Removing ext3 reserve from under windows. Applied necromancy in Linux or returning deleted files from oblivion

January 29, 2011 at 11:35 am

Linux is good, but sometimes you have to switch to Windows to perform tasks that either cannot be performed in Linux or can be performed, but only with a lot of pain. So we have switched to Windows and want to copy something from the disk we saved it to in Linux, and here newcomers run into a problem: Linux disks are not displayed in Windows, because this OS simply does not recognize them. It does not understand the file system used in Linux (for example, ext3 or ext4). So what should we do now? Transfer the necessary data to a flash drive or other removable media each time you are in Linux, and then copy it from the flash drive again when you are in Windows? You can, of course, leave the data on the flash drive and work with it directly from removable media, but this is not always advisable.

So, the problems have been identified, and now they need to be solved. Solutions, of course, exist. There are several useful free programs that allow you to read a Linux file system from Windows and copy from it to the Windows file system (but not back!). In principle, this is enough.

Programs for reading ext3/ext4 partitions in Windows:

  • Ext2Fsd
  • Ext2IFS (supports ext2, ext3 and ReiserFS partitions)
  • DiskInternals Linux Reader (supports ext2, ext3 and ReiserFS partitions)
  • ext2explore (supports ext2, ext3, ext4 and ReiserFS partitions)

I think each of us has encountered a problem when, due to a glitch in the firmware of a camera, PDA or smartphone, or simply because of the special device /dev/hands, the card was formatted and the data was deleted. At one time, I solved this problem quite simply, using the portable version of Ontrack Easy Recovery, but since I have been a user of Linux systems for several years now, using this unlicensed application through wine seemed not entirely kosher, and besides, the thirst for research and adventure required me to find a free native analogue for Linux systems. The research ended before it even began, as the first line in a Google search led to the TestDisk set of utilities, which I will talk about in more detail below.

TestDisk consists of two utilities: testdisk and photorec.
Short description:
testdisk is a powerful utility designed to recover deleted partitions and to repair MBR boot records after software errors, some viruses, or human errors (for example, when a partition was simply deleted).
testdisk features:
  • Fixing the partition table and recovering deleted partitions
  • Restoring the FAT32 boot sector from its backup
  • Rebuilding the FAT12/FAT16/FAT32 boot sector
  • Fixing FAT tables
  • Rebuilding the NTFS boot sector
  • Restoring the NTFS boot sector from its backup
  • Fixing the MFT using the MFT mirror
  • Finding the ext2/ext3 backup superblock
  • Recovering deleted files in FAT, NTFS and ext2 file systems
  • Copying files from deleted FAT, NTFS and ext2/ext3 partitions

photorec is a utility for recovering data such as video files, documents and archives from hard drives and CD-ROM drives, as well as photos (hence the name of the program, Photo Recovery) from the built-in memory of cameras. The list of file types it can recover is very impressive.

Both utilities are open source, distributed under the GNU General Public License (GPL). Versions are available for Linux, Unix, and Windows platforms.

Most Linux distributions already include them in the standard repository. For Debian-based distributions, install with the command:

In my case, I needed to recover photos from a camera card after the camera accidentally formatted the card. After I inserted the flash drive into the card reader and launched photorec as root in the console, the utility prompted me to select the disk on which I wanted to restore the data.

In my case it will be /dev/sdb.
Next, select the type of partition table on the disk; for most users it will be Intel/PC.

And then select the entire partition or disk to search for deleted files. Since I needed to recover all deleted files after formatting, I chose to search the entire disk.
After this, photorec asks you to indicate the type of file system in which the deleted files were stored. In this case, everything is simple: select the second item.

And then on another drive we select the directory where the utility will save the recovered files.

Next, press Y and the program begins its work. For a 32 MB card it took less than a minute.
Now about the results of the work:
To be honest, at first I was very doubtful about the program's abilities. But having opened the directory with the results of the utility, I was surprised to find that not only the necessary 10 recently taken photographs were restored, but also 110 others, the earliest of which was taken 3 years ago and had not been overwritten by further use of the card, although the card had been formatted repeatedly.
As a result, we have another victory of good over evil, a happy smile from the owner of the camera, and another proof that there is a sea of useful and high-quality open source utilities.

Have you often encountered situations where you needed to recover data? You accidentally deleted a file and came to your senses when it was too late, but did not know how to restore it; or you installed an operating system and, not understanding disk layout, formatted the disk with all your data, music, movies, home photos and everything else. You are in despair, not knowing whether recovery is possible. You may have restored something bit by bit, but that is only the smallest part of dealing with the consequences of the problem. Data in Linux can be recovered, and there are utilities for this, both paid and free. Today we will discuss 7 utilities that will help with data recovery in Ubuntu Linux.

Partially, of course, all this helped, but most of the data was still lost. Imagine the situation: you are a student preparing a coursework, there is a week or two left before it is due, and the hard drive holding your coursework has crashed. What do you do in this situation?

I know that many users are accustomed to working with a graphical interface from the time they worked on the system, but today we will also discuss console utilities, since many of them are no worse at recovery, and in some situations even better.

How to recover data and what applications to use?

How to recover data using Scalpel utility

Scalpel is a set of tools for fast file recovery. What makes it unique is that it does not depend on the file system in any way. The utility takes the file formats known to its database and tries to find such files on the disk by their specific patterns, looking for the beginning and end of each file. It can help with recovery on file systems such as FATx, NTFS and ext2/3, and also from “RAW” partitions.

Let's install the utility, run the command in the terminal:

sudo apt install scalpel

The utility works according to its configuration template, /etc/scalpel/scalpel.conf. If you want to recover files of a certain format, open the config and uncomment the lines for that file type. When editing the config template, be very careful not to break it or delete anything by accident.

Example of using Scalpel:

sudo scalpel file.iso -o dir_recovery

The recovery directory "dir_recovery" must be empty. file.iso is an example of the data that we need to recover: we know that we had such an image with exactly this name. We can specify not only the file directly, but also the full path to the device from which we need to restore, like this: /dev/sdb1/directory_name/directory_name2/filename.
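The header/footer search that the Scalpel description above refers to, and that PhotoRec also relies on, reduced to its core as an added Python example (not code from Scalpel or from the original article). The three signature rules and the sample image are constructed for illustration and are not copied from scalpel.conf.

```python
"""Header/footer file carving over a raw image, ignoring all file system metadata."""

# (extension, header, footer, maximum carve size in bytes).
# Constructed rules for illustration; not copied from scalpel.conf.
RULES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1 << 20),
    ("pdf", b"%PDF-", b"%%EOF", 1 << 20),
]


def carve(image, rules=RULES):
    """Return (found, orphans).

    found   -- (ext, start, end) for each header with a footer inside the size limit
    orphans -- (ext, start) for headers with no footer: truncated or partly
               overwritten files that header/footer carving cannot close
    """
    found, orphans = [], []
    for ext, header, footer, max_size in rules:
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(len(image), start + max_size)
            foot = image.find(footer, start + len(header), limit)
            if foot == -1:
                orphans.append((ext, start))
                pos = start + 1
            else:
                end = foot + len(footer)
                found.append((ext, start, end))
                pos = end  # continue after the carved file
    return sorted(found, key=lambda r: r[1]), sorted(orphans, key=lambda r: r[1])


def build_sample_image():
    """Constructed 'formatted card': zeroed metadata, old file contents still in place."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 300 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 200 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 100  # header only, footer overwritten
    image = bytes(512) + jpeg + bytes(206) + png + bytes(296) + truncated + bytes(64)
    return image, jpeg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    found, orphans = carve(image)
    for ext, start, end in found:
        print(f"recovered {ext}: bytes {start}-{end} ({end - start} bytes)")
    for ext, start in orphans:
        print(f"{ext} header at {start} has no footer within the size limit")
```

Because the search never consults a partition table or directory entry, it keeps working after a format, but it recovers neither file names nor fragmented files.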

How to recover data using R-Linux

R-Linux is a free program for recovering data from the Ext2/Ext3/Ext4 file systems used in Linux and some Unix operating systems (OS). The scanning technology used in R-Linux and an easy-to-configure program interface give the user absolute control over the data recovery process. The program recovers data from existing logical drives, even if file records are lost. However, the program cannot restore data over a network and has no functionality for reconstructing disk arrays and recovering data from them.

There are two versions of the R-Linux utility: for Linux OS and for Windows OS. They have the same functionality, the only difference is the host OS.

R-Linux recovers the following files:

  • Deleted as a result of a virus attack, power failure or system damage;
  • From damaged or deleted partitions, after formatting the partition, even to a partition with a different file system;
  • When the partition structure on the disk has been changed or damaged. In this case, R-Linux can scan the hard drive, find a previously deleted or damaged partition, and only then recover data from the found partition.
  • From hard drives that have a large number of bad sectors. R-Linux allows you to copy information and create an image of an entire disk or part of it, and only then work with the image file saved on another medium, as with the original disk. This is especially useful and effective when the number of bad sectors on the disk is constantly growing, and the remaining information needs to be saved immediately.

What R-Linux can do:

  • Host Operating System (OS):
  • Option for Linux OS: any Linux OS based on kernel 2.6+
  • Option for Windows OS: Win2000, XP, 2003, Vista, Windows 7, Windows 8/8.1, Windows Server 2008/2012
  • Supported file systems: Ext2/Ext3/Ext4 FS (Linux) only.
  • Recognition and analysis of Dynamic (Windows 2000/XP/2003/Vista/Win7), Primary, BSD (UNIX) partition schemes and APM (Apple Partition Map) partition schemes. Support for dynamic partitions on GPT as well as on MBR.
  • Creating an IMAGE FILE for an entire physical disk, partition or part thereof. Disk image files can be processed by the program as a regular disk. Two types of images are possible: 1) Images that are an exact byte-by-byte copy of the object (Uncompressed images) - such images are compatible with previous versions of R-Linux; 2) Compressed images - can be compressed, split into multiple files and password protected. Such images are fully compatible with images created by the R-Drive Image program, but are incompatible with previous versions of R-Linux.
  • Recovered files can be saved to any drive, including a network drive, accessible by the local operating system.
  • Monitoring S.M.A.R.T. parameters. R-Linux can display S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) parameters for hard drives, which show the state of their hardware and predict their possible failures. Any additional load on such disks should be avoided if warnings from the S.M.A.R.T. system appear.
  • Search for deleted versions of files. R-Linux can search for deleted versions of files using their sizes, names, extensions, and recognized file types as search parameters.

If there is something you don't understand about the application, you can read the reference manual; it is quite extensive, and you will find answers to many questions there.

How to install R-Linux

You can download the file for your architecture from the link, then to install it, open a terminal and run the commands:

cd ~/Downloads/
sudo dpkg -i rli*

After installation is complete, look for the application in the Ubuntu menu - System utilities - R-Linux. After the first launch you will see an English-language application; do not be alarmed, Russian is supported too. Go to the Help menu - Interface Language and select Russian. Done.

If you need to restore files, connect a flash drive, for example. Once you see on the Ubuntu sidebar that the flash drive has been detected, click the refresh button in the application to see your media. Next, select the partition of the flash drive with the mouse cursor and press the "Scan" button.

As you can see, we are offered to configure the scanning parameters in more detail: whether to search by known file types, whether to keep a log, and where exactly to search. We can specify the byte offset from which scanning should begin: 0 by default, or a value of our own.

The scan has started. Wait until it is completed and do not cancel it under any circumstances; sometimes this can end badly for the flash drive. When the scan is complete, we see the following picture:

Below the flash drive partition there is an area called "Found by signatures". Click on it with the mouse cursor and a new window appears:

Click on the line "Files found based on information about typical features of their data structure". After clicking on this link we will see something like the following:

Select the directories you need and press the "Restore marked" button. I checked it for the sake of a test, and the utility works well. Try it and report back on how it works in a real situation, when data is lost, files are deleted, and so on.

How to recover data using the R-Studio utility

It's a paid utility, but it's worth it because it will help you out of even the most difficult situations. You can buy it on the official website. An advanced utility, the best among data recovery utilities, it works with the file systems NTFS, NTFS5, ReFS, FAT12/16/32, exFAT, HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux). R-Studio also uses signature-based file recovery (scanning for known file types) for severely damaged or unknown file systems. The program allows you to recover data both locally and on remote computers over a network, even if disk partitions have been formatted, damaged or deleted.

R-Studio includes:

  • RAID reconstruction module
  • Universal text/hexadecimal editor with a wide range of capabilities
  • A separate system and data backup module (disk copy), which allows R-Studio to be considered the most optimal and complete solution when creating a workstation for data recovery.

R-Studio recovers files:

  • Deleted outside the Recycle Bin or when the Recycle Bin was emptied;
  • Deleted by a virus attack or computer power failure;
  • After the partition with the files has been reformatted, even to a partition with a different file system;
  • When the partition structure on the hard drive has been changed or damaged. In this case, using the R-Studio program, you can scan your hard drive, find a deleted or damaged partition, and only then recover data from the found partition.
  • From hard drives that have a large number of bad sectors. The R-Studio recovery program can first copy information and create an image of the whole disk or part of it, and only then work with the image file saved on another medium as with the original disk. This is especially useful and effective when the number of bad sectors on the disk is constantly growing, and the remaining information needs to be saved immediately.
  • By Order of the Ministry of Justice of the Russian Federation dated November 26, 2015 No. 269, R-STUDIO was included in the list of requirements for the minimum configuration of the material and technical base for several types of forensic examinations carried out in federal budgetary forensic institutions of the Ministry of Justice of the Russian Federation.

What the R-Studio utility can do:

  • Standard Windows Explorer user interface.
  • Host operating system (OS): Windows 2000, XP, 2003 Server, Vista, 2008 Server, Windows 7, Windows 8/8.1/10, Windows Server 2012.
  • Data recovery over the Internet. Files can be recovered over the network from remote computers running Win2000/XP/2003/Vista/2008/Windows 7/8/8.1/10/Windows Server 2012, Macintosh, Linux and UNIX.
  • Supported file systems: FAT12, FAT16, FAT32, exFAT, NTFS, NTFS5, ReFS (the new local file system introduced by Microsoft in Windows 2012 Server), HFS/HFS+ (Macintosh), Little and Big Endian variants of UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux).
  • Search for Known File Types when Scanning (recovering files by signature): if the file system on the disk is severely damaged or unknown, then R-Studio searches for data patterns (file signatures) characteristic of certain file types (Microsoft Office documents, jpgs, etc.). If necessary, the user can add new file types to R-Studio.
  • Recognition and analysis of Basic (MBR), GPT and BSD (UNIX) partition schemes, as well as Apple partition schemes. Support for Dynamic Volumes (Windows 2000-2012/8.1/10) on MBR and GPT.
  • Support for Windows Storage Spaces (Windows 8/8.1 and 10/Threshold 2), Apple software RAID and Linux Logical Volume Manager (LVM/LVM2). R-Studio can automatically recognize and collect the components of these disk managers even if their databases are slightly damaged. Their components with seriously damaged databases can be added manually.
  • Reconstruction of damaged disk arrays (RAID). If the OS does not recognize the disk array (RAID), you can create a virtual RAID from its components. Such a virtual array can be processed by the program as a regular physical one. Supports standard RAID levels: 0, 1, 4, 5, 6. Supports nested and non-standard levels: 10(1+0), 1E, 5E, 5EE, 6E. Parity delay support for all relevant RAID levels. Support for custom RAID schemes.
  • Automatic recognition of RAID parameters. R-Studio is able to recognize all parameters for RAID 5 and 6. This allows the user to solve one of the most difficult tasks in RAID recovery: determining its parameters.
  • Creating an IMAGE FILE for an entire Physical Disk (HD), Partition or part thereof. Such image files can be compressed and split into several files for saving on CD/DVD/Flash or FAT16/FAT32/exFAT. Disk image files can be processed by the program as a regular disk.
  • Recovering data from damaged or deleted partitions, encrypted files (NTFS 5), alternative data streams (NTFS, NTFS 5).
  • Data recovery after:
  • launching FDISK or similar utilities;
  • Virus attack; FAT damage; MBR destruction.
  • Localized name recognition.
  • Recovered files can be saved to any drive, including a network drive, accessible by the local operating system. Recovered files can be saved to another drive on a connected remote computer without being downloaded over the network to the local computer.
  • View file contents to assess recovery chances. The contents of most file types (formats) can be viewed even if the application corresponding to the file is not installed.
  • Files or disk contents can be viewed and edited using the built-in hex editor. The editor supports editing properties of NTFS files.
  • Monitoring S.M.A.R.T. parameters. R-Studio can display S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) parameters for hard drives, which show the state of their hardware and predict their possible failures. Any additional load on such disks should be avoided if warnings from the S.M.A.R.T. system appear.
  • Integration with DeepSpar Disk Imager, a professional hard drive imaging device specifically designed for data recovery from failed drives. This integration provides low-level, thin access to drives with a certain level of hardware failure. Moreover, it allows you to create a disk image and perform analysis at the same time. That is, any sector accessed by R-Studio on the source disk is immediately copied to the clone disk, and all subsequent data recovery operations are performed on the clone disk to prevent further deterioration of the source disk and significantly reduce the processing time.

Of course, not all data recovery utilities are described above; there are also utilities such as Unrm, Giis, Ddrescue, DMDE, PhotoRec, Mondo Rescue and Safecopy. I described only the main ones; I would advise you to read up on the other utilities and their capabilities. This is probably the end of the material. If you have questions, ask, and leave feedback about the utilities you have used to recover data; if the article doesn't cover what you use, describe it in the comments.

If you have Linux installed on one of your disks and, while booted into Windows, want to view the contents of this disk, it turns out that this is not so simple. You will need to install an additional driver and software.

Otherwise, when connecting, for example, a flash drive with Linux, we are greeted with the “happy” message “To use the disk in the drive, first format it.”

Yesterday's update of the 7-Zip archiver to version 15.08 beta gives us the opportunity to simplify this task. 7-Zip now supports extracting ext3 and ext4 images (Linux file system).

My tests gave different results, but the general conclusion is that the new feature works great with different distributions, except for CentOS (I don't know why).

Opening ext3 and ext4 file system from Windows

It's quite simple.

You need 7-Zip version 15.08 or later. If Linux OS is installed on a hard drive partition or flash drive, then go to

\\.\PhysicalDrive0

If you need to open an image from Linux, work with it as with a regular archive:

If you need to view the contents of a virtual hard disk on which Linux is installed, open this virtual hard disk as an archive; the available partitions are presented in the form of images:

By double clicking you can go inside these images and view/copy data from them:

An important detail - even large discs open very quickly. If the virtual disk is dynamic, then this does not cause any problems.

However, not everything is so rosy.

Opening Kali Linux and CentOS partitions from Windows using 7-Zip

I was not able to look inside the partitions of these operating systems.

Instead of opening, 7-Zip tried to extract the image files to a temporary folder. This was giving me an out of space error on the C drive. When this error was resolved and I extracted the image file, 7-Zip still failed to open it, giving me the error “The disk image file is corrupt.”

Moving the 7-Zip temporary folder to another location

Since we're talking about the error about the C drive being full when running the 7-Zip archiver, I'll describe here a couple of ways in which it can be solved.

For some reason, the standard directory change setting does not work in the latest beta versions.

1st method of changing the 7-Zip temporary folder (I liked it better)

Switch to two-panel mode (run 7zFM.exe and press "F9"). Then open the desired archive in the left pane and use "F5" or "Extract" to extract the archive into another pane.

This method worked great for me.

2nd method of changing the temporary directory 7-Zip

Change the environment variable %Temp% to the directory you need. You can do it like this: right-click This PC and select Properties. Then open Advanced system settings, select the Advanced tab, and click Environment Variables.

Select %Temp% from the list and edit it to suit your needs.

All programs that use the Temp temporary directory will now use the newly set path.

The method, as they say, is not for everyone.

Due to various problems or an unexpected computer shutdown, the file system may become damaged. During a normal shutdown, all file systems are mounted read-only and all unsaved data is written to disk.

But if the power is turned off unexpectedly, some data is lost, and important data may be among it, which can damage the file system itself. In this article we will look at how to recover a file system with fsck for several popular file systems, and also talk about how ext4 recovery works.

As you know, the file system contains all the information about all the files stored on the computer: the file data itself and the metadata that controls the location and attributes of files in the file system. As I already said, data is not written to the hard drive immediately but remains in RAM for some time, and if the computer is unexpectedly turned off, under a certain set of circumstances the file system may be damaged.

Modern file systems are divided into two types - journaled and non-journaled. Journaled file systems log all actions that are about to be performed, and after execution they erase these records. This allows you to very quickly understand whether the file system has been damaged. But it doesn't help much with recovery. To recover a Linux file system, you need to check each block of the file system and find bad sectors.

The fsck utility is used for these purposes. Essentially, this is a wrapper around other utilities, each of which works with only one file system: for example, there is one utility for FAT and a completely different one for ext4.

On most systems, the fsck check runs automatically for the root partition, but this does not apply to other partitions, and also will not work if you have disabled the check.

fsck basics

In this article we will look at manual work with fsck. You may need a LiveCD to run the utility from if the root partition is damaged. If it is not, the system will be able to boot into recovery mode and you can use the utility from there. You can also run fsck on an already booted system. It requires superuser rights, so run it via sudo.

Now let's look at the syntax of the utility itself:

$ fsck [options] [filesystem_options] [disk_partition]

Basic options specify how the fsck wrapper utility behaves. A disk partition is a partition device file in the /dev directory, for example /dev/sda1 or /dev/sda2. The file system options are specific to each individual checking utility.

Now let's look at the most useful fsck options:

  • -l - do not run another instance of fsck on this hard drive until the current one finishes. For SSDs, the parameter is ignored;
  • -t - set the types of file systems that need to be scanned. It is not necessary to specify a device; you can check multiple partitions with one command, simply by specifying the desired file system type. This can be the file system itself, for example ext4, or its options in the opts=ro format. The utility scans all file systems mounted in fstab. If you also specify a partition, a check of the specified type will be applied to it, without autodetection;
  • -A - check all file systems from /etc/fstab. This is where the file system scanning parameters specified in /etc/fstab are applied, including priority. The root is checked first. Typically used at system startup;
  • -C - show the progress of the file system check;
  • -M - do not check if the file system is mounted;
  • -N - do nothing, show that the check was completed successfully;
  • -R - do not check the root file system;
  • -T - do not show information about the utility;
  • -V - the most detailed output.

These were the global utility options. Now let's look at the options for working with the file system; there are fewer of them, but they are more interesting:

  • -a - during the check, correct all detected errors without asking any questions. This option is obsolete and is not recommended;
  • -n - perform only a file system check, do not fix anything;
  • -r - ask before correcting each error, used by default for ext file systems;
  • -y - answers all questions about error correction in the affirmative; this can be considered the equivalent of -a;
  • -c - find and blacklist all bad blocks on your hard drive. Available only for ext3 and ext4;
  • -f - forced check of the file system, even if according to the log it is clean;
  • -b - set the superblock address if the main one was damaged;
  • -p - another modern analogue of the -a option, it checks and corrects automatically. Basically, you can use one of three options for this purpose: -p, -a, -y.

Now we have everything sorted out and you are ready to restore the linux file system. Let's get down to business.

How to restore a file system in fsck

Let's say you've already booted into a LiveCD system or recovery mode. Well, in a word, we are ready to restore ext4 or any other damaged FS. The utility is already installed by default in all distributions, so there is no need to install anything.

File system recovery

If your file system is on the partition /dev/sda1, run:

sudo fsck -y /dev/sda1

It is not necessary to specify the -y option, but if you do not, the utility will simply flood you with questions that need to be answered yes.

Restoring a damaged superblock

Usually this command copes with all damage easily. But if something serious happened and the superblock was damaged, then fsck may not help. The superblock is the beginning of the file system. Without it, nothing will work.

But don’t rush to say goodbye to your data, everything can still be restored. Using this command, we look at where the backup superblocks were written:

sudo mkfs -t ext4 -n /dev/sda1

This command normally creates a new file system. Instead of ext4, substitute the file system with which the partition was formatted; the block size must also match, otherwise nothing will work. With the -n option, no changes are made to the disk; only information is displayed, including the locations of the superblocks.

Now we have six backup superblock addresses and we can try to restore the file system using each of them, for example:

sudo fsck -b 98304 /dev/sda1

After doing this, you will most likely be able to restore your file system. But let's look at a couple more examples.
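Where the backup superblock addresses come from, and how to tell which copy is still intact before handing it to fsck -b, as an added Python example (not part of the original article or of e2fsprogs). It assumes the sparse_super layout that mke2fs uses by default, with backups in group 1 and in groups that are powers of 3, 5 and 7; the function names and the small sample image are constructed for illustration.

```python
"""Locate ext2/3/4 backup superblocks and pick one that is still valid."""
import struct

EXT_MAGIC = 0xEF53
SB_SIZE = 1024  # size of the on-disk superblock structure


def backup_groups(n_groups):
    """Block groups holding a backup under sparse_super: 1 and powers of 3, 5, 7."""
    groups = {1} if n_groups > 1 else set()
    for base in (3, 5, 7):
        g = base
        while g < n_groups:
            groups.add(g)
            g *= base
    return sorted(groups)


def backup_superblock_blocks(total_blocks, block_size, blocks_per_group=None):
    """Block numbers to try with `fsck -b`; mke2fs defaults to 8 * block_size per group."""
    bpg = blocks_per_group or 8 * block_size
    first_data_block = 1 if block_size == 1024 else 0
    n_groups = -(-(total_blocks - first_data_block) // bpg)  # ceiling division
    return [g * bpg + first_data_block for g in backup_groups(n_groups)]


def group_of_copy(image, block, block_size):
    """Group number recorded in the copy at `block`, or None if it is not a superblock."""
    sb = image[block * block_size: block * block_size + SB_SIZE]
    if len(sb) < SB_SIZE:
        return None
    (log_bs,) = struct.unpack_from("<I", sb, 0x18)  # s_log_block_size
    (magic,) = struct.unpack_from("<H", sb, 0x38)   # s_magic
    if magic != EXT_MAGIC or log_bs > 6 or (1024 << log_bs) != block_size:
        return None
    return struct.unpack_from("<H", sb, 0x5A)[0]    # s_block_group_nr


def first_usable_backup(image, total_blocks, block_size, blocks_per_group=None):
    """First backup whose magic, block size and recorded group all match its location."""
    bpg = blocks_per_group or 8 * block_size
    first_data_block = 1 if block_size == 1024 else 0
    for block in backup_superblock_blocks(total_blocks, block_size, bpg):
        if group_of_copy(image, block, block_size) == (block - first_data_block) // bpg:
            return block
    return None


def build_damaged_image():
    """Constructed image: superblock copies only, primary and first backup destroyed."""
    total_blocks, block_size, bpg = 2561, 1024, 256  # tiny layout, as with mke2fs -g 256
    image = bytearray(total_blocks * block_size)
    for group in [0] + backup_groups((total_blocks - 1) // bpg):
        sb = bytearray(SB_SIZE)
        struct.pack_into("<I", sb, 0x04, total_blocks)  # s_blocks_count_lo
        struct.pack_into("<I", sb, 0x18, 0)             # 1024 << 0 = 1 KiB blocks
        struct.pack_into("<I", sb, 0x20, bpg)           # s_blocks_per_group
        struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
        struct.pack_into("<H", sb, 0x5A, group)
        offset = (group * bpg + 1) * block_size
        image[offset:offset + SB_SIZE] = sb
    image[1024:2048] = bytes(SB_SIZE)                   # primary superblock wiped
    image[257 * 1024:258 * 1024] = b"\xff" * SB_SIZE    # first backup corrupted
    return bytes(image)


if __name__ == "__main__":
    # A 26-group file system with 4 KiB blocks yields six addresses, 98304 among them.
    print(backup_superblock_blocks(851968, 4096))
    print(first_usable_backup(build_damaged_image(), 2561, 1024, 256))
```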

Checking a clean file system

Let's check the file system, even if it is clean:

sudo fsck -fy /dev/sda1

Bad sectors

Or we can also find bad sectors and not write anything else in them:

sudo fsck -c /dev/sda1

Specifying the file system type

You can specify which file system should be scanned on the partition, for example:

sudo fsck -t ext4 /dev/sdb1

Checking all file systems

Using the -A flag you can check all file systems attached to the computer:

But such a command will only work in recovery mode; if the root partition and other partitions are already mounted, it will give an error. You can, however, exclude the root partition from the check by adding -R:

sudo fsck -AR -y

Or exclude all mounted file systems:

You can also check not all file systems, but only ext4, for this use the following combination of options:

sudo fsck -A -t ext4 -y

Or you can also filter by mount options in /etc/fstab, for example let's check for filesystems that are mounted read-only:

sudo fsck -A -t opts=ro

Checking mounted file systems

I said before that it is impossible. But if there is no other way out, it can be done, although it is not recommended. To do this, you must first remount the file system in read-only mode. For example:

sudo mount -o remount,ro /dev/sdb1

And now check the file system with fsck in forced mode:

sudo fsck -fy /dev/sdb1