标题: 文件删除后的恢复实验

创建: 2020-10-30 14:45
更新:
链接: https://scz.617.cn/windows/202010301445.txt

文件删除后有可能想恢复它们，比如手欠地误删了什么，这是正经需求，显然还有很
多不正经的需求，但对我们这种人来说，本质是一样的。

小钻风推荐的R-Studio、TK推荐的WinHex都是很好的工具。假设你刚删除了一个文件
或一个目录，此时立即断网，比如关闭WIFI、拔掉网线、禁用网卡等等，然后不要再
乱动了，不要关机，不要休眠，不要关闭Office什么的，现在是啥样就啥样，尽最大
可能不动，记得接上外接电源，防止掉电。假设U盘上有可以直接执行的R-Studio、
WinHex，插入U盘，执行它们，此时完全恢复的可能性极高。我曾在三天内两次给女
魔头恢复误删的几十G的目录。

今年6月看到微软推出自己的文件恢复工具"Windows File Recovery"，之前我用Win7，
没机会试它，最近升级Win10，决定试试。我一般未谋胜先谋败，总是尽早做最坏打
算。

从这里安装:

Windows File Recovery
https://www.microsoft.com/zh-cn/store/
https://www.microsoft.com/zh-cn/store/productId/9N26S50LN705
https://www.microsoft.com/store/r/9N26S50LN705
https://www.microsoft.com/zh-cn/p/windows-file-recovery/9n26s50ln705

官方文档:

Recover lost files on Windows 10
https://support.microsoft.com/en-us/help/4538642/windows-10-restore-lost-files
https://support.microsoft.com/en-us/windows/recover-lost-files-on-windows-10-61f5b28a-f5b8-3cc2-0f8e-a63cb4e1d4c4

这篇官方文档对用法介绍得很详尽，甚至简要介绍了恢复原理，不管三七二十一先完
整看一遍再继续。

接下来做点实验。S盘有如下文件、目录:

$ tree /F /A S:\

+---movie
|       interview.mp4
|
\---work
        some
        TrueCrypt.dat

$ sha256sum movie/*
43451f0abe56dcd7f879fa3c7d29c631145f555c6527b89c928f7ec2af53a7e8  movie/interview.mp4

$ sha256sum work/*
40aff2e9d2d8922e47afd4648e6967497158785fbd1da870e7110266bf944880  work/some
69c353ce49254062bf11470c788c7d78f4aa828bfdc0f7ebbd3533b716881667  work/TrueCrypt.dat

$ ls -l movie work
movie:
-rwxrwxrwx 1 scz scz 16717351 Jul  8  2017 interview.mp4

work:
-rwxrwxrwx 1 scz scz        256 Oct 30 12:48 some
-rwxrwxrwx 1 scz scz 1196605969 Apr  5  2017 TrueCrypt.dat

取了文件SHA256和大小，以便将来与恢复结果对比。

依次删除一个文件、一个目录:

$ del S:\movie\interview.mp4
$ rd /s /q S:\work

模拟最常见的两种情形，误删单个文件、误删单个目录，然后尝试恢复它们。

刻意在diskmgmt.msc中手工分配盘符，S盘是源盘，是被删除文件所在盘，T盘是将来
用来保存恢复结果的目标盘，计划将恢复结果保存在"T:\Recovery\"中。

$ winfr S: T:\Recovery /n \movie\interview.mp4

Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

Source drive:       S:
Destination folder: T:\Recovery\Recovery_20201030_131603
Filter:             MOVIE\INTERVIEW.MP4
Extension filter:    *

Sector count:       0x0000000035f04fff
Cluster size:       0x00001000
Sector size:        0x00000200
Overwrite:          Prompt
Mode:               Default


Continue? (y/n)
Pass 1: Scanning and processing disk
Scanning disk:  100%

Pass 2: Recovering files
Files recovered: 1, total files: 1, current filename: T:\Recovery\Recovery_20201030_131603\movie\interview.mp4
Progress: 100%

View recovered files? (y/n)

interview.mp4被成功恢复，文件大小、SHA256都匹配。另有一个日志文件:

T:\Recovery\Recovery_20201030_131603\RecoveryLog.txt

其中记录了恢复摘要信息。

本以为一切都这么简单，谁曾想还是出了幺蛾子。

$ winfr S: T:\Recovery /n \work\

这条命令恢复了一大堆历史上删除过的文件，包括无数的视频，很多视频还能正常播
放。但是，独独没有some、TrueCrypt.dat，活见鬼。

$ winfr S: T:\Recovery /n \work\some
$ winfr S: T:\Recovery /n \work\TrueCrypt.dat

这两条命令啥也没有恢复。

这种情况下没心情尝试Segment、Signature模式，这两种模式更是要扫描整个S盘，
即使有机会恢复some、TrueCrypt.dat，也没功夫跟它耗。

祭出WinHex，最简套路就是F9打开源盘，等待扫描结束，人工检视还能识别出来的文
件、目录，重点看文件名、时间戳、文件大小这几点。假设找到目标项，右键菜单里
有一项是恢复操作，很容易识别。

F9打开S盘，成堆的历史上删除过的文件。movie目录赫然在列，轻松恢复
interview.mp4。找不到work目录，很好理解，目录本身被删除了嘛。但是，在这个
路径下找到了some、TrueCrypt.dat:

\$Extend\$Deleted\0003000000000029325753FA\

成功恢复some、TrueCrypt.dat，SHA256匹配。

法证版WinHex(就是xwforensics)应该有高阶玩法，如果不是专门做取证工作的，谁
会花精力学习其用法。

R-Studio用户界面更友好，恢复时更得心应手，在U盘上准备个绿色版非常有必要。

尽量把数据放在机械硬盘上，如果都是SSD盘，那就备份为王。

假设想清空源盘，避免被R-Studio、WinHex、winfr这类工具恢复原来的数据，可以
用sysinternals的sdelete。

https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

$ sdelete

SDelete v2.02 - Secure file delete
Copyright (C) 1999-2018 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: sdelete [-p passes] [-r] [-s] [-q] <file or directory> [...]
       sdelete [-p passes] [-z|-c [percent free]] <drive letter [...]>
       sdelete [-p passes] [-z|-c] <physical disk number>
   -c         Clean free space. Specify an option amount of space
              to leave free for use by a running system.
   -p         Specifies number of overwrite passes (default is 1)
   -r         Remove Read-Only attribute
   -s         Recurse subdirectories
   -z         Zero free space (good for virtual disk optimization)
   -nobanner  Do not display the startup banner and copyright message.

Disks must not have any volumes in order to be cleaned.

$ sdelete -p 1 -z S:

最后有句忠告，不要轻易找人修硬盘！

--------------------------------------------------------------------------

后面跟前文无关，仅为备忘。

$ where winfr
C:\Users\scz\AppData\Local\Microsoft\WindowsApps\WinFR.exe

$ winfr /?

Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

USAGE: winfr source-drive: destination-folder [/switches]

/r           - Segment mode (NTFS only, recovery using file record segments)
/n <filter>  - Filter search (default or segment mode, wildcards allowed, trailing \ for folder)

/x           - Signature mode (recovery using file headers)
/y:<type(s)> - Recover specific extension groups (signature mode only, comma separated)
/#           - Displays signature mode extension groups and file types

/?           - Help text
/!           - Display advanced features

Example usage - winfr C: D:\RecoveryDestination /n Users\<username>\Downloads\
                winfr C: D:\RecoveryDestination /x /y:PDF,JPEG
                winfr C: D:\RecoveryDestination /r /n *.pdf /n *.jpg

Visit https://aka.ms/winfrhelp for user guide
For support, please email winfr@microsoft.com

$ winfr /!

Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

USAGE: winfr source-drive: destination-folder [/switches]
/p:<folder>    - Specify recovery log destination (default: destination folder)
/a             - Accepts all user prompts

/u             - Recover non-deleted files (default/segment mode only)
/k             - Recover system files (default/segment mode only)
/o:<a|n|b>     - Overwrite (a)lways, (n)ever or keep (b)oth always (default/segment mode only)
/g             - Recover files without primary data stream (default: false, default/segment mode only)
/e             - Disable extension exclusion list (default/segment mode only)
/e:<extension> - Disable specific extension(s) (default extension list no longer applies) (default/segment mode only)

/s:<sectors>   - Number of sectors in volume (segment/signature mode only)
/b:<bytes>     - Number of bytes in cluster (segment/signature mode only)
/f:<sector>    - First sector to scan (segment/signature mode only)

$ winfr /#

Windows File Recovery
Copyright (c) Microsoft Corporation. All rights reserved
Version:            0.0.11761.0
----------------------------------------------------------

        Extension group    -   Extensions
    -----------------------------------------
        ASF                -   WMA, WMV, ASF
        JPEG               -   JPG, JPEG, JPE, JIF, JFIF, JFI
        MP3                -   MP3
        MPEG               -   MPEG, MP4, MPG, M4A, M4V, M4A, M4B, M4R, MOV, 3GP, QT
        PDF                -   PDF
        PNG                -   PNG
        ZIP                -   ZIP, DOCX, XLSX, PPTX, ODT, ODS, ODP, ODG, ODI, ODF, ODC, ODM, OTT, OTG, OTP, OTS, OTC,
                               OTI, OTF, OTH