Data recovery
There are Linux distributions for data recovery as well as single programs. Most programs work on image files, so first an image has to be made with a tool like dd.
Kali Linux is the Linux distribution to use.
If Kali Linux asks for a login, the username is “kali” and the password is “kali”.
Name | Function | Remark |
---|---|---|
dd | convert and copy a file | |
ddrescue | | |
EWF Tools | Expert Witness Files tools | |
extundelete | Utility to undelete files from an ext3 or ext4 partition | The e-mail address in the manpage does not exist anymore. There is a mailing list, but it needs the Google pictures captcha. For us that is a no go. When using the program we got an error: extundelete --restore-all --restore-directory /home/user/recovered --after 1558515720 /dev/sda6 yielded: Only show and process deleted entries if they are deleted on or after 1558515720 and before 2147483647. NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 209 groups loaded. Loading journal descriptors ... 24802 descriptors loaded. *** Error in `extundelete': double free or corruption (!prev):0x0127e2f0 *** Aborted |
Fenrir | | |
foremost | Recover files using their headers, footers, and data structures | Needs an image file like one made with dd |
guymager | Forensic imager for media acquisition | |
photorec | | |
sleuthkit | mmls: display the partition layout of a volume system (partition tables). ifind: find the meta-data structure that has allocated a given disk unit or file name. | |
strings | Print the strings of printable characters in files | Part of GNU binutils |
testdisk | | |
Examples
For dd see dd
extundelete --restore-all --restore-directory /mnt/thepartition/output/ -B 512 some_file.dd
foremost -v -w -i some_file.dd -o /mnt/thepartition/output2/
photorec
Open a terminal and become root
Use photorec on a disk or partition:
- Unmount the disk or partition
- Run photorec and follow the instructions. Choose a location other than the disk or partition to store the output in.
Use photorec on a file (made from a disk or partition), say file.dd:
- Allocate a partition for the task
- mkdir /mnt/thepartition if it does not exist
- mount /dev/sdpn /mnt/thepartition (p is the letter of the drive, n of the partition)
- Copy all files and directories you want to keep from it to some other place
- cd /mnt/thepartition
- shred --iterations=0 --zero --verbose --remove * (--iterations=0 because the --zero pass does not count as an iteration)
- umount /mnt/thepartition
- zerofree -v /dev/sdpn (p is the letter of the drive, n of the partition)
- mount /dev/sdpn /mnt/thepartition
- cp file.dd /mnt/thepartition
- Run photorec and follow the instructions. Choose a location other than /mnt/thepartition to store the output in.
Filter out files with extensions that will probably yield nothing useful and show which extensions are left:
ls -1R recup_dir* | grep -v -E '\.(txt|ini|java|html|h|xml)$' | sort -t . -k 2 --uniq | grep -v recup.dir | less
strings
First check with a hex editor such as hexeditor whether the file contains long runs of the same byte, like 0x00 and 0xFF. Remove them with
cat file.txt | tr -d '\000' | tr -d '\377' > fileNO00FF.txt
Command | Explanation |
---|---|
strings --all --bytes=8 file.txt > filestrings8.txt | Searches for strings of at least 8 bytes, spaces and tabs included. “hello hello” will be found since it is a string of 11 characters. “hello\nhello” will yield nothing because of the newline character: strings sees two strings of 5 characters. |
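The two steps above on a constructed sample, as an added example that is not part of the original page: Python code that approximates the default scan of strings (assumption: a string is a run of printable ASCII bytes or tabs) and the tr filter. It shows that removing 0x00 and 0xFF makes UTF-16 text visible, but also glues neighbouring fragments together and shifts the offsets, so hits no longer map back to positions in the image.

```python
import re


def scan(data: bytes, min_len: int = 8) -> list[tuple[int, bytes]]:
    """Return (offset, text) for every run of at least min_len printable
    ASCII bytes or tabs. A newline ends a run, as in the table above."""
    pattern = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def strip_fill(data: bytes) -> bytes:
    """Same effect as: tr -d '\\000' | tr -d '\\377'"""
    return data.translate(None, b"\x00\xff")


# Constructed sample, not taken from a real image: fill bytes, the two
# "hello" cases from the table, UTF-16LE text and two short fragments.
SAMPLE = (
    b"\x00" * 16
    + b"hello hello"                   # 11 characters: reported
    + b"\xff" * 16
    + b"hello\nhello"                  # two runs of 5: not reported
    + b"\xff" * 4
    + "secret42".encode("utf-16-le")   # every character followed by 0x00
    + b"\x00" * 8
    + b"user"
    + b"\x00" * 4
    + b"root"
)

if __name__ == "__main__":
    for label, blob in (("raw", SAMPLE), ("stripped", strip_fill(SAMPLE))):
        print(label)
        for offset, text in scan(blob):
            print(f"  {offset:6d}  {text.decode('ascii')}")
```

To keep offsets meaningful, run the scan on the untouched file as well and use the stripped copy only for searching.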
Recover partitions
Useful links
An overview of recovery programs can be found at:
- Top 15 Linux data recovery tools the professionals choice
- Get your data back with Linux based data recovery tools
Copyright © : 2014 - 2024 Webevaluation.nl and the authors
Changes reserved.