ext3grep - Recover Deleted Files on Debian and Ubuntu


ext3grep is a simple program for recovering files on an EXT3 filesystem. It is an investigation and recovery tool that is useful in forensic work: it can show information about the files that existed on a partition, including deleted ones, and recover files that were deleted by accident.

In this article, we show a practical technique for recovering accidentally deleted files on an ext3 filesystem using ext3grep on Debian and Ubuntu. The test setup used here:

  • Device name: /dev/sdb1
  • Mount point: /mnt/TEST_DRIVE
  • Filesystem type: EXT3

How to Recover Deleted Files Using the ext3grep Tool

Install it from the APT package manager as shown.

$ sudo apt install ext3grep

Once it is installed, we will show how to recover deleted files on an ext3 filesystem.

First, we create some files for testing purposes in the mount point /mnt/TEST_DRIVE of the ext3 partition/device, i.e. /dev/sdb1 in this case. Note that file{1..5} is a brace expansion that creates file1 through file5; the glob-like form files[1-5] would create a single file literally named files[1-5] when nothing matches it.

$ cd /mnt/TEST_DRIVE
$ sudo touch file{1..5}
$ ls -l

Now we remove one file named file5 from the mount point /mnt/TEST_DRIVE of the ext3 partition.

$ sudo rm file5

Now we will see how to recover the deleted file with the ext3grep program on the target partition. First, we need to unmount it from the mount point above (note that you must use the cd command to change to another directory for the unmount to succeed; otherwise umount reports that the target is busy). Unmount as soon as possible: any further writes to the filesystem can reuse the freed blocks and overwrite the data you want to recover.

$ cd
$ sudo umount /mnt/TEST_DRIVE

Now that we have deleted one of the files (which we will assume happened by accident), to list all files on the device, including deleted ones, run ext3grep with the --dump-names option (replace /dev/sdb1 with your actual device name). ext3grep reads the block device directly, so run it as root or with sudo, and keep the partition unmounted while it runs.

$ sudo ext3grep --dump-names /dev/sdb1

To recover the file deleted above, i.e. file5, we use the --restore-all option as shown.

$ sudo ext3grep --restore-all /dev/sdb1

Once the recovery is complete, all recovered files are written to a directory named RESTORED_FILES under the current working directory (ext3grep also writes its stage cache files there), so run it from a directory on a different filesystem than the one being recovered. You can then check whether the deleted file was recovered or not.

$ cd RESTORED_FILES
$ ls

We can also name a specific file to recover, for example the file called file5 (or give the file's path within the ext3 filesystem, as it appears in the --dump-names output).

$ sudo ext3grep --restore-file file5 /dev/sdb1
OR
$ sudo ext3grep --restore-file /path/to/some/file /dev/sdb1

In addition, we can restore only the files deleted within a given time window. The --after and --before options take the deletion time as seconds since the Unix epoch, so use date to convert a human-readable date and time, as shown. (The end of the window is written as 00:00 in 24-hour form; GNU date rejects "00:00am" as an invalid date.)

$ sudo ext3grep --restore-all --after $(date -d 'Jan 1 2019 9:00am' '+%s') --before $(date -d 'Jan 5 2019 00:00' '+%s') /dev/sdb1
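The steps above, wrapped into a script, as an added example that is not part of the original article or of ext3grep itself: it refuses to run while the partition is still mounted, images the partition with dd and works from that read-only copy (ext3grep accepts an image file in place of the device), restores only files deleted inside a time window, and hashes whatever comes back. The device, image path and dates are hypothetical arguments supplied by the caller; the dates use the 24-hour "YYYY-MM-DD HH:MM" form, which GNU date accepts, instead of the "00:00am" form.

```shell
#!/bin/sh
# Added example (not from the original article): a wrapper around the ext3grep
# workflow that never touches the live partition. Run as root, because dd and
# ext3grep need to read the raw block device. All arguments are hypothetical.
set -eu

# Succeed if DEVICE is the source of any entry in a mounts table
# (default /proc/mounts). The table path is a parameter so a constructed
# table can be used for testing.
device_is_mounted() {
    _dev="$1"
    _table="${2:-/proc/mounts}"
    awk -v dev="$_dev" '$1 == dev { found = 1 } END { exit !found }' "$_table"
}

# Convert a date to seconds since the epoch. Integers pass through unchanged;
# anything else is handed to date(1). Use 24-hour "YYYY-MM-DD HH:MM" rather
# than "00:00am", which GNU date rejects as an invalid date.
to_epoch() {
    case "$1" in
        ''|*[!0-9]*) date -d "$1" '+%s' ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Print (without running) the ext3grep command that restores every file whose
# deletion time falls between AFTER and BEFORE, the form the article uses.
build_restore_cmd() {
    _after=$(to_epoch "$2")
    _before=$(to_epoch "$3")
    printf 'ext3grep --restore-all --after %s --before %s %s\n' \
        "$_after" "$_before" "$1"
}

# Full workflow: DEVICE IMAGE AFTER BEFORE
recover_window() {
    dev="$1"; img="$2"; after="$3"; before="$4"

    if device_is_mounted "$dev"; then
        echo "refusing to proceed: $dev is still mounted (umount it first)" >&2
        return 1
    fi

    # Work from a copy: image the partition once, then make the image
    # read-only so neither ext3grep nor a stray command can modify it.
    if [ ! -e "$img" ]; then
        dd if="$dev" of="$img" bs=4M conv=noerror,sync
        chmod 0444 "$img"
    fi

    # ext3grep writes RESTORED_FILES and its stage cache into the current
    # directory, so run it from a fresh work directory on another filesystem.
    work=$(mktemp -d "${TMPDIR:-/tmp}/ext3grep.XXXXXX")
    cd "$work"
    echo "+ $(build_restore_cmd "$img" "$after" "$before")"
    ext3grep --restore-all --after "$(to_epoch "$after")" \
        --before "$(to_epoch "$before")" "$img"

    # Record what came back; an empty listing means nothing in the window.
    find RESTORED_FILES -type f -exec sha256sum {} + 2>/dev/null || true
    echo "recovered files (if any) are under $work/RESTORED_FILES"
}

if [ "$#" -eq 4 ]; then
    recover_window "$@"
else
    echo "usage: $0 DEVICE IMAGE AFTER BEFORE" >&2
    echo "  e.g. $0 /dev/sdb1 /var/tmp/sdb1.img '2019-01-01 09:00' '2019-01-05 00:00'" >&2
fi
```

The mounted check reads /proc/mounts, so it is Linux-specific. Imaging first costs one full read of the partition, but it means a second attempt with a different time window, or a different tool, starts from the same unchanged evidence.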

For more information, see the ext3grep man page.

$ man ext3grep

That's it! ext3grep is a simple and useful tool for investigating and recovering deleted files on an ext3 filesystem. It is one of the best file recovery programs for Linux. If you have any questions or thoughts to share, reach us via the feedback form below.