Last updated: 2020-12-03
Introduction
photorec: http://www.cgsecurity.org/wiki/PhotoRec
The raw data stream of the analyzed disk or image is searched for common file headers to identify files, without using any information from the file system.
As a result of this technique, neither file names nor folder structures can be restored, so the recovered files have to be viewed,
renamed and re-organized one by one, manually.
Photorec is part of the Testdisk package.
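To make the header-scanning technique described above concrete, here is a small carver written for this page (an added example, not PhotoRec's code). The signature table, the "disk image" and the paranoid check are all constructed here; it walks a raw byte stream, cuts out every region between a known header and its footer, and, like PhotoRec's default "Paranoid" mode, drops candidates whose footer never appears (a truncated file or a false-positive header). Because no file-system metadata is consulted, the output names are synthetic, which is exactly why the manual renaming step later on this page is needed.

```python
#!/usr/bin/env python3
"""Header-based file carving over a raw byte stream (added illustration,
not PhotoRec's own code; signatures, sample image and checks are constructed)."""
import os

# Constructed signature table: extension -> (header magic, footer magic).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def next_header(stream, pos):
    """Return (offset, ext) of the earliest known header at or after pos, or None."""
    best = None
    for ext, (header, _footer) in SIGNATURES.items():
        idx = stream.find(header, pos)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, ext)
    return best


def carve(stream, paranoid=True, max_size=1 << 20):
    """Scan the stream and return a list of carved-file records.

    paranoid=True rejects candidates whose footer was not found within
    max_size bytes (truncated data or a chance header match); with
    paranoid=False such candidates are kept, cut at max_size.
    """
    files = []
    pos = 0
    while True:
        hit = next_header(stream, pos)
        if hit is None:
            break
        start, ext = hit
        header, footer = SIGNATURES[ext]
        end = stream.find(footer, start + len(header), start + max_size)
        complete = end != -1
        data = stream[start:end + len(footer)] if complete else stream[start:start + max_size]
        if complete or not paranoid:
            files.append({"name": f"f{len(files)}.{ext}", "offset": start,
                          "size": len(data), "complete": complete, "data": data})
        # After a complete file continue past it; otherwise step past the
        # header only, so a real file hiding behind a false header is still found.
        pos = start + len(data) if complete else start + len(header)
    return files


def write_out(files, dest):
    """Write carved records to dest/<name>; returns the paths written."""
    os.makedirs(dest, exist_ok=True)
    paths = []
    for f in files:
        path = os.path.join(dest, f["name"])
        with open(path, "wb") as fh:
            fh.write(f["data"])
        paths.append(path)
    return paths


def sample_image():
    """Constructed 'disk image': junk, a JPEG, junk, a PNG, junk, a truncated JPEG."""
    junk = b"\x00" * 16
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"                       # 46 bytes
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"P" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")                                # 45 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 10                                 # header, no footer
    return junk + jpeg + junk + png + junk + truncated


if __name__ == "__main__":
    for rec in carve(sample_image(), paranoid=False):
        print(rec["name"], rec["offset"], rec["size"], "complete" if rec["complete"] else "truncated")
```

Running it lists f0.jpg at offset 16, f1.png at offset 78 and, only with paranoid=False, a 14-byte truncated f2.jpg; the paranoid run silently drops the third candidate, which is the behaviour the "Paranoid" option on this page controls.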
Installation
wget http://www.cgsecurity.org/testdisk-7.0.linux26-x86_64.tar.bz2
tar -jxf testdisk-7.0.linux26-x86_64.tar.bz2
Usage
cd testdisk-7.0
./photorec_static /dev/sdd1
Step 1 - Select disk
Select a media (use Arrow keys, then press Enter):
>Disk /dev/sdd1 - 320 GB / 298 GiB (RO) - NORELSYS 106X
>[Proceed ]  [ Quit ]
Step 2 - Set options
Search after selecting the partition that holds the lost files to start the recovery,
Options to modify the options,
File Opt to modify the list of file types recovered by PhotoRec.
s to disable all file families
Options:
Paranoid By default, recovered files are verified and invalid files rejected.
Enable bruteforce if you want to recover more fragmented JPEG files, note it is a very CPU intensive operation.
File Opt:
7z
bmp
fat FAT subdirectory
doc Microsoft Office Document (doc/xls/ppt/vsd/...)
fat FAT
jpg JPG picture
mp3
mpg
png
b to save the settings
Step 3 - Select file system
To recover lost files, PhotoRec need to know the filesystem type where the file were stored:
 [ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other     ] FAT/NTFS/HFS+/ReiserFS/...
Step 4 - How much to recover
Please choose if all space need to be analysed:
 [   Free    ] Scan for file from FAT32 unallocated space only
>[   Whole   ] Extract files from whole partition
During recovery
Disk /dev/sdd1 - 320 GB / 298 GiB (RO) - NORELSYS 106X
     Partition                  Start        End    Size in sectors
 P FAT32                    0   0  1 38912 253 63  625137282 [DATAONE]
Pass 1 - Reading sector 92269572/625137282, 11182 files found
Elapsed time 0h38m36s - Estimated time to completion 3h42m55
jpg: 10981 recovered
doc: 163 recovered
png: 32 recovered
bmp: 4 recovered
mp3: 2 recovered
Renaming files
Eliminate small photos:
mkdir recovery/SMALL
find recovery/JPG/ -name "*.jpg" -size -200k | xargs -i mv {} recovery/SMALL/
Rename jpegs according to exif data:
find JPG/ -name "*.jpg" | xargs -i jhead -nf%Y%m%d-%H%M%S {}
exiftool
exiftool -r '-FileName<IMG_${FileIndex}%c.%e' DIR
exiftool reads the FileIndex EXIF tag of each file to rebuild its original name; %c appends a digit whenever the target name already exists, so duplicates are not overwritten, and -r recurses into subdirectories. The argument must be single-quoted: in double quotes the shell would expand ${FileIndex} to an empty string before exiftool ever sees it.
exiv2
find ./ -exec exiv2 -t rename {} \;
Copy files with matching strings:
cd recovery
mkdir ../copy/
grep -l "enter the string of text here" *.doc | xargs -i cp {} ../copy/
Adding a signature
Example: adding a php file type
# Test first: php is not recognized
fidentify test.php
test.php: unknown
# Create ~/.photorec.cfg
Select "[File Opt]" > "custom Own custom signatures" and hit 'b' to save the settings.
# Custom signatures (~/.photorec.sig)
One signature definition per line.
A signature is composed of:
- extension name (php)
- offset of the signature (0)
- signature or magic value (0x3c3f20)
The signature is written as hexadecimal data:
e.g. 0x12, 0x1234, 0x123456...
Note that 0x123456, 0x12 0x34 0x56 and 0x12, 0x34, 0x56 are equivalent.
hexdump -C test.php
00000000 3c 3f 20 70 68 70 69 6e 66 6f 20 3e 0a |<? phpinfo >.| 0000000d
~/.photorec.sig
php 0 0x3c3f20
# Test again
fidentify test.php
test.php: php
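The signature syntax above is easy to get subtly wrong (one mistyped nibble and the type is silently never detected), so here is a small parser and fidentify-style matcher written for this page as an added example; it is not PhotoRec's or fidentify's code. It accepts the three equivalent spellings the page lists (0x123456, 0x12 0x34 0x56 and 0x12, 0x34, 0x56), treats lines starting with # as comments (a convention assumed here, not documented for PhotoRec), and reports the extension of the first signature whose magic is present at its offset. The sample signature file and test buffers are constructed; the first buffer is the "<? phpinfo >" content shown in the hexdump above.

```python
#!/usr/bin/env python3
"""Parse a .photorec.sig-style signature list and identify buffers with it
(added example, not PhotoRec's code; the '#' comment convention is assumed)."""


def parse_magic(tokens):
    """Turn the hex tokens of one signature line into bytes.

    '0x3c3f20', '0x3c 0x3f 0x20' and '0x3c, 0x3f, 0x20' all yield the same bytes.
    Odd-length hex (e.g. 0x123) is rejected: it cannot be a whole number of bytes.
    """
    out = bytearray()
    for tok in tokens:
        tok = tok.strip(",").lower()
        if not tok.startswith("0x"):
            raise ValueError(f"unsupported magic token {tok!r}")
        digits = tok[2:]
        if not digits or len(digits) % 2:
            raise ValueError(f"hex value {tok!r} is not a whole number of bytes")
        out += bytes.fromhex(digits)
    return bytes(out)


def parse_sig_file(text):
    """Return a list of (extension, offset, magic_bytes) from signature text.

    Each non-comment line is: <ext> <offset> <hex ...>, as on this page.
    """
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # assumed comment convention
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<ext> <offset> <magic...>'")
        ext, offset = parts[0], int(parts[1], 0)    # offset may be decimal or 0x..
        sigs.append((ext, offset, parse_magic(parts[2:])))
    return sigs


def identify(data, sigs):
    """fidentify-style check: extension of the first matching signature, else 'unknown'."""
    for ext, offset, magic in sigs:
        if data[offset:offset + len(magic)] == magic:
            return ext
    return "unknown"


# Constructed signature file; the php line is the one this page adds.
SAMPLE_SIG = """\
# constructed ~/.photorec.sig
php 0 0x3c3f20
php 0 0x3c, 0x3f, 0x70, 0x68, 0x70
png 0 0x89 0x50 0x4e 0x47 0x0d 0x0a 0x1a 0x0a
"""

# Constructed test buffers (the first matches the hexdump of test.php above).
TEST_PHP = b"<? phpinfo >\n"
TEST_PHP_LONG_TAG = b"<?php echo 1;\n"
TEST_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
TEST_TEXT = b"just some text\n"


def check_signature_against_dump(sig_line, data):
    """Verify a single signature line really matches a known-good sample.

    Use this before saving a new line to ~/.photorec.sig: a mistyped magic
    such as 0x323f20 (instead of 0x3c3f20) is returned as 'unknown'.
    """
    return identify(data, parse_sig_file(sig_line))


if __name__ == "__main__":
    sigs = parse_sig_file(SAMPLE_SIG)
    for name, buf in [("test.php", TEST_PHP), ("long.php", TEST_PHP_LONG_TAG),
                      ("img.png", TEST_PNG), ("notes.txt", TEST_TEXT)]:
        print(f"{name}: {identify(buf, sigs)}")
    print("typo check:", check_signature_against_dump("php 0 0x323f20", TEST_PHP))
```

The check_signature_against_dump helper is the step worth keeping: run a candidate line against a real sample before saving it, since PhotoRec gives no error for a magic value that simply never occurs.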
Other similar software
- Foremost
- Scalpel
- recoverjpeg