Recover deleted file with foremost

foremost(1) - Linux man page
Name
foremost - Recover files using their headers, footers, and data structures
Synopsis
foremost[-h][-V][-d][-vqwQT][-b][-o] [-t][-s][-i]
Builtin Formats

Recover files from a disk image based on file types specified by the user using the -t switch.

jpg
Support for the JFIF and Exif formats including implementations used in modern digital cameras.
gif
png
bmp
Support for windows bmp format.
avi
exe
Support for Windows PE binaries, will extract DLL and EXE files along with their compile times.
mpg
Support for most MPEG files (must begin with 0x000001BA)
wav
riff
This will extract AVI and RIFF since they use the same file format (RIFF). note faster than running each separately.
wmv
Note may also extract -wma files as they have similar format.
mov
pdf
ole
This will grab any file using the OLE file structure. This includes PowerPoint, Word, Excel, Access, and StarWriter
doc
Note it is more efficient to run OLE as you get more bang for your buck. If you wish to ignore all other ole files then use this.
zip
Note is will extract .jar files as well because they use a similar format. Open Office docs are just zip'd XML files so they are extracted as well. These include SXW, SXC, SXI, and SX? for undetermined OpenOffice files.
rar
htm
cpp
C source code detection, note this is primitive and may generate documents other than C code.
all
Run all pre-defined extraction methods. [Default if no -t is specified]

Description

Recover files from a disk image based on headers and footers specified by the user.

-h
Show a help screen and exit.
-V
Show copyright information and exit.
-d
Turn on indirect block detection, this works well for Unix file systems.
-T
Time stamp the output directory so you don't have to delete the output dir when running multiple times.
-v
Enables verbose mode. This causes more information regarding the current state of the program to be displayed on the screen, and is highly recommended.
-q
Enables quick mode. In quick mode, only the start of each sector is searched for matching headers. That is, the header is searched only up to the length of the longest header. The rest of the sector, usually about 500 bytes, is ignored. This mode makes foremost run considerably faster, but it may cause you to miss files that are embedded in other files. For example, using quick mode you will not be able to find JPEG images embedded in Microsoft Word documents.

Quick mode should not be used when examining NTFS file systems. Because NTFS will store small files inside the Master File Table, these files will be missed during quick mode.
-Q
Enables Quiet mode. Most error messages will be suppressed.
-w
Enables write audit only mode. No files will be extracted.
-a
Enables write all headers, perform no error detection in terms of corrupted files.
-b number
Allows you to specify the block size used in foremost. This is relevant for file naming and quick searches. The default is 512. ie. foremost -b 1024 image.dd

-k number
Allows you to specify the chunk size used in foremost. This can improve speed if you have enough RAM to fit the image in. It reduces the checking that occurs between chunks of the buffer. For example if you had > 500MB of RAM. ie. foremost -k 500 image.dd

-i file
The file is used as the input file. If no input file is specified or the input file cannot be read then stdin is used.
-o directory
Recovered files are written to the directory directory.
-c file
Sets the configuration file to use. If none is specified, the file "foremost.conf" from the current directory is used, if that doesn't exist then "/etc/foremost.conf" is used. The format for the configuration file is described in the default configuration file included with this program. See the CONFIGURATION FILE section below for more information.
-s number
Skips number blocks in the input file before beginning the search for headers. ie. foremost -s 512 -t jpeg -i /dev/hda1


Configuration File

The configuration file is used to control what types of files foremost
searches for. A sample configuration file, foremost.conf, is included with this distribution. For each file type, the configuration file describes the file's extension, whether the header and footer are case sensitive, the maximum file size, and the header and footer for the file. The footer field is optional, but header, size, case sensitivity, and extension are not!

Any line that begins with a pound sign is considered a comment and ignored. Thus, to skip a file type just put a pound sign at the beginning

of that line

Headers and footers are decoded before use. To specify a value in hexadecimal use \x[0-f][0-f], and for octal use \[1-9][1-9][1-9]. Spaces can be represented by \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI".

To match any single character (aka a wildcard) use a ?. If you need to search for the ? character, you will need to change the wildcard line *and* every occurrence of the old wildcard character in the configuration file. Do not forget those hex and octal values! ? is equal to \x3f and \063.

There is a sample set of headers in the README file.

Examples
Search for jpeg format skipping the first 100 blocks
foremost -s 100 -t jpg -i image.dd
Only generate an audit file, and print to the screen (verbose mode)
foremost -av image.dd
Search all defined types

foremost -t all -i image.dd

Search for gif and pdf's

foremost -t gif,pdf -i image.dd

Search for office documents and jpeg files in a Unix file system in verbose mode.

foremost -vd -t ole,jpeg -i image.dd

Run the default case

foremost image.dd

recover file from ext3

#debugfs /dev/sdax
#lsdel
#ls -d
find appropriate
#dump <> new_filename

recover file from ext2 filesystem

apt-get install e2undel
#e2undel -d /dev/sdax -s /root/recovery -a -t
where
-d device from which files to be recover
-s where to save recovered files

selinux in debian

-Run apt-get install selinux-basics selinux-policy-refpolicy-targeted¹.

-Edit /boot/grub/menu.lst and add selinux=1 to your kernel command line (by adding it to the #kopt= line and then running update-grub). If you are using lilo, you must instead make similar changes to /etc/lilo.conf and run lilo.

-Fix dependencies listed. Below are the highlights. For a complete list please visit, http://wiki.debian.org/SELinux/Setup#package-specific):

• In /etc/pam.d/login uncomment the session required pam_selinux.so multiple" line. Do the same for /etc/pam.d/ssh
• In /etc/default/rcS set FSCKFIX=yes and add EDITMOTD=no. [Only important for 'strict' policy:] In /etc/init.d/bootmisc.sh search for "Update motd" and comment the two lines below that line. Then run rm /var/run/motd. Replace the symlink /etc/motd with a static "message of the day" file instead.
• Add no_static_dev="1" to /etc/udev/udev.conf to prevent udev from providing the /dev/.static directory.
• The cron package includes a daily cronjob to backup some system files, including /etc/shadow. For security reasons, you don't want cron to be able to read this file, so edit /etc/cron.daily/standard and disable the part making a backup of /etc/shadow and /etc/gshadow ( bug #333837).
• "locate" is part of fileutils, and a useful tool for finding files on your system. To work it however needs to scan your whole filesystem for files - which would require rather extensive SELinux permissions and might be considered an "information leak". Currently there is no SELinux policy for regular locate to work flawlessly, so it is recommended to disable it on SELinux boxes. To do this, insert an exit 0 as the second line of /etc/cron.daily/find.
• Check that the /selinux directory exists and if not, create it with mkdir /selinux.
• Run touch /.autorelabel and reboot
• Run touch /.autorelabel and reboot again
• Run check-selinux-installation

winodows troubleshooting..

to run chkdsk ..
>chkdsk /f


BOOTMGR not found
>bootrec /rebuildbcd
>bootrec /fixmbr
>bootrec /fixboot
>bootrec /scanos

how to smart card in debian/BOSS

install following packages,..
#apt-get install pcscd libccid libpcsclite1 libusb-0.1-4

Gemplus CCID Smart card reader drivers for Debian Sarge 3.1 Linux distribution
and x86 processor architecture.

Version 1.2.4, March 2006.

Before proceeding, you might want to check whether a new driver version
is available from http://support.gemplus.com/


1. Description
--------------
This archive contains DEB packages of the CCID device driver for the Gemplus
CCID based devices and the PCSC-Lite daemon.

The CCID device driver:
* libccid_1.2.4-0_i386.deb

The pcsc-lite :

( from http://www.backports.org/debian/pool/main/p/pcsc-lite/)

* libpcsclite1_1.2.9-beta9-0bpo1_i386.deb
* libpcsclite-dev_1.2.9-beta9-0bpo1_i386.deb
* pcscd_1.2.9-beta9-0bpo1_i386.deb

This archive contains the source code of the CCID device driver for
the Gemplus CCID based devices and the PCSC-Lite daemon.

The CCID device driver:
* ccid-1.2.4.tar.gz

The pcsc-lite:
* pcsc-lite-1.2.9-beta10.tar.gz

It requires:
* A Debian Sarge 3.1 platform based on a x86 processor architecture,
* A Gemplus CCID based device

If you intend to use this driver with a different configuration (such
as a non x86 platform), please contact the support at the address
indicated at the very end of this document.


2. Installation
---------------

- Install the driver: # dpkg -i libccid_1.2.4-0_i386.deb

- Install the pcscd provided with this package:
# dpkg -i pcscd_1.2.9-beta9-0bpo1_i386.deb
libpcsclite-dev_1.2.9-beta9-0bpo1_i386.deb
libpcsclite1_1.2.9-beta9-0bpo1_i386.deb

The pcsc-lite daemon will (re)start automatically during installation.


3. Troubleshooting
------------------

For some Linux distributions, the pcmcia daemon should be loaded after
the pcscd daemon. As the pcscd daemon does not manage PCMCIA smart card
reader as hotplug devices, it might not take into account your GemPCCard
presence. To solve this issue, please restart the pcscd daemon as
explained below:

# /etc/init.d/pcscd restart



4. Support
----------

In case of problem, please contact Gemplus through the Gemplus web site
(http://www.gemplus.com/) or depending on your location:

For North America
email: HOTLINEUSA@gemplus.com

For ASIA
email: ASIA.hotline@gemplus.com

For other countries
email: hotline@gemplus.com

----------------------------------------------------------------------

how to extract/create initrd.img ??

Extracting initrd..
#mkdir initrd_test

#cd initrd_test

#gzip -dc < /boot/initrd.img | cpio -i


creating initrd..
#cd initrd_test
#find . | cpio -o -c | gzip -9 > /boot/initrd.img

what is typeof??

#include

int main()
{
int a=12;
typeof (a) b; //same as int b
b=123;
printf("b is %d \n a is %d \n",b,a);
return 0;
}

Finding out processor is little or big endian using c program

#include
int main()
{
int num=1;
char *cptr;

cptr = (char *)#

if (*cptr)
printf ("little endian\n");
else
printf ("big endian\n");
return 0;
}
...........................
for little endian it stores 00000001
for big endian it stores 00010000

Converting Ext2 Filesystems to Ext3

Ext2 is a fragmentation, redundant enough to be reliably regenerated on error yet diskspace efficient, fast, and adaptable. But when the computer is rebooted or powered off without correctly shutting down, Ext2 filesystems are placed in an error state. When the computer comes back up, the user is confronted with some mildly confusing, and very intimidating, messages and choices. Should he let the filesystem correct itself? Warning, this can lose data!
Journalized filesystems are made to eliminate such error messages.
You can boot with Linux Live CD (BOSS Live CD)
do following steps..

Converting from Ext2 to Ext3

Log in as root

• umount /dev/hda10 //where hda10 is a device,on which filsystem we want to convert
  
• If you can't unmount it, then remount it read only (mount -o remount,ro /dev/hda10)
• tune2fs -j /dev/hda10
• Edit /etc/fstab, and for /dev/hda10, change ext2 to ext3
• mount /dev/hda10
• /sbin/shutdown -h now
• mount | grep /dev/hda10
  • If it's not shown as ext3, reboot, if still not, troubleshoot
  • Otherwise, you're done

if still you are getting error in # dmesg |tail for command #mount /dev/hda10 /mnt ..

JBD: no valid journal superblock found:

..means still journal is not created run this command once again #tune2fs -j /dev/hda10
if your / was ext2 and now you have converted in ext3 then we require to recreate initrd.
#cd /boot
#mv /boot/initrd.img-2.6.22-3-486 /boot/initrd.img-2.6.22-3-486_bkup
#mkinitrd initrd.img-2.6.22-3-486
#reboot

Converting from Ext3 back to Ext2

• umount /dev/hda10
  
• tune2fs -O ^has_journal /dev/hda10
• e2fsck /dev/hda10
• Edit /etc/fstab to change /dev/hda10 to mount type ext2
• mount /dev/hda10
  

Linux tgtadm: Setup iSCSI Target ( SAN )

Linux target framework (tgt) aims to simplify various SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation and maintenance. The key goals are the clean integration into the scsi-mid layer and implementing a great portion of tgt in user space.

The developer of IET is also helping to develop Linux SCSI target framework (stgt) which looks like it might lead to an iSCSI target implementation with an upstream

kernel component. iSCSI Target can be useful:

a] To setup stateless server / client (used in diskless setups).
b] Share disks and tape drives with remote client over LAN, Wan or the Internet.
c] Setup SAN - Storage array.
d] To setup loadbalanced webcluser using cluster aware Linux file system etc.

In this tutorial you will learn how to have a fully functional Linux iSCSI SAN using tgt framework.

iSCSI target (server)

Storage resource located on an iSCSI server known as a "target". An iSCSI target usually represents nothing but hard disk storage. As with initiators, software to provide an iSCSI target is available for most mainstream operating systems.

iSCSI initiator (client)

An initiator functions as an iSCSI client. An initiator typically serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices (like hard drives and tape changers), an iSCSI initiator sends SCSI commands over an IP network.

Debian / Ubuntu Linux Install tgt

Type the following command to install Linux target framework user-space tools:
$ sudo apt-get install tgt

CentOS / RHEL / Red Hat Linux Install tgt

RHEL 5.2 and older version do not have tgt tools. However, RHEL 5.3 (preview version) comes with tgt tools.

tgtadm - Linux SCSI Target Administration Utility

tgtadm is used to monitor and modify everything about Linux SCSI target software: targets, volumes, etc. This tool allows a system to serve block-level SCSI storage to other systems that have a SCSI initiator. This capability is being initially deployed as a Linux iSCSI target, serving storage over a network to any iSCSI initiator.

Start tgtd

To start the tgtd, enter:
# /usr/sbin/tgtd
Under RHEL 5.3 to start the tgtd service, enter:
# /etc/init.d/tgtd start

Define an iscsi target name

The following example creates a target with id 1 (the iqn is 19 iqn.2001-04.com.example:storage.disk2.amiens.sys1.xyz) and adds a 20 logical unit (backed by /dev/hdc1) with lun 1.
# tgtadm --lld iscsi --op new --mode target --tid 1 -T iqn.2001-04.com.example:storage.disk2.amiens.sys1.xyz

To view the current configuration, enter:
# tgtadm --lld iscsi --op show --mode target
Sample output:

Target 1: iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz
   System information:
       Driver: iscsi
       Status: running
   I_T nexus information:
   LUN information:
       LUN: 0
           Type: controller
           SCSI ID: deadbeaf1:0
           SCSI SN: beaf10
           Size: 0
           Online: No
           Poweron/Reset: Yes
           Removable media: No
           Backing store: No backing store
   Account information:
   ACL information:

Add a logical unit to the target (/dev/sdb1):
# tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sdb1

A note about home computer / test system

Most production boxes will only use iSCSI root with real iSCSI devices, but for testing purposes it can be quite useful to set up an iSCSI target on your image server. This is useful for testing and learning iSCSI target and iSCSI initiator at home, simply use filesystem for testing purpose. Use dd command to create diskbased filesystem:
# dd if=/dev/zero of=/fs.iscsi.disk bs=1M count=512
Add /fs.iscsi.disk as a logical unit to the target:
# tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /fs.iscsi.disk
Now, you should able to view details:
# tgtadm --lld iscsi --op show --mode target
Sample output:

Target 1: iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz
   System information:
       Driver: iscsi
       Status: running
   I_T nexus information:
   LUN information:
       LUN: 0
           Type: controller
           SCSI ID: deadbeaf1:0
           SCSI SN: beaf10
           Size: 0
           Online: No
           Poweron/Reset: Yes
           Removable media: No
           Backing store: No backing store
       LUN: 1
           Type: disk
           SCSI ID: deadbeaf1:1
           SCSI SN: beaf11
           Size: 512M
           Online: Yes
           Poweron/Reset: Yes
           Removable media: No
           Backing store: /fs.iscsi.disk
   Account information:
   ACL information:

Accept iSCSI Target

To enable the target to accept any initiators, enter:
# tgtadm --lld iscsi --op bind --mode target --tid 1 -I ALL
This should open network port # 3260:
# netstat -tulpn | grep 3260
Sample output:

tcp        0      0 0.0.0.0:3260            0.0.0.0:*               LISTEN      27328/tgtd
tcp6       0      0 :::3260                 :::*                    LISTEN      27328/tgtd      

And you are done. Your system is configured as iSCSI Target. Remote client computer can access this computers hard disk over network. Your can use cluster aware filesystem to setup real shared storage for small business. Open TCP port 3260 in your firewall, if required.

How do I access iSCSI Target (server) via iSCSI initiator (client)?

See detailed os specific iSCSI initiator instuctions:

1. RHEL 4 or RHEL 5 Linux iSCSI initiator tutorial.
2. Debian Linux iSCSI initiator tutorial.
3. FreeBSD iSCSI initiator tutorial.
4. Windows iSCSI initiator tutorial.

Following is a quick way to access iSCSI target, under RHEL 5. Let us say your server iSCSI Target IP is 192.168.1.2. Type the following command to discover targets at a given IP address such as 192.168.1.2 (use 127.0.0.1 if you are testing it from same computer):
# iscsiadm --mode discovery --type sendtargets --portal 192.168.1.2
OR
# iscsiadm --mode discovery --type sendtargets --portal 127.0.0.1
Sample output:

127.0.0.1:3260,1 iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz

Login to the iscsi target session:
# iscsiadm --mode node --targetname iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz --portal 192.168.1.2:3260 --login
OR
# iscsiadm --mode node --targetname iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz --portal 127.0.0.1:3260 --login
Verify that login was successful:
# tail -f /var/log/messages
Sample output:

Nov 11 07:34:04 vivek-desktop kernel: [ 9039.562312] scsi 6:0:0:1: Direct-Access     IET      VIRTUAL-DISK     0001 PQ: 0 ANSI: 5
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572268] sd 6:0:0:1: [sdc] 1048576 512-byte hardware sectors (537 MB)
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572374] sd 6:0:0:1: [sdc] Write Protect is off
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572530] sd 6:0:0:1: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572715] sd 6:0:0:1: [sdc] 1048576 512-byte hardware sectors (537 MB)
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572790] sd 6:0:0:1: [sdc] Write Protect is off
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572940] sd 6:0:0:1: [sdc] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.572946]  sdc: unknown partition table
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.573492] sd 6:0:0:1: [sdc] Attached SCSI disk
Nov 11 07:34:04 vivek-desktop kernel: [ 9039.573593] sd 6:0:0:1: Attached scsi generic sg4 type 0

sdc is new scsi disk. You may need to restart iSCSI to probe partition and check disks:
# service iscsi restart
# partprobe
# fdisk -l
You can now create parition and mount file system using usual fdisk and mkfs.ext3 commands:
# fdisk /dev/sdc
# mkfs.ext3 /dev/sdc1mkdir /iscsi
# mkdir /iscsi
# mount /dev/sdc1 /iscsi
# df -H
Sample output:

Filesystem             Size   Used  Avail Use% Mounted on
/dev/sda2               99G    30G    64G  32% /
tmpfs                  1.1G      0   1.1G   0% /lib/init/rw
varrun                 1.1G   361k   1.1G   1% /var/run
varlock                1.1G      0   1.1G   0% /var/lock
udev                   1.1G   2.9M   1.1G   1% /dev
tmpfs                  1.1G   312k   1.1G   1% /dev/shm
/dev/sda1              105G    32G    73G  31% /media/sda1
/dev/sda5              294G   275G    20G  94% /share
/dev/sdb2              247G   119G   116G  51% /disk1p2
/dev/sdc1              520M    11M   483M   3% /iscsi