Need to recover data from a data hard disk that I used testdisk on in my attempt to repair the MBR from a rootkit virus

To recover data from an image on an external USB drive here are the steps needed:

  1. Stop using the damaged drive.

  2. Have an external drive (or drives) ready holding twice your damaged drive's size. Format it with a filesystem able to hold a file as large as the one that will be created from the original drive (e.g. ext4).

  3. Boot Ubuntu from a live session ("Try Ubuntu").

  4. Mount your external drive using Nautilus.

  5. Verify the mount point of your external drive.
    e.g. with Properties --> Location in the right-click menu.

  6. Verify the location of your damaged drive with any of these commands in a terminal:

     sudo fdisk -l
     sudo blkid
    
  7. Create an image of your damaged drive

     sudo dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd
    

Replace sdX with your damaged drive (e.g. sda) or partition (e.g. sda1). Replace /mountpoint/DRIVENAME/ with the actual path where your USB drive was mounted.

Only if your damaged drive (sdX) is equal in size to your external drive (sdY) are you able to clone the drive (sudo dd if=/dev/sdX of=/dev/sdY) to perform data rescue on a cloned external drive. Still, working on an image as shown above is a much safer approach.

It is critical at this point to get the dd command right. If you give the wrong entry to of= you may damage all data that existed there.

  1. Install TestDisk on your live system as further elaborated in my answer below:
  • How do I recover my accidentally lost Windows partitions after installing Ubuntu?
  2. Read the awesome and concise guide from the makers of TestDisk to recover.

  3. In case your drive is huge, mount another drive/partition to hold the recovered data. Note this mountpoint for testdisk.

  4. Run testdisk on the image of your drive:

    cd /mountpoint/DRIVENAME/
    sudo testdisk rescue.dd
    
  5. Save recovered directories and files to your backup drive/partition (give testdisk the mountpoint of this drive as the storage location in case it's different from where the image is).

  6. Verify your data are there.

  7. Unmount all drives or shut down the live session.

In case we did not succeed in recovering our files, we may also run PhotoRec, which was installed together with the TestDisk suite, to recover individual files (but then filenames, permissions, and directories will be lost).

Your damaged drive is still untouched. We can even have this drive recovered by a professional service in case we fail with the above steps.


I believe, amongst other things, testdisk should work as a tool to recover your data. However, first and foremost, before you do anything else, you need to guard your last copy of the data. Firstly, only mount it read-only from here on. (You can remount it with the option ro; see man mount.)

I suggest getting yourself a large (>2TB) disk and copying a complete image of your current disk over: dd if=/dev/sda of=disk-image.dd, where /dev/sda is your read-only mounted, all-important disk and disk-image.dd is a file on the new disk; make sure there are 2TB free.

testdisk will work on an image as well and should be able to sort the partition table out. Get back with questions and comments and we can take it from here...

A good place to start reading is here: http://epyxforensics.com/node/36 In its walkthrough it starts by making a dd copy, as I suggested above, and continues to work on the copy.

Have you got yourself an examination computer with testdisk, gparted and maybe hexedit installed?
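Both answers above hinge on one thing going right: the of= argument of dd. The first answer warns that a wrong of= destroys whatever was there, and also asks for an external drive mounted with enough room for the image. The script below is an added example, not code from either answer or from the TestDisk project: it wraps the same dd step in pre-flight checks that refuse to run when the destination is a device node, when the mount point is just an empty directory (so the image would land in the live session's RAM), when an earlier image would be clobbered, or when the target filesystem is too small. The function names (check_image_target, check_mounted, check_free_space, build_dd_command, image_drive) and the bs=64K conv=noerror,sync status=progress options are my additions; the page only shows a plain dd.

```shell
#!/bin/sh
# Added example; not code from the answers above. Pre-flight checks around
#   sudo dd if=/dev/sdX of=/mountpoint/DRIVENAME/rescue.dd
# so that a typo in of= cannot overwrite a device and the image really lands
# on the mounted external drive. All function names are hypothetical.

# check_image_target DEST
#   DEST: path of the image file to create (the of= argument).
# Returns 0 if DEST is a safe, not-yet-existing regular path, 1 otherwise.
check_image_target() {
    dest="$1"
    # of= pointing at a device node overwrites that device; never allow it.
    if [ -b "$dest" ] || [ -c "$dest" ]; then
        echo "refusing: $dest is a device node, not an image file" >&2
        return 1
    fi
    # The parent directory must exist (catches a mistyped mount point path).
    if [ ! -d "$(dirname "$dest")" ]; then
        echo "refusing: directory for $dest does not exist" >&2
        return 1
    fi
    # Never clobber an image taken earlier.
    if [ -e "$dest" ]; then
        echo "refusing: $dest already exists" >&2
        return 1
    fi
    return 0
}

# check_mounted DIR
# Returns 0 only if DIR is itself a mount point, i.e. the external drive is
# really mounted there and DIR is not just an empty directory on the live CD.
check_mounted() {
    if ! command -v mountpoint >/dev/null 2>&1; then
        echo "warning: mountpoint(1) not available, skipping mount check" >&2
        return 0
    fi
    mountpoint -q "$1" || {
        echo "refusing: $1 is not a mount point (external drive not mounted?)" >&2
        return 1
    }
}

# check_free_space DIR NEEDED_BYTES
# Returns 0 if the filesystem holding DIR has at least NEEDED_BYTES available.
check_free_space() {
    dir="$1"; needed="$2"
    # df -Pk prints one POSIX-format line per filesystem; field 4 is "Available" in KiB.
    avail_kb=$(df -Pk "$dir" | awk 'NR == 2 { print $4 }')
    needed_kb=$(( (needed + 1023) / 1024 ))
    if [ -z "$avail_kb" ] || [ "$avail_kb" -lt "$needed_kb" ]; then
        echo "refusing: need ${needed_kb} KiB on $dir, only ${avail_kb:-?} KiB free" >&2
        return 1
    fi
    return 0
}

# build_dd_command SRC DEST
# Prints the dd invocation that image_drive runs. conv=noerror keeps going past
# unreadable sectors and conv=sync pads them with zeros so offsets in the image
# stay correct; bs=64K limits how much gets zero-filled around one bad sector.
build_dd_command() {
    printf 'sudo dd if=%s of=%s bs=64K conv=noerror,sync status=progress\n' "$1" "$2"
}

# image_drive SRC DEST
# Runs every check above, then the dd.  Usage: image_drive /dev/sdX /mnt/USB/rescue.dd
image_drive() {
    src="$1"; dest="$2"
    dest_dir=$(dirname "$dest")
    [ -b "$src" ] || { echo "refusing: $src is not a block device" >&2; return 1; }
    check_image_target "$dest" || return 1
    check_mounted "$dest_dir" || return 1
    # blockdev(8) reports the source size in bytes; it needs root on the live CD.
    size=$(sudo blockdev --getsize64 "$src") || return 1
    check_free_space "$dest_dir" "$size" || return 1
    echo "running: $(build_dd_command "$src" "$dest")"
    sudo dd if="$src" of="$dest" bs=64K conv=noerror,sync status=progress
}
```

Source the file in the live session and call image_drive with the device from step 6 and the image path from step 7; each check explains on stderr why it refused, and dd only starts once all of them pass. The check_free_space threshold is the bare size of the source device, so the "twice the size" rule from step 2 is still yours to apply when choosing the external drive.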