Linux Format - UK (2019-12)

http://www.techradar.com/pro/linux | December 2019 | LXF257 | 47

Data recovery IN-DEPTH


FILESYSTEM RECOVERY TOOLS


While the tools covered in the feature work at a deeper level than the
filesystem, there are a couple of handy utilities that are experts at
recovering files from particular filesystems. First up is the extundelete
tool that can hunt for files in ext3- and ext4-formatted partitions.
You can use the tool to restore a single file. Assuming you know the
name of the file you accidentally zapped (deletedfile.jpg), you can
restore it with:
sudo extundelete /dev/sda1 --restore-file /home/bodhi/deletedfile.jpg
The restored file will be kept in the RECOVERED_FILES directory.
You can similarly restore all files inside a directory:
sudo extundelete /dev/sda1 --restore-directory /home/bodhi/deleteddir
Then there's ntfsundelete, which is designed to recover files from an
NTFS filesystem. Assuming /dev/sda5 is your NTFS-formatted
partition, in a terminal enter:
sudo ntfsundelete /dev/sda5
This will display a list of files it has found. You can also use the -t
option to look for files modified in a specific time period. The command
sudo ntfsundelete /dev/sda5 -t 2d will look for files that were altered
in the past two days.
The tool also has very flexible recovery options. For instance, to
recover all PDF files and keep them in a recovered/ directory under
your home directory, enter (the pattern is quoted so the shell does not
expand *.pdf against your current directory before ntfsundelete sees it):
sudo ntfsundelete /dev/sda5 -u -m '*.pdf' -d ~/recovered

You can add multiple disks or partition images to any case file, which is useful if a computer has
multiple physical disks.

sudo scalpel /dev/sda1 -o /media/recovery/scalpel
Instead of the disk you can also point it to an image file:
sudo scalpel sda1.image -o /media/recovery/scalpel
Scalpel will then perform two passes of sda1. It’ll
process data in chunks of 10MB, first searching for file
headers, and then for their corresponding footers. Any
recovered files are placed in an output directory you
specify, along with a log of Scalpel’s progress.
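The two-pass header/footer carving that Scalpel performs, reduced to a short Python script. This is an added example written for this article, not Scalpel's own code: the signature table (JPEG and PDF only), the max_size limits, the rule that a header with no footer in range is logged and skipped, and the constructed sample image are all assumptions of the example. It also shows the limitation the next section raises: a blob whose header has been overwritten still has its footer on disk, but nothing for the carver to anchor on, so it is not recovered. Like the scalpel command above, it reads from an image file rather than a live device.

```python
"""Header/footer carver in the style the text describes (constructed
example for this article; not Scalpel's own code)."""
import os
import shutil
import tempfile
from dataclasses import dataclass

# Signatures used by this example: a small subset of the kind of entries a
# Scalpel configuration carries. max_size bounds how far past a header the
# matching footer may lie, so one missing footer cannot swallow the disk.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 20_000_000},
    "pdf": {"header": b"%PDF-", "footer": b"%%EOF", "max_size": 50_000_000},
}
CHUNK_SIZE = 10 * 1024 * 1024  # the 10MB processing window mentioned in the text


@dataclass
class Carved:
    kind: str
    start: int   # absolute offset of the header in the image
    end: int     # exclusive end offset, just past the footer
    path: str    # where the carved bytes were written


def find_offsets(image_path, pattern, chunk_size=CHUNK_SIZE):
    """Absolute offsets of every occurrence of `pattern`, scanning the image
    one chunk at a time. The last len(pattern)-1 bytes of each chunk are
    carried into the next read so a signature that straddles a chunk
    boundary is still found, and found exactly once."""
    offsets, carry, base = [], b"", 0   # base: absolute offset of carry[0]
    keep = len(pattern) - 1
    with open(image_path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            i = buf.find(pattern)
            while i != -1:
                offsets.append(base + i)
                i = buf.find(pattern, i + 1)
            carry = buf[-keep:] if keep > 0 else b""
            base += len(buf) - len(carry)
    return offsets


def carve(image_path, out_dir, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Pass 1 collects header offsets, pass 2 footer offsets, then each
    header is paired with the first footer of the same type that follows it
    within max_size. Carved files and an audit log land in out_dir."""
    os.makedirs(out_dir, exist_ok=True)
    results, log_lines = [], []
    with open(image_path, "rb") as img:
        for kind, sig in signatures.items():
            headers = find_offsets(image_path, sig["header"], chunk_size)
            footers = find_offsets(image_path, sig["footer"], chunk_size)
            for h in headers:
                lo, hi = h + len(sig["header"]), h + sig["max_size"]
                f = next((f for f in footers if lo <= f <= hi), None)
                if f is None:
                    # Design choice of this example: an unterminated header is
                    # logged and skipped rather than carved out to max_size.
                    log_lines.append(f"{kind}: header at {h} has no footer "
                                     f"within {sig['max_size']} bytes; skipped")
                    continue
                end = f + len(sig["footer"])
                img.seek(h)
                out = os.path.join(out_dir, f"{h:08x}.{kind}")
                with open(out, "wb") as fh:
                    fh.write(img.read(end - h))
                results.append(Carved(kind, h, end, out))
                log_lines.append(f"{kind}: carved bytes {h}-{end} -> {out}")
    with open(os.path.join(out_dir, "audit.txt"), "w") as log:
        log.write("\n".join(log_lines) + "\n")
    return results


def build_sample_image(path):
    """Write a constructed raw image: an intact JPEG-like blob at offset 20,
    a PDF-like blob whose header straddles the 128-byte mark, and a
    JPEG-like blob whose header was overwritten with zeros (footer intact,
    but nothing for the carver to anchor on, so it stays lost)."""
    blobs = {
        "jpg": b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9",
        "pdf": b"%PDF-1.4\n" + b"P" * 100 + b"\n%%EOF",
    }
    damaged = b"\x00\x00\x00\xe0" + b"D" * 40 + b"\xff\xd9"
    with open(path, "wb") as fh:
        fh.write(b"\x00" * 20 + blobs["jpg"] + b"\x00" * 60 + blobs["pdf"]
                 + b"\x00" * 20 + damaged + b"\x00" * 20)
    return blobs


def run_demo():
    """Carve the sample image with a 64-byte chunk so the chunk-boundary
    handling is exercised; return the planted blobs and what was recovered."""
    work = tempfile.mkdtemp(prefix="carve-demo-")
    try:
        image = os.path.join(work, "sda1.image")
        planted = build_sample_image(image)
        recovered = {}
        for item in carve(image, os.path.join(work, "out"), chunk_size=64):
            with open(item.path, "rb") as fh:
                recovered[item.kind] = (item.start, fh.read())
        return planted, recovered
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    planted, recovered = run_demo()
    for kind, (start, data) in recovered.items():
        print(f"{kind}: {len(data)} bytes from offset {start}, intact={data == planted[kind]}")
```

Running it recovers the JPEG and the PDF byte-for-byte and leaves the zeroed-header blob behind; the audit.txt it writes next to the carved files plays the role of the progress log the text mentions. A real carver also has to cope with footers that legitimately appear inside a file (a JPEG footer inside an embedded thumbnail, for example), which this first-footer pairing does not attempt.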

Down the rabbit hole
The tools we’ve seen till now are excellent and will even
dig up files that were deleted quite a while back. But
they won’t be of much help if the headers or footers of
the files have been overwritten. You’ll also not have any
success with these tools if the target drive is encrypted.
In this case, none of the tools we’ve covered till now will
be able to scan the contents of the disks to identify the
data structures of the files, making recovery impossible.
But don’t despair. The Sleuth Kit (TSK) is an
advanced recovery tool that can detect encrypted and
password-protected files. It can also identify BitLocker
and VeraCrypt volumes, which makes it useful for
recovering files from encrypted silos.
TSK uses code from the file system analysis tools of
The Coroner’s Toolkit (TCT) with additional support for
FAT and NTFS file systems. As its name suggests, TSK
is made up of a bunch of tools. However, the developers
recommend using the command-line tools from the
unified graphical interface, called Autopsy. Autopsy and
TSK are available in the official repos of several distros.
Even if they aren’t in yours, the process to install them
is well-documented on the project’s website.

Slice and dice
Autopsy is a browser-based app and by default runs
on http://localhost:9999/autopsy. The interface
is intuitive enough. The app is designed for forensic
analysis and should be used as such, even if all you
need it for is to recover deleted files on your own
machine. You’ll first have to create a New Case,
followed by details about the host being investigated.
Once that’s out of the way, use the Add Image
button to associate an image of the disk or the partition
you want analysed. Of the three import methods, it’s
always a good idea to use Copy, which doesn’t touch
the original image for the recovery process, and instead
works on a copy (or a copy of a copy, if you imaged the
original disk). Once the image has been associated the
tool gives you various options to prod and poke it. Use
the Image Details view to get information about the image
that helps forensically identify its contents.
Autopsy presents various analysis modes to scan
the image. The first is the File Analysis mode, which
resembles a file manager and enables you to examine
the contents of the filesystem within the image. For
every file and directory, the interface will show you
when it was last written, accessed and modified, along
with other metadata such as its size. You can
get more details about a file by clicking its
corresponding metadata entry. Forensic investigators
use this to view the hexadecimal entry for a file to verify
whether its extension was changed.
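The check investigators perform in that hex view, comparing the bytes at the start of a file with the type its name claims, written out as an added Python example (not Autopsy's or TSK's code). The signature table, the sample files and the verdict labels are constructed for this illustration; the table also carries an offset so that a format identified past the start of the file, such as a tar archive at byte 257, is handled the same way.

```python
"""Magic-byte versus extension check (constructed example for this
article; not Autopsy's or TSK's code)."""
import os

# (offset, magic bytes, extensions that legitimately carry this signature).
# The offset matters: a tar archive, for instance, is identified at byte 257.
MAGIC = [
    (0, b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (0, b"\x89PNG\r\n\x1a\n", {"png"}),
    (0, b"GIF87a", {"gif"}),
    (0, b"GIF89a", {"gif"}),
    (0, b"%PDF-", {"pdf"}),
    (0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (0, b"\x7fELF", {"elf", "so", ""}),   # ELF binaries often have no extension
    (0, b"MZ", {"exe", "dll", "sys"}),
    (257, b"ustar", {"tar"}),
]


def hex_view(data, width=16):
    """The first `width` bytes the way a hex viewer presents them:
    offset, hex bytes, then the printable ASCII rendering."""
    head = data[:width]
    hexpart = " ".join(f"{b:02x}" for b in head)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in head)
    return f"00000000  {hexpart:<{width * 3}} |{text}|"


def identify(data):
    """Return the set of extensions consistent with the content, or None
    when no signature in the table matches. Longer signatures are tried
    first so a short prefix cannot shadow a more specific one."""
    for offset, magic, exts in sorted(MAGIC, key=lambda m: -len(m[1])):
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def check_file(name, data):
    """Compare the extension the name claims with what the bytes say.
    Returns (claimed_ext, content_exts, verdict) where verdict is
    'ok', 'mismatch' or 'unknown' (no signature in the table)."""
    claimed = os.path.splitext(name)[1].lstrip(".").lower()
    content = identify(data)
    if content is None:
        return claimed, None, "unknown"
    return claimed, content, "ok" if claimed in content else "mismatch"


# Constructed sample files standing in for entries in the File Analysis list.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "holiday.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",        # a PNG named .jpg
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00",  # an executable named .pdf
    "backup.tar": b"\x00" * 257 + b"ustar\x0000",
    "notes.txt": b"just some text\n",
}


def audit(samples=SAMPLES):
    """Run the check over every sample and return name -> verdict tuple."""
    return {name: check_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (claimed, content, verdict) in audit().items():
        print(f"{name:12} {verdict:8} claimed={claimed!r} content={content}")
        print("  " + hex_view(SAMPLES[name]))
```

The two renamed samples come back as mismatches, the tar archive is recognised by its offset signature, and the plain text file is reported as unknown rather than guessed at, which is the honest answer when the table has no signature for it.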

Unlike investigators, however, we have a very limited
objective, which is to recover deleted files. To that end,
files that have been deleted are listed in red. The All
Deleted Files button in the left-hand column under the
File Analysis view displays all deleted files. You can click
and view the contents of a file and once you’ve found
the one you’re looking for, use the Export button to
extract it from the image on to your disk.
There you have it. While you can’t use any of these
tools as an excuse for not taking backups (look, I said
I was sorry – Ed), one of them will surely come to your
aid to help you recover data that you thought was gone
for good.
