LinuxQuestions.org
Old 06-21-2015, 06:11 PM   #1
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 16.04 lts desk; Ubuntu 14.04 server
Posts: 361

Rep: Reputation: 31
Question opening ecryptfs files recovered by photorec


Friends--

Used photorec to recover some files that I hope contain two overwritten xournal .xoj files. I ran grep -rin (looking for a string that appeared in the name of each file) on the thousands of files restored, and came up with 4 possible files, named:
Code:
recupdir_141/f65949640.eCryptfs
recupdir_503/f189393168.eCryptfs
recupdir_503/f189393456.eCryptfs
recupdir_503/f189391096.eCryptfs
These files all currently reside in the /home/doug encrypted directory. I have rebooted and mounted that directory normally and am able to open other files in that directory.

I have tried opening these files with gedit (shows them all as binary files) and with xournal (after renaming as .xoj--this program merely reports "error in opening file"). Using cat and piping through less, I found that the first one has a lot of debug info and other things which look like pieces of other files (like lease info for wlan0 and eth0).

The 1096 file has stuff about charging and discharging, and the output of an ls -alh command, and binary info. 3168 is similar. 3456 has much less human readable text.

If my missing files are there, they are in the binary things I cannot read.

So I do not know if my missing .xoj files are in there, if they are encrypted or not, and especially how to deal with these files.

Any ideas how to recover these files? Or maybe my files are in the thousands of other files recovered.

My system:
12.04 lts Ubuntu
Used latest stable photorec--ran it against the empty space, since the missing files were already overwritten by another process. (I ran unison in the wrong direction!)

Thanks for helping me.
 
Old 06-24-2015, 09:55 PM   #2
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Hey Doug,

From the photorec project page

Quote:
File systems
PhotoRec ignores the file system; this way it works even if the file system is severely damaged.

If I'm not mistaken, photorec isn't going to do anything useful on an encrypted file system. That doesn't mean you can't export the directory into an un-encrypted file system it can read... such as

FAT
NTFS
exFAT
ext2/ext3/ext4 filesystem
HFS+
 
Old 06-25-2015, 08:51 PM   #3
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 16.04 lts desk; Ubuntu 14.04 server
Posts: 361

Original Poster
Rep: Reputation: 31
Question

dijetlo--

Thanks for your reply and for checking out the photorec page.

I think the problem is probably not the encryption. My theory is that A) I have run the photorec program while I have the directory open and unencrypted; and B) I can read some of the material in the file. I could be all wet on either or both scores.

That being the case, it looks like there are parts of these files which are pieces of binary files. Is there any way to look at the non-human readable parts and see what they contain?

For instance, here are a few lines from one of the files, as opened via cat:
Code:
-rw-rw-r-- 1 doug data  28K Jun 12 15:47 20150611 cn mw esp bus tax seminar.odt
-rw-rw-r-- 1 doug data  14M Jun  8 21:09 20150611 man day1 mw esp tax bus inst 2015.pdf
-rwxrwxrwx 1 doug data 1.7K Jun  9 19:32 20150611 ml��hl�l�l
pSp �p0�p@5qP�q`�qp"rp1rp�rp�rp�rp.sx5s��s���s�$t�st��t��t�u�fu�zu��u��u�*v�lv��v��v�"w�&w�vw�yw��w��w�x�cx��x��x�Hy��y�y(z xz(�z0�z0�z0.{8<{@�{@�{@�{@4|HB|P�|P�|P�|X�|`8}p|}�
Is there any way to decode those strange symbols? (gedit shows them as strings of /00/00/00)

Thanks dijetlo!
 
Old 06-25-2015, 10:24 PM   #4
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,593

Rep: Reputation: 3510
File inodes don't contain the file name - that is only present (once) in the directory entry. That is why your grep found things like "ls" commands, not file data you hoped to find.
In normal operation I would expect files to be updated "in-place", not copied out in full to somewhere else. Hence there will be no old file in the "empty" space for you/photorec to find. That might (should) work for deleted files, not updated ones (if photorec knows the layout of the files).
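
Added example, not part of any post in this thread: a triage pass over a PhotoRec output tree that looks at file content rather than file names. Xournal saves .xoj as gzip-compressed XML, so a plain-text grep cannot match it; the eCryptfs header layout used here (8-byte size, then a marker whose halves XOR to 0x3c81b7f5) is assumed from the Linux kernel's eCryptfs code, and all sample files are constructed.

```python
import gzip
import os
import struct
import tempfile
import zlib

ECRYPTFS_MARKER = 0x3C81B7F5  # MAGIC_ECRYPTFS_MARKER in the kernel's eCryptfs code

def classify(path, probe=4096):
    """Label one carved file: 'xoj', 'gzip-other', 'ecryptfs-lower' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(probe)
    if head.startswith(b"\x1f\x8b"):  # gzip magic
        try:  # wbits=31: gzip framing; a truncated stream still yields its start
            text = zlib.decompressobj(31).decompress(head)
            return "xoj" if b"<xournal" in text else "gzip-other"
        except zlib.error:
            pass  # magic matched by chance; keep checking
    if len(head) >= 16:
        # eCryptfs lower file: 8-byte size, then big-endian words m1, m2 with
        # m1 ^ m2 == marker (layout assumed from kernel source); body is ciphertext.
        m1, m2 = struct.unpack(">II", head[8:16])
        if m1 ^ m2 == ECRYPTFS_MARKER:
            return "ecryptfs-lower"
    return "unknown"

def triage(root):
    """Walk a PhotoRec output tree; return {label: [paths]}."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in sorted(os.path.join(dirpath, n) for n in files):
            found.setdefault(classify(path), []).append(path)
    return found

def build_constructed_samples(root):
    """Write constructed stand-ins for carved files (names and contents are made up)."""
    xoj = b'<?xml version="1.0" standalone="no"?>\n<xournal version="0.4.8">\n</xournal>\n'
    samples = {
        "f0000001.gz": gzip.compress(xoj),
        "f0000002.gz": gzip.compress(b"plain log text\n"),
        "f0000003.eCryptfs": struct.pack(">QII", 1700, 0x11223344, 0x11223344 ^ ECRYPTFS_MARKER) + b"\x00" * 32,
        "f0000004.txt": b"-rw-rw-r-- 1 doug data 28K listing fragment\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        print(triage(tmp))
```

A file labelled 'ecryptfs-lower' was carved from the encrypted lower layer and is unreadable without the mount; 'xoj' means the start of a Xournal document survived, not that the whole file did.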
 
Old 06-26-2015, 05:06 PM   #5
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 16.04 lts desk; Ubuntu 14.04 server
Posts: 361

Original Poster
Rep: Reputation: 31
Question

syg00--

OK. Thanks.

I am reading your post to say I am out of luck and unlikely to get my data back. Yes?

Are you suggesting I can run photorec or something else on the file in place and stand a chance of recovering it?

Thanks, syg00!
 
Old 06-26-2015, 07:20 PM   #6
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 19,593

Rep: Reputation: 3510
Quote:
Originally Posted by dgermann
I am reading your post to say I am out of luck and unlikely to get my data back. Yes?

Pretty much.

Quote:
Are you suggesting I can run photorec or something else on the file in place and stand a chance of recovering it?

Nope - IMHO there's nothing of substance to recover. There may be old fragments, but they will be effectively undetectable. Or they may already be included in files photorec has created. Even if you could find them, you wouldn't know which iteration of past updates they came from.

Nothing replaces good backups.
 
Old 06-27-2015, 10:24 AM   #7
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 16.04 lts desk; Ubuntu 14.04 server
Posts: 361

Original Poster
Rep: Reputation: 31
Thumbs up

syg00--

Thanks!

Now I can forget about this data and move on!

The other saying is, I've always got good backups, except for what I lost!

Thanks, syg00!
 
  



Tags
.xoj, ecrypt, photorec, recover, xournal

