How to Restore a Deleted File in Linux

 If you’ve accidentally deleted a file in Linux, don’t worry, you can probably still restore it as long as that area of disk has not yet been overwritten. This post will show you how to easily restore a deleted file in Linux.

Foremost is able to search a disk or raw image file to recover files based on their headers, footers, and internal data structures.

Install Foremost

Foremost is available in many different distributions of Linux.

Mint/Debian/Ubuntu

We can install Foremost in Linux Mint, Debian, or Ubuntu by simply running the following command.

apt-get install foremost

CentOS/RHEL

By default Foremost is not available in any of the standard CentOS/RHEL repositories, so we’ll install it directly from the RPM.

yum install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm -y

This RPM is for el7, el6 can be found here.

Failing these options, you can download the Foremost source here.

In this example we are using CentOS 7, however once you’ve installed Foremost the rest of the steps should be the same in any Linux distribution.

Deleting a File

Now that Foremost is installed, let’s delete a file. It’s worth noting that Foremost does not need to be installed when the file was deleted, that’s just the order I happened to do things in.

In this example we will be removing the image.jpg file shown below.

[root@centos7 ~]# file image.jpg
image.jpg: JPEG image data, JFIF standard 1.01
[root@centos7 ~]# md5sum image.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  image.jpg

We’ll use this information later to verify that the file has been successfully restored. Now we’ll delete the file using the rm command .

[root@centos7 ~]# rm -f image.jpg

Restore a Deleted File

Next we’ll create a directory to restore our files to. Foremost requires an empty directory for this purpose, so we’ll make /root/restored/.

[root@centos7 ~]# mkdir /root/restored

Now we are ready to run the Foremost command and restore our image file. The -i switch is used to specify the disk or image file that we want to search, while -t is used to restore files of the type specified. Foremost supports many different files, check the foremost man page for the full list. This is required as foremost searches the disk based on the headers which that type of file uses.

[root@centos7 ~]# foremost -i /dev/sda3 -t jpg -o /root/restored/
Processing: /dev/sda3
|**************************************************************************************************************************************************************************************|

This took approximately 2 minutes to complete on an 18gb disk. This will find any .jpg files in /dev/sda3 and restore them into the /root/restored/ directory, as long as the space they are using on disk has not yet been overwritten by anything else.

If we look inside our /root/restored directory, we can see that our image file has successfully been restored. The md5 hash of the file is exactly the same as the file before we deleted it.

[root@centos7 ~]# md5sum /root/restored/jpg/18608472.jpg
f2b6f5c9f3795363cddfd6aae6d1ba0d  /root/restored/jpg/18608472.jpg

As file names are not stored within the file itself it is not possible to restore the file with the original file name, however the data is all there.

Summary

We installed the Foremost tool on our CentOS 7 machine and used it to restore a deleted file. Using the md5 hash of the file before and after recovery, we can confirm that the exact same file has successfully been recovered.

Foremost is a pretty simple to use tool to perform data carving, I’ve used it with some success in a number of Capture The Flag (CTF) style challenges.

Source: https://www.rootusers.com/restore-deleted-file-linux/

Nhận xét

Đăng nhận xét

Bài đăng phổ biến từ blog này

Tạo SSH key trên MAC OS X

Hình ảnh
SSH là gì? SSH (Secure Shell) là một phương thức mã hoá trên internet để tiện lợi cho việc đăng nhập từ xa và tăng tính bảo mật. Bản chất mã hoá của nó là sử dụng thuật toán RSA vì vậy mà nó sẽ 2 key: Private key và Public key. Puclic key sẽ được lưu trữ trên server còn Private key thì được lưu trữ tại client. Khi gửi một yêu cầu đăng nhập sẽ kèm theo Private key này và server có thể kiểm tra được xem có phải cùng bộ với Pulic key không, nếu đúng thì sẽ cho qua. Tạo SSH key Mở phần mềm Terminal gõ: ls -al ~/.ssh Lệnh trên sẽ kiểm tra có SSH tạo ra trước đó chưa? Nếu chưa tiếp tục gõ lệnh: ssh-keygen -t rsa Sau đó nó sẽ hỏi chỗ lưu. Mặc định là homeuser/.ssh Sau đó nó sẽ hỏi có muốn tạo keyphare không? (keyphare là mật khẩu để mở private key, khi đăng nhập vào server sẽ hỏi). Copy SSH key vào Clipboard: pbcopy < ~/.ssh/id_rsa.pub Sau đó vào Finder→Edit→Show Clipboard để copy hoặc lưu public key lại. OK, vậy là xong 😃
Đọc thêm

Journalctl: How to Read and Edit Systemd Logs

Hình ảnh
  Introduction Systemd logs all  Linux  messages from the  kernel  and system processes. The journalctl command enables viewing and editing the systemd logs, making it a powerful tool for service and process debugging. This guide shows how to read, control, and maintain systemd logs using journalctl through examples. Prerequisites Access to the command line/terminal window. A text editor (such as  nano ) to edit the config file. A user with sudo privileges (see how to  add a user to sudoers ). What Is Systemd? Systemd is a Linux service and system manager. While users do not invoke systemd directly, the manager contains many tools and daemons to run individually for various system processes. One of the most powerful systemd functionalities is the logging features. Systemd provides a centralized solution for logging all  kernel  and user processes through logs known as  journals . The  journald  daemon collects all the messages the system outputs and then creates journals, regardless of
Đọc thêm

Restrict SSH to one IP on VPS with firewalld

Hình ảnh
I am pretty new to CentOS but the most logical way (at least to me) seemed to be to add your ip address (in my case 192.168.0.22 (static)) to the trusted zone and remove ssh from the public zone: firewall-cmd --permanent --add-source=192.168.0.22 --zone=trusted firewall-cmd --permanent --add-service=ssh --zone trusted firewall-cmd --permanent --remove-service=ssh --zone-public firewall-cmd --reload My thoughts were that you only add ports and services like http and https to 'public' and keep the risky stuff on 'trusted' tied to the (static) ip address of the computer you use for access. So if your ip is 192.16.0.22 you can access all services listed in trusted and if your ip is anything other than 192.168.0.22 then you can only access the restricted set of services in the public zone e.g. http and https. This seems incredibly simple compared to other solutions but worked great for my tests and keeps everything neat - isn't that the whole purpose of zones or have I c
Đọc thêm