How to use the Linux File recovery tool

2025-03-29 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Many inexperienced users do not know how to use the Linux file recovery tools, so this article summarizes the cause of the problem and the solutions; after reading it you should be able to handle this situation yourself.

Linux system administrators have a rule: "use rm -rf only when you know what the command will do." Deleting a file under Linux does not actually erase it from the disk partition: the sector pointers in the file's inode are cleared and the corresponding data blocks are released. The deleted data is overwritten only when the system reallocates those released blocks. So after deleting data by mistake, unmount the partition holding the file immediately and then use the appropriate tool to recover it. Taking Ubuntu 12.04 as an example, this article introduces four commonly used Linux deleted-file recovery tools (foremost, extundelete, testdisk and photorec).

The principle of Linux File recovery

Inode and block

Let's start with a brief introduction to the most basic unit of the Linux file system: the inode. Inode translates into Chinese as "index node". After a storage device (such as a hard disk) or a partition of one is formatted with a file system, it consists of two parts: inodes and blocks. Blocks store the data; an inode stores the information about that data, including file size, owner, group, read and write permissions, and so on. Since the inode indexes the information for each file, every file has an inode number. Under Linux you can use the ls -id command to view the inode number of a file or directory. The inode number of the root directory is generally 2, and when a partition is mounted on a directory, the root of that partition also has inode number 2.

# mount /dev/sdb2 /tmp
# ls -id /tmp
2 /tmp

The principle of file recovery

The commands introduced in this article obtain file system information through the file system's inode number (usually 2, the root directory). In ext3 and ext4, each file's inode describes exactly where its data is stored. When a file is deleted, the inode's data pointers are cleared while the directory area changes little. Reading and writing a file go through its inode, so once the pointers are cleared the file content may still be on disk but there is no way to reassemble it. When metadata changes in ext3 and ext4, a copy of that metadata is kept in the journal: when a file is deleted, a copy of its inode information is saved in the journal first, and then the inode information of the deleted file is cleared. The journal is recycled, so after many operations the journal records of deleted inodes are replaced by newer data, and the chance to retrieve the data through the inode is completely lost. If a large number of files were deleted, the journal is recycled many times and only the most recently deleted files remain recoverable.

Use the command line tool to restore files

Introduction to foremost and extundelete

Foremost is a command-line tool that recovers files based on their headers, footers and internal data structures. This process is often called data carving. Foremost can analyze image files produced by dd, Safeback, Encase and similar tools, or analyze a drive directly. File headers and footers can be set in a configuration file, or you can use the built-in file types through command-line switches. Foremost was originally developed by the Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research, and is now released under the GPL. Foremost supports recovering the following formats: avi, bmp, dll, doc, exe, gif, htm, jar, jpg, mbd, mov, mpg, pdf, png, ppt, rar, rif, sdw, sx, sxc, sxi, sxw, vis, wav, wmv, xls, zip.

For the ext file systems under Linux, the commonly used deleted-file recovery tools include debugfs, ext3grep, extundelete and so on. Extundelete is an open source data recovery tool that supports the ext3 and ext4 file systems. Its official site is http://extundelete.sourceforge.net/. The current stable version is 0.2.0.

Comparing the two command-line tools described above: foremost supports more file systems (ext2, ext3, vfat, NTFS, ufs, jfs and others), whereas extundelete supports only ext3 and ext4. On the other hand, foremost can only recover files of the specific formats it knows.

Use foremost

First install the software package:

# apt-get install foremost

Users of other Linux distributions can download the source code and compile and install it at http://foremost.sourceforge.net/. Let's take a look at how to use it.

Restore a single type of file

The author deletes a png file from a USB stick (/dev/sdb1) and then uses foremost to recover it.

# rm -f /dev/sdb1/photo1.png
# foremost -t png -i /dev/sdb1

After the recovery completes, an output directory is created in the current directory, with a png subdirectory under it that holds all recoverable png files.

Note that the recovered files in the png subdirectory no longer carry their original names, and the audit.txt file in the output directory is the list of recovered files.

Restore multiple types of files

# foremost -v -T -t doc,pdf,jpg,gif -i /dev/sda6 -o /media/disk/Recover

After the recovery completes, the output directory given with -o is created (here /media/disk/Recover; -T appends a timestamp to its name), and four subdirectories (doc, pdf, jpg, gif) are created under it, each holding files of that type. The audit.txt file in the output directory is the list of recovered files.

Use extundelete

First install the software package:

# apt-get install extundelete

Users of other Linux distributions can download the source code from http://extundelete.sourceforge.net/ and compile and install it. The two packages e2fsprogs and e2fslibs must be installed before building extundelete. Let's see how to use it.

Simulated data erroneous deletion environment

Here we mount the partition /dev/sdd1 on /backupdate, create a test directory deldate, and create a file del1.txt in it.

# mkdir -p /backupdate/deldate
# mkfs.ext4 /dev/sdd1
# mount /dev/sdd1 /backupdate
# cd /backupdate/deldate
# touch del1.txt
# echo "test 1" > del1.txt

Record the file's checksum:

# md5sum del1.txt
66fb6627dbaa37721048e4549db3224d  del1.txt

Delete the file:

# rm -fr /backupdate/*

Unmount the file system or mount it read-only:

# umount /backupdate

To list what can be recovered, scan the partition starting from inode 2 (the root directory):

# extundelete /dev/sdd1 --inode 2
File name                                       | Inode number | Deleted status
Directory block 8657:
.                                                 2
..                                                2
lost+found                                        11             Deleted
del1.txt                                          12             Deleted

Entries marked Deleted are files or directories that have been deleted.

Start restoring files

By default, files are restored into the RECOVERED_FILES directory under the current directory.

# extundelete /dev/sdd1 --restore-file del1.txt

If you restore a directory:

# extundelete /dev/sdd1 --restore-directory /backupdate/deldate

Restore all files:

# extundelete /dev/sdd1 --restore-all

Compute the checksum of the recovered file to check whether the recovery succeeded:

# md5sum RECOVERED_FILES/del1.txt
66fb6627dbaa37721048e4549db3224d  RECOVERED_FILES/del1.txt

The checksum is exactly the same as before the deletion.
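The checksum comparison above is the real test of a recovery, so here is an added example (not code from the original article) that records a checksum manifest before a deletion drill, verifies a RECOVERED_FILES tree against it afterwards, and wraps the article's simulated-deletion steps around a loop image rather than a real /dev/sdd1. The image and mount point arguments, the manifest name before.md5 and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): checksum manifest before a
# deletion test, verification of a RECOVERED_FILES tree afterwards, and the
# article's simulated-deletion drill run on a loop image. Assumes md5sum,
# find, sort, sed and (for the drill only) root plus mkfs.ext4/extundelete.

# make_manifest DIR OUT: md5sum of every regular file under DIR, paths relative to DIR
make_manifest() {
  ( cd "$1" && find . -type f -exec md5sum {} + | sed 's|  \./|  |' ) | sort -k2 > "$2"
}

# verify_recovery MANIFEST DIR: compare each recorded file with DIR/<path>.
# Prints ok/bad/missing counts; "bad" means the file came back but its content
# differs, i.e. its blocks were partly overwritten before the recovery ran.
verify_recovery() {
  manifest=$1; rec=$2; ok=0; bad=0; missing=0
  while IFS= read -r line; do
    hash=${line%%  *}; path=${line#*  }
    if [ ! -f "$rec/$path" ]; then
      missing=$((missing + 1))
    elif [ "$(md5sum < "$rec/$path" | cut -d' ' -f1)" = "$hash" ]; then
      ok=$((ok + 1))
    else
      bad=$((bad + 1))
    fi
  done < "$manifest"
  echo "ok=$ok bad=$bad missing=$missing"
  [ "$bad" -eq 0 ] && [ "$missing" -eq 0 ]
}

# recovery_drill IMG MNT: the article's procedure on a loop image (needs root;
# IMG is an existing file, e.g. created with truncate -s 64M). Not run by the test.
recovery_drill() {
  img=$1; mnt=$2
  mkfs.ext4 -q -F "$img" && mkdir -p "$mnt" && mount -o loop "$img" "$mnt" || return 1
  echo "test 1" > "$mnt/del1.txt"
  make_manifest "$mnt" before.md5       # checksums taken before the deletion
  rm -rf "$mnt"/*                       # simulate the accidental rm -fr
  umount "$mnt"                         # stop all writes to the file system
  extundelete "$img" --restore-all      # recovered files land in ./RECOVERED_FILES
  verify_recovery before.md5 RECOVERED_FILES
}
```

A recovered file that is reported as "bad" is usually one whose blocks were reallocated before the partition was unmounted, which is why the article insists on stopping all writes first.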

Summary of use: in actual use the author found that extundelete still has many gaps; recovery of the whole disk is fairly powerful, while recovery of individual directories and files is not strong enough. When a file has been deleted by mistake under Linux and the data is found to be missing, take no further action and preserve the scene. Copy the affected file system to another storage space as a raw backup, using the dd command or the AIR (Automated Image Restore, http://cdnetworks-kr-2.dl.sourceforge.net/) tool, so that data recovery specialists can diagnose and restore from that copy.

Use scalpel

The tools described above are mainly used on ext3 and ext4 file systems. If you are using an older file system that has no journal, you can use the scalpel tool. Scalpel is a fast file recovery tool that recovers files by scanning the raw contents of the device for known file headers and footers, so it does not depend on the file system.

Users can download the source code from http://www.digitalforensicssolutions.com/Scalpel/ and compile and install it. Here's how to use it:

Before using the scalpel tool, you first need to modify the configuration file: / etc/scalpel/scalpel.conf.

For example, to recover all deleted pdf files, remove the # in front of the two lines for the pdf format in /etc/scalpel/scalpel.conf:

[...]
pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
[...]

Then save the file.

Here's how to use it:

# scalpel /dev/sdb1 -o /RECOVERY/

Here /dev/sdb1 is the target drive and /RECOVERY/ is the directory where recovered files are stored. The audit.txt file in that directory is the list of recovered files.
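As an added example that is not part of the original article, this shell helper performs the scalpel.conf edit described above without hand-editing: it uncomments every rule line for a given type and lists which types are currently enabled. The sample configuration is constructed from the two pdf lines quoted above plus one jpg line for contrast; the configuration path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): enable a file type in a
# scalpel.conf rule file and list the enabled types. Assumes POSIX sed/awk.

# enable_scalpel_type CONF TYPE: uncomment every rule whose first field is TYPE
# (a commented rule looks like "#  pdf  y  5000000  %PDF  %EOF\x0d  REVERSE")
enable_scalpel_type() {
  conf=$1; type=$2
  sed "s/^#[[:space:]]*\($type[[:space:]]\)/\1/" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# enabled_scalpel_types CONF: first field of every active rule line, deduplicated.
# Rule lines have at least four fields: type, case flag, max size, header.
enabled_scalpel_types() {
  awk '$1 !~ /^#/ && NF >= 4 { print $1 }' "$1" | sort -u
}

# make_sample_conf PATH: constructed sample with pdf disabled and jpg enabled
make_sample_conf() {
  cat > "$1" <<'EOF'
# GIF and JPG files (very common)
    jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
#   pdf     y       5000000 %PDF  %EOF\x0d  REVERSE
#   pdf     y       5000000 %PDF  %EOF\x0a  REVERSE
EOF
}
```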

Use the character terminal tools testdisk and photorec

Introduction to testdisk

Testdisk is an open source, free tool for partition table recovery, RAID recovery and partition recovery (it supports the following file systems: FAT12/FAT16/FAT32/NTFS/ext2/ext3/ext4). Its functions include: repairing the partition table, restoring deleted partitions, restoring the FAT32 boot sector from its backup, rebuilding the FAT12/FAT16/FAT32 boot sector, repairing the FAT table, rebuilding the NTFS boot sector, restoring the NTFS boot sector from its backup, repairing the MFT using the MFT mirror, finding the backup superblock of ext2/ext3, recovering deleted files from FAT, NTFS and ext2 file systems, and copying files from deleted FAT, NTFS and ext2/ext3 partitions.

Usage

First install:

# apt-get install testdisk

Users of other Linux distributions can download the source code from http://www.cgsecurity.org/wiki/TestDisk_Download and compile and install it. The packages libjpeg8, libncursesw5, libuuid1 and zlib1g should be installed before building testdisk. Let's take a look at how to use it.

Start testdisk:

# testdisk

After testdisk starts, the first screen asks how the log file (testdisk.log) of the recovery operation should be recorded, as shown in figure 1.

Figure 1. Select how to record the log files in the restore operation

[Create] create a new log file; [Append] append to the existing log; [No Log] do not record a log

After selecting the logging mode, the program lists the connected disk devices, as shown in figure 2.

Figure 2. Disk devices in the connected state

From the listed disk devices, select the one holding the partition you want to restore, then choose the partition table type. For an ext4 file system, select [None] Non partitioned media, as shown in figure 3:

Figure 3. Select [None] Non partitioned media

Note: normally choose [Intel] Intel/PC partition (for a GPT disk, choose [EFI GPT]). An ext4 file system is also identified correctly with [Intel] Intel/PC partition, but analysing the hard disk is then relatively slow.

Select [Analyse] on the next screen to analyze the partition, as shown in figure 4.

Figure 4. Analyze the partition

The current partition state is shown next. This is the partition layout the software found by analysing the current partition table; select "Deep Search" for a deeper scan, as shown in figure 5.

Figure 5. Select "Deep Search" for a deeper scan

The screen shown after the search completes is figure 6.

Figure 6. Search complete

In this screen, press the P key to list the files on the hard drive as shown in figure 7.

Figure 7. The red file name is the file that has been deleted.

File names in red are files that have been deleted. After selecting the file you want to restore, press c; testdisk then asks which directory to copy it to. Select the destination directory at that point.

Introduction to photorec

Photorec is a data recovery program used to recover lost videos, documents, archives and other files from hard drives and CDs, or to recover lost pictures from digital camera memory cards (hence the name, photo recovery). Photorec ignores the file system and recovers data directly from the underlying media, so it can also recover data after the file system has been severely damaged or reformatted. For safety, photorec opens the disk or memory card it recovers from read-only. Tip: once you find that a picture or file has been lost or accidentally deleted, do not save any new files to that storage device or disk, otherwise you may overwrite the original data. This also means that when using photorec you should never write the recovered files to the same partition the original data is on.

Use photorec to recover files

Photorec is a companion program for testdisk. After installing testdisk, photorec can be used.

Start photorec

# photorec

The connected disk devices are shown in figure 8. Select the device holding the files to be recovered, then select Proceed to go to the next step.

Figure 8. Connected disk device

Next, select the partition format of the disk being recovered. Select ext4 here, as shown in figure 9.

Figure 9. Select the recovered disk partition format

The file types available for recovery are selected under [File Opt] at the bottom of the screen, as shown in figure 10.

Figure 10. Types of files available for recovery

Note: to recover only certain file types based on their signatures, press s to uncheck all types, then move the cursor to each type you want and press space to select the highlighted type.

Next, set the area of disk space to analyze: either the entire partition or only the free space (that is, unallocated clusters), as shown in figure 11.

Figure 11. Set the area of disk space to be analyzed

Then select the type of file system used by the partition and set the directory for the exported files; generally just enter Y and press Enter. Figure 12 shows the screen when recovery is complete.

Figure 12. Recovery complete

After recovery, select Quit to exit PhotoRec. The recovered files are saved under the current directory in numbered subdirectories named recup_dir.1, recup_dir.2 and so on.

Functional comparison

Table 1 compares the Linux deleted-file recovery tools.

Testdisk can also be used for file recovery when the partition on the hard disk (which still holds the original data records) has been corrupted. However, if a new partition has been created again after the damage, the chance of recovering files is small and the work is very difficult. Photorec is not limited to hard disks, USB devices, CD-ROMs and SD cards; it can also be applied to other storage devices.

After reading the above, have you mastered how to use the Linux file recovery tool? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!
