Show Disks
- Show all currently attached disks and find the /dev/ device you want to format
fdisk -l
How to Format and Mount a Disk
- Format disk 'sdb': choose option 'n' for new, then select 'p' for primary partition, keep the partition number set to '1', and keep the first sector and last sector at their default values if you want to use the whole drive. After all of the settings are how you want them, select 'w' to write the table.
fdisk /dev/sdb
# Example output of the above command
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1):
First sector (2048-3907029167, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-3907029167, default 3907029167):
Using default value 3907029167
Partition 1 of type Linux and of size 1.8 TiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
- After the drive is formatted, write the file system, in this case ext4, which is pretty standard for Linux nowadays; select 'y' to format the whole disk.
mkfs.ext4 /dev/sdb
- Mount the newly formatted disk to a directory; in this case I created a /disks/nas directory for my backup. If you reboot, this mount will be lost; see the next step to mount this drive at boot.
mount /dev/sdb /disks/nas
- Add the following to the end of fstab to make the drive mount on boot, otherwise you will have to remount it manually.
vim /etc/fstab
/dev/sdb /disks/nas ext4 defaults 0 0
- Use the lsblk command to show the disk is mounted to the nas directory; the drive is now usable. Example output:
sdb 8:32 0 1.8T 0 disk /disks/nas
Create Bootable Flash
- Create a bootable USB flash drive using an ISO, 'if' is input file, 'of' is the output file, 'sync' flushes the output buffers.
dd bs=4M if=/home/user/Documents/vyos-1.1.6-amd64.iso of=/dev/sde && sync
Mount and Unmount Drives (fstab)
- Mount all drives listed in the /etc/fstab config
mount -a
- Unmount all drives listed in the /etc/fstab config
umount -a
File Recovery
- If you deleted a file that contains known text strings, you can locate it on the partition
- -a treats binary data as text, -b prints the byte offset of each match, '/dev/sdd3' is the partition to search
- This command will output a byte offset. It can also output quite a bit of gibberish; look for a number followed by a colon, see below
grep -a -b "syscontact Robsan" /dev/sdd3
# Example output of the above command; '22733033610' is the byte offset
22733033610:syscontact Robsan
- We'll determine the size of the file in blocks so we can recover it; this is hit or miss and might take some manual tweaking of the blocks
- Echo the output starting at "22733033610"; 512 is the block size for partition /dev/sdd3, so the offset is divided by 512 to get the block to skip to, and count=10 reads 10 blocks of 512 bytes
dd if=/dev/sdd3 count=10 skip=$(expr 22733033610 / 512)
- Save the above output to a file
dd if=/dev/sdd3 count=10 skip=$(expr 22733033610 / 512) > output.txt
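An added example (not from the original notes) of the grep-then-dd recovery above, run against a constructed image file instead of a real partition. It adds grep's -o so the offset is that of the match itself, and goes one step further by carving up to a footer string, using the same '# Config' and '# End of config' markers as the scalpel config on this page; the function names and the sample image are assumptions.

```shell
#!/bin/sh
# Added example: locate a string on a disk image, then carve the bytes
# between a header and a footer string. Names here are hypothetical.

# Print the byte offset of every match of fixed string $1 in file/device $2.
# -a: treat binary as text; -b: print byte offsets; -o: report the offset of
# the match itself, not of the start of the "line" that contains it.
match_offsets() {
    LC_ALL=C grep -a -b -o -F -- "$1" "$2" | cut -d: -f1
}

# usage: carve_between IMAGE HEADER FOOTER OUTFILE
carve_between() {
    image=$1; header=$2; footer=$3; out=$4
    start=$(match_offsets "$header" "$image" | head -n 1)
    [ -n "$start" ] || { echo "header not found" >&2; return 1; }
    # First footer that begins after the header.
    end=$(match_offsets "$footer" "$image" |
          awk -v s="$start" '$1 > s { print; exit }')
    [ -n "$end" ] || { echo "footer not found after header" >&2; return 1; }
    len=$((end + ${#footer} - start))
    # bs=1 makes skip/count byte-exact: slow on big devices, fine for a demo.
    dd if="$image" of="$out" bs=1 skip="$start" count="$len" 2>/dev/null
}

# Constructed sample: about 5 KB of zero bytes with one config file at byte 3000.
make_sample_image() {
    {
        head -c 3000 /dev/zero
        printf '# Config\nsyscontact Robsan\n# End of config\n'
        head -c 2000 /dev/zero
    } > "$1"
}

tmp=$(mktemp -d)
make_sample_image "$tmp/disk.img"
match_offsets 'syscontact Robsan' "$tmp/disk.img"   # byte offset of the string
carve_between "$tmp/disk.img" '# Config' '# End of config' "$tmp/recovered.txt"
cat "$tmp/recovered.txt"; echo
```

Working on an image copy of the partition rather than the live device keeps the deleted data from being overwritten while you adjust the offsets.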
Use Scalpel to find files or text
- Example scalpel.conf, 'NONE' means look for files without extensions, 'y' for upper and lower case matching.
- '35000:50000' is the number of characters for the file search, in this case it's a range from 35000 to 50000. For the below scalpel config file, the number of characters must be between 35000 and 50000 for a file that starts and ends with '/# Config/' and '/# End of config/'. If you remove the 35000, and set the number of characters to one number, 50000, then any size between 1 and 50000 could be possible matches.
- You don't have to match the beginning and end of a file, it could be any section of the file.
- '/# Config/' and '/# End of config/' are the file header and footer strings to match, or beginning and end of file strings.
NONE y 35000:50000 /# Config/ /# End of config/
- Run the scalpel program, -c use the /etc/scalpel.conf config file, "/dev/sdd3" search this disk, -o output the matching files to "/home/robsan/recovery/" directory
scalpel -c /etc/scalpel.conf "/dev/sdd3" -o "/home/robsan/recovery/"
- Description needs expansion... Output the file header and footer of a file in hex format for scalpel; add these to /etc/scalpel.conf
xxd -l 0x04 commands.bak; xxd -s -0x04 commands.bak
- Needs more info.
strings < ramdump | grep "503"