Thursday 29 September 2011

DATA RECOVERY FROM MISTAKENLY LOST FILE

If you have deleted a file that you really did not intend to (for example, a question from your assignment), you might think you are doomed. Well, there is nothing to worry about: you can recover any file that you deleted by mistake.

WARNING: Do not use the partition that contained the deleted file; otherwise the file to be restored may get corrupted or even become impossible to recover. Do not create or store new files, do not install any new software (not even recovery software) and do not run any software (including the OS) on that drive.
If the lost data was stored on the drive containing the OS, it is recommended to physically remove that drive and recover the data using another computer (attaching your drive as a slave).

Let’s see what happens when we delete a file.

If we delete a file in Linux, it is moved to ~/.local/share/Trash/files (“.local” is a hidden directory). The path and deletion date are stored in ~/.local/share/Trash/info/<file name>.trashinfo. (~ is the user's home directory.)

In Windows, when we press the DELETE key, the file’s location and metadata are moved from the master file table (MFT) to a hidden file named info2 in the recycler folder.

In both Windows and Linux, the file (as seen by the user) moves to the recycle bin/trash, from where we can restore it at any time, but the exact location of the file on the hard disk remains the same. When we permanently delete a file (SHIFT + DELETE) or delete it from the recycle bin/trash, the file is not actually erased from the hard drive; only the location at which it is stored is marked as empty. This is done to make processing faster, as physically erasing the file would hamper speed. The space that the deleted file occupied can then be used to store another file.
That is why manually deleting a virus may prove futile, and the virus may still harm the functionality of the computer.

The process on a Mac is similar to Windows/Linux, except that the hard drive’s directory entries (for the files) are moved to the trash bin when we delete a file. When we empty the trash, only the directory entries are erased from the trash bin.

So now we know that our file is not deleted but is just left unmarked in the MFT/inode table. This is where the recovery tool comes to the rescue. The tool searches the clusters in unallocated space, whose addresses are marked as empty (this method is also helpful in retrieving data from a formatted disk). What it actually does is look for a particular keyword at the beginning of the data that identifies the file type (this works particularly well for non-fragmented files), and hence it is capable of restoring the file!

It lists all the files it has found that can be recovered. Some recovery tools offer to search for selected file types only.
If some part of the file has been overwritten by another file, the recovered file may be corrupted. The sooner you search, the better the chances of recovering a non-corrupted file, as it is more likely that the memory block has not been overwritten.
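The keyword search described above can be sketched as follows. This is an added example, not code from photorec or Pandora Recovery: it carves PNG and JPEG files out of a raw byte buffer by their well-known start and end signatures, and skips a file whose tail has been overwritten. The function names and the sample "disk image" are constructed for illustration.

```python
"""Added example: header/footer file carving over a raw disk image."""

# Well-known magic numbers: (bytes that start the file, bytes that end it).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(image, max_size=10 * 1024 * 1024):
    """Return (offset, type, data) for each contiguous file found in image."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header survives but the tail was overwritten or the file
                # is fragmented: a contiguous carve cannot rebuild it.
                pos = start + 1
                continue
            end += len(footer)
            found.append((start, ftype, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[0])

def build_sample_image():
    """Constructed stand-in for unallocated space (not real disk data)."""
    png = b"\x89PNG\r\n\x1a\n" + b"constructed png body" + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
    damaged = b"\xff\xd8\xff\xe0" + b"tail overwritten by a newer file"
    gap = b"\x00" * 512
    return gap + png + gap + jpg + gap + damaged + gap

if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Run against a copy of the drive rather than the drive itself. A real JPEG with an embedded thumbnail contains an earlier end marker, so this simple carve would cut such a file short.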

The main problem faced by a recovery tool is to know where the parts (blocks) of the file are stored (this problem becomes more troublesome with ext4 which deletes even the memory block location where the file is stored).

Some utilities, which claim to shred files so that they are not recoverable, overwrite the file about 30-40 times, but there is still some chance of recovering that file (although a very small one).

Let’s walk through the different steps of data recovery.

FILE RECOVERY IN WINDOWS
using Pandora recovery software
Recommended: Start the recovery wizard whenever the utility starts.
#STEP 1: Click next.

#STEP 2: Explore recycle bin and choose the suitable option and click next.

#STEP 3: Select the drive which contained lost data.

#STEP 4: Select the method of recovery on the selected drive and click next.

  • Browse: To find all the deleted files.
  • Search: To search for specific files by name, size, or “created between” dates.
  • Deep (surface) scan: To search by file type.

THE DISK WILL BE SCANNED AND FOUND FILES WILL BE LISTED.
#STEP 5: Explore using the size, name, preview, etc., and double-click the file to restore it.
IF THE DESIRED FILE IS NOT LISTED USING Browse and Search method (in step 4) search again with Deep (surface) scan method.

#STEP 6: Specify the destination folder and click recover now.

REMEMBER TO RECOVER FILE ATTRIBUTES AND ALTERNATIVES.
THE FILE WILL BE RECOVERED.

NOTE: DO NOT RECOVER TO THE DRIVE WHICH HAS THE LOST FILE AS THE DELETED FILE MIGHT BE PARTIALLY OR PERMANENTLY LOST.

FILE RECOVERY IN LINUX
using photorec
#STEP 1: Install photorec.
To install the freeware photorec type the command “sudo apt-get install testdisk” in the terminal.
#STEP 2: Run photorec.
Enter “sudo photorec” to open photorec in terminal.
#STEP 3: If you have started a file restore task before and you wish to resume it, enter 'y'.
Otherwise enter 'n'.
(This prompt will not appear if you are not running the software for the first time.)

#STEP 4: Select your media device.
#STEP 5: Select continue.
#STEP 6: Select the appropriate partition table type.
#STEP 7: Select the partition on your disk that contained deleted file.

#STEP 8: Select the file system you have.

#STEP 9: Select ‘free’ if you want to scan for a file in ext2/ext3 partition (will also work for ext4).

#STEP 10: Select the directory in which you want to save the recovered files (here the name of the directory is delete).

#STEP 11: photorec will now show you how many files it has found and saved in your selected directory.

#STEP 12: Below is the screenshot of restored files (as seen in GUI).


At the end of the day everything is fine and all your important files are recovered.
So keep smiling, stay relaxed.
Cheers...:)
