Scalpel Recovery Tool
What is Scalpel?
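Scalpel is an open source file system recovery tool for Linux and Mac operating systems. The tool visits the block storage, identifies deleted files in it, and recovers them immediately. Apart from file recovery, it is also useful for digital forensics investigations.
How to install Scalpel on Debian / Ubuntu and Linux Mint
To install Scalpel, open a terminal from the desktop with "CTRL + ALT + T" and run the following command.
    $ sudo apt-get install scalpel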
Sample output
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
      scalpel
    0 upgraded, 1 newly installed, 0 to remove and 390 not upgraded.
    Need to get 0 B/33.9 kB of archives.
    After this operation, 118 kB of additional disk space will be used.
    Selecting previously unselected package scalpel.
    (Reading database ... 151082 files and directories currently installed.)
    Unpacking scalpel (from .../scalpel_1.60-1build1_i386.deb) ...
    Processing triggers for man-db ...
    Setting up scalpel (1.60-1build1) ...
    youcl@youcl-Latitude-D630:~$
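Installing Scalpel on RHEL / CentOS and Fedora
To install the Scalpel recovery tool, you first need to enable the EPEL repository. Once it is enabled, you can install Scalpel with "yum" as shown.
    # yum install scalpel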
Sample output
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.01link.hk
     * epel: mirror.nus.edu.sg
     * epel-source: mirror.nus.edu.sg
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package scalpel.i686 0:2.0-1.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ======================================================================
     Package        Arch        Version            Repository        Size
    ======================================================================
    Installing:
     scalpel        i686        2.0-1.el6          epel              50 k

    Transaction Summary
    ======================================================================
    Install       1 Package(s)

    Total download size: 50 k
    Installed size: 108 k
    Is this ok [y/N]: y
    Downloading Packages:
    scalpel-2.0-1.el6.i686.rpm                          |  50 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : scalpel-2.0-1.el6.i686                              1/1
      Verifying  : scalpel-2.0-1.el6.i686                              1/1

    Installed:
      scalpel.i686 0:2.0-1.el6

    Complete!
Once Scalpel is installed, you need to edit its configuration file in a text editor. By default, Scalpel keeps its own configuration file under the "/etc" directory; the full path is "/etc/scalpel/scalpel.conf" or "/etc/scalpel.conf". You will see that everything in it is commented out (#). So before running Scalpel, you need to uncomment the file formats you want to recover. Uncommenting the whole file, however, is time consuming and will produce a huge number of false results. Say, for example, that I want to recover only ".jpg" files: I simply uncomment the ".jpg" section of the Scalpel configuration file.
    # GIF and JPG files (very common)
        gif     y       5000000         \x47\x49\x46\x38\x37\x61        \x00\x3b
        gif     y       5000000         \x47\x49\x46\x38\x39\x61        \x00\x3b
        jpg     y       200000000       \xff\xd8\xff\xe0\x00\x10        \xff\xd9
Go to the terminal and type the following command. Here '/dev/sda1' is the location of the device from which the files were deleted.
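    $ sudo scalpel /dev/sda1 -o output
The "-o" switch specifies the output directory into which the deleted files are recovered. Before running the command, make sure this directory is empty, otherwise Scalpel will give you an error. The output of the above command is: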
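    Scalpel version 1.60
    Written by Golden G. Richard III, based on Foremost 0.69.

    Opening target "/dev/sda1"

    Image file pass 1/2.
    /dev/sda1:   6.1% |*****                              |    6.6 GB    39:16 ETA
As you can see, Scalpel is now carrying out its process, and it will take a while to recover the deleted files, depending on the amount of disk space you are scanning and the speed of the machine. I recommend that everyone get into the habit of using only Delete rather than "Shift + Delete", because, as the saying goes, prevention is always better than cure.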
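To show what the jpg line in the configuration excerpt above tells the tool to look for, here is a simplified header/footer carver. It is an added example, not Scalpel's own code. The function names and the sample image are constructed for illustration, only \xNN escapes are decoded, and skipping a header whose footer is not found within the maximum size is an assumption of this sketch.

```python
import re

# Rule line copied from the scalpel.conf excerpt on this page:
# extension, case-sensitive flag, maximum carve size, header, footer.
JPG_RULE = r"jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9"

def decode_pattern(text):
    """Convert a pattern to bytes; only \\xNN escapes and literal ASCII are handled."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), text.encode("ascii"))

def parse_rule(line):
    ext, case, max_size, header, *footer = line.split()
    return {"ext": ext, "case_sensitive": case == "y",  # flag parsed, unused below
            "max_size": int(max_size), "header": decode_pattern(header),
            "footer": decode_pattern(footer[0]) if footer else b""}

def carve(image, rule):
    """Return (offset, data) for every header..footer span within max_size."""
    hits, head, foot = [], rule["header"], rule["footer"]
    start = image.find(head)
    while start != -1:
        limit = min(len(image), start + rule["max_size"])
        end = image.find(foot, start + len(head), limit) if foot else -1
        if end != -1:
            hits.append((start, image[start:end + len(foot)]))
            nxt = end + len(foot)
        else:
            nxt = start + 1  # assumption: a header with no footer in range is skipped
        start = image.find(head, nxt)
    return hits

def sample_image():
    """Constructed test data: one complete JPEG-like blob and one with a lost footer."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"pixel-data" + b"\xff\xd9"
    orphan = b"\xff\xd8\xff\xe0\x00\x10JFIF-truncated"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + orphan + b"\x00" * 50, jpeg

if __name__ == "__main__":
    image, _ = sample_image()
    for offset, data in carve(image, parse_rule(JPG_RULE)):
        print(f"carved {len(data)} bytes at offset {offset}")
```

Each rule that is enabled adds another byte pattern to search for across the whole device, which is why enabling only the formats you need keeps both the run time and the number of false matches down.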