der bastler Apprentice
Joined: 13 Apr 2003 Posts: 257
|
Posted: Mon Aug 01, 2005 7:14 pm Post subject: Recovering files with "The Sleuth Kit" |
|
|
I don't like Mondays!
This afternoon I wanted to back-up the files of my diploma thesis before walking home. So I plugged in my usb stick and erased the old "diplom" directory on it to get rid of old files. Fine, but while doing this I must have accidentally switched planes in gentoo, anyway afterwards the "diplom" directory on my hard drive was gone, too! Instead of copying my work to the usb stick, both disappeared. D'Oh!
First action: unmount usb stick.
Great, only one DVD+RW backup at home, two weeks old! What to do? Since I do my work on my notebook and since it was the first Gentoo installation its HDD only consists of one big ReiserFS partition (*). So I could not unmount /home/ and use reiserfsck for recovery.
So I returned home and used my desktop to do some research on FAT file recovery -- I came across The Sleuth Kit.
Remember the usb stick? To me it seemed easier to recover its files than trying to use reiserfsck with my notebook HDD. At least I would only be thrown back to last week...
My recovery procedure:
Step #1:
Become root, plug in usb stick, but don't mount it. Copy all of its blocks to a file:
Code: | dd if=/dev/sda1 of=/tmp/my-usb-image |
Step #2:
If not yet done: install the software.
Step #3:
Exit root mode, create a project directory in your home, in my case /home/frank/projekte/defiant-recovery. Change into your project directory, copy the usb image to it and take a look at the contents of your usb image file with fls:
Code: | cp /tmp/my-usb-image ./
fls -f fat -d -p -r my-usb-image |
This will print a list of deleted (-d) files with full path (-p) while traversing recursively (-r) through the structure. Here are the first three lines of my usb image file structure:
Code: | d/d * 4: diplom
d/d * 518: diplom/c_prog
r/r * 647: diplom/c_prog/pointer_test.c |
First field denotes the file type, third field is the node number and last field is the actual file name.
Step #4:
With this information one would use icat to extract every found node to the appropriate file. Since we use Linux we can do this automatically. First print the fls output to a file:
Code: | fls -f fat -d -p -r my-usb-image > filelist.txt |
Second edit this file list and delete all the gibberish lines (there might be remnants of old data).
Step #5:
After this little list file clean up, create the following script in your recovery project directory:
Code: | #!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# Usage: ./reconstruct.sh edited-filelist.txt
# awk splits on whitespace, so a name containing spaces is cut at the first space.
while read -r line; do
    filetype=$(echo "$line" | awk '{print $1}')
    filenode=$(echo "$line" | awk '{print $3}')
    filenode=${filenode%:}    # strip the trailing colon from the node number
    filename=$(echo "$line" | awk '{print $4}')
    echo "$filename"
    if [ "$filetype" = "d/d" ]; then
        mkdir "$filename"
    else
        icat -f fat -r -s my-usb-image "$filenode" > "$filename"
    fi
done < "$1" |
Call it with said file list as parameter:
Code: | ./reconstruct.sh edited-filelist.txt |
Et voilà, most of the deleted data is back. This script parses the lines of the list. If it encounters a directory, it creates it, otherwise it extracts the contents of the node to the given file.
--
Apart from this makeshift recovery -- Are there any solutions to recover the deleted directory /home/frank/diplom on my ReiserFS partition? That would be very, very nice!
(*) My newer systems have partitions for /home/ and /usr/ and... _________________ Tempus fugit.
@frank@troet.cafe |
der bastler Apprentice
Joined: 13 Apr 2003 Posts: 257
|
Posted: Mon Aug 01, 2005 9:36 pm Post subject: |
|
|
I'm back in last week... and tomorrow I have to do it again: revise source, port from english to german comments, create command module, correct coord transformation, ... *sigh* Groundhog day anyone?
A last question: There is no way undeleting files in a given directory in a ReiserFS partition? Something like "There was a directory "bla" with subdirectories, please check your trees if you can find it?"
No, reiserfsck is no option because a) unmounting the partition needs a boot disk/cd and b) I don't have enough space to do a complete 40GB copy of the partition. _________________ Tempus fugit.
@frank@troet.cafe |
Gentree Watchman
Joined: 01 Jul 2003 Posts: 5350 Location: France, Old Europe
|
Posted: Sun Nov 27, 2005 10:36 am Post subject: |
|
|
der bastler wrote: | I'm back in last week... and tomorrow I have to do it again: revise source, port from english to german comments, create command module, correct coord transformation, ... *sigh* Groundhog day anyone?
A last question: There is no way undeleting files in a given directory in a ReiserFS partition? Something like "There was a directory "bla" with subdirectories, please check your trees if you can find it?"
No, reiserfsck is no option because a) unmounting the partition needs a boot disk/cd and b) I don't have enough space to do a complete 40GB copy of the partition. |
Firstly thanks for the info on sleuthkit. Looks like just what I need to repair a friend's vfat.
For the rest, I don't know of a way to recover deleted files on reiserfs but if you think reiserfsck will help then get yourself a boot CD like the linux rescueCD or Knoppix or so, that hardly seems to be a problem.
You have probably also realised that huge partitions are not so good. Once you have recovered what you can I suggest splitting / into several smaller partitions. I like to keep mine under 8G unless there is a very good reason.
This makes swapping, backing-up, changing fs, etc. all a lot more practicable.
Sorry I can't help more on the deleted files.
_________________ Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86 |
bfkeats Apprentice
Joined: 20 Feb 2004 Posts: 268
|
Posted: Sat Feb 04, 2006 1:26 am Post subject: |
|
|
Small improvement to the script. This will handle spaces in the paths.
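Code: |
#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# Usage: ./reconstruct.sh edited-filelist.txt (the image file is named fatImage)
while read -r line; do
    filetype=$(echo "$line" | awk '{print $1}')
    filenode=$(echo "$line" | awk '{print $3}')
    filenode=${filenode%:}    # strip the trailing colon from the node number
    # fls puts a tab before the name, so field 2 is the full path, spaces included
    filename=$(echo "$line" | cut -f 2)
    echo "$filename"
    if [ "$filetype" = "d/d" ]; then
        mkdir -p "$filename"
    else
        icat -f fat -r -s fatImage "$filenode" > "$filename"
    fi
done < "$1"
|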
wally.hall n00b
Joined: 26 Sep 2005 Posts: 55 Location: England
|
Posted: Mon Jul 07, 2008 10:11 am Post subject: Same problem, similar solution |
|
|
I had a similar problem, so I wrote a script using ffind, icat and ils to "reconstruct" the directory structure plus file contents. For 10GB of data on a seriously damaged drive, it took a little over 10 hours solid working, but it did the job.
http://matt.matzi.org.uk/2008/07/03/reconstructing-heavily-damaged-hard-drives/ _________________ I like Gentoo why?
Because it works how I want it to work. |
jexxie Tux's lil' helper
Joined: 12 Oct 2007 Posts: 82 Location: Vancouver, BC
|
Posted: Tue Jul 29, 2008 4:07 am Post subject: |
|
|
If you're going to script in bash, script in bash. This should work, I didn't test it.
Code: | #!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# $1 is the edited fls file list; the image name "fatImage" is hard-coded below.
if [[ $# -ne 1 ]]; then
    echo "supply the path to the edited file list please."
    echo "ex: $0 /path/to/filelist.txt"
    exit 1
fi
# The list is redirected into the whole loop so each read gets the next line.
while read -r line; do
    filetype=$(echo "$line" | awk '{print $1}')
    filenode=$(echo "$line" | awk '{print $3}')
    filenode=${filenode%:}    # strip the trailing colon from the node number
    filename=$(echo "$line" | cut -f 2)
    echo "$filename"
    if [[ $filetype == "d/d" ]]; then
        mkdir -p "$filename"
    else
        icat -f fat -r -s fatImage "$filenode" > "$filename"
    fi
done < "$1" |
_________________ Rambling sysadmin
My personal site and blog: Phil Dufault |
|
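An added example, not code from any poster in this thread: a variant of the reconstruct script that treats the fls list as untrusted input, since the names in it are read from damaged on-disk data. It splits each `fls -d -p -r` line on the tab separator and skips any record whose name is absolute or contains `..`, so nothing is written outside the output directory. The function names, the three-argument calling convention and the handling of the `(realloc)` marker are assumptions that go beyond what the thread covers.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes icat (The Sleuth Kit) is on PATH
# and that the list is tab-separated `fls -d -p -r` output.
TAB=$(printf '\t')

# parse_fls_line LINE: print "TYPE<TAB>INODE<TAB>PATH", or return 1 to skip.
parse_fls_line() {
    case $1 in *"$TAB"*) ;; *) return 1 ;; esac   # no tab: not an fls record
    _meta=${1%%"$TAB"*}                           # e.g. "r/r * 647:"
    _name=${1#*"$TAB"}                            # path, spaces preserved
    _type=${_meta%% *}
    _inode=${_meta##* }
    case $_meta in "$_type * $_inode") ;; *) return 1 ;; esac
    case $_type in ?/?) ;; *) return 1 ;; esac
    case $_inode in *:) _inode=${_inode%:} ;; *) return 1 ;; esac
    _inode=${_inode%"(realloc)"}                  # marker fls prints for reallocated entries
    case $_inode in ''|*[!0-9]*) return 1 ;; esac
    # Refuse empty names, absolute paths and any ".." component.
    case "/$_name/" in //*|*/../*) return 1 ;; esac
    printf '%s\t%s\t%s\n' "$_type" "$_inode" "$_name"
}

# recover IMAGE LIST OUTDIR: rebuild the tree under OUTDIR only.
recover() {
    mkdir -p "$3" || return 1
    while IFS= read -r _line; do
        _rec=$(parse_fls_line "$_line") || { echo "skipped: $_line" >&2; continue; }
        _type=${_rec%%"$TAB"*}; _rest=${_rec#*"$TAB"}
        _inode=${_rest%%"$TAB"*}; _path=${_rest#*"$TAB"}
        case $_type in
            d/*) mkdir -p "$3/$_path" ;;
            *)   mkdir -p "$(dirname "$3/$_path")" &&
                 icat -f fat -r -s "$1" "$_inode" > "$3/$_path" < /dev/null ;;
        esac
    done < "$2"
}

# Example: sh recover.sh my-usb-image filelist.txt ./recovered
if [ "$#" -eq 3 ]; then recover "$@"; fi
```

Skipped lines are reported on stderr, which also catches the remnant "gibberish" records that step #4 removes by hand.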
Back to top |
|
|
Master_Of_Disaster l33t
Joined: 28 Feb 2003 Posts: 610 Location: 15.05072° East, 48.13747° North (aka Mauer), Austria
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|