Recovering GPT partition table

Hello all,

Recently my home server was hacked, a WD MY BOOK LIVE DUO. WD has reached out for support. My question: the hack involved a factory reset that involves “erasing” the HDDs; it just scrambles the partition information.
I have read one HDD; it is Linux format with GPT partitioning. I am not that versed with Linux to rebuild the GPT table. Any help? WD has offered to all affected a DRS for free and a discounted replacement MY CLOUD server. I laughed at the discount; they should replace the affected unit. I’m basically getting $60 off a $500+ unit. OK, I digress, so any layman's terms for rebuilding the GPT would help… The secondary GPT is intact, so the system says. Plus I have done a data search/recovery in test mode. It’s all still there, just missing a lot of file names… OK, can I go AAAARRGHHHH now? 7 years of backups and past computer systems -- gone… There is over 17 years of data on there…

Thank you all for the help

Tom K.
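
A read-only way to check the first post's statement that the secondary GPT is intact, run against a disk image rather than the drive. This is an added example, not code from any poster in the thread; it assumes 512-byte logical sectors, and the function names `read_backup_gpt` and `build_sample_image` are hypothetical.

```python
import io, struct, zlib

SECTOR = 512                                  # assumption: 512-byte logical sectors
HDR = struct.Struct("<8sIIIIQQQQ16sQIII")     # 92-byte GPT header
ENT = struct.Struct("<16s16sQQQ72s")          # 128-byte partition entry

def read_backup_gpt(img):
    """Validate the backup GPT stored in the last sector of a binary stream."""
    last_lba = img.seek(0, io.SEEK_END) // SECTOR - 1
    img.seek(last_lba * SECTOR)
    raw = img.read(SECTOR)
    (sig, _rev, hsize, hcrc, _rsv, my_lba, _alt, _first, _last, _guid,
     ent_lba, n_ent, ent_size, ent_crc) = HDR.unpack_from(raw)
    if sig != b"EFI PART" or not HDR.size <= hsize <= SECTOR:
        return {"ok": False, "reason": "no GPT header in last sector"}
    # The header CRC32 is computed with its own field (bytes 16-19) zeroed.
    if zlib.crc32(raw[:16] + bytes(4) + raw[20:hsize]) != hcrc or my_lba != last_lba:
        return {"ok": False, "reason": "header CRC or LBA mismatch"}
    if ent_size < ENT.size or n_ent * ent_size > 1 << 20:
        return {"ok": False, "reason": "implausible partition array size"}
    img.seek(ent_lba * SECTOR)
    table = img.read(n_ent * ent_size)
    if zlib.crc32(table) != ent_crc:
        return {"ok": False, "reason": "partition array CRC mismatch"}
    parts = []
    for i in range(n_ent):
        ptype, _uid, first, last, _attr, name = ENT.unpack_from(table, i * ent_size)
        if ptype != bytes(16):                # all-zero type GUID marks an unused slot
            parts.append((i + 1, first, last, name.decode("utf-16-le").rstrip("\0")))
    return {"ok": True, "partitions": parts}

def build_sample_image(sectors=128):
    """Constructed sample: blank primary area, valid backup GPT with one entry."""
    last, ent_lba = sectors - 1, sectors - 33  # 128 entries x 128 B = 32 sectors
    entry = ENT.pack(b"\x01" * 16, b"\x02" * 16, 34, 90, 0, "data".encode("utf-16-le"))
    table = entry + bytes(127 * ENT.size)
    fields = [b"EFI PART", 0x10000, HDR.size, 0, 0, last, 1, 34, ent_lba - 1,
              b"\x03" * 16, ent_lba, 128, ENT.size, zlib.crc32(table)]
    fields[3] = zlib.crc32(HDR.pack(*fields))  # CRC over header with field zeroed
    img = bytearray(sectors * SECTOR)
    img[ent_lba * SECTOR:ent_lba * SECTOR + len(table)] = table
    img[last * SECTOR:last * SECTOR + HDR.size] = HDR.pack(*fields)
    return bytes(img)

if __name__ == "__main__":
    print(read_backup_gpt(io.BytesIO(build_sample_image())))
```

For a real image, pass a file opened with `open(path, "rb")`; the function only seeks and reads, so the image is never modified.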

I understand your pain :(
Can you get that drive out of that device? (I hope so…)
The very very first thing I would do is dd that disk to another, as a whole.
Or at least to an image file, if you have a much larger disk to hold the data.
So, if anything you do during recovery attempts would make things worse, you can return to where you started, just dd the (image/ another disk) back.
Even better if you can have a spare disk with the exact same model, size (sectors x cyls x head) - then dd your disk to the spare and do the attempts on the spare…
Don’t do anything until you have an exact sector by sector copy of your drive, that hopefully still stores your valuable data.
After that I think I’d take testdisk, and give it a go.

Edit:

This may be of help to you as well. It starts with the same step I warmly recommended too.
"(Optional, but strongly recommended.) Do a low-level backup of the damaged disk."

For such important data, you should use different hard drives, in different locations, to generate enough redundancy.

It should be noted that these products were initially released in 2011 and software updates stopped in 2015, so they were no longer being supported at the time of this problem arising.

From: https://screenrant.com/wd-my-book-live-vulnerability-data-loss-issue-explained/

Additionally, if a hard drive is used very heavily for more than 5 years, you should regularly check it for failure and not rely too much on it, especially if there is important data on it.

There are some updates on the topic regarding data recovery from WD:

https://community.wd.com/t/important-announcement-about-your-wd-my-book-live-product-wdc-21008/268147

Further information on the topic:

https://www.theverge.com/2021/6/29/22555959/wd-my-book-live-second-exploit-authentication-factory-reset-without-password-root-control

This is the link that explained the issue in the best detail possible. All other articles I have skimmed remained extremely vague about how it was possible for the drive to be exploited in such a way.


Now, the very very first thing I would do is to immediately unplug the device, then set up an environment which ensures that nothing is written to the HDD, in any way possible. If data is written to such a device, it can delete files that are already on it, but not “visible”.
An environment perfect for such situations is the following:

https://www.caine-live.net/

It’s a live distribution dedicated to computer forensics. ALL devices attached to it, are by default mounted in read-only mode. So your HDD is safe from being written to.

Then follow the advice @kovacslt has given:

Then you can knock yourself out with trying out TestDisk or if that does not work, PhotoRec.

Which means, you should have a 16TB device or something like that. Though, I doubt the one you actually own has that much space, when it was produced around 2011, so perhaps you have 8TB in total? Those cost about 110-130 bucks nowadays. So, it’s not a $500+ unit.

Either way, if you have several TB at your hands, you should prepare for 2 months of data recovery.
If it ever appears, that recovery has stopped, do not interrupt it – just let it finish.

One thing @kovacslt mentioned, but which I would strongly recommend against is the use of plain dd.

Use ddrescue in this situation. It’s a thousand times better than the stone-old dd utility:

https://www.technibble.com/guide-using-ddrescue-recover-data/


Why? Is it a dying disc with weak and/or bad sectors?
If not, the stone-old thousand times used reliable mature dd will do the job simpler.
I would recommend ddrescue only if the source disk is suspected to be failing.

The article you linked uses the stone-old dd too for restoring the image (Part 2 restoring), so what’s the problem with dd?

I agree with Akito.
I bought a 2TB drive specifically to copy all my old information from around 1998 on
(9 old drives' worth of pictures, videos, and various information, nothing close to OS of any type)
It only gets added to when I’m offline and the computer has been checked for ‘problems’, plus I have something new to save. The rest of the time it isn’t in or connected to the computer and sits in its anti-static packing. It’s an old type ‘spinny’ disc, as they don’t need an internal battery to keep data.

If data integrity is not an issue, because the hard drive is not “faulty” (I don’t understand how you can know that), then why do this:

Don’t take an image, just use the hard drive as the source.
The image thing is for additional security. Since data recovery is usually read-only anyway, you would not need this extra security, when using the logic from your last post.

I’m pretty sure the article I linked states, that when an operation with dd fails for whatever reason, you have to start the whole process again.
So, if you waited 30 days for the image to be created, but dd stops at 7TB of 8TB for whatever stupid reason, you have to start cloning the entire disk again, if you want to be extra sure, you are not missing data.
With ddrescue it’s a different story.
That alone is already reason enough for me to recommend against dd, when one can use the far superior ddrescue utility, instead.
Even then, it’s not the only thing ddrescue is better at, than dd.
It’s not only for disks with “weak or bad sectors”.

I would recommend it to anyone doing anything with hard disks, no matter if faulty or not.

I linked the article, not because I believe in the authority behind the article (I do not even know the authority behind it), but simply because it’s the best ddrescue article I have ever read. Its usage is explained very well. I don’t care, if the same article shows how to use dd, as well. They might as well use TikTok as a third option, and I still wouldn’t care.

Right, that’s really an advantage.

Not exactly in this case.
The goal would be to re-create the missing partition entry (implies a write operation!), possibly also messing with the damaged filesystem (also means writing!!), to make it work to a level where he can copy data off that drive.

You got me wrong, or my English played havoc with me again…