Linux file recovery: multiple ways

strings

strings <path to block device>

E.g.

strings /dev/sdb

Hex editor method

xxd <path to block device>

  • Lines of all zeroes mean nothing has been written to that location

grep method

grep -a '<the pattern that you are looking for>' /dev/sdb

E.g.

grep -a '[a-z0-9]\{32\}' /dev/sdb

  • grep also allows you to display lines before and after the match with the -B# and -A# flags respectively

  • This allows you to recover entire files

E.g.

grep -B2 -A2 -a '[a-z0-9]\{32\}' /dev/sdb
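The grep method above, as an added example that is not part of the original page. It goes one step further than -B/-A line context: it uses grep's -b and -o flags to get the byte offset of each match, then dd to carve the bytes around it, which helps when raw data has few newlines and "lines" become huge. It runs against a constructed image file rather than /dev/sdb; the function names and sample content are hypothetical.

```shell
#!/bin/sh
# Added example: works on a constructed image file, not a real block device.

# Build a 64 KiB zero-filled image and plant a small text "file" at byte 4096.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=64 2>/dev/null
    printf 'user=alice\ntoken=0123456789abcdef0123456789abcdef\nend\n' |
        dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Print "byte_offset:match" for every run of 32 lowercase letters/digits.
# LC_ALL=C makes grep treat the input as plain bytes,
# -a forces text mode, -o prints only the match, -b prefixes its byte offset.
find_tokens() {
    LC_ALL=C grep -a -b -o '[a-z0-9]\{32\}' "$1"
}

# Carve raw bytes around a hit: carve <image> <offset> <bytes_before> <length>
carve() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi   # clamp at start of device
    dd if="$1" bs=1 skip="$start" count="$4" 2>/dev/null
}

IMG=$(mktemp)
make_image "$IMG"
hit=$(find_tokens "$IMG" | head -n 1)    # e.g. 4113:0123...cdef
off=${hit%%:*}                           # keep only the byte offset
carve "$IMG" "$off" 17 54                # 17 bytes before the hit, 54 bytes total
rm -f "$IMG"
```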

binwalk method

binwalk -Me /dev/sdb

  • You can also use the testdisk or photorec tools

*You can determine the path to the device by running df -lh
