Restore a bunch of files with Sleuthkit
If you have an image of a drive/partition that can't be mounted, you can use Sleuthkit to restore the files. First, you will need to get the list of files from that image:
$ fls -f ext2 -p -r ./image-of-my-drive \
| grep -v '^..-' | grep -v '^... \*' > files.lst
This command will give you a list of files and their inodes (assuming we are dealing with an Ext2 FS). Then you'll be able to "mass-restore" files with this script:
IMAGE=image-of-my-drive
LIST=./files.lst
DEST=/home/ixti/recovered
# Each line of the list looks like: r/r 12345:<TAB>path/to/file
while IFS= read -r line; do
    filetype=`echo "$line" | awk '{print $1}'`
    filenode=`echo "$line" | awk '{print $2}'`
    filenode=${filenode%:}
    # The path is everything after the tab, so names with spaces stay intact
    filename=`echo "$line" | cut -f 2-`
    if [ "$filetype" = "r/r" ]; then
        echo "$filename"
        mkdir -p "`dirname "$DEST/$filename"`"
        icat -f ext2 -r -s "$IMAGE" "$filenode" > "$DEST/$filename"
    fi
done < "$LIST"
You can also restore a particular directory. Just pass its inode to the fls command to get the list of files from that directory only.
This will help to restore EXISTING files from the image of a drive that can't be mounted normally. But you can easily adapt it to mass-restore removed files/directories: just read the fls manual/wiki about its output and tune the icat batch script :))
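One way to read the fls output for both existing and deleted entries, as an added example that is not part of the original tip: it builds a restore plan, skips deleted entries whose inode fls marks as reallocated, and refuses paths that would land outside the destination. The names `plan_restore` and `sample_fls_output`, the `existing`/`deleted` subdirectories and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed fls -p -r line formats (fields before a TAB):
#   r/r 12:<TAB>path              existing entry
#   r/r * 13:<TAB>path            deleted entry
#   r/r * 14(realloc):<TAB>path   deleted entry whose inode was reused
TAB=$(printf '\t')

# plan_restore DEST: read fls lines on stdin, print "inode<TAB>destination"
plan_restore() {
    dest=$1
    while IFS= read -r line; do
        meta=${line%%"$TAB"*}   # text before the first tab
        path=${line#*"$TAB"}    # text after it, spaces preserved
        [ "$meta" != "$line" ] || continue      # no tab: not an entry
        case $meta in
            *'(realloc):') continue ;;  # content now belongs to another file
            'r/r '*) ;;                 # regular files only
            *) continue ;;
        esac
        inode=${meta##* }       # last token, e.g. "13:"
        inode=${inode%:}
        case $inode in
            ''|*[!0-9]*) continue ;;    # ext2 inodes are plain integers
        esac
        # Names come from the image: skip any path that could leave DEST
        case "/$path/" in
            */../*|//*) continue ;;
        esac
        case $meta in
            *' * '*) sub=deleted ;;
            *) sub=existing ;;
        esac
        printf '%s\t%s/%s/%s\n' "$inode" "$dest" "$sub" "$path"
    done
}

# Constructed sample lines, not taken from a real image
sample_fls_output() {
    printf 'd/d 11:\thome\n'
    printf 'r/r 12:\thome/my notes.txt\n'
    printf 'r/r * 13:\thome/old.txt\n'
    printf 'r/r * 14(realloc):\thome/gone.txt\n'
    printf 'r/r 15:\thome/../../outside.txt\n'
}

sample_fls_output | plan_restore /home/ixti/recovered
```

Feed it fls output produced without the `grep -v '^... \*'` filter, then pass each planned inode to icat as in the restore script.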
Written by Aleksey V. Zapparov