You know that sinking feeling that happens when you realize you just deleted a bunch of important files you really needed? It's a terrible feeling - and often followed by worry, panic and repeated “why did I just do that?” Stealing a cue from Douglas Adams: “don't panic.” There is hope for deleted files even if the media has been reformatted. Foremost can also recover corrupted files, but it doesn’t fix corruption.
Foremost is a data recovery tool originally written by Kris Kendall and Jesse Kornblum, special agents for the United States Air Force Office of Special Investigations. It was picked up and modified by Nick Mikus as part of his master's thesis and is now available in the Ubuntu universe repositories. With the universe repositories enabled, installing Foremost is a simple matter:
sudo apt-get install foremost
A word of caution before proceeding any further - do not mount or boot the drive you’re recovering from. The more the medium is accessed, the greater the chance of data loss. Before diving into recovering data, we make a backup of the original medium. One of the main principles of data recovery is to work with a copy of the original medium rather than the medium itself.
Another important principle is to back up to a medium that isn’t the original medium (obviously you don’t want to corrupt the drive while trying to recover data from it!). The drive you back up to should have enough free space to hold an image of the entire drive (with the lost files). In this example, we'll recover data from a 1GB flash drive to a system with an 80GB hard drive. We begin by making that working image of the flash drive:
sudo dd if=/dev/sdb1 of=mypendrive.img
Next, we need to give the user ownership of the image file we just created. In this case the username and group are called charm:
sudo chown charm:charm mypendrive.img
Foremost recovers a lot of different types of data ranging from AOL .art files to audio .wav files. Another tool, photorec (part of the testdisk package), actually recognizes many more, but Foremost can work with unmounted drives and with image files. Foremost needs a path to save data to. This path should not be on the original medium (or you would overwrite data).
mkdir ~/recovery
Now let's recover some pdf and png files:
foremost -vqQ -o recovery/ -t pdf,png -i mypendrive.img
The -v switch enables Foremost's verbose mode. Without the -v switch, Foremost displays asterisks as it processes. The -v switch gives us nicely formatted output showing information about what is being recovered. Foremost can take a long time to recover data, particularly if you're trying to recover from a large hard drive full of data. Verbose mode is nice since it gives an idea of what's being recovered.
The -q switch sets Foremost to run considerably faster by searching only the start of each sector. The uppercase -Q switch suppresses most error messages. The -o switch specifies the directory to recover to. Within this recovery folder, Foremost creates a folder for each type of file being recovered. In this instance pdf/ and png/ folders are created along with an audit.txt file showing the same verbose output we saw earlier.
The -t switch specifies the types of files to recover. To specify multiple file types, separate each file type with a comma. Lastly, the -i switch indicates which image or device to recover from (again, it's best to use an image file rather than working with the original device).
Foremost can recover erased files, files from formatted drives, even files that have been lost over multiple formats. In one case we were able to recover dozens of files from a hard drive formatted for ext3 which were clearly graphic files from a previous Windows installation.
Foremost can also recover partial files using the -a switch, which writes all headers, skipping error detection of corrupted files. Corrupted files, images in particular, are files where part of the data has already been overwritten. In the case of images, the corruption is obvious - often only part of the image is recovered - followed by banding.
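The following is an added example, not Foremost's code and not part of the original article: a simplified header/footer carver in Python that shows what the sector-aligned search described for -q and the keep-everything behaviour described for -a change in the results. The signature table, the function names carve and sample_image, and the 5-sector test image are all constructed for illustration.

```python
SECTOR = 512
MAX_LEN = 10 * 1024 * 1024  # stop looking for a footer after this many bytes
# Well-known header/footer magic bytes for the two types used in the article.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image, types, quick=False, write_all=False):
    """Return [(type, offset, data)] carved from raw bytes, sorted by offset.

    quick     -- accept headers only at sector boundaries (the idea behind -q)
    write_all -- keep headers with no footer as partial files (the idea behind -a)
    """
    hits = []
    for ftype in types:
        header, footer = SIGNATURES[ftype]
        pos = image.find(header)
        while pos != -1:
            step = 1
            if not (quick and pos % SECTOR):
                end = image.find(footer, pos + len(header), pos + MAX_LEN)
                if end != -1:
                    data = image[pos:end + len(footer)]
                elif write_all:
                    data = image[pos:pos + MAX_LEN]  # damaged: no footer found
                else:
                    data = None
                if data is not None:
                    hits.append((ftype, pos, data))
                    step = len(data)
            pos = image.find(header, pos + step)
    return sorted(hits, key=lambda hit: hit[1])

def sample_image():
    """Constructed 5-sector image; nothing here comes from a real drive."""
    pad = lambda b: b + b"\0" * (-len(b) % SECTOR)
    png = SIGNATURES["png"][0] + b"constructed-chunks" + SIGNATURES["png"][1]
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    broken = SIGNATURES["png"][0] + b"tail was overwritten"  # footer missing
    return (b"\0" * SECTOR + pad(png) + pad(b"x" * 100 + pdf)
            + pad(pdf) + pad(broken))

if __name__ == "__main__":
    img = sample_image()
    for label, kw in [("full scan", {}), ("quick", {"quick": True}),
                      ("write all", {"write_all": True})]:
        found = carve(img, ["pdf", "png"], **kw)
        print(label, [(t, off, len(d)) for t, off, d in found])
```

The quick pass misses the PDF that starts 100 bytes into a sector, and only the write-all pass returns the PNG whose tail was overwritten, which comes back as a partial file.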
Another handy Foremost switch is -T. It creates a timestamped directory name. If you plan on running Foremost multiple times, the -T switch will create a directory name with the timestamp. For example:
foremost -vqQT -o recovery/ -t pdf,png -i mypendrive.img
In the above example, Foremost creates a directory with a name starting with recovery and ending with the date and timestamp (3:29pm here):
recovery_Sun_Mar_11_15_29_42_2012
Foremost is a great tool for recovering images, documents, movies, and other types of files. Because it can work with unmounted file systems, it comes in handy where other tools require a mounted partition. Of course the usual “back up your data” lecture applies to any conversation about data recovery, particularly since there have been a number of great backup articles in past issues of Full Circle Magazine.
Now, at least there’s one more option when you get that sinking feeling that you’ve just deleted something you really meant to keep.