You are not logged in.
Preamble
I've removed a folder with very important files for me. Unfortunately there were no any backups.
I've restored some files with photorec utility, but then I noticed, that ntfsundelete can restore much more files.
What is the problem
Deleted files have no names and ntfsundelete just restores them as unknown. So I can't just run ntfsundelete with inode range to restore all files (as it wount restore more than one file because of name conflict).
Also it would be great to restore only specific filetypes, as I know almost exactly, what filetypes I need. The only way to know filetype is to read first bytes of the file (files have no names).
What I want to do
1. Increment inode in cycle and restore files from this inode with ntfsundelete (I can implement this).
2. In cycle body I want to read first bytes and compare them to some table of values.
Here is the main question. How can I do this? Maybe grep would be fine for reading bytes? Please, suggest something.
3. Depending on result of comparison I want to rename restored file or delete it (I believe, I can implement this too, but it depends on how the second step will be implemented)
Please, I need your help very much. Maybe there is some ready-made solution. Any help is appreciated.
Thanks in advance.
Last edited by eDio (2010-07-11 19:53:37)
Offline
> I want to read first bytes
'hexdump -n 5 somefile' will read 5 bytes. man page says you can format the output.
> Maybe grep would be fine for reading bytes?
grep searches whole files
Last edited by karol (2010-07-10 22:21:16)
Offline
Thank you, karol!
Now I can share script. Maybe someone would find it useful.
As for me, I could not restore needed files. So now I know, backups are essential.
Offline
I'm glad it worked :-)
Correct me if I'm wrong, but you're basically reading inodes.txt line by line, undeleting the files and identyfying them, right?
for inode in $( ntfsundelete $DEVICE -p 100 -S 512-100m | grep -o -e ^[0-9]* ); do
ntfsundelete $DEVICE -u -i $inode > /dev/null
HEAD4="$(hexdump -f printformat -n 4 unknown)"
(...)
done
I don't think you need to count them: we have 151 lines, so now read the line # 1, do sth to it, good, move to line # 2, do sth to it, good ...
And if you really want to count the lines, turn
ntfsundelete $DEVICE -p 100 -S 512-100m | grep -o -e ^[0-9]* > inodes.txt
num_inodes=$(wc -l inodes.txt | grep -o -e ^[0-9]*)
into
num_inodes=$(ntfsundelete $DEVICE -p 100 -S 512-100m | grep -o -e ^[0-9]* | tee -a inodes.txt | wc -l)
No, it's not less readable, it l33t ;P
Last edited by karol (2010-07-11 15:24:46)
Offline
but you're basically reading inodes.txt line by line, undeleting the files and identyfying them, right?
You are right. I couldn't find better solution, as ntfsundelete can't print in specified format. So the solution is to store info to file, then parse it for inodes. As inodes are just numbers, parsing is very simple and could be done via grep
And if you really want to count the lines, turn
Of course, your version is better.
As for counting lines, maybe I could check if sed returns error or smthng else. But I'm noob in bash, so I try to keep solutions as simple as possible.
Offline