Restoring accidentally deleted files on Linux
sabotage-linux.github.ioIf you are using ext4 there is extundelete that simplifies the process, it requires to remount the filesystem read-only, though.
mount -o remount,ro /dev/sda1
extundelete --restore-all --after $(date -d "-1 hours" +%s) /dev/sda1
find /RECOVERED_FILES -name accidentally_deleted_file
mount -o remount,rw /dev/sda1Another fast way to search for text in binary files is to use "grep -abo" (treat all files as text / print matches only / print file offsets).
Anyone checked if that is actually faster than just using grep on the blockdevice? I've used grep the few times I've had a need for it, and just copied the source off the terminal when its found something. (Tell grep to give you some lines before and after a match, and tell it to treat the blockdevice as plain-text).. You usually get some trash before/after the matches, those could be terminal control characers, but a those can be trimmed with, drumroll: tr.
Last time I had this happen (thankfully a long time ago) I just used Perl against the block device and used a regex.
Forensic tools also work well for this.
Thanks, this will come in handy. Needed it a bunch in the past.
shouldn't that be (addr1-addr2+1)? Or does dd copy the first byte plus the count?