Question

我想知道从FAT恢复已删除的文件。我创建了fat.img，如下所示。

cd /tmp
dd if=/dev/zero of=fat.img bs=1024 count=100
mkfs.msdos fat.img
mkdir -p /tmp/fs
sudo mount -t msdos fat.img /tmp/fs -o umask=000,loop

现在我正在用一些文字创建文件。

cd/tmp/fs
echo "hello world"> name

使用hexdump查看其保存方式

cd ..
hexdump -C fat.img 

00000000  eb 3c 90 6d 6b 66 73 2e  66 61 74 00 02 04 01 00  |.<.mkfs.fat.....|
00000010  02 00 02 c8 00 f8 01 00  20 00 40 00 00 00 00 00  |........ .@.....|
00000020  00 00 00 00 80 01 29 3c  69 e6 fb 4e 4f 20 4e 41  |......)<i..NO NA|
00000030  4d 45 20 20 20 20 46 41  54 31 32 20 20 20 0e 1f  |ME    FAT12   ..|
00000040  be 5b 7c ac 22 c0 74 0b  56 b4 0e bb 07 00 cd 10  |.[|.".t.V.......|
00000050  5e eb f0 32 e4 cd 16 cd  19 eb fe 54 68 69 73 20  |^..2.......This |
00000060  69 73 20 6e 6f 74 20 61  20 62 6f 6f 74 61 62 6c  |is not a bootabl|
00000070  65 20 64 69 73 6b 2e 20  20 50 6c 65 61 73 65 20  |e disk.  Please |
00000080  69 6e 73 65 72 74 20 61  20 62 6f 6f 74 61 62 6c  |insert a bootabl|
00000090  65 20 66 6c 6f 70 70 79  20 61 6e 64 0d 0a 70 72  |e floppy and..pr|
000000a0  65 73 73 20 61 6e 79 20  6b 65 79 20 74 6f 20 74  |ess any key to t|
000000b0  72 79 20 61 67 61 69 6e  20 2e 2e 2e 20 0d 0a 00  |ry again ... ...|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  f8 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000400  f8 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
00000410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000600  4e 41 4d 45 20 20 20 20  20 20 20 20 00 00 00 00  |NAME        ....|
00000610  00 00 00 00 00 00 21 86  91 4b 03 00 0c 00 00 00  |......!..K......|
00000620  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00004e00  68 65 6c 6c 6f 20 77 6f  72 6c 64 0a 00 00 00 00  |hello world.....|
00004e10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00019000

删除文件名后，我们可以看到hexdump中的更改

00000600  4e 41 4d 45 20 20 20 20  20 20 20 20 00 00 00 00  |.AME        ....|
00000610  00 00 00 00 00 00 21 86  91 4b 03 00 0c 00 00 00  |......!..K......|
00000620  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

这是我的问题你有什么建议我怎样才能将fat.img改为.AME到NAME来恢复我的文件？

Answer 1

如何将fat.img更改为.AME以恢复我的文件？

简短回答是dd，下面是必要注意事项的示例。

添加到Martin的答案，同时操作字节以恢复软盘映像中的文件是一个相对直接的命题与dd，计算文件分配表中的位置和内容需要恢复是挑战。通过使用dd来恢复文件本身，通过以下示例说明了需要注意的字节数。

创建可以使用的软盘图像使您无需在实际图像上进行实验。只需复制您希望使用的图像，或在硬盘驱动器上的文件中创建一个新图像。您可以使用mkfs.msdos轻松完成此操作（根据需要调整文件系统类型），然后按如下方式将文件挂载到文件系统中，例如

$ mkfs.msdos -C /home/david/tmp/tt/floppy_144.img 1440
$ sudo mount /home/david/tmp/tt/floppy_144.img /mnt/fd

现在让我们添加NAME文件：

$ echo "hello world" > NAME
$ sudo cp -a NAME /mnt/fd
$ ls -l /mnt/fd
total 1
-rwxr-xr-x  1 root root   12 Dec 17 13:55 NAME
$ cat /mnt/fd/NAME
hello world

在从图像中删除文件之前，请对内容进行hexdump，以便您可以准确查看需要恢复的内容。（这是您必须计算的内容，以便了解原始图像的恢复位置和内容，您需要参考有关精确文件系统的参考资料）

$ hexdump -C floppy_144.img >flpwname.txt

现在从图像中删除该文件，然后再次保存显示更改的hexdump。

$ sudo rm /mnt/fd/NAME
$ hexdump -C floppy_144.img >flpwoname.txt

现在，您可以使用diff检查差异。你发现你必须恢复超过已删除文件的第一个名称，你需要恢复文件分配表条目，以便恢复的文件可以再次位于文件系统（FAT的两个副本）中，例如

$ diff flpwname.txt flpwoname.txt
16c16
< 00000200  f0 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
---
> 00000200  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
19c19
< 00001400  f0 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
---
> 00001400  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
22c22
< 00002600  4e 41 4d 45 20 20 20 20  20 20 20 20 00 00 fa 9e  |NAME        ....|
---
> 00002600  e5 41 4d 45 20 20 20 20  20 20 20 20 00 00 fa 9e  |.AME        ....|

请注意，在删除文件时，0x204和0x1404处的文件分配表的条目归零。使用dd可以轻松地将字节恢复为原始字节，但会注意您的选项。具体而言，您的block size（bs），output block size（obs），count和seek必须全部位于bytes（已指定）通过将c）附加到该号码，您必须设置notrunc转换选项，以防止在您所做的更改后截断您的图片。最后，必须在decimal而不是hexadecimal中指定所有尺寸。

此外，如果您正在使用bash，则可以使用进程重定向来指定要替换的字节（例如if=<(printf "\xf0\xff")以写入十六进制字节f0和ff），否则，您必须准备包含替换字符串的输入文件。用于恢复FAT的dd命令和文件名的第一个字符非常简单（请参阅man 1 dd以获取选项说明）。

下面我们恢复FAT的第一个副本，然后是第二个副本，最后恢复文件名的第一个字符。 seek（偏移）值只是由hexdump转换为十进制提供的值。（您应该在进行更改之前卸载文件系统。您可以在安装软盘映像时进行更改，但在重新安装之前它们不会反映出来）

$ sudo umount /mnt/fd

$ dd if=<(printf "\xf0\xff") of=floppy_144.img \
bs=1c obs=1c count=2c seek=516c conv=notrunc

$ dd if=<(printf "\xf0\xff") of=floppy_144.img \
bs=1c obs=1c count=2c seek=5124c conv=notrunc

$ dd if=<(printf "N") of=floppy_144.img \
bs=1c obs=1c count=1c seek=9728c conv=notrunc

现在，您可以创建已修复的软盘映像的hexdump，并将其与原始映像进行比较。如果一切都已经完成，那就没有区别了。

$ hexdump -C floppy_144.img >flprepair.txt
$ diff flpwname.txt flprepair.txt

最后，只需重新安装文件系统并确认文件已恢复。

$ sudo mount /home/david/tmp/tt/floppy_144.img /mnt/fd
$ ls -l /mnt/fd
total 1
-rwxr-xr-x 1 root root 12 Dec 17 13:55 NAME
$ cat /mnt/fd/NAME
hello world

那就是它。我希望这就是你要找的东西。有许多工具可以为您自动完成此过程，但dd和铅笔和纸可以帮助您。

完整的hexdump表示完整性：

<强>原始/恢复

$ cat flpwname.txt
00000000  eb 3c 90 6d 6b 66 73 2e  66 61 74 00 02 01 01 00  |.<.mkfs.fat.....|
00000010  02 e0 00 40 0b f0 09 00  12 00 02 00 00 00 00 00  |...@............|
00000020  00 00 00 00 00 01 29 2c  72 18 ba 4e 4f 20 4e 41  |......),r..NO NA|
00000030  4d 45 20 20 20 20 46 41  54 31 32 20 20 20 0e 1f  |ME    FAT12   ..|
00000040  be 5b 7c ac 22 c0 74 0b  56 b4 0e bb 07 00 cd 10  |.[|.".t.V.......|
00000050  5e eb f0 32 e4 cd 16 cd  19 eb fe 54 68 69 73 20  |^..2.......This |
00000060  69 73 20 6e 6f 74 20 61  20 62 6f 6f 74 61 62 6c  |is not a bootabl|
00000070  65 20 64 69 73 6b 2e 20  20 50 6c 65 61 73 65 20  |e disk.  Please |
00000080  69 6e 73 65 72 74 20 61  20 62 6f 6f 74 61 62 6c  |insert a bootabl|
00000090  65 20 66 6c 6f 70 70 79  20 61 6e 64 0d 0a 70 72  |e floppy and..pr|
000000a0  65 73 73 20 61 6e 79 20  6b 65 79 20 74 6f 20 74  |ess any key to t|
000000b0  72 79 20 61 67 61 69 6e  20 2e 2e 2e 20 0d 0a 00  |ry again ... ...|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  f0 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001400  f0 ff ff 00 f0 ff 00 00  00 00 00 00 00 00 00 00  |................|
00001410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002600  4e 41 4d 45 20 20 20 20  20 20 20 20 00 00 fa 9e  |NAME        ....|
00002610  91 4b 91 4b 00 00 f5 9e  91 4b 03 00 0c 00 00 00  |.K.K.....K......|
00002620  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00004400  68 65 6c 6c 6f 20 77 6f  72 6c 64 0a 00 00 00 00  |hello world.....|
00004410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00168000

NAME删除后

$ cat flpwoname.txt
00000000  eb 3c 90 6d 6b 66 73 2e  66 61 74 00 02 01 01 00  |.<.mkfs.fat.....|
00000010  02 e0 00 40 0b f0 09 00  12 00 02 00 00 00 00 00  |...@............|
00000020  00 00 00 00 00 01 29 2c  72 18 ba 4e 4f 20 4e 41  |......),r..NO NA|
00000030  4d 45 20 20 20 20 46 41  54 31 32 20 20 20 0e 1f  |ME    FAT12   ..|
00000040  be 5b 7c ac 22 c0 74 0b  56 b4 0e bb 07 00 cd 10  |.[|.".t.V.......|
00000050  5e eb f0 32 e4 cd 16 cd  19 eb fe 54 68 69 73 20  |^..2.......This |
00000060  69 73 20 6e 6f 74 20 61  20 62 6f 6f 74 61 62 6c  |is not a bootabl|
00000070  65 20 64 69 73 6b 2e 20  20 50 6c 65 61 73 65 20  |e disk.  Please |
00000080  69 6e 73 65 72 74 20 61  20 62 6f 6f 74 61 62 6c  |insert a bootabl|
00000090  65 20 66 6c 6f 70 70 79  20 61 6e 64 0d 0a 70 72  |e floppy and..pr|
000000a0  65 73 73 20 61 6e 79 20  6b 65 79 20 74 6f 20 74  |ess any key to t|
000000b0  72 79 20 61 67 61 69 6e  20 2e 2e 2e 20 0d 0a 00  |ry again ... ...|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001400  f0 ff ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00001410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00002600  e5 41 4d 45 20 20 20 20  20 20 20 20 00 00 fa 9e  |.AME        ....|
00002610  91 4b 91 4b 00 00 f5 9e  91 4b 03 00 0c 00 00 00  |.K.K.....K......|
00002620  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00004400  68 65 6c 6c 6f 20 77 6f  72 6c 64 0a 00 00 00 00  |hello world.....|
00004410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00168000

如何从FAT图像恢复已删除的文件？

1 个答案: