Recovering Data from a Live USB Version of Linux (by Accessing casper-rw)

If I Die Young

I'm sure The Band Perry was not referring to my Live USB version of Ubuntu 13.04 when they thought of the song with the same title as above; but, this is exactly what happened to me.

A few weeks ago, I created a Live USB version of my favorite linux distro. I'd previously explored partitioning my machine and decided against it since I liked the convenience that a Live USB option gave me. I could transition in and out of operating systems without too much hassle - and if something were to go caput on Linux (which had happened before), it would not affect my machine.

Things were going swimmingly until one day the Live USB version of Linux refused to boot. Long story short, I realized that there was no way that I was going to be able to fix this (without spending copious amounts of time on it). All I really needed from the pen drive were my precious files. I didn't care so much about the rest of it.

(Psst...Look for the song on Grooveshark in case you want to listen to it while reading the balance of this text.)

 

A Friendly Ghost

 

Even though my thumb drive had apparently died, I didn't realize that I would be dealing with a ghost just yet. I looked online for an answer to recover data from a Live USB version of Linux but noticed that most of the solutions were centered around using a Live USB version of Linux to recover data from (other) crashed systems - and not the pen drive itself. After some more searching I found this post by leet hacker. Unfortunately, the poor person seemed to bumping their head - and the post - to no avail. Luckily, the post by seventyeights pointed me in the right direction to the enthusiastic (and I daresay romantic) thread of tg3793 - which is the solution that I'd like to share with you in more detail. 

The idea in brief is to recover the data that's stored on the pen drive in a file called casper-rw by mounting it from another machine running Linux.

 

Double Vision

 

Before embarking on the exciting journey of recovering the files, please take a moment to plug in the pen drive that has the Live USB version of Linux you'd like to recover data from into a USB port on your machine and observe that, confusingly enough, there exists a folder named casper in the root folder.

Figure 1: The casper folder

Please note that this is not the entity that contains the precious files we're after. If you look down a little further in this list, notice that there exists an inconspicuous-looking file called casper-rw.

Figure 2: The casper-rw file

This is the file that contains our data.

 

Virtual Reality

 

After having a disastrous experience with Live USB, I decided to look for alternatives. Also, I hadn't access to another machine - which is what it looked like was required to perform the recovery. To this end, installing Ubuntu on a virtual machine seemed liked a great idea because this meant that I could transition between operating systems in a breeze and it gave me access to another "machine" to read the contents of casper-rw. Jackpot!

I spent a couple days checking out virtual machines. I initially went with what seemed like the more popular Oracle Virtual Box. However, trying to get it to work on my machine and running into all kinds of issues, I just decided to go with the basic version of VMware Player. Take some time to settle in on a virtual machine (VM) that works for you. Now that we have all the tools we need to recover the files, let's see in detail how to do this. 

 

Breathing Life Back into the Undead

 

 The first step is easy enough. Plug in the pen drive containing the Live USB version of Linux into your machine. Fire up the VM and make sure that it recognizes the plugged in pen drive. In Ubuntu 13.04 this indicated by a USB icon on the launcher.

Figure 3: Ubuntu launcher icon

I will add that I had some trouble getting the pen drive to be recognized on VMware player. But getting into the details of that is beyond the scope of this post. In brief, if the icon above appears in the launcher, the pen drive is recognized by VMware player - else it's not.

Now, fire up a terminal. Create a directory in /media called recoveredData that'll be used to obtain the files from casper-rw by inputting the following command

sudo mkdir /media/recoveredData

You may be prompted to enter your admin password as you used the sudo command.

Now, click on the USB icon on the launcher. It should open up a window displaying the contents of the folder. Look for and right-click on the word PENDRIVE. In the list that shows up, select Properties. This should pop up another window with the properties of the drive.

Figure 4: Pen drive properties

Take note of the location of the pen drive. Mine happened to be at

/media/user/PENDRIVE 

It's safe to assume that casper-rw still resides on the pen drive. So, let's mount casper-rw. Issue the following command

 sudo mount -o loop /media/user/PENDRIVE/casper-rw /media/recoveredData

making sure you replace the path to casper-rw you discovered in the previous step. 

After you do this, if you don't see a window displaying the files located in casper-rw, look for the following icon on the launcher and click on it.

Figure 5: Launcher icon when casper-rw is mounted

This should open up a window with all the files on casper-rw - indeed on your Live USB version of Linux that refused to boot. After you're done safely transferring the files, make sure you unmount casper-rw

sudo umount /media/recoveredData

bearing in mind that the command is umount and not unmount.

 

A Haunted Movie

Here's a video detailing the steps mentioned in the blog on recovering data from casper-rw. If a picture is worth a thousand words, then a video is worth at least a million!

 

 

Dropboxing It

After this fiasco, I decided to always back up my important files to Dropbox - rather than on the machine. I do this now on the VM. This way my data is synced and backed up safely should I run into issues that prevent access to it. Plus, it's available anywhere I have an internet connection. Neat.