2017-10-27

Linux Data Recovery of a Factory Restored Android Device

Somehow, I managed to pocket-dial my way to a factory restore on my Android phone.  Yeah... no idea how.  Anyway, while I'm quite good at backing things up, I have lost about 10 days worth of journal entries, a few photos, and some GPS tracks.  Certainly not the end of the world, but annoying.

So, I figured this is a good time to see what is recoverable from internal storage on an Android device after a format.  I'm no expert here, and I'm writing this as a way of taking notes.  This isn't intended to be a how-to guide for everyone that's made a foolish mistake.  It's not intended to be a complete reference for experts either. It's just what I did while learning how to do it.  I write notes as I go, and I figured I might as well share.  If you find this useful, then buy me a cup of coffee.

So, surprise, surprise... I've got 24GB of free space in my internal storage.  Nice shiny new unconfigured interface, factory default everything except the scratches.  Dang!

As I write this, I'm copying said 24GB to an image file on my desktop system.  I'll run some recovery tools on that when it's done.  Here's how I got to this point:

For some reason, my phone has the option to mount internal storage as an SDcard via USB, but nothing shows up on my Linux desktop.  Switching to MTP shows the file system, but that's pretty much useless for me as there's nothing there but what comes stock.  By design, the raw storage is not available.

So, I installed the Android Development Toolkit:
 sudo apt-get install android-tools-adb

That would show a connection via:
 adb devices
but said "insufficient permissions for device"

So, I rooted the device.  I wasn't keen on that as any writes to the device risk wiping the data I want to recover, but whatever.  I chose KingRoot.  Whatever works for your device.  That made no difference.  Sigh...

I found out that I should restart the ADB service via sudo:
 adb kill-server
 sudo adb start-server
That worked, I can now run ADB commands against the device.

Next up, I needed to figure out what partition to copy.   I used:
 adb shell su -c "cat /proc/emmc"
and then:
 adb shell su -c "cat /proc/partitions"
to cross-reference the partition for "userdata".  In my case, it was /dev/block/mmcblk0p22

Then, I copied the entire partition to my desktop via:
 adb shell su -c "dd if=/dev/block/mmcblk0p22" > ~/backup22.image

Anyway, that command is half-way finished now.  Considering this will be a 24GB file, from here on in, the commands I run are going to take their sweet time.  I'll update this as I go... maybe I'll actually get that 2KB of journal text file recovered, maybe the 20MB of photos, and a few other MB of map tracks.  Maybe I won't.  At least I've learned a few things already.

Hope this helps...

Update 1:

The first try at capturing the image stopped at 10.1GB.  The next ran to 27GB(?).  Neither Testdisk nor Photorec managed to get anything useful off either.  As well, after having decided to get it over with and factory-reset my phone to get rid of KingRoot, which seems rather invasive, I discovered that pocket-dialling my way to a factory-reset is near impossible.  The system is designed to avoid this.  Thus, something else must have happened.  Maybe, it crashed and scrambled the partitions enough that the phone decided to rebuild the file system?  Just guessing at this point.  In any event, I've decided to grab everything I can off the phone before doing the reset.  Thus:
 adb shell su -c "dd if=/dev/block/mmcblk0" > ~/backupAll.image
I'll let that run tonight and see what I can get off it later.

Update 2:

A factory-restore does not remove KingRoot.  Apparently, using its own uninstall does.  At least it appears to be gone.  Note that the above adb shell su ... commands no longer work, so my phone does not come rooted and does require this for access.  Still not having any luck with testdisk on the latest dd image.