On 26/10/2024 20:26, Hans wrote:
On 26/10/2024 18:37, Max Nikulin wrote:
however I can not figure out what approach
extundelete or other tools may use to noticeably improve success rate
since important data is overwritten.
As far as I know, it does not use journal. It is looking at the data it reads
(form the imagefile) and then finds headers and footers (similar to scalpel)
apt show extundelete
[...]
Description: utility to recover deleted files from ext3/ext4 partition
extundelete uses the information stored in the partition's journal to
attempt
to recover a file that has been deleted.
So it sounds like FS journal is the primary source for recovery and thus
my expectation that it can not restore files written long time ago and
that are not accessed recently. (Updating access time causes creating a
journal record for inode with a copy of block list.)
Last time I had to revover 2 TB music files for a friend, and photorec
gave me all files back.
Of course, a few MB size files with reach metadata (audio, image, zip)
is an optimal case for photorec and foremost. For 1 hour long .mp3 files
fragmentation causes recovery of only some parts of files (at least in
the case of FAT32).
Ah no, these were not only a few audio files. These were about 90.000 audio
files
Sorry, I was unclear. I mean fair probability to recover files in the
range of 1-5 MB each, but large files (50-200 MB or more) may be
troublesome. The tool limitation is contiguous span of blocks. A disk
dedicated to music collection is a much easier case than e.g. mix of
files having wide range of types and sizes in home directories.
Also foremost is another tool of my favourites, as it is easy to use.
I am curious what are cases when it may perform noticeably better than
photorec.
Oh, you will have noticed, that I not mentioned some of the commercial tools
like FTK or ENCASE. I am not using these, I do not like those (for some
personal reasons) and the free tools are fully satisfying my needs.
My question was specific to foremost vs. photorec. Your words make me
thinking that I have missed some feature of foremost.
