ext3grep - Recover Deleted Files on Debian and Ubuntu
ext3grep is a simple program for recovering files on an EXT3 file system. It is an investigation and recovery tool that is useful in forensic investigations. It helps to show information about the files that exist on a partition and to recover files that were accidentally deleted.
In this article, we will show a useful technique that will help you recover accidentally deleted files on an ext3 file system using ext3grep on Debian and Ubuntu.
- Device name: /dev/sdb1
- Mount point: /mnt/TEST_DRIVE
- File system type: EXT3
How to Recover Deleted Files Using the ext3grep Tool
Install it using the APT package manager as shown.
$ sudo apt install ext3grep
Once installed, we will now show how to recover deleted files on an ext3 file system.
First, we will create some files for testing purposes in the mount point /mnt/TEST_DRIVE of the ext3 partition/device, i.e. /dev/sdb1 in this case.
$ cd /mnt/TEST_DRIVE
$ sudo touch file{1..5}
$ ls -l
Now we will remove one file named file5 from the mount point /mnt/TEST_DRIVE of the ext3 partition.
$ sudo rm file5
Now we will see how to recover the deleted file using the ext3grep program on the target partition. First, we need to unmount it from the mount point above (note that you must use the cd command to change to another directory for the unmount operation to work; otherwise the umount command will report an error saying the target is busy).
$ cd
$ sudo umount /mnt/TEST_DRIVE
Now that we have deleted one of the files (which we will assume was done accidentally), to view all the files on the device, run ext3grep with the --dump-name option (replace /dev/sdb1 with your actual device name).
$ ext3grep --dump-name /dev/sdb1
To recover the file deleted above, i.e. file5, we use the --restore-all option as shown.
$ ext3grep --restore-all /dev/sdb1
Once the recovery operation is complete, all recovered files are written to the directory RESTORED_FILES, where you can check whether the deleted files were recovered or not.
$ cd RESTORED_FILES
$ ls
We can also specify a particular file to recover, for example the file named file5 (or give the full path of the file within the ext3 device).
$ ext3grep --restore-file file5 /dev/sdb1
OR
$ ext3grep --restore-file /path/to/some/file /dev/sdb1
In addition, we can also restore files from a given time window. The --after and --before options take epoch timestamps, so we use date to convert a readable date and time, as shown.
$ ext3grep --restore-all --after $(date -d 'Jan 1 2019 9:00am' '+%s') --before $(date -d 'Jan 5 2019 00:00' '+%s') /dev/sdb1
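The following shell helpers wrap the workflow above (unmount before touching the device, convert dates to epoch seconds for --after/--before, check the RESTORED_FILES output). This is an added example, not code from the article or from the ext3grep project. It assumes GNU date (as on Debian and Ubuntu), the article's device /dev/sdb1, and two hypothetical environment variables, MOUNTS_FILE and RESTORED_DIR, which only exist so the mount check and the result check can be exercised against constructed data instead of the live /proc/mounts and a real recovery run.

```shell
#!/bin/sh
# Added example helpers around the ext3grep procedure described in the article.
# MOUNTS_FILE and RESTORED_DIR are hypothetical overrides used for offline testing;
# on a real system leave them unset and the defaults (/proc/mounts, RESTORED_FILES) apply.

# Return 0 if DEVICE is currently listed as a mounted source in the mounts table.
# ext3grep reads raw block data, so the device must be unmounted first (see above).
is_mounted() {
  dev="$1"
  mounts="${MOUNTS_FILE:-/proc/mounts}"
  awk -v d="$dev" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$mounts"
}

# Convert a human-readable date into the epoch seconds that --after/--before expect.
# -u interprets zone-less strings as UTC for reproducibility; drop it to use local time
# like the article's command line does.
to_epoch() {
  date -u -d "$1" '+%s'
}

# Print the ext3grep command line for restoring files modified in a time window.
restore_window_cmd() {
  dev="$1"; after="$2"; before="$3"
  printf 'ext3grep --restore-all --after %s --before %s %s\n' \
    "$(to_epoch "$after")" "$(to_epoch "$before")" "$dev"
}

# Refuse to run ext3grep while the device is still mounted; otherwise restore everything.
# Returns 2 when the device is mounted, else ext3grep's own exit status.
safe_restore_all() {
  dev="$1"
  if is_mounted "$dev"; then
    echo "refusing: $dev is mounted; run 'cd; sudo umount <mountpoint>' first" >&2
    return 2
  fi
  ext3grep --restore-all "$dev"
}

# Return 0 if the named file (relative path inside the ext3 volume) was written
# by ext3grep into the restore directory.
was_restored() {
  [ -f "${RESTORED_DIR:-RESTORED_FILES}/$1" ]
}

# Typical use on a real system (device and mount point from the article):
#   cd; sudo umount /mnt/TEST_DRIVE
#   safe_restore_all /dev/sdb1
#   was_restored file5 && echo "file5 recovered"
#   restore_window_cmd /dev/sdb1 'Jan 1 2019 9:00am' 'Jan 5 2019 00:00'
```

The mount check is the part worth keeping even if you never use the rest: running ext3grep on a mounted file system reads block data that the kernel may still be changing, and the article's own unmount step exists for that reason.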
For more information, see the ext3grep man page.
$ man ext3grep
That's it! ext3grep is a simple and useful tool for investigating and recovering deleted files on an ext3 file system. It is one of the best programs for recovering files on Linux. If you have any questions or thoughts to share, reach us via the feedback form below.