Today's post is a follow up (and, in many respects, a point of closure) to our previous posts on using TCT's unrm to recover lost data and using TCT's Lazarus to make data recovery using TCT's unrm a bit simpler (both posts are filled with sentences even more convoluted than that one ;)
As we noted in those previous posts, Lazarus comes with the option to restore from tagged blocks using an HTML interface (Please see the preceding two posts for any back-explanation. It took two posts to cover all the details, and this post won't benefit from being 6 screen length's longer ;). At first this may seem trivial. In point of fact, it is to a certain degree. Everything that's done for you via the web browser, you could do yourself. However, this might be a bear of a wheel to reinvent ;)
We're using the same recovered data blocks that we used in our first two posts (so everything will tie together nicely if you need to refer back to them) to showcase what the HTML output from Lazarus can produce. Also, one should note that producing the HTML output (in addition to the tagged blocks) didn't seem to add any noticeable time to Lazarus' block-tagging process (which takes so freakin' long, you'll walk away eventually ;) and can be added by simply inserting the "-h" flag into your command line. So:
host # ./lazarus /usr/local/recovery/the_found_file_I_hope
host # ./lazarus -h /usr/local/recovery/the_found_file_I_hope
NOTE: Although (since we didn't specify on the command line) the default directory for block restoration is under TCT's main directory (the one with bin, etc in it - see the previous post), the main HTML files get created in the directory you named on the command line! In our case: /usr/local/recovery
Below, we're going to walk through a few different ways you can get to your recovered data more easily (or browse through all the stuff you thought you'd gotten rid of or never knew was there ;) using the HTML files created by Lazarus. The first thing to note (which is very easy to see when you do an "ls" on /usr/local/recovery) is that Lazarus creates three main HTML files:
host # ls /usr/local/recovery
You'll want to open the "frame" HTML page so that the upper menu and main screen are both visible. Every single link in the main screen is already created (assuming you've let Lazarus finish ;) in TCT's main directory under the "www" directory. Each block has a frame and a menu HTML page. The main page (when you select a particular hyperlink to a block) is actually just the block itself viewed through a browser. This works out very nicely in some ways, as we'll see below. Enough with the explaining. Let's go :)
The first picture in our gallery is the main screen you'd see (the_found_file_I_hope.frame.html), as brought up on a local browser. The cartoonish arrows and big letters were drawn in by yours truly using The Gimp's line tool. The same with the blanked out parts. It's a much better tool than we make it seem. Thankfully, we don't work in graphic design ;)
Click any of the below Pictures to return them to their original gigantic size :)
The next two pictures demonstrate what executable data looks like. It's not very impressive in the browser, but you'll note that the menu allows you to follow blocks of a similar type, so you can just hop from one to the next and note those numbers so you'll have an easier go of recreating a binary executable from its individual blocks (if it spans more than one) when you get back to the command line. Of course, you can do that just as simply by grepping out the block numbers and types from the available files in the blocks directory. Purists may note that one of these "exe" blocks is an "elf" block. I have no idea how Lazarus makes the distinction, but I'm not going to complain about it, either... The next stuff is cooler - I promise :)
This next picture shows how a recovered HTML block would look (in HTML, but not parsed as such):
And this picture shows us how a "program" (What it says in the menu) looks like. Every one we found before boredom set in was actually a shell (or someother kind of) script, which would account for the "exe," "elf," and generic "binary" types being represented.
And, neatest of all, most of the pictures we found came up just like this one; no guessing involved (unless your browser's MIME types or associations are set up non-standardly). We have no idea who this picture belonged to. Probably the last guy who used this machine:
The moral of the story? I don't suppose there is one, since this is just a demonstration of easy data recovery, but, if this were a morality play, I suppose the moral would be: Be sure to scrub your disk before you leave it behind. Some goofballs may come around later and find stuff you didn't want them to ;)
Hope you enjoyed the slide-show!
Please note that this blog accepts comments via email only. See our Mission And Policy Statement for further details.