February 14, 2008

When files disappear, Magic Rescue saves the day

Author: Bruce Byfield

If you've ever had that sick realization that you made a mistake immediately after emptying your Trash or deleting a file with Shift-Del, then Magic Rescue may be the cure you're looking for. Magic Rescue searches block devices for particular file types, then restores them to a designated directory where you can sort through them.

Although subject to certain limitations, such as how recently a file was deleted and the availability of a definition for the file header of a given format, Magic Rescue is not difficult to use. It even features a man page with a few mini-tutorials. However, it does require organization and planning in order to use effectively.

Setting up

Before you start to use Magic Rescue, you need two things: a directory to hold recovered files, and a recipe for the file type you are trying to recover.

To prevent feedback loops that can trash the system and possibly overwrite the files you are trying to recover, the directory should not be on the block device you are searching. If your system only has one partition, consider mounting a flash drive or external hard drive to hold the directory. If you have multiple partitions, you need to make sure that the directory is on a partition that has as much free space as you need for the recovered files -- as the man page notes, some searches, especially for graphic and audio files, result in hundreds of large files, so you need to be ready for them. On my system, 3GB of free space was more than enough, but depending on your work and download habits, you might need more.

A recipe is a small script that recognizes the characteristic pattern of a file format's header. If you are familiar with different file types -- or willing to research them -- you can write your own recipe, using information in the man page as a guide. When you have finished writing a recipe, you can use /usr/share/magicrescue/tools/checkrecipe to test it.

Most people, though, will probably either use the recipes installed with Magic Rescue in /usr/share/magicrescue/recipes, or search the Internet for a specific recipe. The latest version comes with recipes for identifying avi, elf, gimp-xcf, gzip, jpeg, mp3, Microsoft Office, perl, png, and zip files, as well as OpenOffice.org files, and files with the GNU General Public License in the header. These recipes are also useful as examples if you need to write your own recipe.

Running Magic Rescue

The man page suggests that you run the command hdparm -d1 -c -u1 /dev/device to enable direct memory access before running Magic Rescue. The command is not strictly necessary, but it can significantly reduce the time that the program takes to run. However, you may prefer to tune performance by limiting the operation in other ways provided by the command parameters (see below).

To run Magic Rescue, you must specify a minimum of a results directory and a recipe. The basic command is magicrescue -d directory -r recipe device or, to give an example, magicrescue -d /mnt/external -r /usr/share/magicrescue/recipes/zip /dev/sda1. You can enable searches for multiple formats by specifying a directory that holds all the recipes for those formats.

If you want a running record of results, you can add -M io to view each input and output file processed.

You can use the -b blocksize parameter to limit results to files that start at a multiple of the blocksize specified. The man pages suggest a blocksize of 512 for most purposes.

If you are comfortable with hexadecimal numbers, you can also specify a specific position on the partition to search with -O = position, or -O + position to start the search after a position, or -O - position to start before it. The -O parameter is especially useful if you have to use Ctrl-C to interrupt a long search. If you note the current position of the search, you can use -O = to continue the search later from the position where it stopped.
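
The following is an added illustration, not Magic Rescue's own code and not part of the original article: a minimal Python sketch of header-signature scanning that shows how a recipe-style header match, a -b style block-size filter, and an -O style resume offset interact. It assumes signatures sit at offset 0 of each file (real recipes can match at other offsets), and the function names and the sample image are constructed for the example.

```python
import io

# Well-known file header signatures; a recipe encodes the same kind of pattern.
SIGNATURES = {
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "gzip": b"\x1f\x8b\x08",
}

def scan(stream, signatures=SIGNATURES, blocksize=512, start=0):
    """Return [(offset, type)] for signatures found at multiples of blocksize.

    stream: seekable binary file object (a disk image, or a device opened 'rb').
    start:  absolute byte offset to resume from, rounded up to a block boundary.
    """
    longest = max(len(magic) for magic in signatures.values())
    offset = -(-start // blocksize) * blocksize  # round up to next boundary
    hits = []
    while True:
        stream.seek(offset)
        head = stream.read(longest)
        if not head:  # end of device or image
            break
        for name, magic in signatures.items():
            if head.startswith(magic):
                hits.append((offset, name))
        offset += blocksize
    return hits

def build_sample_image():
    """Constructed 4-block image: zip header at block 1, png header at
    block 3, and a gzip magic at a non-aligned offset inside block 2."""
    img = bytearray(4 * 512)
    img[512:516] = b"PK\x03\x04"
    img[1124:1127] = b"\x1f\x8b\x08"
    img[1536:1544] = b"\x89PNG\r\n\x1a\n"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # Block-aligned scan skips the stray gzip magic at offset 1124.
    print(scan(build_sample_image()))
    # Resuming from 0x400 skips the zip header that was already reported.
    print(scan(build_sample_image(), start=0x400))
    # A block size of 1 checks every byte and also reports the unaligned hit.
    print(scan(build_sample_image(), blocksize=1))
```

A larger block size cuts both run time and false positives, because file systems start files on block boundaries; a block size of 1 is only worth the cost when that alignment cannot be assumed.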

Utilities for after the search

To further help you organize your search, Magic Rescue includes two utilities in /usr/share/magicrescue/tools. By using the command dupemap delete,report resultdirectory, you can eliminate all duplicate files in your result directory. If you first use dupemap report -dfile over multiple directories, you can create a database of files, then add -dfile to the command to eliminate files elsewhere on your system.

Alternatively, magicsort resultdirectory uses the file command to move each unique result in the directory to a separate file directory.

Other recovery methods

Magic Rescue's man page ends with the disclaimer, "Magic Rescue is not meant to be a universal application for file recovery. It will give good results when you are extracting known file types from an unusable file system, but for many other cases there are better tools available." Among the tools it recommends are gpart when you are searching for intact partitions, The Sleuth Kit for undamaged partitions (despite its limited support for different types of partitions), and Foremost for cases where Magic Rescue lacks a recipe.

Although it's not mentioned in the man pages, you might also want to investigate GRescue, a GNOME version of Magic Rescue now in the early stages of development.

All these are potentially useful programs, but you may find the man page disclaimer overly modest. While other programs have a larger set of options and utilities, whether you are working with damaged or intact filesystems, once you have the recipe you need, you may find that Magic Rescue suffices for file recovery.

