Forensics: Recovering data from heavily damaged / scratched DVD, CD

How many time have you lend your CD or DVD collections for movies, pictures or application to your friends and when you got them back, you discovered that they are badly damaged and beyond readable.

CD and DVD are fragile media. A few scratches here and there and they can easily become unreadable. This blog post present some of the tool that can allow recovering data from those spoilt CD/DVD’s.

Recoverdm Toolkit - (recoverdm)

This program will help you recover disks with bad sectors. In case if finds sectors which simply cannot be recovered, it writes an empty sector to the output file and continues. If you're recovering a CD or a DVD and the program cannot read the sector in "normal mode", then the program will try to read the sector in "RAW mode", meaning without error-checking etc. 

This toolkit also has a utility called 'mergebad': mergebad merges multiple images into one. This can be useful when you have, for example, multiple CD's with the same data that are all damaged. In such case, you can then first use recoverdm to retrieve the data from the damaged CD's into an ISO image-files and then combine them into one image with mergebad.

ISO Image

An ISO image is an archive file (disk image) of an optical disc using a conventional ISO (International Organization for Standardization) format. The name “ISO” is taken from the ISO 9660 file system used with CD-ROM media, but an ISO image can also contain UDF file system.

Data carving 

According to Wikipedia "Carving, is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. 

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries." In order to retrieve the files stored on our damaged media, we need a tool able to handle the ISO-9660 and/or UDF file system. At the time of writing of this blog post there is only few file carvers handling this file format. Dares is one of them.

Dares - (Windows - Linux)

Dares scans a CD/DVD image or a CD/DVD and tries to find files. It does not depend on file system information, but instead uses the Magic library to identify files. Doing it this way Dares can recover files even when the file system (ISO-9660 or UDF) on the disc is damaged and cannot be mounted anymore.

Case of study

In our case we have a heavily damaged DVD. This DVD is supposed to be a backup of pictures but it can't be read anymore. Let's see what we can restore.

Step 1 - Dumping the data

recoverdm -t 30 -i /dev/sr0 -o backupdvd.iso -s 1 -l badsectors.lst-r 1

Step 2 - Carving

dares –i backupdvd.iso –s outputdir

Step 3 - Renaming the files

Since we are looking for JPEG files we can rename all extracted file within the following command:

ls -d *.bin | sed 's/\(.*\).bin$/mv "&" "\1.jpg"/' | sh