I have rescued my 2gb usb stick in nearly two days onto an 100gb blank reiserfs partition with these two commands:
ddrescue -f -n /dev/sda /dev/sdb8 logfile
ddrescue -d -f -r3 /dev/sda /dev/sdb8 logfile
since I did not know what to do next, I tried mounting /dev/sdb8 to look what's inside. But mount: you must specify the filesystem type. Before that I was able to mount the blank reiserfs partition before ddrescue wrote on it. Is there a way to read the rescued data now?
Thanks.
Most USB sticks use the PC partitioning format, and have a single partition. That means the first sector (512 bytes) of the disk contains a partition table (and optionally a bootloader), and the rest of the disk contains the partition.
You could have rescued just the partition with
ddrescue -f -n /dev/sda1 /dev/sdb8 logfile
ddrescue -d -f -r3 /dev/sda1 /dev/sdb8 logfile
But now that you have the whole disk, you can get at its partition.
losetup -o 512 /dev/loop0 /dev/sdb8
mount -r /dev/loop0 /mnt
If /dev/loop0 is already in use, you may have to choose another number. The command losetup -f will return the number of a free loop device.
However, manipulating partitions on a live system is error-prone, so rather than do this, I recommend moving the data from the USB stick to an ordinary file. Either copy the whole disk, then use losetup on the disk image (16M × 130 is calculated to be larger than the size of the USB stick):
dd bs=16M count=130 </dev/sdb8 >/var/tmp/usb-stick.disk
Or copy just the partition, and mount the partition image directly:
tail -c +513 </dev/sdb8 | dd bs=16M count=130 >/var/tmp/usb-stick.partition
mount -o loop,ro /var/tmp/usb-stick.partition /mnt
And for future reference, you might as well have passed an output file, rather than an output partition, to ddrescue in the first place.
you copied a disk to a partition - this is why there is a difference
if you wanted to mount the partition by itself to mount normally you should have used /dev/sda1 as the input file
you need to carve the partition out of the disk-file or use offsets for mounting tutorial:
http://www.andremiller.net/content/mounting-hard-disk-image-including-partitions-using-linux
you should also be able to easily see the contents with autopsy/sleuthkit available via apt-get or as rpm from CERT.org
typically i copy a disk or partition to a file...it's just easier to work with that way. then if i copied a disk to a file a carve the partitions into individual files or mount them like in the previously stated tutorial. last i have partition files i can mount and cp -pR to new partitions.
