What is the method of data recovery in linux system

Tools: hexedit, fdisk

The following operations are all completed in the root environment.

hexedit:

On Linux, hexedit is often used to modify the hexadecimal code of the program. Fdisk will not be introduced here.

Now let’s go into the world of disks and see what the disks do to the data.

First, use root privileges in the terminal to run the following command:

Command: fdisk -l

/dev/sdb1 It is today's protagonist. From the picture, you can clearly see some relevant data, such as disk size, sector, I/O size, etc.

The disk format is ext4, not the vfat32 and NTFS formats on MS. Paste a picture of FAT32 at the end of the article.

Step***:

Run fdisk and use expert mode to back up the Partition table.

The partition table of ext4 is very simple. Generally, the backup partition table is ext4.img. Backups are done to avoid data corruption during recovery.

Second step:

First execute the cut command operation on target sdb1, and move the files on sdb1 to the computer hard disk. After the execution is completed, use hexedit to open sdb1.

Cut file name: usb.png

Command: hexedit -s /dev/sdb1

You can see it in the picture Looking at the file name and the sector in which it is located, did you find that the device of the picture is sdc1? Due to the automatic mounting of the disk, the dev has changed, and the data will not change with the change of the dev of the disk. The file name has been found here. Next, we need to find the file header.

How to find the file header? You can use hexedit to perform hex search. If you want ASCII, you can press TAB to switch to the ASCII area.

#The size of the file determines the number of sectors occupied by the file on the disk, 1 sector==512 bytes. In the figure, the file header offset and sector are shown.

Extract the hex value and write it to the file.

Restored picture:

It looks very simple, it is just a single file cutting operation and data recovery. Here is a reminder: the data saved on the disk cannot be recovered after being deleted, but the data that has been cut can also be recovered.

Let’s take a look at how to operate after deleting data from the disk?

Execute the delete command on the disk to delete a file named 1.gif. The operation is as follows:

#The picture shows the changes from the file header to the file end sector, header sector: 264056, end sector: 264057, file size is 1K, the picture is very small.

Create a new file, and then perform the delete operation to see the disk data changes.

File header sector: 264056, end sector: 264061, the first time to delete The file header sector: 264056, end sector: 264057, this way you can see that the first deleted data is overwritten, while the second deleted data is retained.

This operation is to perform data recovery on a single file on the disk and demonstrate the data changes in the disk. Next let's take a look at the operation of double files.

There are two different types of files on the disk.

File name: partition.zip

File name: cab.ico

Header secotor of *** file: 264056, end sector: 264058

The second file header sector: 264064, end sector: 264076. It is found that the end sector of the first file and the header sector of the second file differ by multiple sectors, so what is the difference in the middle?

You can see the middle All differences are filled with 00. Here we summarize the practical operation on Linux:

ext4 file system

Execute cut and paste

file name: usb.png sector 67120

file header: sector 264064 file end: sector 264076

Execute deletion

file name: 1.gif sector 67112 (overwrite)

file header: start: sector 264056 end: sector 264057 (overwrite)

file name: 56.jpg sector 67112

file header:start: sector 264056 end: sector 264061

When a single file is used, execute When deleting, the last deleted data will be overwritten.

Save file

(1) file name: partition.zip sector 67112

file header: start sector 264056 end sector 264058

(2) file name: cab.ico sector 67112

file header: start sector 264064 end sector: 264068

Cut area: sector 264064

Delete area: sector 264056

Storage area: Coexists with the deleted area

Storage area: When a single file is used, the stored file overwrites the deleted area data.

Data recovery: When multiple files are deleted, the deleted data hex is retained in the deleted area. If new file data is created, the deleted data hex will be overwritten.

Attachment:

FAT32 disk format diagram:

##

The above is the detailed content of What is the method of data recovery in linux system. For more information, please follow other related articles on the PHP Chinese website!