When a user accidentally deletes a file are still needed, in most cases, there is no easy way to retrieve or reconstruct the file. Fortunately, however, the file can be restored through a number of methods. When a user deletes a file, the file has not disappeared, only to be hidden for a while.
Here we will explain how it works. In a file system, there is something called a file allocation table, the table storage unit trace file location (such as a hard disk, MicroSD card, flash drives, etc.) in the. When a file is deleted, the file system will perform one of the following two tasks in the file allocation table: This file entries in the file allocation table is marked as "free space" or delete the file allocation table entries in the file, and the corresponding space is marked as free space. Now, if there is a new file needs to be placed on a storage unit, the operating system will be placing the file to be marked as empty places. In the new file is written to this space, the file is deleted completely disappeared. When you need to recover a deleted file, the user can no longer afford to operate any files, because if the file corresponding to the "space" is occupied, the file can never be restored.
How to restore the software work?
Most of the file system (when deleting files) simply marked as blank space. In these file systems, file allocation table recovery software to view this file, then copy the deleted files to another storage unit. If the file is copied to the other memory cells need to recover deleted, the user will likely lose the required delete files.
File systems rarely erases the file allocation table entries. If the file system is really doing, and this is the recovery software restore files. Recovery software scans the file header in the storage unit, all of the files have a special code string, which is located in front of the file, also called the magic number. For example, a magic number compiled JAVA class files in hexadecimal is "CAFEBABE". So, if you want to restore the type of file recovery software looks for "CAFEBABE" and then copy the files to another storage unit. Some recovery software can find a particular file type. If users want to restore a PDF file, the recovery software will find the hexadecimal magic number "25504446", which is precisely the ASCII encoding "% PDF". Recovery software will find all the magic numbers, then the user can choose to restore files which have been deleted.
If part of a file is overwritten, the entire file will be damaged. Usually this file can be restored, but the contents may have been useless. For example, to restore a corrupted JPEG file will be meaningless, because the picture viewer can not produce a picture from this corrupted file. Thus, even if the user owns the file, the file will be useless.
Before we continue, here are some guidelines for information on recovery software will find the correct storage unit play some help. All devices are mounted under / dev / directory. Operating system gives each device name (not the name given to the administrator of each partition or device) to follow certain naming rules.
The first name of the second partition of the SATA hard drive will be sda2. The first letter of the name implies storage type, in this case is SATA, but the letter "s" may also refer to the SCSI, FireWire (FireWire port) or USB. The second letter "d" refers to a disk (hard disk). The third letter refers to the sequence number of the device, namely the letter "a" refers to the first SATA and "b" refers to the second. The final figure represents the partition. Without all the partition device name represents the partition number of the setting. For the above example, the name corresponding to sda. Named as the first letter may also be a "h", which corresponds to PATA hard disk (IDE).
The following are some examples of the naming rules. If a user has a SATA hard drive (sda), the device has four partitions - sda1, sda2, sda3 and sda4. The user deletes the third partition, but until the fourth formatted partitions, the fourth partition sda4 name will remain unchanged. The user is then inserted with a partition - that sdb1- the usb memory card (sdb), he added with a IDE hard disk partition -hda1-, and then the user has added a SCSI hard disk - sdc1. Then the user removes the USB memory card (sdb). Now, SCSI hard disk name still sdc, but if the SCSI is removed and then inserted again, its name becomes sdb. Although there are other storage device is present, the IDE hard disk will have the name of a "a", because it is the first IDE hard drive, IDE device naming with SCSI, SATA, FireWire and USB devices to be counted separately.
Use TestDisk to recover:
Each recovery software has its different functions, features, and support for different file systems. Here are some guidelines on the use TestDisk to recover files in a variety of file system.
FAT16, FAT32, exFAT (FAT64), NTFS and ext2 / 3/4:
TestDisk is a free open source software running under Linux, * BSD, SunOS, Mac OS X, DOS and Windows and other operating systems. TestDisk can be found from the following link: http: //www.cgsecurity.org/wiki/TestDisk. TestDisk can also be installed by typing sudo apt-get install testdisk. TestDisk has many features, but this article will focus only restore files this function.
TestDisk can use root privileges by typing sudo testdisk command to open the terminal.
Now, TestDisk command line application will be executed. Display terminal will change. TestDisk asks the user whether it can keep the log, it is entirely up to the user. If a user is to restore files from the system memory, you do not have to keep a log. Selectable options are "generated", "additional" and "No Log." If the user wants to keep a log, the log will be retained in the user's home directory.
In the next screen, the storage device to / dev / * manner set out. For my system, the system's storage unit is / dev / sda, which means my storage unit as a SATA hard disk (sd) and it is the first hard disk (a). The capacity of each memory cell to Gigabyte (gigabytes) for the unit display. Use the arrow keys to select a storage device and then click enter.
The next screen shows a listed partition table (also known as the partition map table) list. As the file has the file allocation table, the partition has a partition table. Partition is segmented storage device. For example, in almost all Linux systems, there are at least two types of partitions - EXT3 / 4 and Swap. Each partition table will be briefly described below. TestDisk does not support all types of partition table, so this is not a complete list.
Intel - this type of partition table in Windows and many Linux systems is very common, it is often referred to as MBR partition table.
EFI GPT - This type of partition table is often used in Linux systems. For Linux systems, the partition table is the most recommended, because the concept of logical or extended partition does not apply to GPT (GUID Partition Table) partition table. This means that if each partition has a Linux system, a Linux user can make multiple boot from various types of Linux systems. Of course, there are other advantages of using a GPT partition table, but that is beyond the scope of this article.
Humax - Humax partition map table applies to the Korean company Humax production equipment.
Mac - Apple Partition Map (APM) for Apple devices.
None - some devices and not the partition table. For example, many Subor game console does not use zoning map. If a user tries to other types of partition table restore files from these devices, users will be troubled by TestDisk why porphyrin to find any file system or file.
Sun - Sun partition table for Sun systems.
Xbox -Xbox apply to the use Xbox partition map table storage device.
If the user selects the "Xbox", although his system using a GPT partition table, TestDisk will not find any partition or file system. If TestDisk choose to perform in accordance with the user, it may guess wrong. (The picture below shows the output when the partition table type of error)
When the user selects the correct option for their devices, then in the next screen, select "Advanced" option.
Now, the user will see a list of user lists all storage device file system or partition. If the user selects the wrong partition map table, in this step the user will know that they made the wrong choice. If there is no error, the text by moving the cursor to highlight the partition containing the deleted files. Use the left and right keys to highlight at the bottom end of the "list." Then, press Enter to confirm.
A new screen will be listed showing a list of files and directories. Those white file name is not deleted file, and the file name in red are those files have been deleted. The rightmost column is the name of the file, right-to-left direction, then one is the creation date of the file, an then left is the file size (in byte / bit units), the left with a "-", " d "," r "," w "and" x "represents one of the privileges of documentation. "D" indicates that the file is a directory, not the other permissions term relationship with this article. In the list of the top order. "" Represents a represents the current directory, the second line with ".." represents a represents the parent directory of the current directory, so the user can select the directory where the line reaches the directory.
I want to get into "Xaiml_Dataset" directory, which is basically composed by the deleted files. By pressing the "c" key on the keyboard, I will restore the file "computers.xaiml", then I was asked to select a destination directory, of course, I should place the files to another partition. Now, when I was in my home directory, press the "c" key. (When selecting a target directory) which directory is highlighted and there is no impact on the current directory is the target directory, in the top of the screen will be "Copy completed" message is displayed. In my home directory, there will be a "Xaiml_Dataset" directory called, which has a Xaiml file. If I'm on the more deleted files press "c" key, these files will be placed into a new folder without asking me again the target directory.
When these steps are completed, press the "q" key until you see the appearance of a normal terminal. Directory "Xaiml_Dataset" can only be root user access. To solve this problem, the use of root privileges to change the permissions on the directory and its subdirectories. After this is done, the file will be restored and the user can access them.
To recover a file from ReiserFS file system partition will first need to make a backup of all files. Because if some error occurs, this method may result in missing files. Then execute the following command, where DEVICE refers to those named in the form of equipment sda2. Some files will be placed in lost + found directory while others will be saved to the original location is deleted.
reiserfsck --rebuild-tree --scan-whole-partition / dev / DEVICE
Recover deleted files from being opened a program:
Suppose a user accidentally deletes a file, and the file is opened a program. Although the hard disk the file is deleted, but the program is being used in RAM copy of the file with. Fortunately, we have two simple solutions to restore the file.
If this software has a save function, such as a text editor, the user can re-save the file so that the text editor can write to a file in the hard disk.
Suppose you have a file in MP3 music player, and the music player and can not save the MP3 file, in this case need to spend more time than before to restore the files. Unfortunately, this approach does not guarantee valid in all systems and applications. First, type the following command.
lsof -c smplayer | grep mp3
The above command lists all files used by the smplayer this list by the grep command is piped search mp3. Enter the command similar to the following:
smplayer 10037 collier mp3 169r8,16763761704294 / usr / bin / smplayer
Now, type the following command from the RAM (in Linux systems, / proc / mapped to RAM) directly recover files and copy the file to the selected folder. Where cp refers to the copy command, the digital output from the 10037 number of processes, the digital output 169 refers to the file descriptor, "~ / Music /" as the target directory, the last "music.mp3" as the user wants name of file recovery.
To ensure that a file can not be restored, you can use a command to "wipe" the hard disk. Erase hard drive data is actually written to the hard disk meaningless. For example, many programs written to zero to erase the hard drive, random letters or random data. There will be no space is occupied or lost, erased space program just rewrite coverage. If the file storage unit is filled and no spare space, all previously deleted files will disappear and can not be restored.
Erase the hard disk in order to ensure the privacy of data is not visible to others. For example, a company may Reserve some new computers, general manager decided to sell the old computer, however, the new computer owners may see some companies, such as confidential or credit card numbers, addresses and other customer information. Fortunately, the company's computer technician before it can sell the old computer hard drive erased.
To install the program to erase secure-delete, type sudo apt-get install secure-delete, the command will install an assembly contains four procedures to ensure that deleted files can not be restored.
srm - permanently delete a file. Usage: srm -f ./secret_file.txt
sfill - erase blank space. Usage: sfill -f / mount / point / of / partition
sswap - Erase swap space. Usage: sswap -f / dev / SWAP_DEVICE
If the actual computer to clear those deleted files, then you need to take a longer time to execute the deletion. Some space will mark the space is quick and easy, but making the file is gone forever take some time. For example, erasing a memory cell, it may take several hours (depending on the size of the disk capacity). In short, the current system works just fine, since even if the user to empty the trash, they still have another chance to change their original idea (or error).