Re: recover files

To: debian-user@lists.debian.org
Subject: Re: recover files
From: Hans <hans.ullrich@loop.de>
Date: Sat, 26 Oct 2024 15:26:39 +0200
Message-id: <[🔎] 2601597.sPTIobQ9Gj@protheus2>
In-reply-to: <[🔎] vfik96$1ss$1@ciao.gmane.io>
References: <[🔎] 671be43d5ed796.68558429.1d0ea233@m1.mail.sina.com.cn> <[🔎] 4470433.KVQPIDvDuA@protheus2> <[🔎] vfik96$1ss$1@ciao.gmane.io>

> Thank you for the detailed answer.

youre welcome.
> 
> I have tried ext4magic. My impression is that it might have an issue
> with reading journal and that it is unnecessary strict walking through
> inodes (zeroing invalidates checksums if I remember it correctly). It
> may restore some files, however I can not figure out what approach
> extundelete or other tools may use to noticeably improve success rate
> since important data is overwritten.
> 
As far as I know, it does not use journal. It is looking at the data it reads 
(form the imagefile) and then finds headers and footers (similar to scalpel) 
and as what it reada, it creates the surname (like jpg , doc whatever). As it 
reads also the metadata in the header, it knows, what kind of file it reaches.

> > I was very successfull with photorec and autopsy.
> 
> Does autopsy/sleuthkit use some heuristic that allows to restore
> significantly more data than extundelete and photorec in the case of
> unintentional removing of directories?

as fatr as I know, it doews, but I am no coder, so I can not prove it.
> 
> > Last time I had to revover 2 TB music files for a friend, and photorec
> > gave me all files back.
> 
> Of course, a few MB size files with reach metadata (audio, image, zip)
> is an optimal case for photorec and foremost. For 1 hour long .mp3 files
> fragmentation causes recovery of only some parts of files (at least in
> the case of FAT32).

Ah no, these were not only a few audio files. These were about 90.000 audio 
files (which I all could recover) whilst about 2000 I could not rename again 
(mp3 was too old version). The whole process lasted per run about 36 hours! 

First I had to create an image of the drive (this was about 2TB), which lasted 
about 28 hours (as it was an USB-drive I had to use the USB-port), then 
several scnas with different tools. Each scan about 36 hours, then after I got 
all files, renaming (using puddletag) and sorting (using find). 

All about several days and nights (it was for a good friend of mine!) and I 
was happy of the result. An he, too!

What I wanted to say: I am always using several and different tools to get 
best results over all. It is time consuming, yes, but that is what I in my 
first post meant: If you are doing carefully, you will get most data 
recovered.

> 
> > Also foremost is another tool of my favourites, as it is easy to use.
> 
> I am curious what are cases when it may perform noticeably better than
> photorec.

Oh, you will have noticed, that I not mentioned some of the commercial tools 
like FTK or ENCASE. I am not using these, I do not like those (for some 
personal reasons) and the free tools are fully satisfying my needs.

Hans

Best

Hans

Reply to:

Follow-Ups:
- Re: recover files
  - From: Max Nikulin <manikulin@gmail.com>

References:
- recover files
  - From: louletian@sina.com
- Re: recover files
  - From: Hans <hans.ullrich@loop.de>
- Re: recover files
  - From: Max Nikulin <manikulin@gmail.com>

Prev by Date: Re: New Debian 12 installation, GUI login doesn't run .profile
Next by Date: Re: Popularity contest files in /var/log
Previous by thread: Re: recover files
Next by thread: Re: recover files
Index(es):
- Date
- Thread