How to Restore a Deleted File in Linux
If you’ve accidentally deleted a file in Linux, don’t worry: you can probably still restore it, as long as the disk blocks it occupied have not yet been overwritten. The first thing to do is stop writing to the affected filesystem, since every new write risks reusing those blocks. This post shows how to restore a deleted file in Linux using Foremost.
Foremost is a file-carving tool: it searches a disk or raw image file for files by their headers, footers, and internal data structures, without consulting the filesystem at all, which is why it still works after the directory entry and inode have been freed.
Install Foremost
Foremost is available in many different distributions of Linux.
Mint/Debian/Ubuntu
We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command (as root, or prefixed with sudo).
apt-get install foremost
CentOS/RHEL
By default Foremost is not available in any of the standard CentOS/RHEL repositories, so we’ll install it directly from the RPM.
yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y
This RPM is for el7; an el6 build can be found here.
Failing these options, you can download the Foremost source here and build it yourself.
In this example we are using CentOS 7, however once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.
Deleting a File
Now that Foremost is installed, let’s delete a file. It’s worth noting that Foremost does not need to be installed before the file is deleted; that’s just the order I happened to do things in.
In this example we will be removing the image.jpg file shown below. First we record its file type and MD5 hash.
[[email protected] ~]# file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
[[email protected] ~]# md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d image.jpg
We’ll use this information later to verify that the file has been successfully restored. Now we’ll delete the file using the rm command.
[[email protected] ~]# rm -f image.jpg
Restore a Deleted File
Next we’ll create a directory to restore our files to. Foremost requires an empty directory for this purpose, so we’ll make /root/restored/. Ideally the output directory lives on a different filesystem than the one being searched (a USB drive or a second disk), because writing recovered files onto the partition you are carving can overwrite the very blocks you are trying to get back.
[[email protected] ~]# mkdir /root/restored
Now we are ready to run the Foremost command and restore our image file. The -i switch specifies the disk or image file to search (a raw image taken with dd or ddrescue works just as well as the device itself, and is the safer choice on a disk you still need), -o names the output directory, and -t limits the search to files of the given type. Foremost supports many different file types; check the foremost man page for the full list. Specifying the type matters because Foremost searches the disk for the header and footer patterns that type of file uses; passing -t all, or omitting -t, searches for every built-in type, which takes longer and produces more output.
[[email protected] ~]# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3 |**************************************************************************************************************************************************************************************|
This took approximately 2 minutes to complete on an 18 GB disk. Foremost finds any JPEG data in /dev/sda3 and carves it into the /root/restored/ directory, as long as the space it occupies on disk has not yet been overwritten by anything else. Expect to find more than just the file you deleted: every JPEG left behind by earlier deletions, browser caches and the like will be carved too.
If we look inside our /root/restored directory, we can see that our image file has successfully been restored. The MD5 hash of the file is exactly the same as the file before we deleted it. The audit.txt file that Foremost writes in the output directory lists every carved file with the offset it was found at and its length, which is the quickest way to work out which of many carved files is the one you wanted.
[[email protected] ~]# md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d /root/restored/jpg/18608472.jpg
As file names are not stored within the file itself (the name lived in the directory entry that rm removed) it is not possible for a carving tool to restore the file with its original name, however the data is all there. Filesystem-aware undelete tools such as extundelete or ext4magic (ext3/ext4) or testdisk work from the filesystem’s own metadata and can sometimes recover the name as well, but only carving works once that metadata is gone.
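To make the header/footer carving described above concrete, here is a small carver written for this post as an added example; it is not Foremost’s code and does not reproduce Foremost’s configuration. It keys on the standard JPEG (FF D8 FF … FF D9) and PNG (89 PNG … IEND) markers, walks a constructed in-memory “disk image” in which two deleted files sit in unallocated space, writes what it finds into a fresh output directory named by byte offset (Foremost uses a similar offset-based naming scheme), and confirms the recovery with an MD5 comparison just as the post does with md5sum. The sample image, the signature table, the 20 MB max_size bound and the function names are this example’s own assumptions. The third file in the image has had its footer overwritten, showing what a carver does when only part of a file survives.

```python
import hashlib
import os
import tempfile

# Header/footer signatures: the same kind of information a carving tool such as
# Foremost keys on. These are the standard JPEG/PNG markers and this example's own
# table, not Foremost's configuration. max_size bounds a file whose footer is gone.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "max_size": 20 * 1024 * 1024},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "max_size": 20 * 1024 * 1024},
}


def carve(image, types=("jpg",), signatures=SIGNATURES):
    """Scan raw bytes for each type's header, take everything up to the next footer
    (or max_size if no footer is found) and return (type, byte offset, data) tuples."""
    found = []
    for ftype in types:
        sig = signatures[ftype]
        hdr, ftr, max_size = sig["header"], sig["footer"], sig["max_size"]
        pos = 0
        while (start := image.find(hdr, pos)) != -1:
            limit = min(len(image), start + max_size)
            end = image.find(ftr, start + len(hdr), limit)
            if end == -1:
                # Footer overwritten or beyond max_size: keep the bounded window so the
                # fragment is not lost, then continue scanning right after this header.
                found.append((ftype, start, image[start:limit]))
                pos = start + len(hdr)
            else:
                found.append((ftype, start, image[start:end + len(ftr)]))
                pos = end + len(ftr)
    found.sort(key=lambda item: item[1])
    return found


def write_carved(found, outdir):
    """Write carved data to outdir/<type>/<offset>.<type>. Like Foremost, refuse a
    non-empty output directory so the results of an earlier run are never mixed in."""
    if os.path.isdir(outdir) and os.listdir(outdir):
        raise FileExistsError(f"output directory {outdir} is not empty")
    paths = []
    for ftype, offset, data in found:
        os.makedirs(os.path.join(outdir, ftype), exist_ok=True)
        path = os.path.join(outdir, ftype, f"{offset:08d}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def md5hex(data):
    return hashlib.md5(data).hexdigest()


# Constructed sample data, not real files: a minimal JPEG (SOI, APP0/JFIF segment, a run
# of non-0xFF bytes standing in for entropy-coded data, EOI) and a minimal PNG skeleton.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x11\x22\x33\x44" * 256
               + b"\xff\xd9")
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")


def build_sample_image():
    """Lay the sample files out in 'unallocated space' the way deleted files sit on disk:
    nothing points at them any more, but their bytes are still there. Constructed data."""
    def filler(n):
        return (b"free space " * (n // 11 + 1))[:n]   # contains no 0xFF/0x89 bytes
    image = bytearray()
    image += filler(8192)
    offsets = {"jpg": len(image)}
    image += SAMPLE_JPEG
    image += filler(5000)
    offsets["png"] = len(image)
    image += SAMPLE_PNG
    image += filler(3000)
    offsets["truncated_jpg"] = len(image)
    image += SAMPLE_JPEG[:-2]          # its EOI footer has been overwritten
    image += filler(2000)
    return bytes(image), offsets


def demo(outdir=None):
    """Carve the sample image into outdir (a fresh temp dir by default) and report each
    carved file's offset, size and MD5 so it can be checked against the original."""
    image, offsets = build_sample_image()
    found = carve(image, types=("jpg", "png"))
    outdir = outdir or tempfile.mkdtemp(prefix="restored-")
    paths = write_carved(found, outdir)
    return {
        "offsets": offsets,
        "carved": [(ftype, off, len(data), md5hex(data)) for ftype, off, data in found],
        "paths": paths,
        "intact_jpg_matches": md5hex(found[0][2]) == md5hex(SAMPLE_JPEG),
    }


if __name__ == "__main__":
    for ftype, off, size, digest in demo()["carved"]:
        print(f"{ftype} at byte {off}: {size} bytes md5={digest}")
```

The intact JPEG and PNG come back byte-for-byte identical to the originals, which is exactly what the md5sum comparison in the post checks; the JPEG whose footer was overwritten is carved up to max_size instead, so a hash mismatch on a carved file means the data was partly overwritten, not that the tool failed. Note the limitation this simple footer search shares with any carver: a JPEG that embeds an EXIF thumbnail contains an inner FF D9 marker, so a naive footer match stops early; real carvers add per-format rules for such cases, and a hash check against a known-good copy is the only definitive proof of a complete recovery.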
Summary
We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Using the MD5 hash of the file before and after recovery, we can confirm that the exact same file has successfully been recovered.
Foremost is a simple-to-use tool for data carving; I’ve used it with some success in a number of Capture The Flag (CTF) style challenges.
Source: https://www.rootusers.com/restore-deleted-file-linux/