LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Setting to a previous date (https://www.linuxquestions.org/questions/linux-newbie-8/setting-to-a-previous-date-463201/)

pwnd 07-12-2006 02:01 AM
Setting to a previous date
 
I accidently deleted a folder with some photos in them which I didn't want to delete. I did this about a day ago or so. I know in windows you can set your computer to a previous date so you can retrieve deleted folders and such. Is there such thing in Linux(Ubuntu)? If not that, than any other way possible to bring my photos back to life?

pljvaldez 07-12-2006 02:43 AM
I think there are some commercial versions of software that might let you go back and undelete the folder, but I'm not sure.

I personally have had success recovering data off of a drive using the program foremost on linux. But you can't be running an OS from that partition to recover data from it. For example, I unplugged the drive and made it a slave on my debian box. I was pretty impressed with what it came back with. Just be ready to weed through all the data when it's done. Some of the photos will be ruined, but most of mine were salvageable...

Tinkster 07-12-2006 02:44 AM
The date wouldn't have any impact on it... if you're using ext2
as your file-system and you didn't write any new stuff to the
hdd since you may be lucky, fire up midnight commander (type mc)
and look through the menu. In all other cases you're pretty much
on your own; there's a few forensic tools that try to recover
certain file-types from the raw-device, but it's not a laymans
thing, I don't think.


Cheers,
Tink


P.S.: I'm not windows expert by any means, but I think that you got
the date thing wrong ;}

pwnd 07-12-2006 09:19 PM
I appreciate the help but neither of these worked :( . Is these ANY other way I can retrieve the photos. They were really good!

AwesomeMachine 07-12-2006 11:20 PM
Jpeg files have a signature, which is the first four bytes of the file:

ff d8 ff e0 hex

You can search for this value with:

dd if=/dev/sda | hexdump -C | grep ff d8 ff e0

Wherever you get a hit is where a jpg file starts. Over on the left of the output are hex offsets. That is the exact byte on the disk where the line begins. You convert the byte offset where you find the the signature bytes to decimal with one of the many calculators in linux. Then, say you located ff d8 ff e0 at offset 000 0ac 000 0. That's decimal offset 11,272,192. If you divide that by 512 bytes per sector you get 22,016. So, to get to that file:

dd if=/dev/sda count=22,016 bs=512 | hexdump -C | less

Now, the first bytes on the screen should be ff d8 ff e0. That is the beginning of a jpeg. Jpegs end with ff d9. So, using pgup, pgdn, arrows, navigate to where you see a a bunch of lines of zeros. Right before the zeros start, you will see ff d9. d9 is the end of the jpg file. Make note of that offset. That is the file length in hex. Convert it to decimal with a calculator. Say it's 8000 hex long. That's 32,768 decimal.

dd if=/dev/sda skip=11272192 count=32768 bs=1 > /directoryonadifferentdrive/filename.jpg

Tinkster 07-13-2006 03:12 AM
You could try the following tools ...

http://www.vanheusden.com/recoverdm/

http://jbj.rapanden.dk/magicrescue/



Cheers,
Tink


All times are GMT -5. The time now is 10:37 PM.