Linux Format - UK (2019-12)

46 LXF257 December 2019 http://www.linuxformat.com

IN-DEPTH Data recovery


The command magicsort /media/recovery will sort the contents of the recovery folder into directories named after each file's type, as identified by its magic number.

Dig deeper
Digital forensics is a branch of forensic science that involves recovering and examining data from digital devices. The data recovery tools mentioned above are good for recovering files that have been marked for deletion but lie untouched in the area they occupy on the disk, because they still rely on what is left of the filesystem to find them.
Foremost, on the other hand, is what is known as a file carver: it ignores the filesystem altogether and scans the raw contents of the device for the headers, footers and – like Magic Rescue – the magic numbers of known file formats, then cuts out the sectors that lie between them. That is what lets it dig out files whose directory entries and metadata are gone; the price is that it knows nothing about filenames or ownership, and a file that was fragmented across the disk will come back incomplete. The tool was originally written by agents of the U.S. Air Force Office of Special Investigations and is included in the official repositories of major Linux distros.
As we mentioned earlier, make sure that before you run Foremost you create a recovery folder on a separate partition, or better still on an external disk: writing the carved files back onto the partition you are carving would overwrite the very sectors you are trying to get back. Now assuming the lost files are on sda1, you can recover files with:
sudo foremost -i /dev/sda1 -o /media/recovery/foremost

To run Foremost on an image, just replace the device name with the name of the image, such as:
sudo foremost -i sda1.image -o /media/recovery/foremost
Working from an image rather than the live device is the safer option anyway, since it leaves the original disk untouched while you experiment.
When it’s done, head to the /media/recovery/foremost directory, which will contain various folders for different file formats, such as JPG, PNG, PDF, MP4 and dozens of others. In addition to various multimedia files, Foremost also recovers some binary and document formats without manual rework. It also recognises some types of archives. The software generates an audit file called audit.txt that records every file it carved, along with the offset it was found at and its size; keep it, because it is the only record of where each recovered file came from.
As you can see, Foremost is designed to reconstruct numerous data formats out of the box. To recover only specific file types use the -t option, such as:
sudo foremost -t png -i /dev/sda1 -o /media/recovery/foremost
Several types can be given as a comma-separated list, for example -t png,jpg,pdf.
As with the other recovery tools, the recovery process will not be able to recover the original name of the file, so once Foremost has done its job, you’ll have to manually go through all the folders to check and rename the files. Depending on the type of files you’ve asked it to restore, you’ll probably end up with hundreds of them, and sorting through them is a task in itself. If there’s a particular file you’re after, you can save yourself a lot of time if you know the approximate size of the file, since the size of every carved file is listed in audit.txt.

Precision carving
While you can’t deny the effectiveness of Foremost, the tool is painstakingly slow, because by default it looks for headers at every byte offset of the input (its -q quick mode only checks 512-byte sector boundaries, which is much faster but misses files that don’t start on one). Scalpel is another file carver that started out as a rewrite of Foremost, but promises to be more efficient. Scalpel too is available in the repositories of most distros. Before you can use Scalpel, however, you’ll have to edit its configuration file (usually placed under the /etc/scalpel/ directory) in order to uncomment the descriptors for the type of file you want to recover. Each descriptor is one line giving the file extension, whether the signature is case sensitive, the maximum size to carve, the header and, optionally, the footer. The developers ask you to avoid the temptation to uncomment the entire file since that will create an unnecessary overhead by digging up a whole lot of files, much like Foremost. Again, it’s advisable to store the recovered files on a separate partition/disk, and never on the one you are carving.
Invoking Scalpel on a disk is a lot simpler:
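As an added example, not code from the article or from the Foremost or Scalpel projects, here is a small Python file carver that does what the text describes for both tools: it reads descriptors laid out in scalpel.conf's columns (extension, case sensitivity, maximum size, header, optional footer, with \xNN escapes and the ? single-byte wildcard), scans a raw image for every header, cuts at the matching footer or, like Foremost and Scalpel, at the maximum size when the footer is gone, and keeps an audit.txt-style record of each file's offset and size. The two rules are written here from the PNG and JPEG signatures rather than copied from scalpel.conf, the image it runs on is constructed in build_image, and about_size is this example's own helper for the tip about filtering on the expected size.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed rule set in scalpel.conf's column layout:
#   extension  case-sensitive(y/n)  max-size  header  [footer]
# \xNN escapes and the '?' wildcard as scalpel uses them. Both entries are
# written from the PNG/JPEG specs for this example, not taken from scalpel.conf.
SAMPLE_RULES = r"""
# PNG: 8-byte signature ... IEND chunk type followed by its fixed CRC
png  y  20000000  \x89PNG\x0d\x0a\x1a\x0a  IEND\xae\x42\x60\x82
# JPEG: SOI marker plus the start of the next marker ... EOI marker
jpg  y  20000000  \xff\xd8\xff  \xff\xd9
"""


class Rule(NamedTuple):
    ext: str
    max_size: int
    header: "re.Pattern[bytes]"
    footer: Optional["re.Pattern[bytes]"]


class Carved(NamedTuple):
    name: str
    offset: int      # byte offset of the header within the image
    length: int
    data: bytes
    complete: bool   # True only if a footer was found within max_size


def _to_regex(token: str) -> bytes:
    """Translate one signature column (\\xNN escapes, '?' wildcard) into a bytes regex."""
    out, i = [], 0
    while i < len(token):
        if token.startswith("\\x", i):
            out.append(re.escape(bytes([int(token[i + 2:i + 4], 16)])))
            i += 4
        elif token[i] == "?":
            out.append(b".")
            i += 1
        else:
            out.append(re.escape(token[i].encode("latin-1")))
            i += 1
    return b"".join(out)


def parse_rules(text: str) -> List[Rule]:
    """Read scalpel.conf-style lines; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        cols = line.split()
        if not cols or cols[0].startswith("#"):
            continue
        if len(cols) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        flags = re.DOTALL | (0 if cols[1].lower() == "y" else re.IGNORECASE)
        footer = re.compile(_to_regex(cols[4]), flags) if len(cols) > 4 else None
        rules.append(Rule(cols[0], int(cols[2]), re.compile(_to_regex(cols[3]), flags), footer))
    return rules


def carve(image: bytes, rules: List[Rule]) -> List[Carved]:
    """Look for each header at every byte offset, then cut at the footer or at max_size.

    A header with no footer in range still yields a file, a fragment running to
    max_size or the end of the image, which is what the user must inspect by hand.
    """
    found = []
    for rule in rules:
        for n, m in enumerate(rule.header.finditer(image)):
            start = m.start()
            window = image[start:start + rule.max_size]
            end = None
            if rule.footer is not None:
                f = rule.footer.search(window, m.end() - start)
                if f:
                    end = f.end()
            complete = end is not None
            if end is None:
                end = len(window)
            found.append(Carved(f"{n:08d}.{rule.ext}", start, end, window[:end], complete))
    return found


def audit(found: List[Carved]) -> str:
    """Foremost's audit.txt lists each carved file's offset and size; same idea here."""
    rows = [f"{'name':<14}{'offset':>8}{'size':>8}  footer"]
    rows += [f"{c.name:<14}{c.offset:>8}{c.length:>8}  {'found' if c.complete else 'missing'}"
             for c in found]
    return "\n".join(rows)


def about_size(found: List[Carved], expected: int, tolerance: float = 0.25) -> List[Carved]:
    """Filter carved files to those within +/- tolerance of the size you remember."""
    lo, hi = expected * (1 - tolerance), expected * (1 + tolerance)
    return [c for c in found if lo <= c.length <= hi]


def build_image() -> bytes:
    """Constructed 'partition': filler, a PNG, a JPEG, and a PNG whose tail was overwritten."""
    filler = bytes(range(256)) * 4                      # 1024 bytes, no signature collisions
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"A" * 100 + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"B" * 200 + b"\xff\xd9"
    torn = b"\x89PNG\r\n\x1a\n" + b"C" * 50             # footer gone: only a fragment survives
    return filler + png + filler + jpg + filler + torn + b"\x00" * 300


if __name__ == "__main__":
    results = carve(build_image(), parse_rules(SAMPLE_RULES))
    print(audit(results))
    print("candidates near 210 bytes:", [c.name for c in about_size(results, 210)])
```

The torn PNG is the case the article warns about: the header is found, no IEND follows, so the carver hands back a fragment that runs to the end of the image, and only the audit listing tells you it was cut short. Real carvers add tricks this toy omits (Foremost's -q sector-aligned search, per-format size sanity checks, skipping headers found inside an already carved file), but the cut-between-header-and-footer logic is the same.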
The latest Scalpel v2.0 has a number of performance improvements over the older version that is usually included in the official repositories.

Use the File Type analysis that sorts files into categories such as archive, compress, crypto, documents, and more.

PREVENTION IS BETTER THAN...

“While you can’t use any of these tools as an excuse for not taking backups, one of them will surely come to your aid to help you recover data.”

