linux poison RSS
linux poison Email

Recovering deleted file using Foremost

Ever deleted an important file? I haven’t recently done this on Linux, but when I used Windows I had a utility for recovering deleted files.

Foremost is a command line utility for finding and recovering deleted files based on their type. It was origionally developed for the US Air Force Office of Special Investigations.

How is this type of data recovery possible? When you delete a file, the data is not really overwritten. The pointer in the filesystem to the file is simply removed so the disk area can be overwritten when necessary. The more the disk is written to after the file is deleted, the larger the chance it will be overwritten and become unrecoverable.

I decided to test out Foremost in a virtual machine. First, I created some JPEG images, deleted them, and emptied the trash. Next, I shutdown the system and booted up the Ubuntu 8.04 Beta live-CD. Live-CDs don’t write to the hard disk, so they work well for data recovery.

To install in Ubuntu is rather simple, just issue the standard “sudo apt-get install foremost” command. You will have to check if you use another distro if it’s in your repositories, if not, the source can be grabbed at the link at the top of the screen and can be compiled - check this.

You need to know your target partition’s path to recover from it. You can simply start System-Administration->Partition Editor in Ubuntu, or use fdisk, Qtparted or any partition editor to see what discs are for what purpose. I saw the the home partition is /dev/sda1 on my machine.

Let’s recover some JPEG images:

sudo foremost -t jpeg -i /dev/sda1

Now the -t switch denotes that you’re looking for a file type. The -i switch denotes you’re looking on a particular device. This command causes Foremost to create a directory called output and put every file it can recover in. This could take a while.

Foremost isn’t the greatest solution; it recovers every file it sees and doesn’t support very many file types. It is possible to add types to the /etc/foremost.conf file, but it doesn’t look an easy task. However, if you’ve lost a bunch of photos or documents, Foremost could be just what you need.

Check out the man pages for more.


0 comments:

Post a Comment

Related Posts with Thumbnails