Data recovery

There are Linux distributions for data recovery as well as single programs. Most programs work on image files, so first an image has to be made with a tool like dd.

Kali Linux is the Linux distribution to use.
If Kali Linux asks for a login, the username is “kali” and the password is “kali”.

| Name | Function | Remark |
|---|---|---|
| dd | convert and copy a file | |
| ddrescue | | |
| EWF Tools | Expert Witness Files tools | |
| extundelete | Utility to undelete files from an ext3 or ext4 partition | The e-mail address in the manpage does not exist anymore. There is a mailing list but it needs the Google pictures captcha. For us that is a no go. When using the program we got an error, see below the table |
| Fenrir | | |
| foremost | Recover files using their headers, footers, and data structures | Needs an image file like one made with dd |
| guymager | Forensic imager for media acquisition | |
| photorec | | |
| sleuthkit | mmls: Display the partition layout of a volume system (partition tables). ifind: Find the meta-data structure that has allocated a given disk unit or file name | |
| strings | print the strings of printable characters in files | Part of GNU binutils |
| testdisk | | |

extundelete --restore-all --restore-directory \
  /home/user/recovered \
  --after 1558515720 /dev/sda6
yielded:
Only show and process deleted entries 
  if they are deleted on or
  after 1558515720 and before 2147483647. 
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 209 groups loaded.
Loading journal descriptors ... 24802 descriptors loaded.
*** Error in `extundelete': double free 
  or corruption (!prev):0x0127e2f0 ***
Aborted

Examples

For dd see dd

extundelete --restore-all --restore-directory /mnt/thepartition/output/ -B 512 some_file.dd
foremost -v -w -i some_file.dd -o /mnt/thepartition/output2/

photorec

Open a terminal and become root

Use photorec on a disk or partition:

  • Unmount the disk or partition
  • Run photorec and follow the instructions. Choose another location than the disk or partition to store the output in.

Use photorec on a file (made from a disk or partition) (say file.dd)

  • Allocate a partition for the task
  • mkdir /mnt/thepartition if it does not exist
  • mount /dev/sdpn /mnt/thepartition (p is the letter of the drive, n of the partition)
  • Copy all files and directories you want to keep from it to some other place
  • cd /mnt/thepartition
  • shred --iterations=0 --zero --verbose --remove * (--iterations=0 because the --zero pass does not count as an iteration)
  • umount /mnt/thepartition
  • zerofree -v /dev/sdpn (p is the letter of the drive, n of the partition)
  • mount /dev/sdpn /mnt/thepartition
  • cp file.dd /mnt/thepartition
  • Run photorec and follow the instructions. Choose another location than /mnt/thepartition to store the output in.

Filter out files with extensions that will probably yield nothing useful and show which extensions are left:

ls -1R recup_dir* | grep -vE '\.(txt|ini|java|html|h|xml)$' | sort -t . -k 2 --uniq | grep -v recup.dir | less
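An added example (not part of the original page): a shell function that generalises the filter above by counting the recovered files per extension, matching each extension exactly so that .sh is not dropped together with .h. The function name recup_ext_summary and its default skip list are assumptions; recup_dir.N is the directory naming photorec uses for its output.

```shell
#!/bin/sh
# Added example, not from the original page.
# recup_ext_summary BASE [SKIP]
#   BASE: directory that contains photorec's recup_dir.N output directories
#   SKIP: pipe-separated extensions to ignore (assumed default below)
# Prints "COUNT EXTENSION" lines, most frequent extension first.
recup_ext_summary() {
    base=$1
    skip=${2:-"txt|ini|java|html|h|xml"}

    find "$base"/recup_dir.* -type f 2>/dev/null |
    awk -v skip="$skip" '
        BEGIN {
            # Build a lookup table of extensions to drop.
            n = split(skip, s, "|")
            for (i = 1; i <= n; i++) drop[s[i]] = 1
        }
        {
            name = $0
            sub(/.*\//, "", name)                 # strip the directory part
            ext = "(none)"                        # files without an extension
            if (match(name, /\.[^.]+$/))          # text after the last dot
                ext = tolower(substr(name, RSTART + 1))
            if (!(ext in drop)) count[ext]++      # exact match, not substring
        }
        END { for (e in count) print count[e], e }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Usage: recup_ext_summary /path/where/photorec/wrote/its/output
```

Extensions are compared case-insensitively, so f0000002.JPG is counted under jpg.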

strings

First check with a hex editor such as hexeditor whether the file contains many repeated bytes like 0x00 and 0xFF. Remove them with

cat file.txt | tr -d '\000' | tr -d '\377' > fileNO00FF.txt

| Command | Explanation |
|---|---|
| strings --all --bytes=8 file.txt > filestrings8.txt | Searches for strings of at least 8 bytes, spaces and tabs included. “hello hello” will be found since it is a string of 11 characters. “hello\nhello” will yield nothing because of the new line character: strings sees two strings of 5 characters. |

Recover partitions

An overview of recovery programs can be found on


Copyright © : 2014 - 2024 Webevaluation.nl and the authors
data_recovery.txt · Last modified: 13-10-2023 08:52 by wim