Shulou(Shulou.com)06/01 Report--

How to recover deleted files in Linux, this article introduces the corresponding analysis and answer in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

How does the recovery software work?

Most file systems (when deleting files) simply mark the space blank. Under these file systems, the recovery software looks at the file allocation table and then copies the deleted file to another storage unit. If the file is copied to another deleted storage unit that needs to be recovered, the user may lose the desired deleted file.

The file system rarely erases entries in the file allocation table. If the file system does this, the recovery software is restoring the files. The recovery software scans the file headers in the storage unit, and all files have a special encoding string, which is at the front of the file, also known as magic numbers. For example, the magic number of a compiled JAVA class file is "CAFEBABE" in hexadecimal. So, if you want to recover files of that type, the recovery software looks for "CAFEBABE" and copies the files to another storage unit. Some recovery software can look for a particular file type. If the user wants to recover a PDF file, the recovery software will look for the hexadecimal magic number "25504446", which is precisely the "% PDF" in the ASCII code. The recovery software will look for all magic numbers, and then the user can choose which deleted file to restore.

If part of a file is overwritten, the whole file will be corrupted. Usually this file can be recovered, but its contents may no longer be useful. For example, it would be pointless to recover a corrupted JPEG file because the picture viewer cannot generate a picture from the corrupted file. Therefore, even if the user owns this file, the file will be useless.

Location of the device:

Before we proceed, the following information will help guide the recovery software to the correct storage unit. All devices are mounted in the / dev/ directory. The name given to each device by the operating system (not the name given to each partition or device by the administrator) follows a certain naming rule.

The name of the second partition of the first SATA hard drive will be sda2. The first letter of the name indicates the storage type, which in this case means SATA, but the letter "s" may also refer to SCSI, FireWire (hot wire port), or USB. The second letter "d" refers to disk (hard drive). The third letter refers to the ordinal number of devices, that is, the letter "a" refers to the first SATA and "b" refers to the second. The final number represents the partition. Device names that do not have partition numbers represent all partitions for this setting. For the above example, the corresponding name is sda. The first letter of the name may also be "h", which corresponds to the PATA hard drive (IDE).

Here are some examples of naming rules. If a user has a SATA hard drive (sda), the device has four partitions-sda1, sda2, sda3 and sda4. The user deletes the third partition, but the fourth partition name sda4 remains until the fourth partition is formatted. Then the user inserts a usb memory card (sdb) with a partition-sdb1-, adds an IDE hard drive with a partition-hda1-, and then adds a SCSI hard drive-sdc1. The user then removes the USB memory card (sdb). For now, the name of the SCSI hard drive is still sdc, but if the SCSI is removed and then inserted, its name will become sdb. Although there are other storage devices, the name of that IDE hard drive will still have an "a" because it is the first IDE hard drive, and IDE device names should be counted separately from SCSI, SATA, FireWire, and USB devices.

Restore using TestDisk:

Each recovery software has different functions, features, and different file systems that are supported. Here are some guidelines for using TestDisk to recover files from various file systems.

FAT16, FAT32, exFAT (FAT64), NTFS, and ext2/3/4:

TestDisk is open source free software running on operating systems such as Linux, * BSD, SunOS, Mac OS X, DOS and Windows. TestDisk can be found in the following link: http://www.cgsecurity.org/wiki/TestDisk. TestDisk can also be installed by typing sudo apt-get install testdisk. TestDisk has many features, but this article will only focus on restoring files.

You can open TestDisk from a terminal with root privileges by typing the sudo testdisk command.

Now the TestDisk command line application will be executed. The display of the terminal will change. TestDisk asks the user whether it can keep the log, which is entirely up to the user. If a user is recovering files from system storage, it is not necessary to keep the log. The options you can choose are generate, append, and No Log. If the user wants to keep the log, the log will be kept in the user's home directory.

In the following screen, storage devices are listed in the form of / dev/*. For my system, the storage unit of the system is / dev/sda, which means that my storage unit is a SATA hard disk (sd) and it is the first hard disk (a). The capacity of each storage unit is shown in Gigabyte (gigabytes). Use the up and down keys to select a storage device and click enter.

The next screen displays a list of partition tables (also known as partition mapping tables). Just as a file has a file configuration table, a partition has a partition table. A partition is a segment on a storage device. For example, in almost all Linux systems, there are at least two partition types-EXT3/4 and Swap. Each partition table will be briefly described below. TestDisk does not support all types of partitioned tables, so this is not a complete list.

Intel-this type of partitioned table is common in Windows systems and many Linux systems, and is often referred to as MBR partitioned tables.

EFI GPT-this type of partitioned table is commonly used in Linux systems. For Linux systems, this kind of partitioning table is most recommended because the concept of logical partitioning or extended partitioning does not apply to GPT (GUID Partition Table) partitioned tables. This means that if there is one Linux system in each partition, a Linux user can boot multiple boots from multiple types of Linux systems. Of course, there are other advantages to using GPT partitioned tables, but those are beyond the scope of this article.

The Humax-Humax partition mapping table is suitable for the equipment produced by Humax, a Korean company.

The Mac-Apple partition mapping table (APM) applies to Apple devices.

None-some devices do not have a partition table. For example, many Subor game consoles do not use partition mapping tables. If a user tries to recover files from such devices with other partition table types, the user will wonder why TestDisk found any file systems or files.

The Sun-Sun partition table is suitable for Sun systems.

Xbox-Xbox is suitable for storage devices that use Xbox partition mapping tables.

If the user chooses "Xbox", although his system uses the GPT partition table, TestDisk will not be able to find any partitions or file systems. If TestDisk executes according to the user's choice, it may guess wrong. (the following picture shows the output when the partition table is of the wrong type.)

When users choose the correct option for their device, in the next screen, select the Advanced option.

The user will now see a list of all the file systems or partitions in the user's storage device. If the user chooses the wrong partition mapping table, the user will know in this step that they have made the wrong choice. If there are no errors, highlight the partition that contains the deleted file by moving the text cursor. Use the left and right keys to highlight the list at the bottom of the terminal. Next, press enter to confirm.

A new screen will present a list of files and directories. The white filenames are those that have not been deleted, while the red filenames are those that have been deleted. The rightmost column is the name of the file, the right to left column is the date the file was created, the left column is the size of the file (in byte/ bits), and the leftmost column with "-", "d", "r", "w" and "x" represents the permissions of the file. "d" indicates that the file is a directory, and other permission terms have little to do with this article. At the top of the list with "." One item represents the current directory, and the second line is marked with ".." Represents the parent directory of the current directory, so users can reach the directory by selecting the row of the directory.

For example, I want to go to the "Xaiml_Dataset" directory, which basically consists of deleted files. By pressing the "c" key on the keyboard, I will restore the file "computers.xaiml", and then I am asked to select a target directory, which, of course, I should place in another partition. Now, when I am in my home directory, I press the "c" key. (when selecting a target directory) it doesn't matter which directory is highlighted, the current directory is the target directory, and a "copy complete" message will be displayed at the top of the screen. In my home directory, there will be a directory called "Xaiml_Dataset" with a Xaiml file in it. If I press the "c" key on more deleted files, they will be placed in a new folder without having to ask me about the target directory.

When these steps are complete, press the "Q" key repeatedly until you see the normal terminal appearance. The directory "Xaiml_Dataset" can only be accessed by root users. To solve this problem, use root permissions to change the permissions of this directory and its subdirectories. When this is done, the files are restored and users can access them.

Special ReiserFS:

To restore a file from the ReiserFS file system, you first need to make a backup of all the files in the partition. Because if some errors occur, this method may cause files to be lost. Then execute the following command, where DEVICE refers to devices named in the form of sda2. Some files will be placed in the lost+found directory while others will be saved to the location where they were previously deleted.

The code is as follows:

Reiserfsck-rebuild-tree-scan-whole-partition / dev/DEVICE

Restore deleted files opened by a program:

Suppose the user accidentally deletes a file and the file is opened by a program. Although the file has been deleted on the hard drive, the program is using a copy of the file located in RAM. Fortunately, we have two simple solutions to restore the file.

If the software has a save function, such as a text editor, the user can re-save the file so that the text editor can write the file to the hard drive.

Assuming that there is a MP3 file in the music player and the music player cannot save the MP3 file, it will take more time than before to recover the file. Unfortunately, this approach is not guaranteed to be effective in all systems and applications. First, type the following command.

The code is as follows:

Lsof-c smplayer | grep mp3

The above command lists all the files used by smplayer, and this list is piped by the grep command to search for mp3. The input of the command is similar to the following:

The code is as follows:

Smplayer 10037 collier mp3 169r 8,1 676376 1704294 / usr/bin/smplayer

Now, type the following command to restore the file directly from RAM (on Linux systems, / proc/ is mapped to RAM), and copy the file to the selected folder. Where cp refers to the copy command, the number 10037 in the output comes from the number of processes, the number 169in the output refers to the file descriptor, "~ / Music/" is the target directory, and the final "music.mp3" is the name of the file that the user wants to recover.

The code is as follows:

Cp / proc/10037/fd/169 ~ / Music/music.mp3

Real deletion:

To ensure that a file cannot be recovered, you can use a command to "erase" the hard drive. Erasing the hard disk is actually writing meaningless data to the hard disk. For example, many erase programs write zeros, random letters, or random data to the hard disk. No space will be occupied or lost, and the erase program will just rewrite the space. If the storage unit is filled with files and there is no free space, all previously deleted files will disappear and cannot be recovered.

The purpose of erasing the hard drive is to ensure that private data is not seen by others. For example, a company may order some new computers, and the general manager decides to sell the old computers. however, the new computer owner may see some secrets or customer information such as credit card numbers and addresses. Fortunately, the company's computer technicians can erase the hard drives before selling them.

To install the erasure program secure-delete, type sudo apt-get install secure-delete, which will install an assembly of four programs to ensure that deleted files cannot be restored.

Srm-permanently delete a file. Usage: srm-f. / secret_file.txt

Sfill-erases blank space. Usage: sfill-f / mount/point/of/partition

Sswap-erases the swap space. Usage: sswap-f / dev/SWAP_DEVICE

If the computer actually removes those deleted files, it will take longer to perform the delete task. Marking some space as empty is fast and easy, but it takes time to make the file disappear forever. For example, it may take several hours (depending on disk capacity) to erase a storage unit. In short, the current system works fine, because even if users empty the dustbin, they still have another chance to change their original thoughts (or mistakes).

This is the answer to the question about how to restore deleted files in Linux. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.