On Saturday 28 October 2006 11:03, Anders Johansson wrote:
ext3 is worse than ext2 in this respect. ext2 just marks a block as unused, but ext3 actively overwrites the pointer. This means undelete in ext2 is just a question of resetting the block to "used", but in ext3 you have to perform some detective work, finding your file data on the disk, and then traversing the linked list of blocks backwards and forwards until you find the beginning and end, and then marking each block as used, and creating a pointer to the start in an inode.
Needless to say, this isn't trivial, and relies on finding the file data in the first place. With binary files, this can be difficult.
You might be able to get results using The Sleuth Kit. I've never tried it myself, so I couldn't say much about it, but other undelete tools recommend it.

Cheers, to be honest, if I can't restore the directory structure, the files will be useless, as they won't mean anything unless I know where they belong. The machine was a webserver; it had 900 websites on it.

Matthew
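
The difference described in the quoted message can be checked one inode at a time: a deleted inode either still holds its block pointers or has had them overwritten. The sketch below is an added example, not code from this thread; it assumes the classic 128-byte little-endian ext2/ext3 inode layout, and the names `triage` and `make_inode` and all sample inodes are constructed for illustration.

```python
import struct

# Classic 128-byte ext2/ext3 on-disk inode, little-endian (assumed layout;
# larger inodes carry extra fields after these 128 bytes).
INODE = struct.Struct("<HH5IHH3I15I4I12s")

def triage(raw):
    """Classify one raw inode by what a delete left behind in it."""
    f = INODE.unpack(raw[:INODE.size])
    size, dtime, links = f[2], f[6], f[8]
    pointers = [p for p in f[12:27] if p]   # i_block[0..14], non-zero only
    if dtime == 0 or links != 0:
        state = "allocated"
    elif pointers:
        # Pointers survived: the data blocks can be read back directly.
        state = "deleted, block pointers intact"
    else:
        # Pointers gone: recovery has to locate the data some other way.
        state = "deleted, block pointers wiped"
    return {"state": state, "size": size, "dtime": dtime, "pointers": pointers}

def make_inode(size, dtime, links, blocks):
    """Build a constructed sample inode (regular file, mode 0644)."""
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    return INODE.pack(0o100644, 0, size, 0, 0, 0, dtime, 0, links,
                      8 * len(blocks), 0, 0, *ptrs, 0, 0, 0, 0, b"")

# Constructed samples: a live file, then the same file after a delete that
# keeps the pointers and after a delete that overwrites them.
SAMPLES = {
    "live": make_inode(8192, 0, 1, [1201, 1202]),
    "deleted, pointers kept": make_inode(8192, 1162033380, 0, [1201, 1202]),
    "deleted, pointers overwritten": make_inode(0, 1162033380, 0, []),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw))
```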