Linux Data Recovery: A Hands-On Case Study

Source: Internet
Author: User

A programmer's mistake causes data loss, and a week's worth of project work is gone. The boss's rebuke and the manager's scolding follow. After that there is no rest, only overtime, and even in the small hours of the morning you cannot leave the damn computer. Feels awful, doesn't it?

For friends who don't like to back up their data, let's talk about data recovery. Here is how you can use simple tools to recover data you have deleted.

Tools:

hexedit, fdisk

Everything below is done as root.

hexedit:

On Linux, hexedit is often used to modify a program's hexadecimal code. fdisk is not introduced here.

Now we go into the disk world and see what the disk does with the data.

First, run this command in a terminal with root permissions:

fdisk -l

/dev/sdb1 is today's protagonist. The picture clearly shows some of its details, such as the disk size, sectors, I/O size, and so on.

The disk format is ext4, not the VFAT32 or NTFS formats used on MS systems. A FAT32 picture is posted at the end of the article.

First step:

Run fdisk and use expert mode to back up the partition table.

The ext4 partition table is very simple, and the partition table backup is generally named ext4.img. The backup is there in case something gets corrupted during data recovery.

Step Two:

First perform a cut operation on the target sdb1, moving the file on sdb1 to your computer's hard disk. Once that has completed, open sdb1 with hexedit.

Name of the file that was cut: Usb.png

Command: hexedit -s /dev/sdb1

In the picture you can see the file name and its sector. Did you notice that the device in the picture is sdc1? The device name changed because the disk was auto-mounted again; the data does not change when the disk's device name changes. Now that the file name has been found, the next thing to find is the file header.

How do you find the file header? You can use hexedit's hex search; if you want to search in ASCII, press TAB to switch to the ASCII area.

The size of the file determines the number of sectors the file occupies on the disk; 1 sector == 512 bytes. The diagram shows the file header offset and its sector.

Extract the hex values and write them to a file.
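The header search and sector-range extraction described above, written out as a script. This is an added example, not code from the original article: it assumes you work on an image copy of the partition held in memory, and the 16-sector image, the PNG-like blob and the sector numbers 8 and 9 are constructed for the demonstration.

```python
SECTOR = 512                          # the article's unit: 1 sector == 512 bytes
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # PNG file header (signature)
PNG_END = b"IEND\xaeB`\x82"           # IEND chunk type followed by its fixed CRC


def find_header_sectors(image, magic):
    """Return every sector that begins with the given file signature."""
    return [off // SECTOR for off in range(0, len(image), SECTOR)
            if image.startswith(magic, off)]


def carve(image, start, end):
    """Raw bytes of sectors start..end inclusive, as read off in the hex editor."""
    return image[start * SECTOR:(end + 1) * SECTOR]


def trim_png(raw):
    """Cut the 00 padding that follows the PNG trailer in the last sector."""
    pos = raw.find(PNG_END)
    if pos < 0:
        raise ValueError("no IEND trailer: range too short or data overwritten")
    return raw[:pos + len(PNG_END)]


def recover_png(image):
    """Locate the first PNG header, work out its end sector, return the file."""
    headers = find_header_sectors(image, PNG_MAGIC)
    if not headers:
        raise ValueError("no PNG header found on a sector boundary")
    start = headers[0]
    trailer = image.find(PNG_END, start * SECTOR)
    if trailer < 0:
        raise ValueError("header found but trailer missing")
    end = (trailer + len(PNG_END) - 1) // SECTOR
    return start, end, trim_png(carve(image, start, end))


def build_sample_image():
    """Constructed test data: 16 zeroed sectors with a PNG-like blob at sector 8."""
    blob = PNG_MAGIC + b"\xab" * 700 + b"\x00\x00\x00\x00" + PNG_END
    image = bytearray(16 * SECTOR)
    image[8 * SECTOR:8 * SECTOR + len(blob)] = blob
    return bytes(image), blob


if __name__ == "__main__":
    img, original = build_sample_image()
    first, last, data = recover_png(img)
    print(f"header sector {first}, end sector {last}, {len(data)} bytes recovered")
```

To use it on real media, read the bytes from an image file of the partition instead of calling build_sample_image(), and write the returned data to a new file on a different disk.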

The restored picture:

This looks very simple: it is only a cut operation on a single file, followed by its recovery. A reminder: it is not only deleted data on a disk that can be restored; data that was cut is recoverable in the same way.

Now let's look at what to do when you delete data from a disk.

Delete a file named 1.gif by running the delete command on the disk, as follows:

File header sector: 264056, end sector: 264061. The file deleted the first time had header sector 264056 and end sector 264057, so you can see that the data from the first deletion has been overwritten, and what is safely left is the data from the second deletion.

These operations demonstrate the recovery of a single file on the disk and how the data on the disk changes. Next we'll look at what happens with two files.

There are two different types of files on the disk.

File name: partition.zip

File name: Cab.ico

First file: header sector 264056, end sector 264058.

Second file: header sector 264064, end sector 264076. Notice that the end sector of the first file and the header sector of the second file are more than one sector apart, so what is in the gap between them?

You can see that the gap in between is filled entirely with 00. Here is a summary of what we've done on Linux:

ext4 file system

Cut operation

File name: usb.png, sector 67120

File header: sector 264064, file end: sector 264076

Delete operations

File name: 1.gif, sector 67112 (overwritten)

File header: start sector 264056, end sector 264057 (overwritten)

File name: 56.jpg, sector 67112

File header: start sector 264056, end sector 264061

When the operation is performed on a single file, it overwrites the data that was deleted last time.

File storage:

(1) File name: partition.zip, sector 67112

File header: start sector 264056, end sector 264058

(2) File name: cab.ico, sector 67112

File header: start sector 264064, end sector 264068

Cut area: sector 264064

Deletion area: sector 264056

Storage area: coexists with the deletion area

Storage: when a single file is stored, the file overwrites the data in the deletion area.

Data recovery: when multiple files are deleted, the deletion area retains the hex data; if new file data is then created, the deleted hex data is overwritten.

Figure (FAT32 disk format):
