File recovery

From the Arch Linux Chinese Wiki

This article or section is out of date. (Discuss in Talk:File recovery)

The translation of this article or section does not reflect the original text.

Reason: Last updated in 2015 (Discuss in Talk:File recovery#)

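This article lists a number of data recovery options for Arch Linux.

Special notes

Before you start

This article is mainly intended for educational purposes. If you have accidentally deleted or corrupted valuable, irreplaceable data and have no experience with data recovery, turn off your computer immediately (press and hold the power button or pull the plug; do not use the system shutdown function) and seek professional help. Performing any of the operations below without fully understanding them is very likely to make your situation worse.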

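Failing drives

In data recovery, it is better to work on an image of a disk than on the physical disk itself. In general, the condition of a failing drive worsens over time. The goal should be to rescue as much data as possible as early as possible and then to abandon the failing disk. Unlike dd, the ddrescue and dd_rescue utilities repeatedly try to recover from errors and read the drive front to back and then back to front to salvage data. They keep a running record of their progress, so a recovery can be paused and resumed without losing progress.

See Disk cloning.

Image files created by a utility such as ddrescue can be mounted like a physical device and worked on safely. Always make a backup copy of the original image so that you can start over if the recovery work goes wrong.

A tried-and-true method of improving reads from a failing drive is to keep the drive cool. A little time in the freezer is a good idea, but do not let the cold drive warm up too quickly, because condensation will form. Keeping the drive in the freezer, connected to the computer by cables while the recovery runs, works best.

Do not expect a filesystem check on a failing drive to help; it will only make the situation worse. Be sure to mount it read-only.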

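Backing up flash media or small partitions

It is often preferable to work with an image instead of the "live" partition (mounted or not), provided that the filesystem in question is not too large and that you have enough free disk space to hold the image file. For example, flash memory devices such as USB thumb drives, digital cameras, portable music players and mobile phones are in many cases small enough to image.

Be sure to read the man pages of the utilities listed below to verify that they are able to work with image files.

You can use dd to make an image, as follows: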

# dd if=/dev/target_partition of=/home/user/partition.image
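The imaging step above combined with the earlier advice to keep a backup of the original image, as an added example that is not part of the original wiki page: it images a source with dd, records a SHA-256 checksum, write-protects that master image and returns a separate working copy for the recovery tools. The function name image_and_copy and the file names master.image and work.image are assumptions made for the example.

```shell
#!/bin/sh
# image_and_copy SRC OUTDIR   (hypothetical helper, not from the wiki page)
# Images SRC (a block device or a file) into OUTDIR/master.image, stores its
# SHA-256 beside it, write-protects both and creates OUTDIR/work.image for
# the recovery tools. Prints the path of the working copy on success.
image_and_copy() {
    src=$1
    outdir=$2
    master=$outdir/master.image
    work=$outdir/work.image

    mkdir -p "$outdir" || return 1
    # Never overwrite an existing master image: it may be the only good copy.
    if [ -e "$master" ]; then
        echo "refusing to overwrite $master" >&2
        return 1
    fi

    # Same dd call as in the article, with a larger block size for speed.
    dd if="$src" of="$master" bs=1M || return 1

    # Record the checksum so later damage to the master can be detected
    # with: (cd OUTDIR && sha256sum -c master.image.sha256)
    (cd "$outdir" && sha256sum master.image > master.image.sha256) || return 1
    chmod a-w "$master" "$master.sha256"

    # All recovery attempts run against the working copy only.
    cp "$master" "$work" || return 1
    chmod u+w "$work"
    [ "$(sha256sum < "$work")" = "$(sha256sum < "$master")" ] || return 1

    printf '%s\n' "$work"
}

# Usage (as root, device name is a placeholder):
#   image_and_copy /dev/target_partition /home/user/recovery
```

If a recovery attempt damages work.image, delete it and copy master.image again instead of re-reading the device.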

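Digital camera recovery

For some of the utilities listed in the next section to work with flash media, the device in question needs to appear as a block device under /dev. Digital cameras operating in PTP (Picture Transfer Protocol) mode will not work in this regard. PTP cameras are handled transparently by libgphoto or libptp. In this case, "transparently" means that PTP devices do not get block devices. The alternative to PTP mode, USB Mass Storage (UMS) mode, is not supported by all cameras. Some cameras have an option for switching between the two modes; refer to your camera's user manual. If your camera does not support UMS mode and therefore cannot be accessed as a block device, the only alternative is to remove the storage media from the camera and use a flash media card reader.

Foremost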

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on disk image files (such as those generated by dd, Safeback, Encase, etc.) or directly on a drive. The headers and footers can be specified by a configuration file or command line switches can be used to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for more reliable and faster recovery.

See Foremost article.

Extundelete

Extundelete is a terminal-based utility designed to recover deleted files from ext3 and ext4 partitions. It can recover all the recently deleted files from a partition and/or a specific file(s) given by relative path or inode information. Note that it works only when the partition is unmounted. The recovered files are saved in the current directory under the folder named RECOVERED_FILES/.

Installation

extundelete (AUR) can be installed from the official repositories.

Usage

Derived from the post on Linux Poison.

To recover data from a specific partition, the device name for the partition must be known. It has the format /dev/sdXN, where X is a letter and N is a number. The example used here is /dev/sda4, but your system might use something different depending on your filesystem and device configuration (for example, MMC card readers use /dev/mmcblkNpN as their naming scheme). If you are unsure, run df, which prints currently mounted partitions.

Once the partition to recover data from has been determined, run:

# extundelete /dev/sda4 --restore-file directory/file

Any subdirectories must be specified, and the command runs from the highest level of the partition, so, to recover a file in /home/SomeUserName/, assuming /home is on its own partition, run:

# extundelete /dev/sda4 --restore-file SomeUserName/SomeFile

To speed up multi-file recovery, extundelete has a --restore-files option as well.

To recover an entire directory, run:

# extundelete /dev/sda4 --restore-directory SomeUserName/SomeDirectory

For advanced users, to manually recover blocks or inodes with extundelete, debugfs can be used to find the inode to be recovered; then, run:

# extundelete /dev/sda4 --restore-inode inode

inode stands for any valid inode. Additional inodes to recover can be listed in an unspaced, comma-separated fashion.

Finally, to recover all deleted files from an entire partition, run:

# extundelete /dev/sda4 --restore-all

TestDisk and PhotoRec

TestDisk and Photorec are both open-source data recovery utilities licensed under the terms of the GNU Public License (GPL).

TestDisk is primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses, or human error, such as the accidental deletion of partition tables.

PhotoRec is file recovery software designed to recover lost files, including photographs (hint: PhotographRecovery), videos, documents and archives, from hard disks and CD-ROMs. PhotoRec ignores the filesystem and goes after the underlying data, so it still works with re-formatted or severely damaged filesystems and/or partition tables.

Installation

testdisk from the official repositories provides both TestDisk and PhotoRec.

Files recovered by photorec

The photorec utility stores recovered files under numbered directories, with random names for most of the files, e.g. ./recup_dir.1/f872690288.jpg, ./recup_dir.1/f864563104_wmclockmon-0.1.0.tar.gz.

See also

e2fsck

e2fsck is the ext2/ext3 filesystem checker included in the base install of Arch. e2fsck relies on a valid superblock. A superblock is a description of the entire filesystem's parameters. Because this data is so important, several copies of the superblock are distributed throughout the partition. With the -b option, e2fsck can take an alternate superblock argument; this is useful if the main, first superblock is damaged.

To determine where the superblocks are, run dumpe2fs -h on the target, unmounted partition. Superblocks are spaced differently depending on the filesystem's blocksize, which is set when the filesystem is created.

An alternate method to determine the locations of superblocks is to use the -n option with mke2fs. Be sure to use the -n flag, which, according to the mke2fs manpage, "Causes mke2fs to not actually create a filesystem, but display what it would do if it were to create a filesystem. This can be used to determine the location of the backup superblocks for a particular filesystem, so long as the mke2fs parameters that were passed when the filesystem was originally created are used again. (With the -n option added, of course!)".
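How the backup superblock locations depend on the block size, as an added example that is not part of the original wiki page. It assumes a filesystem created with default mke2fs settings (sparse_super enabled, 8 × blocksize blocks per group); the function names are made up for the example, and the output of dumpe2fs -h or mke2fs -n on the real filesystem remains authoritative.

```shell
#!/bin/sh
# is_backup_group N: with sparse_super, backup superblocks live in block
# group 1 and in groups whose number is a power of 3, 5 or 7.
is_backup_group() {
    n=$1
    if [ "$n" -eq 1 ]; then return 0; fi
    for base in 3 5 7; do
        p=$base
        while [ "$p" -lt "$n" ]; do p=$((p * base)); done
        if [ "$p" -eq "$n" ]; then return 0; fi
    done
    return 1
}

# backup_superblocks BLOCKSIZE BLOCKCOUNT
# Prints the block numbers of the backup superblocks, space separated.
# Assumptions (mke2fs defaults): 8 * BLOCKSIZE blocks per group, sparse_super.
backup_superblocks() {
    bs=$1
    total=$2
    per_group=$((bs * 8))
    # With 1 KiB blocks, block 0 holds the boot area and group 0 starts at 1.
    first=0
    if [ "$bs" -eq 1024 ]; then first=1; fi
    groups=$(( (total - first + per_group - 1) / per_group ))
    list=
    g=1
    while [ "$g" -lt "$groups" ]; do
        if is_backup_group "$g"; then
            list="$list $((first + g * per_group))"
        fi
        g=$((g + 1))
    done
    # Unquoted on purpose: collapses the leading space.
    echo $list
}

# Example: a 4 KiB-block filesystem of 1000000 blocks
#   backup_superblocks 4096 1000000
```

Any of the printed block numbers can be given to e2fsck with the -b option described above.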

Installation

Both e2fsck and dumpe2fs are included in the base Arch install as part of e2fsprogs.

See also

Working with raw disk images

If you have backed up a drive using ddrescue or dd and you need to mount this image as a physical drive, see this section.

Mount the entire disk

To mount a complete disk image to the next free loop device, use the losetup command:

# losetup -f -P /path/to/image

Tip:
  • The -f flag mounts the image to the next available loop device.
  • The -P flag creates additional devices for every partition.

Mounting partitions

In order to be able to mount a partition of a whole disk image, follow the steps above.

Once the whole disk image is mounted, a normal mount command can be used on the loop device:

# mount /dev/loop0p1 /mnt/example

This command mounts the first partition of the image in loop0 at the mountpoint /mnt/example. Remember that the mountpoint directory must exist!

Getting disk geometry

Once the entire disk image has been mounted as a loopback device, its drive layout can be inspected.

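Using QEMU to repair NTFS

For disk images containing one or more NTFS partitions that need to be checked with chkdsk under Windows (why Windows? Because there is no good NTFS checker for Linux), QEMU can use the raw image as a physical hard disk inside a virtual machine: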

# qemu -hda /path/to/primary.img -hdb /path/to/DamagedDisk.img

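Then, assuming Windows is installed on primary.img, it can be used to check the partitions on /path/to/DamagedDisk.img.

Text file recovery

It is possible to search a disk block device directly for deleted text files. You need a reasonably unique string from the file you want to recover.

Use grep to search the partition directly for a fixed string (-F):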

$ grep -a -C 200 -F 'Unique string in text file' /dev/sdXN > OutputFile

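With luck, the deleted file can be extracted from the context around the matched text, which is saved in OutputFile.

Note: The -C 200 option tells grep to print 200 lines before and after each match. If the text you are looking for is long, adjust the value as needed. The options -A and -B print only the lines after or before each match, respectively.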
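A variation of the grep search above, as an added example that is not part of the original wiki page: because "lines" in binary data can be arbitrarily long, it uses grep's byte offsets (-b -o) to locate the first match and then cuts a fixed byte window around it. The function name carve_text and the window sizes are assumptions; run it against an image file rather than the original device where possible.

```shell
#!/bin/sh
# carve_text IMAGE STRING BEFORE AFTER   (hypothetical helper)
# Finds the first occurrence of STRING in IMAGE (a disk image or block
# device) and writes BEFORE bytes preceding the match plus AFTER bytes
# starting at the match to stdout, with non-printable bytes removed.
# Returns 1 if STRING is not found.
carve_text() {
    img=$1
    needle=$2
    before=$3
    after=$4

    # -a: treat binary data as text   -b: print the byte offset
    # -o: print only the match        -F: fixed string, no regex
    # Output lines look like "5009:Unique string"; keep the first offset.
    off=$(LC_ALL=C grep -a -b -o -F -- "$needle" "$img" | head -n 1 | cut -d: -f1)
    if [ -z "$off" ]; then
        return 1
    fi

    # Clamp the window so it does not start before the image does.
    start=$((off - before))
    if [ "$start" -lt 0 ]; then start=0; fi
    len=$((off - start + after))

    # tail -c +N is 1-based; tr keeps tab, LF, CR and printable ASCII only.
    tail -c +"$((start + 1))" "$img" | head -c "$len" |
        LC_ALL=C tr -cd '\11\12\15\40-\176'
}

# Usage (image path is a placeholder):
#   carve_text /home/user/partition.image 'Unique string in text file' \
#       4096 16384 > OutputFile
```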

See also