File recovery
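This article lists a number of data recovery options for Arch Linux.
Special notes
Think before you act
This article is intended mainly for educational purposes. If you have accidentally deleted or damaged valuable, irreplaceable data and have no experience with data recovery, turn off your computer immediately (just press and hold the power button or pull the plug; do not use the system's shutdown function) and seek professional help. If you carry out any of the steps below without fully understanding them, you will very likely make your situation worse.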
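Failing drives
In data recovery, it is better to work on an image of a disk than on the physical disk itself. Generally, a failing drive's condition worsens over time. The goal should be to first rescue as much data as possible, as early as possible, and then to abandon the failing disk. The ddrescue and dd_rescue utilities, unlike dd, repeatedly try to recover from errors and read the drive front to back and then back to front in order to salvage data. They keep a running log of their progress, so a recovery can be paused and resumed without losing work.
See Disk cloning.
Image files created by a utility such as ddrescue can be mounted like a physical device and worked on safely. Always make a backup of the original image so that you can start over if the recovery work goes wrong.
A tried and true method of improving reads from a failing drive is to keep the drive cold. A little time in the freezer is a good idea, but do not let the cold drive warm up too quickly, because condensation will form. Keeping the drive in the freezer, with cables connecting it to the recovering computer, works best of all.
Do not expect a filesystem check on a failing drive to help; it will only make things worse. Be sure to mount it read-only.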
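Backup flash media/small partitions
As an alternative to working with a "live" partition (mounted or not), it is often preferable to work with an image, provided that the filesystem in question is not too large and that you have enough free disk space to hold the image file. For example, flash memory devices such as USB drives, digital cameras, portable music players and mobile phones are small enough to image in many cases.
Be sure to read the man pages of the utilities listed below to verify that they are capable of working with image files.
To make an image, you can use dd as follows: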
# dd if=/dev/target_partition of=/home/user/partition.image
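The imaging step above, combined with the earlier advice to keep an untouched copy of the original image, as an added example that is not part of the original page. The function names acquire_image, verify_master and reset_working and the master.img/working.img layout are assumptions made for illustration; a constructed 1 MiB file stands in for the partition.

```shell
#!/bin/sh
# Added example; function names and file layout are illustrative.

# acquire_image SOURCE DEST_DIR
# Copies SOURCE (a partition such as /dev/sdXN, or any file) to
# DEST_DIR/master.img, records its SHA-256, write-protects the master and
# creates DEST_DIR/working.img for the recovery tools to operate on.
acquire_image() {
    src=$1; dir=$2
    mkdir -p "$dir" || return 1
    dd if="$src" of="$dir/master.img" bs=1M 2>"$dir/dd.log" || return 1
    ( cd "$dir" && sha256sum master.img > master.img.sha256 ) || return 1
    chmod a-w "$dir/master.img" "$dir/master.img.sha256"
    cp "$dir/master.img" "$dir/working.img" && chmod u+w "$dir/working.img"
}

# verify_master DEST_DIR -> exit status 0 while master.img matches its hash
verify_master() {
    ( cd "$1" && sha256sum -c master.img.sha256 ) >/dev/null 2>&1
}

# reset_working DEST_DIR: discard a botched attempt and start again from the
# master, refusing to do so if the master itself no longer verifies.
reset_working() {
    verify_master "$1" || return 1
    rm -f "$1/working.img"
    cp "$1/master.img" "$1/working.img" && chmod u+w "$1/working.img"
}

# Constructed demo: a 1 MiB file of random bytes stands in for the partition.
demo=$(mktemp -d)
head -c 1048576 /dev/urandom > "$demo/fake_partition"
acquire_image "$demo/fake_partition" "$demo/case" \
    && verify_master "$demo/case" \
    && echo "master verified, work on $demo/case/working.img"
```

Point the recovery tools at working.img only; the recorded hash shows whether the master was ever modified.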
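Working with digital cameras
For some of the utilities listed in the following sections to work with flash media, the device in question needs to appear as a block device under /dev. Digital cameras operating in PTP (Picture Transfer Protocol) mode will not work in this regard. PTP cameras are handled transparently by libgphoto and/or libptp. In this case, "transparently" means that PTP devices are not exposed as block devices. The alternative to PTP mode, USB Mass Storage (UMS) mode, is not supported by all cameras. Some cameras have an option for switching between the two modes; refer to your camera's user manual. If your camera does not support UMS mode and therefore cannot be accessed as a block device, the only option is to remove the storage media from the camera and use a flash media reader.
Foremost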
Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on disk image files (such as those generated by dd, Safeback, Encase, etc.) or directly on a drive. The headers and footers can be specified by a configuration file or command line switches can be used to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for more reliable and faster recovery.
See the Foremost article.
Extundelete
Extundelete is a terminal-based utility designed to recover deleted files from ext3 and ext4 partitions. It can recover all the recently deleted files from a partition and/or specific files given by relative path or inode information. Note that it works only when the partition is unmounted. The recovered files are saved in the current directory under the folder named RECOVERED_FILES/.
Installation
The extundelete (AUR) package can be installed from the official repositories.
Usage
Derived from the post on Linux Poison.
To recover data from a specific partition, the device name for the partition, which will be in the format /dev/sdXN (X is a letter and N is a number), must be known. The example used here is /dev/sda4, but your system might use something different depending on your filesystem and device configuration (for example, MMC card readers use /dev/mmcblkNpN as their naming scheme). If you are unsure, run df, which prints currently mounted partitions.
Once the partition to recover data from has been determined, run:
# extundelete /dev/sda4 --restore-file directory/file
Any subdirectories must be specified, and the command runs from the highest level of the partition, so, to recover a file in /home/SomeUserName/, assuming /home is on its own partition, run:
# extundelete /dev/sda4 --restore-file SomeUserName/SomeFile
To speed up multi-file recovery, extundelete has a --restore-files option as well.
To recover an entire directory, run:
# extundelete /dev/sda4 --restore-directory SomeUserName/SomeDirectory
For advanced users, to manually recover blocks or inodes with extundelete, debugfs can be used to find the inode to be recovered; then, run:
# extundelete /dev/sda4 --restore-inode inode
inode stands for any valid inode. Additional inodes to recover can be listed in an unspaced, comma-separated fashion.
Finally, to recover all deleted files from an entire partition, run:
# extundelete /dev/sda4 --restore-all
TestDisk and PhotoRec
TestDisk and PhotoRec are both open-source data recovery utilities licensed under the terms of the GNU General Public License (GPL).
TestDisk is primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses, or human error, such as the accidental deletion of partition tables.
PhotoRec is file recovery software designed to recover lost files, including photographs (Hint: PhotographRecovery), videos, documents and archives, from hard disks and CD-ROMs. PhotoRec ignores the filesystem and goes after the underlying data, so it will still work even with a re-formatted or severely damaged filesystem and/or partition table.
Installation
The testdisk package from the official repositories provides both TestDisk and PhotoRec.
Files recovered by photorec
The photorec utility stores recovered files with random names (for most of the files) under numbered directories, e.g. ./recup_dir.1/f872690288.jpg, ./recup_dir.1/f864563104_wmclockmon-0.1.0.tar.gz.
See also
- Wiki (TestDisk): https://www.cgsecurity.org/wiki/TestDisk
- Wiki (Photorec): https://www.cgsecurity.org/wiki/PhotoRec
- Homepage: https://www.cgsecurity.org/
- Sort images by resolution
- Restore name of a tar.gz archive
- Post recovery tasks
e2fsck
e2fsck is the ext2/ext3 filesystem checker included in the base install of Arch. e2fsck relies on a valid superblock. A superblock is a description of the entire filesystem's parameters. Because this data is so important, several copies of the superblock are distributed throughout the partition. With the -b option, e2fsck can take an alternate superblock argument; this is useful if the main, first superblock is damaged.
To determine where the superblocks are, run dumpe2fs -h on the target, unmounted partition. Superblocks are spaced differently depending on the filesystem's blocksize, which is set when the filesystem is created.
An alternate method to determine the locations of superblocks is to use the -n option with mke2fs. Be sure to use the -n flag, which, according to the mke2fs manpage, "Causes mke2fs to not actually create a filesystem, but display what it would do if it were to create a filesystem. This can be used to determine the location of the backup superblocks for a particular filesystem, so long as the mke2fs parameters that were passed when the filesystem was originally created are used again. (With the -n option added, of course!)".
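How the backup locations depend on the block size, as an added example that is not part of the original page: it lists candidate backup superblocks for a partition whose primary superblock can no longer be read. It assumes mke2fs defaults (sparse_super enabled, 8 × block size blocks per group); backup_superblocks and probe_commands are illustrative names, /dev/sdXN is a placeholder, and the e2fsck commands are printed, not run.

```shell
#!/bin/sh
# Added example; function names are illustrative, not part of e2fsprogs.
# Assumes mke2fs defaults: sparse_super on, 8 * block_size blocks per group.

# backup_superblocks BLOCK_SIZE TOTAL_BLOCKS -> one backup block number per line
backup_superblocks() {
    bs=$1; total=$2
    per_group=$(( bs * 8 ))
    # With 1 KiB blocks, block 0 holds the boot sector and group 0 starts at 1.
    if [ "$bs" -eq 1024 ]; then first=1; else first=0; fi
    groups=$(( (total - first + per_group - 1) / per_group ))
    {
        # sparse_super keeps backups in group 1 and in powers of 3, 5 and 7.
        echo 1
        for base in 3 5 7; do
            g=$base
            while [ "$g" -lt "$groups" ]; do
                echo "$g"
                g=$(( g * base ))
            done
        done
    } | sort -n | while read -r g; do
        if [ "$g" -lt "$groups" ]; then
            echo $(( g * per_group + first ))
        fi
    done
}

# probe_commands DEVICE BLOCK_SIZE TOTAL_BLOCKS
# Prints (does not run) one read-only e2fsck probe per backup superblock.
# -n answers "no" to every question, so a probe never writes to the target.
probe_commands() {
    backup_superblocks "$2" "$3" | while read -r sb; do
        echo "e2fsck -n -b $sb -B $2 $1"
    done
}

# Constructed case: a 64 MiB partition whose block size is not known, so each
# block size mke2fs could have used is tried in turn.
for size in 1024 2048 4096; do
    probe_commands /dev/sdXN "$size" $(( 64 * 1024 * 1024 / size ))
done
```

Run the printed probes against an image of the partition, and drop -n only once a backup has been confirmed to describe a sane filesystem.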
Installation
Both e2fsck and dumpe2fs are included in the base Arch install as part of the e2fsprogs package.
See also
- e2fsck man page: http://phpunixman.sourceforge.net/index.php/man/e2fsck/8
- dumpe2fs man page: http://phpunixman.sourceforge.net/index.php?parameter=dumpe2fs&mode=man
Working with raw disk images
If you have backed up a drive using ddrescue or dd and you need to mount this image as a physical drive, see this section.
Mount the entire disk
To attach a complete disk image to the next free loop device, use the losetup command:
# losetup -f -P /path/to/image
- The -f flag attaches the image to the next available loop device.
- The -P flag creates additional devices for every partition.
Mounting partitions
In order to be able to mount a partition of a whole disk image, follow the steps above.
Once the whole disk image is attached, a normal mount command can be used on the loop device:
# mount /dev/loop0p1 /mnt/example
This command mounts the first partition of the image in loop0 to the mountpoint /mnt/example. Remember that the mountpoint directory must exist!
Getting disk geometry
Once the entire disk image has been attached as a loop device, its drive layout can be inspected.
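Using QEMU to repair NTFS
For a disk image containing one or more NTFS partitions that need to be run through chkdsk under Windows (why Windows? Because there is no good NTFS checker for Linux), QEMU can present the raw image to a virtual machine as if it were a physical hard disk:
# qemu -hda /path/to/primary.img -hdb /path/to/DamagedDisk.img
Then, assuming Windows is installed on primary.img, it can be used to check the partitions on /path/to/DamagedDisk.img.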
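Text file recovery
It is possible to find deleted text files by searching the disk block device directly. You need a reasonably unique string from the file you want to recover.
Use grep to search the partition directly for a fixed string (-F):
$ grep -a -C 200 -F 'Unique string in text file' /dev/sdXN > OutputFile
With luck, the deleted file can be extracted from the context surrounding the match, which is saved in OutputFile.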
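A byte-offset variant of the search above, as an added example that is not part of the original page. On raw disk data a "line" is whatever lies between two newline bytes, so line-based context can be arbitrarily large; locating the match by byte offset and copying a fixed window around it keeps the output bounded. It assumes GNU grep, the function names are illustrative, and the sample image is constructed.

```shell
#!/bin/sh
# Added example; function names are illustrative. Assumes GNU grep.

# find_offsets IMAGE STRING -> decimal byte offset of every match, one per line
find_offsets() {
    # -a: treat binary data as text; -b with -o: offset of the match itself;
    # -F: fixed string. LC_ALL=C avoids multibyte decoding of raw disk data.
    LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1
}

# carve_window IMAGE OFFSET BEFORE AFTER OUTFILE
# Writes bytes [OFFSET-BEFORE, OFFSET+AFTER) of IMAGE to OUTFILE, clamped at 0.
carve_window() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi
    dd if="$1" of="$5" bs=1 skip="$start" count=$(( $2 + $4 - start )) 2>/dev/null
}

# make_sample_image FILE: constructed stand-in for a partition image, holding
# a "deleted" note surrounded by zeroed blocks.
make_sample_image() {
    {
        head -c 5000 /dev/zero
        printf 'meeting notes\nUnique string in text file\nend of notes\n'
        head -c 3000 /dev/zero
    } > "$1"
}

# Demo on the constructed image: carve 512 bytes either side of each match.
work=$(mktemp -d)
make_sample_image "$work/partition.image"
for off in $(find_offsets "$work/partition.image" 'Unique string in text file'); do
    carve_window "$work/partition.image" "$off" 512 512 "$work/hit_$off.bin"
    echo "match at byte $off -> $work/hit_$off.bin"
done
```

The carved window can then be inspected with strings or a pager and widened if the file turns out to be longer.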
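The -C 200 option in the grep -a -C 200 command tells grep to print 200 lines of context before and after each match. If the text you are looking for is long, adjust the value as needed. The -A and -B options can instead be used to print only the lines after or before each match, respectively.
See also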
- Data Recovery on the Ubuntu wiki