Is it possible to recover deleted data from a clonezilla image?

2

1

Since foremost/sleuthkit seem to require a disk image, I created one using clonezilla. However, I realized afterwards that it "saves and restores only used blocks in the harddisk".

Does that mean it won't save any blocks were files used to be, but have been deleted? Or will it still copy all sectors with some sort of data on them? i.e. should I still be able to find any deleted files on the clonezilla image or not?

(related questions: How else can I create a full disk image for deleted file recovery? Can I use Sleuthkit/Foremost directly on a physical disk?)

KIAaze

Posted 2013-04-22T10:22:38.397

Reputation: 259

2I think the best way to make an as-is image would be using dd. – slhck – 2013-04-22T10:27:36.983

If I use dd, any specific blocksize and other stuff I should specify? Or can I just run dd if=/dev/sda of=/extHD/sda.img? I would like to reduce the time as much as possible, since the disk is about 220GB big. – KIAaze – 2013-04-22T10:35:44.297

Answers

2

Nope. Clonezilla won't save tge blocks that used to exist. It will backup all the present data only.

Karan Raj Baruah

Posted 2013-04-22T10:22:38.397

Reputation: 894

Ok, a whole evening creating the image wasted then. :( Thanks. – KIAaze – 2013-04-22T10:33:10.897

Asked: 2013-04-22T10:22:38.397

Viewed: 1 519 times

Active: 2013-04-22T10:29:13.890