk geometry
				--you're probably going to want to defragment if you're not performing forensic analysis


Appendix 1 (Physical Disk Drive Device Connection Types)
	[ASC: oldest to most recent]
IDE
SCSI
SATA
NVMe