
Undelete Files on Linux Systems

Posted on 2013-12-4 14:26:37

Often, a computer user will delete a needed file accidentally and have no easy way to regain or recreate it. Thankfully, files can be undeleted. When a user deletes a file, it is not gone, only hidden for some time. Here is how it all works. On a filesystem, the system keeps what is called a file allocation list. This list keeps track of which files are where on the storage unit (hard-drive, MicroSD card, flash-drive, etc.). When a file is deleted, the filesystem performs one of two tasks on the allocation table: either the file's entry in the file allocation table is marked as "free space", or the file's entry in the list is erased and then the space is marked as free. Now, if a new file needs to be placed on the storage unit, the operating system will put it in the space marked as empty. Once the new file has been written to that "empty space", the deleted file is gone forever. When a deleted file is to be recovered, the user must not write anything to that storage unit, because if the "empty space" is reused, the file can never be retrieved.


How do undelete programs work?

The majority of filesystems only mark the space as empty. On these filesystems, the undelete program reads the file allocation list and copies the deleted file to another storage unit. If the files were copied to the same storage unit, the user could lose other deleted files that are still needed.

Rarely do filesystems erase the allocation table entry. If a filesystem does, the undelete program recovers files in a different way: it searches the storage unit for file headers. All files of a given type start with a specific string of bytes at the very beginning of the file. This is called a magic number. For example, the magic number of a compiled Java class is the hex value "CAFEBABE", so an undelete program would find "CAFEBABE" and copy that file to another storage unit. Some undelete programs can look for a specific file type: the user may want a PDF, so the program searches for the hex magic number "25504446", which is the ASCII code for "%PDF". Other undelete programs search for all magic numbers, and the user then selects which deleted files to recover.

If part of the file has been overwritten, the whole file will be corrupted. The file can usually be recovered, but its contents will be useless. For instance, recovering a corrupted JPEG file is pointless because the image viewer will not be able to render an image from it. The user has the file, but the file is useless.
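The magic-number search described above is usually called file carving. The following Python script is an added example (not part of the original post, and not TestDisk's code) that carves files out of a raw image by header alone, with no allocation table. It uses the two magic numbers the post names (%PDF and CAFEBABE) plus the JPEG start/end markers, and marks a carved file as incomplete when its trailer cannot be found, which is what an overwritten tail looks like to a carver. The image bytes and the MAX_CARVE size cap are constructed for the demonstration.

```python
# Header ("magic number") and, where the format has one, trailer bytes.
# %PDF and CAFEBABE come from the article; FF D8 FF / FF D9 are the JPEG
# start-of-image and end-of-image markers.
SIGNATURES = {
    "pdf":   (b"%PDF",             b"%%EOF"),
    "jpeg":  (b"\xff\xd8\xff",     b"\xff\xd9"),
    "class": (b"\xca\xfe\xba\xbe", None),   # Java class files have no trailer
}
MAX_CARVE = 64 * 1024  # assumed size cap for a file whose end cannot be found


def find_headers(image, kinds=None):
    """Return every (offset, kind) at which a known magic number occurs, sorted by offset."""
    hits = []
    for kind, (header, _trailer) in SIGNATURES.items():
        if kinds and kind not in kinds:
            continue
        start = 0
        while (pos := image.find(header, start)) >= 0:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)


def carve(image, kinds=None, max_len=MAX_CARVE):
    """Carve files out of a raw image by magic number, ignoring any allocation table.

    Each result is a dict with the offset, kind, carved bytes and a 'complete'
    flag: True when the trailer was found, False when it was not (the tail was
    probably overwritten), None for formats that have no trailer.
    """
    hits = find_headers(image, kinds)
    results = []
    for i, (pos, kind) in enumerate(hits):
        header, trailer = SIGNATURES[kind]
        limit = min(len(image), pos + max_len)
        if trailer is None:
            # Nothing marks the end: stop at the next header or the size cap.
            end = min(limit, hits[i + 1][0]) if i + 1 < len(hits) else limit
            complete = None
        else:
            found = image.find(trailer, pos + len(header), limit)
            if found >= 0:
                end, complete = found + len(trailer), True
            else:
                end, complete = limit, False
        results.append({"offset": pos, "kind": kind,
                        "data": image[pos:end], "complete": complete})
    return results


# Constructed "disk image": zero filler between three small files, no allocation table.
JUNK = b"\x00" * 16
SAMPLE_IMAGE = (
    JUNK
    + b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"            # offset 16, 34 bytes
    + JUNK
    + b"\xff\xd8\xff\xe0JFIF data\xff\xd9"                 # offset 66, 15 bytes
    + JUNK
    + b"\xca\xfe\xba\xbe\x00\x00\x00\x34constant pool"     # offset 97, no trailer
    + JUNK
)

if __name__ == "__main__":
    for hit in carve(SAMPLE_IMAGE):
        print(hit["offset"], hit["kind"], len(hit["data"]), hit["complete"])
```

Passing kinds={"pdf"} reproduces the "the user may want a PDF" case, and carving a truncated copy of the image (for instance SAMPLE_IMAGE[:40]) yields the PDF with complete=False, the signature of a file whose tail has been reused.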


Device Locations:

Before we continue, here is some information that will help in pointing the undelete utilities at the correct storage unit. All devices are in the /dev/ folder. The name the system gives each device (not the label the admin gave each partition or device) follows a predictable scheme. The second partition on the first SATA hard-drive would be sda2. The first letter indicates the storage type, in this case SATA, but an "s" could also mean SCSI, FireWire, or USB. The second letter "d" means disk. The third letter indicates the device number, so an "a" would be the first SATA drive and a "b" would be the second. The number indicates the partition. To name the whole device with all of its partitions, type the letters without the number; for this example that would be sda. Another possible first letter is "h", which means a PATA (IDE) hard-drive.

As some examples of this scheme, a user has a computer with one SATA hard-drive (sda). The drive has four partitions - sda1, sda2, sda3, and sda4. The user deletes the third one, but sda4 remains sda4 until sda4 is reformatted. The user then plugs in a USB memory card (sdb) with one partition - sdb1. The user then adds an IDE hard-drive with one partition - hda1. Next, the user adds a SCSI hard-drive - sdc1. Then, the user removes the USB memory card (sdb). Now, the SCSI drive remains sdc, but if the SCSI drive is removed and added back, it will be sdb. Even though other storage devices existed, the IDE drive gets the "a" because it is the first IDE drive. IDE devices are numbered separately from SCSI, SATA, FireWire, and USB devices.


Recovery:

Each undelete program has different abilities, features, and support for various filesystems. Below are some instructions for using TestDisk to recover files on a set of filesystems.

FAT16, FAT32, exFAT (FAT64), NTFS, and ext2/3/4:

TestDisk is an open-source, free program that works on Linux, *BSD, SunOS, Mac OS X, DOS, and Windows. TestDisk can be found here: http://www.cgsecurity.org/wiki/TestDisk. TestDisk can also be installed by typing "sudo apt-get install testdisk". TestDisk has many abilities, but this article is concerned with undeleting files.

Open TestDisk in a terminal using root privileges by typing “sudo testdisk”.

Now the TestDisk command-line application will execute and the terminal's appearance will change. TestDisk asks the user whether it may keep logs. This is entirely up to the user, but if the user is recovering files from the system storage, do not keep a log, since writing it could reuse the very space being recovered. The choices are "Create", "Append", and "No Log". If the user wants a log, it is kept in that user's home folder.



In the following screen, the storage devices are listed using the /dev/* method. For my system, the system's storage unit is /dev/sda. This means that my storage unit is a SATA hard-drive (sd) and it is the first hard-drive (a). The size of each storage unit is displayed in Gigabytes. Use the up and down arrows to select a storage device and hit enter.



The next screen displays a list of partition table (also called partition map) types. Just as there is a file allocation table for files, there is a table for the partitions. Partitions are dividers on a storage device. For instance, almost all Linux systems have at least two partitions - EXT3/4 and Swap. Each partition table type is briefly described below. TestDisk does not support all partition tables, so this is not a complete list.



Intel - This partition table is very common on Windows systems and many Linux systems. This table is also known as MBR.
EFI GPT - This is usually used with Linux systems. This partition map is most recommended for Linux because the concept of logical/extended partitions does not apply to GPT (GUID Partition Table) tables. This means that a Linux user can multiboot many forms of Linux with one Linux OS on each partition. There are other advantages to using GPT, but that is beyond this article.
Humax - Humax maps are used with devices made by the South Korean company Humax.
Mac - The Apple Partition Map (APM) is used by Apple devices.
None - Some devices do not have a partition table. For instance, many Subor game consoles do not use a partition map. If a user tried to undelete a file on these devices thinking that the partition map was one of the other choices, the user would be confused by the fact that TestDisk does not find any filesystem or files.
Sun - The Sun partition table is used by Sun systems.
Xbox - The Xbox uses the Xbox partition map for its storage devices.

If a user selects "Xbox" even though their system uses GPT, TestDisk will not be able to find a partition or filesystem. If it does find one, it will have guessed incorrectly. (The image below displays the output when an incorrect partition type is selected.)



Once the user picks the correct choice for their device, on the next screen, select "Advanced".



Now the user should see a list of all of the filesystems/partitions on the storage unit. If the user chose the wrong partition map, this is where they will find out. If there are no errors, highlight the partition that contains the deleted file by placing the text-based cursor on it. Use the left and right arrows to highlight "List" at the bottom of the terminal, then hit enter.



A new screen is displayed with a list of files and folders. The whitish files are current files that have not been deleted. The red files have been deleted. The far right column holds the files' names. The next column to the left is the creation date of the file. One more column to the left is the files' sizes in bytes. To the far left is a column with dashes, "d"s, "r"s, "w"s, and "x"s. These are the file permissions. A "d" indicates that the item is a directory. The rest of the permission syntax is irrelevant to this article. The item at the top of the file list titled "." means the current directory. The second entry, titled "..", means go up one directory, so a user can move up a directory by selecting this line. For an example, I will go into the directory "Xaiml_Dataset". The folder is nearly full of deleted files. I will undelete "computers.xaiml" by pressing "c" on the keyboard. I am now asked to select a destination directory. Of course, I will put it on another partition. I am in my home folder, and I press "c". It does not matter which folder is highlighted; the current folder is the destination directory. Now I am back at the list of files. At the top of the screen is a message that says "Copy Done!". In my home folder is a folder called "Xaiml_Dataset", and inside is the Xaiml file. If I press "c" on more deleted files, they will be placed in the new folder without asking me for a destination.







When finished, press "q" repeatedly until the normal terminal is seen. The folder "Xaiml_Dataset" can only be accessed by root. To fix this, use root privileges to change the permissions of the folder and the files it contains. After that, the files have been recovered and are accessible to the user.

ReiserFS:

To undelete a file from a ReiserFS filesystem, first make a backup of all of the files on the partition, because this method can cause files to be lost if something goes wrong. Next, execute the following command, where DEVICE is the device in the form sda2. Some files will be put in the lost+found directory and others will remain where they were before deletion.



Code:
    reiserfsck --rebuild-tree --scan-whole-partition /dev/DEVICE

Recover Deleted File that is Still Open in Program:



Assume a user accidentally deletes a file that a program has open. The file on the hard-drive was deleted, but the program is using a copy of the file that is in RAM. Thankfully, there are two easy solutions.
If the program has save capabilities, like a text editor, the user can simply resave the file. The editor will then write the file back to the hard-drive.
Now assume that this is an MP3 file in a music player. The music player cannot save the MP3 file. This task requires a little more time than the previous situation. Unfortunately, this method does not work on all systems and applications. To begin, type the following command.



Code:
    lsof -c smplayer | grep mp3

This command LiSts all of the Open Files used by Smplayer. The list is piped (given) to grep, which searches for "mp3". The output looks like the following.



Code:
    smplayer  10037 collier  mp3    169r      8,1  676376  1704294 /usr/bin/smplayer(deleted)

Now type the following command to recover the file directly from RAM (on Linux systems, /proc/ is the RAM) and copy it to a folder of choice. "cp" is the copy command. The number 10037 comes from the process number given in the output. The 169 is the file descriptor shown in the output. "~/Music/" is the destination directory. Lastly, "music.mp3" is the file name that the user wants for the recovered file.



Code:
    cp /proc/10037/fd/169 ~/Music/music.mp3

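The lsof-then-cp procedure above can be reproduced end to end in a few lines. The Python script below is an added example, not code from the original post: it creates a file, holds it open the way a player would, deletes it, then locates the descriptor through /proc/<pid>/fd exactly as lsof does (the kernel appends " (deleted)" to the link target once the directory entry is gone) and copies the data back out through that link. The file name, its contents and the fallback used on systems without /proc are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def find_deleted_open_files(pid):
    """List (fd, target) for descriptors of `pid` whose file has been unlinked.

    This reads the same /proc/<pid>/fd symlinks that lsof reports; the kernel
    appends " (deleted)" to the link target once the directory entry is gone.
    Returns [] on systems without /proc.
    """
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return []
    found = []
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.endswith(" (deleted)"):
            found.append((int(name), target))
    return found


def recover_from_proc(pid, fd, dest_path):
    """Copy /proc/<pid>/fd/<fd> to dest_path, the equivalent of the article's cp command.

    Opening the /proc link gives a fresh descriptor at offset 0 on the still-
    allocated inode, so it works even if the owning program has already read
    to the end of the file.
    """
    with open(f"/proc/{pid}/fd/{fd}", "rb") as src, open(dest_path, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return os.path.getsize(dest_path)


def recover_from_fd(fd, dest_path):
    """Fallback without /proc (assumed): rewind the descriptor we still hold and copy it."""
    os.lseek(fd, 0, os.SEEK_SET)
    with open(dest_path, "wb") as dst:
        while chunk := os.read(fd, 1 << 16):
            dst.write(chunk)
    return os.path.getsize(dest_path)


def demo():
    """Create a file, hold it open, delete it, then recover it.

    Returns (directory_entry_gone, recovered_bytes_match, found_via_proc).
    """
    # Constructed stand-in for the MP3: the bytes only need to be recognisable.
    payload = b"ID3 constructed mp3 payload\n" * 256
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "song.mp3")
    with open(path, "wb") as f:
        f.write(payload)
    fd = os.open(path, os.O_RDONLY)          # the "player" keeps this open
    try:
        os.unlink(path)                       # the accidental deletion
        gone = not os.path.exists(path)
        dest = os.path.join(workdir, "recovered.mp3")
        via_proc = any(d_fd == fd for d_fd, _ in find_deleted_open_files(os.getpid()))
        if via_proc:
            recover_from_proc(os.getpid(), fd, dest)
        else:
            recover_from_fd(fd, dest)
        with open(dest, "rb") as f:
            recovered = f.read()
    finally:
        os.close(fd)
        shutil.rmtree(workdir, ignore_errors=True)
    return gone, recovered == payload, via_proc


if __name__ == "__main__":
    print(demo())
```

The recovery works because unlinking only removes the directory entry; the inode and its blocks stay allocated for as long as any process holds a descriptor on them, which is why the copy must be made before the player exits.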
Real Deletion:

To make sure that a file can never be recovered, use a command that "wipes" the hard-drive. Wiping the hard-drive means writing meaningless data to the disk. For example, many wiping programs write zeros, random letters, or random data to the hard-drive. No space is taken up or lost; the wiping program just overwrites the "empty space". If the storage unit is ever completely full, with no free space remaining, then all of the previously deleted files will be gone.

The purpose of wiping hard-drives is to make sure that private data is never seen. For illustration, a company may order new computers, and the manager decides to sell the old ones. However, there is concern that the new owners may view company secrets or customer information such as credit card numbers and addresses. Thankfully, a computer technician in the company can wipe the hard-drives before the old computers are sold.

To install secure-delete, a wiping program, type "sudo apt-get install secure-delete". This installs a set of four commands that make sure that deleted files are never recovered.

srm - permanently delete a file. Usage: srm -f ./secret_file.txt
sfill - wipe the free space. Usage: sfill -f /mount/point/of/partition
sswap - wipe swap space. Usage: sswap -f /dev/SWAP_DEVICE
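The srm command works by overwriting a file's contents before unlinking it, so that the data in the "free space" left behind is meaningless. The Python script below is an added example (not part of the original post, and not the secure-delete source) of that overwrite-then-unlink idea: random passes followed by a zero pass, each fsync'd so it reaches the device. The file contents and pass count are constructed for the demonstration. One caveat a practitioner should know: overwriting in place only helps where the filesystem rewrites the same blocks, so copy-on-write filesystems, snapshots and SSD wear levelling can retain old copies, which is why free-space wiping or full-disk encryption is the stronger answer for a machine that is being sold.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of `path` in place: random data, then zeros on the last pass.

    Returns the total number of bytes written. Each pass is fsync'd so the
    write actually reaches the device rather than sitting in the page cache.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                pattern = b"\x00" * n if p == passes - 1 else secrets.token_bytes(n)
                f.write(pattern)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size * passes


def shred_file(path, passes=3):
    """srm-style removal: overwrite the contents, then unlink the directory entry."""
    written = overwrite_in_place(path, passes)
    os.unlink(path)
    return written


def demo():
    """Write a constructed 'secret', overwrite it, and report what the overwrite did."""
    secret = b"constructed secret: card number 0000-0000-0000-0000\n" * 64
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "secret_file.txt")
    other = os.path.join(workdir, "other_secret.txt")
    try:
        with open(path, "wb") as f:
            f.write(secret)
        with open(other, "wb") as f:
            f.write(secret)
        written = overwrite_in_place(path, passes=2)
        with open(path, "rb") as f:
            after = f.read()          # what a plain read now returns
        os.unlink(path)
        shred_file(other, passes=2)
        return {
            "size": len(secret),
            "bytes_written": written,
            "same_length": len(after) == len(secret),
            "secret_readable": secret in after,
            "all_zero": after == b"\x00" * len(secret),
            "shredded_gone": not os.path.exists(other),
        }
    finally:
        for leftover in (path, other):
            if os.path.exists(leftover):
                os.unlink(leftover)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(demo())
```

Reading the file back after the overwrite shows only the last pass's zeros; unlinking afterwards then frees blocks that hold nothing worth carving, which is the property the magic-number search earlier in the post would otherwise exploit.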



If computers were to truly delete a file selected for deletion, more time would be required to perform the task. It is quick and easy to mark some space as free, but making the file gone forever takes time. Wiping a storage unit, for instance, takes a few hours to complete (depending on storage size). Overall, the current system works well, because even when a user empties the recycle bin, they still have another chance to change their mind.