Monday, November 24, 2014

Windows Vista/7 Recycle Bin Recovery Script

Recently, I was presented with a laptop that had a non-functioning motherboard and asked if I could recover any files remaining on it.  Initially, I thought that it would be easy, just a matter of attaching the hard drive to another computer and copying the files off.  However, it turned out that at some point while the motherboard was failing, Windows had moved all of the user documents to the Recycle Bin.

So, I set out to find how the Windows 7 Recycle Bin stores its files, since surely this person did not have a bunch of files all named $R247R2D, $I247R2D and so forth.  I came across this post describing the nature of the files, and where to uncover the original filename(s).  Now just to whip up something so that I don't have to look at each file individually.

Caveat: This is by no means the most elegant, compact, or precise way to do this; it is just the one-line bash script I used, with some whitespace added for readability.

# "$Recycle.Bin" must be single-quoted (or escaped) so the shell does not expand $Recycle as a variable
export RECYCLE_BIN='/path/to/$Recycle.Bin/userSID'
export RECOVER_PATH="/path/to/restore/files"
cd "$RECYCLE_BIN" || exit 1
# Each deleted item has a $R file (the data) and a $I file (the metadata) with the same suffix
ls -ad \$R* | sed -e 's/^\$R//' |
while read -r f; do
  # $I layout on Vista/7: 8-byte version, 8-byte size, 8-byte deletion FILETIME,
  # then the original path as null-padded UTF-16LE; skip the 24-byte header,
  # decode the path (explicit LE so it works without a BOM), drop the NUL padding
  export ORIG_FILE="$(dd if="\$I$f" bs=1 skip=24 2>/dev/null |
    iconv -f UTF-16LE -t UTF-8 | tr -d '\0' |
    sed -e 's/^[A-Z]:\\//' -e 's/\\/\//g')"

  # Recreate the original folder structure, then copy the data file back under its real name
  mkdir -p "$RECOVER_PATH/$(dirname "$ORIG_FILE")"
  cp -pr "\$R$f" "$RECOVER_PATH/$ORIG_FILE"
done

To quickly describe the script, it takes every filename in the Recycle Bin location starting with $R, and then strips off the $R, since each file/folder to recover has both a $R and $I file with the same rest of the filename.  Then it skips 24 bytes into the metadata file (starting with $I) and pipes the rest of the binary file through iconv to convert the UTF-16 path back to UTF-8.  Then it strips off the drive letter from the Windows pathname, and then replaces all of the backslashes with forward slashes.

Once all of that is done, it finally has the original filename in a format it can work with.  The rest is simply creating the folder structure to receive the recovered file, followed by a copy back to its original filename.
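As an added example (not the post's own code), here is a small Python parser for the $I record that the script skips over with dd: it decodes the same path, but also keeps the original size and the deletion FILETIME from the 24-byte header, which is useful when you need a timeline of what was deleted and when. Going beyond the post, it also accepts the version-2 header that Windows 10 writes (a 4-byte character count before the path); the record it parses is constructed in build_sample_i, and all function names are mine.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I record: 8-byte version, 8-byte size, 8-byte FILETIME, then
    the original path (v1, Vista/7: 520 bytes UTF-16LE null-padded; v2,
    Windows 10: 4-byte char count + UTF-16LE path, handled as an extension)."""
    if len(data) < 24:
        raise ValueError("truncated $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}

def to_relative_posix(win_path: str) -> str:
    """Drop the drive letter and flip backslashes, as the post's sed does."""
    if len(win_path) >= 3 and win_path[1] == ":" and win_path[2] == "\\":
        win_path = win_path[3:]
    return win_path.replace("\\", "/")

def build_sample_i(path: str, size: int, ft: int, version: int = 1) -> bytes:
    """Construct a $I record (sample data, not taken from a real system)."""
    enc = path.encode("utf-16-le")
    body = enc.ljust(520, b"\x00") if version == 1 else \
        struct.pack("<I", len(path) + 1) + enc + b"\x00\x00"
    return struct.pack("<QQQ", version, size, ft) + body

if __name__ == "__main__":
    ft = datetime_to_filetime(datetime(2014, 11, 24, 9, 30, tzinfo=timezone.utc))
    rec = parse_dollar_i(build_sample_i("C:\\Users\\alice\\Documents\\report.docx", 12345, ft))
    print(rec["deleted"].isoformat(), rec["size"], to_relative_posix(rec["path"]))
```

To run it against a real Recycle Bin, read each $I file with open(name, "rb").read() and pass the bytes to parse_dollar_i.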

You could have this script simply rename the files in place rather than copying them to another location, or create soft links in another location.  All that is needed is to change the cp line to something else that suits your recovery situation.

Enjoy!

Tuesday, September 14, 2010

CentOS Kernels

So, recently I went through the CentOS 5 series kernel SRPMs and made a git repository out of them to be integrated into an LXR that I use.  If anyone is interested, here is the link:

http://github.com/spacex/kernel-centos5

Eventually, I plan to work through the CentOS 4 series as well, but that requires me to set up a CentOS 4 box that I don't have right now.

Enjoy!

Monday, August 30, 2010

HOWTO - list git tags by date

OK, so being new to git, I wanted to get a chronological list of git tags by date, rather than alphabetically, so after some tweaking I found this command:

git for-each-ref refs/tags --sort=taggerdate --format="%(refname:short)"

hope it helps someone else ... enjoy!

Saturday, January 26, 2008

About this blog ...

This blog is meant to be a description of my experiences with technology, specifically as it relates to my current network setup. That is not to say that I won't occasionally deviate from this topic in order to discuss something else that comes to my attention. If you have any thoughts, please feel free to share them.