我想知道从FAT恢复已删除的文件。我创建了fat.img,如下所示。
cd /tmp
dd if=/dev/zero of=fat.img bs=1024 count=100
mkfs.msdos fat.img
mkdir -p /tmp/fs
sudo mount -t msdos fat.img /tmp/fs -o umask=000,loop
现在我用一些文本创建文件。
cd/tmp/fs
echo "hello world"> name
使用hexdump查看它是如何保存的
cd ..
hexdump -C fat.img
00000000 eb 3c 90 6d 6b 66 73 2e 66 61 74 00 02 04 01 00 |.<.mkfs.fat.....|
00000010 02 00 02 c8 00 f8 01 00 20 00 40 00 00 00 00 00 |........ .@.....|
00000020 00 00 00 00 80 01 29 3c 69 e6 fb 4e 4f 20 4e 41 |......)<i..NO NA|
00000030 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 0e 1f |ME FAT12 ..|
00000040 be 5b 7c ac 22 c0 74 0b 56 b4 0e bb 07 00 cd 10 |.[|.".t.V.......|
00000050 5e eb f0 32 e4 cd 16 cd 19 eb fe 54 68 69 73 20 |^..2.......This |
00000060 69 73 20 6e 6f 74 20 61 20 62 6f 6f 74 61 62 6c |is not a bootabl|
00000070 65 20 64 69 73 6b 2e 20 20 50 6c 65 61 73 65 20 |e disk. Please |
00000080 69 6e 73 65 72 74 20 61 20 62 6f 6f 74 61 62 6c |insert a bootabl|
00000090 65 20 66 6c 6f 70 70 79 20 61 6e 64 0d 0a 70 72 |e floppy and..pr|
000000a0 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 74 |ess any key to t|
000000b0 72 79 20 61 67 61 69 6e 20 2e 2e 2e 20 0d 0a 00 |ry again ... ...|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f8 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 f8 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
00000410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000600 4e 41 4d 45 20 20 20 20 20 20 20 20 00 00 00 00 |NAME ....|
00000610 00 00 00 00 00 00 21 86 91 4b 03 00 0c 00 00 00 |......!..K......|
00000620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00004e00 68 65 6c 6c 6f 20 77 6f 72 6c 64 0a 00 00 00 00 |hello world.....|
00004e10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00019000
删除文件名后,我们可以看到hexdump中的更改
00000600 4e 41 4d 45 20 20 20 20 20 20 20 20 00 00 00 00 |.AME ....|
00000610 00 00 00 00 00 00 21 86 91 4b 03 00 0c 00 00 00 |......!..K......|
00000620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
这是我的问题你有什么建议我怎样才能将fat.img改为.AME到NAME来恢复我的文件?
如何将fat.img更改为.AME到NAME以恢复我的文件?
简短的回答是dd,下面是必要注意事项的一个例子。
添加到Martin的答案,在操作字节以恢复软盘映像内的文件时,使用dd是一个相对简单的命题,计算文件分配表中需要恢复的位置和内容是挑战。通过使用dd来恢复文件本身,通过以下示例说明了需要注意的字节数。
创建一个可以使用的软盘图像可以使您不必在实际图像上进行实验。只需复制您希望使用的图像,或在硬盘驱动器上的文件中创建一个新图像。您可以使用mkfs.msdos轻松完成此操作(根据需要调整文件系统类型),然后将文件挂载到文件系统中,如下所示,例如:
$ mkfs.msdos -C /home/david/tmp/tt/floppy_144.img 1440
$ sudo mount /home/david/tmp/tt/floppy_144.img /mnt/fd
现在让我们添加NAME文件:
$ echo "hello world" > NAME
$ sudo cp -a NAME /mnt/fd
$ ls -l /mnt/fd
total 1
-rwxr-xr-x 1 root root 12 Dec 17 13:55 NAME
$ cat /mnt/fd/NAME
hello world
在从映像中删除文件之前,请对内容进行hexdump,以便您可以确切地看到需要还原的内容。 (这是您必须计算的内容,以便了解原始图像的恢复位置和内容,您需要参考有关精确文件系统的参考资料)
$ hexdump -C floppy_144.img >flpwname.txt
现在从图像中删除该文件,然后再次保存显示更改的hexdump。
$ sudo rm /mnt/fd/NAME
$ hexdump -C floppy_144.img >flpwoname.txt
现在你可以用diff检查差异了。你发现你必须恢复超过被删除文件的第一个名称,你需要恢复文件分配表条目,以便恢复的文件可以再次位于文件系统(FAT的两个副本),例如,
$ diff flpwname.txt flpwoname.txt
16c16
< 00000200 f0 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
---
> 00000200 f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
19c19
< 00001400 f0 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
---
> 00001400 f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
22c22
< 00002600 4e 41 4d 45 20 20 20 20 20 20 20 20 00 00 fa 9e |NAME ....|
---
> 00002600 e5 41 4d 45 20 20 20 20 20 20 20 20 00 00 fa 9e |.AME ....|
请注意,当删除文件时,0x204和0x1404上的文件分配表的条目归零。使用dd可以轻松地将字节恢复为原始字节,但请注意您的选项。特别是你的block size(bs),output block size(obs),count和seek都必须在bytes(通过附加c指定)到数字,你必须设置notrunc转换选项,以防止在你做出的更改后截断你的图像。最后,所有尺寸必须在decimal而不是hexadecimal中指定。
此外,如果您使用bash,则可以使用进程重定向来指定要替换的字节(例如if=<(printf "\xf0\xff")以写入十六进制字节f0和ff),否则,您将必须准备包含替换字符串的输入文件。用于恢复FAT的dd命令和文件名的第一个字符非常简单(请参阅man 1 dd以获取选项说明)。
下面我们恢复FAT的第一个副本,然后是第二个副本,最后恢复文件名的第一个字符。 seek(偏移)值只是由hexdump转换为十进制提供的值。 (您应该在进行更改之前卸载文件系统。您可以在安装软盘映像时进行更改,但在重新安装之前不会反映它们)
$ sudo umount /mnt/fd
$ dd if=<(printf "\xf0\xff") of=floppy_144.img \
bs=1c obs=1c count=2c seek=516c conv=notrunc
$ dd if=<(printf "\xf0\xff") of=floppy_144.img \
bs=1c obs=1c count=2c seek=5124c conv=notrunc
$ dd if=<(printf "N") of=floppy_144.img \
bs=1c obs=1c count=1c seek=9728c conv=notrunc
现在,您可以创建已修复的软盘映像的hexdump,并将其与原始映像进行比较。如果一切都已经完成,那就没有区别了。
$ hexdump -C floppy_144.img >flprepair.txt
$ diff flpwname.txt flprepair.txt
最后,只需重新安装文件系统并确认文件已恢复。
$ sudo mount /home/david/tmp/tt/floppy_144.img /mnt/fd
$ ls -l /mnt/fd
total 1
-rwxr-xr-x 1 root root 12 Dec 17 13:55 NAME
$ cat /mnt/fd/NAME
hello world
而已。我希望这就是你要找的东西。有许多工具可以为您自动完成此过程,但dd和铅笔和纸可以帮助您。
完整的hexdumps表示完整性:
原/恢复
$ cat flpwname.txt
00000000 eb 3c 90 6d 6b 66 73 2e 66 61 74 00 02 01 01 00 |.<.mkfs.fat.....|
00000010 02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00 |...@............|
00000020 00 00 00 00 00 01 29 2c 72 18 ba 4e 4f 20 4e 41 |......),r..NO NA|
00000030 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 0e 1f |ME FAT12 ..|
00000040 be 5b 7c ac 22 c0 74 0b 56 b4 0e bb 07 00 cd 10 |.[|.".t.V.......|
00000050 5e eb f0 32 e4 cd 16 cd 19 eb fe 54 68 69 73 20 |^..2.......This |
00000060 69 73 20 6e 6f 74 20 61 20 62 6f 6f 74 61 62 6c |is not a bootabl|
00000070 65 20 64 69 73 6b 2e 20 20 50 6c 65 61 73 65 20 |e disk. Please |
00000080 69 6e 73 65 72 74 20 61 20 62 6f 6f 74 61 62 6c |insert a bootabl|
00000090 65 20 66 6c 6f 70 70 79 20 61 6e 64 0d 0a 70 72 |e floppy and..pr|
000000a0 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 74 |ess any key to t|
000000b0 72 79 20 61 67 61 69 6e 20 2e 2e 2e 20 0d 0a 00 |ry again ... ...|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f0 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 f0 ff ff 00 f0 ff 00 00 00 00 00 00 00 00 00 00 |................|
00001410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00002600 4e 41 4d 45 20 20 20 20 20 20 20 20 00 00 fa 9e |NAME ....|
00002610 91 4b 91 4b 00 00 f5 9e 91 4b 03 00 0c 00 00 00 |.K.K.....K......|
00002620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00004400 68 65 6c 6c 6f 20 77 6f 72 6c 64 0a 00 00 00 00 |hello world.....|
00004410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00168000
在NAME删除后
$ cat flpwoname.txt
00000000 eb 3c 90 6d 6b 66 73 2e 66 61 74 00 02 01 01 00 |.<.mkfs.fat.....|
00000010 02 e0 00 40 0b f0 09 00 12 00 02 00 00 00 00 00 |...@............|
00000020 00 00 00 00 00 01 29 2c 72 18 ba 4e 4f 20 4e 41 |......),r..NO NA|
00000030 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 0e 1f |ME FAT12 ..|
00000040 be 5b 7c ac 22 c0 74 0b 56 b4 0e bb 07 00 cd 10 |.[|.".t.V.......|
00000050 5e eb f0 32 e4 cd 16 cd 19 eb fe 54 68 69 73 20 |^..2.......This |
00000060 69 73 20 6e 6f 74 20 61 20 62 6f 6f 74 61 62 6c |is not a bootabl|
00000070 65 20 64 69 73 6b 2e 20 20 50 6c 65 61 73 65 20 |e disk. Please |
00000080 69 6e 73 65 72 74 20 61 20 62 6f 6f 74 61 62 6c |insert a bootabl|
00000090 65 20 66 6c 6f 70 70 79 20 61 6e 64 0d 0a 70 72 |e floppy and..pr|
000000a0 65 73 73 20 61 6e 79 20 6b 65 79 20 74 6f 20 74 |ess any key to t|
000000b0 72 79 20 61 67 61 69 6e 20 2e 2e 2e 20 0d 0a 00 |ry again ... ...|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 f0 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00001410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00002600 e5 41 4d 45 20 20 20 20 20 20 20 20 00 00 fa 9e |.AME ....|
00002610 91 4b 91 4b 00 00 f5 9e 91 4b 03 00 0c 00 00 00 |.K.K.....K......|
00002620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00004400 68 65 6c 6c 6f 20 77 6f 72 6c 64 0a 00 00 00 00 |hello world.....|
00004410 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00168000