UbuntuHelp:DataRecovery/zh
来自Ubuntu中文
 |
翻译人员: |
lzhonsailing |
|
点击翻译: |
English • 中文 |
如果你有文件被删除或在错误和格式化中丢失,不管是从硬盘、分区、光驱还是记忆卡中丢失,都能通过 Ubuntu 软件库中的 free-libre 这个软件恢复。以下将介绍如何通过这个软件恢复丢失的数据。此教程适用于 Ubuntu 7.04 和 7.10。
目录
基本原则
你最好不要再去写出错的设备,除非你知道硬件哪里出错了。以下这些软件将试着从你出错或者摔坏的硬件中恢复数据。如果你的数据非常重要,而且以下这些软件不起作用,请寻求专业帮助而不要在这个设备中写入任何数据。如果你的硬件已经损坏,建议你先对其做个镜像备份,在从镜像中恢复数据。恢复数据时,你将需要另外一个存储设备,而且它的存储空间必须大于等于你所要恢复的那个存储设备的空间。你应该通过安装在其他位置的操作系统或一个 live CD 来运行这些软件。一个 Ubuntu 的 live CD 就很不错。如果你这台机器没有足够的内存或者不能上网,你可以使用一个专门用来数据恢复的 live CD -- Ubuntu-rescue-remix。在这个CD中含有以下介绍的所有软件。
Parted
通过命令行运行 parted 来恢复你的分区。在改变你硬盘的分区表时,请确认你的所有分区都没有被挂载。包括交换分区。最简单的方法就是通过 live CD 来运行这个命令。Parted在 Ubuntu 的基本系统中默认安装。一旦进入桌面,打开一个终端然后运行以下语句卸载交换分区:
sudo swapoff -a
然后运行 parted 并告诉它要处理那个设备。例如:如果你的硬盘驱动 /dev/sda 是你想恢复的驱动,那么运行:
sudo parted /dev/sda
然后,使用修复选项:rescue START END,START 是指你认为该分区开始的地方而 END 为结束的地方。如果 parted 找到一个可能的分区,它将询问你是否要将它加入分区表中。
Testdisk
另外,testdisk 这个软件也许也能恢复您的分区。使用任何方法来安装以下这个软件包:
testdisk
运行 testdisk,它将在你的电脑,并提供一个菜单式的界面帮助你恢复丢失的分区。
sudo testdisk
Data Recovery from damaged filesystem or drive
From /usr/share/doc/gnuddrescue/README GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, using a logfile, it tries to fill in the gaps. The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc. If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point. Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies. ddrescue - copies data from one file or block device to another. It is a different tool that gnuddrescue. This documentation currently only applies to gnuddrescue. Use any method to install the following package:
<pre>gddrescue
</pre>
Run gnuddrescue like this:
<pre>ddrescue [options] infile outfile [logfile]
</pre>
So, if /dev/sda is unreadable, you will need to acquire another disk (or other media) onto which to save the output image. You will need to have more room on the new media than on the failed disk.
<pre>sudo ddrescue -r 3 /dev/sda /media/usbdrive/image /media/usbdrive/logfile
</pre>
Run successive passes like this:
<pre>sudo ddrescue -r 3 -C /dev/sda /media/usbdrive/image /media/usbdrive/logfile
</pre>
and gnuddrescue will use the log file to only read the gaps with errors. In both cases, the -r option determines the number of times gddrescue will try to read when it encounters an error (-1 = infinity). Other examples: These two examples are taken directly from the ddrescue info pages. Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
<pre>ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt
</pre>
Example 2: Rescue a CD-ROM in /dev/cdrom
<pre>ddrescue -b 2048 /dev/cdrom cdimage logfile
</pre>
write cdimage to a blank CD-ROM
Extract files from recovered image
Now that the drive has been imaged, recover files from the image.
Foremost
Foremost is a command-line tool which can recover files from a number of filesystems, including fat, ext3 and NTFS. It can be installed and run from the live cd. Boot from the live cd and then enable the universe repository and install foremost: Use any method to install the following package:
<pre>foremost
</pre>
Foremost can recover files from an image of the drive, of from the drive directly. If the drive has suffered hardware problems, use gnuddrescue to image the drive first. Assuming the lost files are on hda, you need to create a writeable directory on another drive where you can put the recovered files (lets say you have a big external usb drive (sdb)
<pre>sudo mount /dev/sdb1 /recovery
sudo mkdir /recovery/foremost
</pre>
And then run foremost:
<pre>sudo foremost -i /dev/hda -o /recovery/foremost
</pre>
To run formost on an image, just substitute the filename for the device
<pre>sudo foremost -i image -o /recovery/foremost
</pre>
The recovered files will then be owned by root. Change their ownership so that you can use them:
<pre>sudo chown -R youruser:youruser /recovery/foremost
</pre>
Use the -w switch to obtain only an audit of recoverable files:
<pre>sudo foremost -w -i /dev/hda -o /recovery/foremost
</pre>
To recover only specific file types, use the -t switch:
<pre>sudo foremost -t jpg -i /dev/hda -o /recovery/foremost
</pre>
Available types: jpg Support for the JFIF and Exif formats including implementations used in modern digital cameras. gif png bmp Support for windows bmp format. avi exe Support for Windows PE binaries, will extract DLL and EXE files along with their compile times. mpg Support for most MPEG files (must begin with 0x000001BA) wav riff This will extract AVI and RIFF since they use the same file for‐ mat (RIFF). note faster than running each separately. wmv Note may also extract -wma files as they have similar format. mov pdf ole This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter doc Note it is more efficient to run OLE as you get more bang for your buck. If you wish to ignore all other ole files then use this. zip Note is will extract .jar files as well because they use a simi‐ lar format. Open Office docs are just zip’d XML files so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files. rar htm cpp C source code detection, note this is primitive and may generate documents other than C code. all Run all pre-defined extraction methods. [Default if no -t is specified]
Photorec
Photorec is file data recovery software designed to recover lost pictures from digital camera memory or even Hard Disks. It has been extended to search also for non audio/video headers. It searches for 80 different types of files. Photorec is part of the Testdisk package. Use any method to install the following package:
<pre>testdisk
</pre>
To run Photorec on an image file, do:
<pre>sudo photorec imagefilename
</pre>
To recover files directly from a device, run photorec without any arguments and you will be given a menu of available devices.
<pre>sudo photorec
</pre>
=== Ntfsprogs ===
Ntfsundelete can recover deleted files from an NTFS filesystem From the manpage:
<pre>EXAMPLES
Look for deleted files on /dev/hda1.
ntfsundelete /dev/hda1
Look for deleted documents on /dev/hda1.
ntfsundelete /dev/hda1 -s -m '*.doc'
Look for deleted files between 5000 and 6000000 bytes, with at least
90% of the data recoverable, on /dev/hda1.
ntfsundelete /dev/hda1 -S 5k-6m -p 90
Look for deleted files altered in the last two days
ntfsundelete /dev/hda1 -t 2d
Undelete inodes 2, 5 and 100 to 131 of device /dev/sda1
ntfsundelete /dev/sda1 -u 2,5,100-131
Undelete inode number 3689, call the file 'work.doc' and put it in the
user's home directory.
ntfsundelete /dev/hda1 -u 3689 -o work.doc -d ~
Save MFT Records 3689 to 3690 to a file 'debug'
ntfsundelete /dev/hda1 -c 3689-3690 -o debug
</pre>
=== Magicnumber ===
Need info.
recoverjpeg
Need info.
sleuthkit and autopsy
Need info.
Autopsy
Autopsy can be run from the live cd, but you must specify an address to which you can connect remotely. You must also specify an external disk on which it can save the extracted information. Example, assuming you have an external disk mounted to /media/disk with an autopsy folder on it and your ip address is 192.168.0.1: sudo autopsy -d /media/disk/autopsy 192.168.0.1
Sleuthkit
Extract unallocated (deleted) blocks from a disk or disk image dls inputimage > outputimage Use any tool to search the output image for files.
