“UbuntuHelp:DataRecovery”的版本间的差异

2007年11月30日 (五) 16:39的版本

文章出处:

https://help.ubuntu.com/community/DataRecovery

点击翻译:

English  • 中文

请不要直接编辑翻译本页，本页将定期与来源同步。

Deleted or lost files can be recovered from failed or formatted drives and partitions, cdroms and memory cards using the free-libre software available in the Ubuntu repositories. Follow these steps to recover lost data. This guides applies to Ubuntu 7.04 and version 7.10.

Guidelines

Unless you can rule out hardware failure, you must not write to the failed device. The following software will passively try to recover your data from failed or failing hardware. If your data is not replaceable, do not attempt to write to the failed device if the following applications do not work but seek professional advice instead. If your device is damaged, it is advisable to image the device and work on the image file for data recovery. If hardware failure is not the problem, you can recover data directly from the device. To recover data from a failed device, you will need anther device of equal or greater storage onto which to save your data. If you need to make an image of the failed device, you will need yet another quantity of space. You should run these tools from another OS which resides on another disk or a live cd. An Ubuntu live cd will work fine. If you do not have a lot of ram, or do not have an internet connection on the failed computer, you can use Ubuntu-rescue-remix, a live cd data recovery toolkit. It includes all the software mentioned in this page.

Lost Partition

If you made a mistake while partitioning and the partition no longer appears in the partition table, so long as you have not written data in that space, all your data is still there.

Parted

Run parted from the command line to recover your partition. When changing the partition table on your hard drive, you must ensure that no partition on the disk is mounted. This includes swap space. The easiest way to accomplish this is to run the live cd. Parted is installed on the base Ubuntu system. Once at the desktop, open a terminal and run

sudo swapoff -a

Next run parted and tell it to use the device in question. For example, if your /dev/sda drive is the drive from which you want to recover, run

sudo parted /dev/sda

Then, use the rescue option: rescue START END where Start is the area of the disk where you believe the partition began and END is it's end. If parted finds a potential partition, it will ask you if you want to add it to the partition table.

Testdisk

Alternatively, the testdisk application may recover your partition. Use any method to install the following package:

testdisk

Run testdisk and it will scan your computer for media and offer you a menu-driven way to recover your partition.

sudo testdisk

Data Recovery from damaged filesystem or drive

From /usr/share/doc/gnuddrescue/README GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, using a logfile, it tries to fill in the gaps. The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc. If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point. Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies. ddrescue - copies data from one file or block device to another. It is a different tool that gnuddrescue. This documentation currently only applies to gnuddrescue. Use any method to install the following package:

gddrescue

Run gnuddrescue like this:

ddrescue [options] infile outfile [logfile]

So, if /dev/sda is unreadable, you will need to acquire another disk (or other media) onto which to save the output image. You will need to have more room on the new media than on the failed disk.

sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile

Run successive passes like this:

sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile

and gnuddrescue will use the log file to only read the gaps with errors. In both cases, the -r option determines the number of times gddrescue will try to read when it encounters an error (-1 = infinity). Other examples: These two examples are taken directly from the ddrescue info pages. Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom

ddrescue -b 2048 /dev/cdrom cdimage logfile 

write cdimage to a blank CD-ROM

Extract files from recovered image

Now that the drive has been imaged, recover files from the image.

Foremost

Foremost is a command-line tool which can recover files from a number of filesystems, including fat, ext3 and NTFS. It can be installed and run from the live cd. Boot from the live cd and then enable the universe repository and install foremost: Use any method to install the following package:

foremost

Foremost can recover files from an image of the drive, of from the drive directly. If the drive has suffered hardware problems, use gnuddrescue to image the drive first. Assuming the lost files are on hda, you need to create a writeable directory on another drive where you can put the recovered files (lets say you have a big external usb drive (sdb)

sudo mount /dev/sdb1 /recovery
sudo mkdir /recovery/foremost

And then run foremost:

sudo foremost -i /dev/hda -o /recovery/foremost

To run formost on an image, just substitute the filename for the device

sudo foremost -i image -o /recovery/foremost

The recovered files will then be owned by root. Change their ownership so that you can use them:

sudo chown -R youruser:youruser /recovery/foremost

Use the -w switch to obtain only an audit of recoverable files:

sudo foremost -w -i /dev/hda -o /recovery/foremost

To recover only specific file types, use the -t switch:

sudo foremost -t jpg -i /dev/hda -o /recovery/foremost

Available types: jpg Support for the JFIF and Exif formats including implementations used in modern digital cameras. gif png bmp Support for windows bmp format. avi exe Support for Windows PE binaries, will extract DLL and EXE files along with their compile times. mpg Support for most MPEG files (must begin with 0x000001BA) wav riff This will extract AVI and RIFF since they use the same file for‐ mat (RIFF). note faster than running each separately. wmv Note may also extract -wma files as they have similar format. mov pdf ole This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter doc Note it is more efficient to run OLE as you get more bang for your buck. If you wish to ignore all other ole files then use this. zip Note is will extract .jar files as well because they use a simi‐ lar format. Open Office docs are just zip’d XML files so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files. rar htm cpp C source code detection, note this is primitive and may generate documents other than C code. all Run all pre-defined extraction methods. [Default if no -t is specified]

Photorec

Photorec is file data recovery software designed to recover lost pictures from digital camera memory or even Hard Disks. It has been extended to search also for non audio/video headers. It searches for 80 different types of files. Photorec is part of the Testdisk package. Use any method to install the following package:

testdisk

To run Photorec on an image file, do:

sudo photorec imagefilename

To recover files directly from a device, run photorec without any arguments and you will be given a menu of available devices.

sudo photorec

Ntfsprogs

Ntfsundelete can recover deleted files from an NTFS filesystem From the manpage:

EXAMPLES
Look for deleted files on /dev/hda1.
ntfsundelete /dev/hda1
Look for deleted documents on /dev/hda1.
ntfsundelete /dev/hda1 -s -m '*.doc'
Look for deleted files between 5000 and 6000000 bytes,  with  at  least
90% of the data recoverable, on /dev/hda1.
ntfsundelete /dev/hda1 -S 5k-6m -p 90
Look for deleted files altered in the last two days
ntfsundelete /dev/hda1 -t 2d
Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
ntfsundelete /dev/sda1 -u 2,5,100-131
Undelete  inode number 3689, call the file 'work.doc' and put it in the
user's home directory.
ntfsundelete /dev/hda1 -u 3689 -o work.doc -d ~
Save MFT Records 3689 to 3690 to a file 'debug'
ntfsundelete /dev/hda1 -c 3689-3690 -o debug

Magicnumber

Need info.

recoverjpeg

Need info.

sleuthkit and autopsy

Need info.

Autopsy

Autopsy can be run from the live cd, but you must specify an address to which you can connect remotely. You must also specify an external disk on which it can save the extracted information. Example, assuming you have an external disk mounted to /media/disk with an autopsy folder on it and your ip address is 192.168.0.1: sudo autopsy -d /media/disk/autopsy 192.168.0.1

Sleuthkit

Extract unallocated (deleted) blocks from a disk or disk image dls inputimage > outputimage Use any tool to search the output image for files.