Shulou(Shulou.com)05/31 Report--

This article mainly introduces the relevant knowledge of "what is the method of data recovery in linux system". The editor shows you the operation process through an actual case. The operation method is simple, fast and practical. I hope this article "what is the method of data recovery in linux system" can help you solve the problem.

Tools: hexedit, fdisk

The following operations are done in the root environment.

Hexedit:

On linux, hexedit is often used to modify the hexadecimal code of a program. Fdisk will not be introduced here.

Now let's go into the world of the disk and see what it does to the data.

First, use root permissions under the terminal to run the following command:

Command: fdisk-l

/ dev/sdb1 is the protagonist of today. We can see some relevant data clearly from the picture, such as size of disk, sector, Imax O size, and so on.

The disk format is ext4, not the vfat32 and NTFS formats on MS, and the FAT32 picture is posted at the end of the article.

* step:

Run fdisk, using expert mode, to back up Partition table.

The partition table of ext4 is very simple, and the backup partition table is ext4.img. The purpose of backup is to avoid being corrupted during data recovery.

Step 2:

First of all, execute the cut command operation on the target sdb1, move the files on the sdb1 to the computer hard disk, and after the execution is finished, use hexedit to open the sdb1.

Name of the file that was cut: usb.png

Command: hexedit-s / dev/sdb1

You can see the file name and the sector where it is located in the picture. Did you find that the device of the picture is sdc1? The dev changes due to the automatic mounting of the disk, and the data does not change with the dev change of the disk. Now that you've found the file name, you need to find the file header.

How do I find the header? You can use hexedit for hex search, and if you want to ASCII, you can press TAB to switch to the ASCII area.

The size of the file determines the number of sector occupied by the file on disk, 1 sector==512 bytes. In the figure, the files header offset and sector are shown.

Extract the hexe value and write it to the file.

Restored image:

It looks very simple, it is just a single file cutting operation and data recovery. Here to remind you: the data saved in the disk can not be recovered after deletion, but the data that has been cut out can be recovered as well.

Let's take a look at how to do this after deleting data from disk.

Execute the delete command on disk to delete a file named 1.gif, as follows:

You can see the sector changes from the file header to the file end, header sector: 264056, end sector: 264057, the file size is 1K, the picture is very small.

Create a new file, and then perform the delete operation to see how the disk data changes.

Files header sector: 264056, end sector: 264061, * delete files header sector: 264056, end sector: 264057, so you can see that the data deleted for * * times is overwritten, while the second deleted data is retained.

The operation here is to demonstrate the data recovery of a single file on disk and the data changes in its disk. Next, let's take a look at the operation of double files.

There are two different types of files on disk.

File name: partition.zip

File name: cab.ico

Header secotor:264056,end sector:264058 of * files

The second file, header sector:264064,end sector:264076. It is found that there is a difference of multiple sector between the end sector of * files and the header sector of the second file, so what is the difference between them?

You can see that the difference in the middle is all filled with 00. Let's summarize the practical operation on linux this time:

Ext4 file system

Perform clipping

File name: usb.png sector 67120

File header: sector 264064 file end: sector 264076

Perform deletion

File name: 1.gif sector 67112 (override)

File header: start: sector 264056 end: sector 264057 (overlay)

File name: 56.jpg sector 67112

File header:start: sector 264056 end: sector 264061

When a single file is executed, the last deleted data is overwritten when the deletion is performed.

Save file

(1) file name: partition.zip sector 67112

File header: start sector 264056 end sector 264058

(2) file name: cab.ico sector 67112

File header: start sector 264064 end sector: 264068

Shear area: sector 264064

Delete area: sector 264056

Storage area: coexisting with deletion area

Storage area: when a single file, the file overwrites the deleted area data.

Data recovery: when multiple files are deleted, the deleted area retains the data hex. If new file data is created, the deleted data hex will be overwritten.

Attached picture:

FAT32 disk format chart:

This is the end of the content about "what is the method of data recovery in linux system". Thank you for your reading. If you want to know more about the industry, you can follow the industry information channel. The editor will update different knowledge points for you every day.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.