Urgent!! need to restore deleted files (EXT3)
Hi
I've an old server with a single SCSI disk which a disgruntled techie has rm -Rf * from the root of the drive.
The backup has been trashed too.
Is there any way to restore not only the files but the directory tree?
Googling I read that doing this on the ext3 FS is impossible yet I've seen various Windows based pieces of software that claim to be able to restore no idea why they run on Windows and not Linux though?!
What's the chances of a restoration and is there something that I can run under Linux that will do it?
Cheers
Matthew
On Saturday 28 October 2006 11:36, Matthew Stringer wrote:
> Hi
> I've an old server with a single SCSI disk which a disgruntled techie has rm -Rf * from the root of the drive.
> The backup has been trashed too.
> Is there any way to restore not only the files but the directory tree?
> Googling I read that doing this on the ext3 FS is impossible yet I've seen various Windows based pieces of software that claim to be able to restore no idea why they run on Windows and not Linux though?!
> What's the chances of a restoration and is there something that I can run under Linux that will do it?
ext3 is worse than ext2 in this respect. ext2 just marks a block as unused, but ext3 actively overwrites the pointer. This means undelete in ext2 is just a question of resetting the block to "used", but in ext3 you have to perform some detective work, finding your file data on the disk, and then traversing the linked list of blocks backwards and forwards until you find the beginning and end, and then marking each block as used, and creating a pointer to the start in an inode
Needless to say, this isn't trivial, and relies on finding the file data in the first place. With binary files, this can be difficult
You might be able to get results using The sleuth kit. I've never tried it myself, so I couldn't say much about it, but other undelete tools recommend it
http://www.sleuthkit.org/sleuthkit/
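The pointer overwrite described in the message above is visible in the inode itself. This is an added example, not part of the original thread: it parses the standard ext2/ext3 on-disk inode header and reports whether a deleted inode still carries its block pointers. The sample inodes, block numbers and timestamp are constructed.

```python
import struct

# First 100 bytes of an ext2/ext3 on-disk inode (little-endian):
# mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags, osd1,
# followed by i_block[15] (12 direct + 3 indirect block pointers).
INODE_HEAD = struct.Struct("<HHIIIIIHHIII15I")


def classify_deleted_inode(raw):
    """Return (state, non-zero block pointers) for one raw inode."""
    f = INODE_HEAD.unpack_from(raw)
    dtime, links = f[6], f[8]
    pointers = [b for b in f[12:] if b]
    if dtime == 0 and links > 0:
        return "in use", pointers
    if pointers:
        # ext2 behaviour: the data blocks are still reachable from the inode.
        return "deleted, block pointers intact", pointers
    # ext3 behaviour: pointers were zeroed, so data must be located by carving.
    return "deleted, block pointers zeroed", []


def make_inode(size, dtime, links, blocks):
    """Build a constructed 128-byte inode for the demonstration."""
    i_block = list(blocks) + [0] * (15 - len(blocks))
    head = INODE_HEAD.pack(0o100644, 0, size, 0, 0, 0, dtime, 0, links,
                           len(blocks) * 8, 0, 0, *i_block)
    return head.ljust(128, b"\0")


DTIME = 1162028160  # constructed deletion timestamp
SAMPLES = {
    "ext2-style delete": make_inode(8192, DTIME, 0, [5001, 5002]),
    "ext3-style delete": make_inode(0, DTIME, 0, []),
    "live file": make_inode(4096, 0, 1, [7000]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_deleted_inode(raw))
```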
On Saturday 28 October 2006 11:03, Anders Johansson wrote:
> ext3 is worse than ext2 in this respect. ext2 just marks a block as unused, but ext3 actively overwrites the pointer. This means undelete in ext2 is just a question of resetting the block to "used", but in ext3 you have to perform some detective work, finding your file data on the disk, and then traversing the linked list of blocks backwards and forwards until you find the beginning and end, and then marking each block as used, and creating a pointer to the start in an inode
> Needless to say, this isn't trivial, and relies on finding the file data in the first place. With binary files, this can be difficult
> You might be able to get results using The sleuth kit. I've never tried it myself, so I couldn't say much about it, but other undelete tools recommend it
Cheers, to be honest if I can't restore the directory structure the files will be useless as they won't mean anything unless I know where they belong.
The machine was a webserver, had 900 websites on it.
Matthew
On Saturday 28 October 2006 12:09, Matthew Stringer wrote:
> Cheers, to be honest if I can't restore the directory structure the files will be useless as they won't mean anything unless I know where they belong.
> The machine was a webserver, had 900 websites on it.
If this 'disgruntled techie' also destroyed your backups, I guess you can sue the crap out of him. In future, you should keep them locked up in a vault somewhere, preferably multiple copies in several locations (also good in case fire or something destroys one of them). A ruined backup is as bad as no backup at all
Good luck
On Saturday 28 October 2006 12:09, Matthew Stringer wrote:
> Cheers, to be honest if I can't restore the directory structure the files will be useless as they won't mean anything unless I know where they belong.
AFAIK, if the guy did an rm -fr on your root dir then your filesystem is outright hosed. The only reasonable chance of a recovery would be to send it to data recovery specialists. This will cost an arm and two legs, however, and still might not work. Your chances of recovering from an 'fdisk' screw up are higher - I've actually fully recovered partitions after accidentally deleting them.
The reason that undelete under Windows is so easy is because of the way a delete works: the block which holds the data is simply marked as freed, but the data isn't nuked. On old DOS systems, a delete simply removed the FIRST LETTER of the filename, and this effectively removed the file from view. An undelete required that you specify a first letter for the file (it needn't be the original first letter, but the file needed *some* first letter). On journaled filesystems, like reiser and ext3, an undelete becomes technically much more difficult to do, for reasons beyond my full comprehension.
> The machine was a webserver, had 900 websites on it.
If there were no backups, then the organization he worked for is just as guilty as he is for the lost data.
To second Anders' note about suing the guy: I would honestly contact the police and see if you can pursue that as a cyber crime. I wouldn't be surprised if the intentional destruction of a company's electronic assets can be prosecuted as a felony crime (perhaps even "terrorism", considering the "flexible" definition of that word). AFAIK, cyber-crime automatically falls into the realm of the FBI, and not local authorities (an employee stole some proprietary info from my mom's company computers when he left, and she was directed to the FBI... who in turn refused to even look at the evidence (videos) which she brought them).
The guy needs to have his balls removed unless, of course, the 900 sites he deleted were kiddy porn or some such, in which case he did the right thing ;).
--
----- stephan@s11n.net http://s11n.net
"...pleasure is a grace and is not obedient to the commands of the will." -- Alan W. Watts
On Saturday 28 October 2006 22:48, stephan beal wrote:
> AFAIK, cyber-crime automatically falls into the realm of the FBI
Matthew's URL is .co.uk, and he used "cheers" instead of "thanks". Unless the poodle's really gone over the top, I don't think the FBI has jurisdiction here :) I do think the UK has similar options for law suits against outright sabotage though
On Saturday 28 October 2006 21:48, stephan beal wrote:
> On Saturday 28 October 2006 12:09, Matthew Stringer wrote:
> If there were no backups, then the organization he worked for is just as guilty as he is for the lost data.
> To second Anders' note about suing the guy: I would honestly contact the police and see if you can pursue that as a cyber crime. I wouldn't be surprised if the intentional destruction of a company's electronic assets can be prosecuted as a felony crime (perhaps even "terrorism", considering the "flexible" definition of that word). AFAIK, cyber-crime automatically falls into the realm of the FBI, and not local authorities (an employee stole some proprietary info from my mom's company computers when he left, and she was directed to the FBI... who in turn refused to even look at the evidence (videos) which she brought them).
> The guy needs to have his balls removed unless, of course, the 900 sites he deleted were kiddy porn or some such, in which case he did the right thing ;).
the guy had been laid off, decided to trash the machine and the backup to get back at his employer.
On Saturday 28 October 2006 16:58, Matthew Stringer wrote:
> The guy needs to have his balls removed unless, of course, the 900 sites he deleted were kiddy porn or some such, in which case he did the right thing ;).
> the guy had been laid off, decided to trash the machine and the backup to get back at his employer.
I hope someone takes serious action to see that he is never employed in the IT environment again.... (or anywhere else in my opinion)
On Saturday 28 October 2006 12:58, Matthew Stringer wrote:
> the guy had been laid off, decided to trash the machine and the backup to get back at his employer.
Never let a laid off (or worse, fired) employee touch a computer. Pay him the severance pay, and escort him out of the building. Then shut down all ssh daemons until you have time to change all passwords, AND REMOVE all ssh authorized_keys files he might have had access to. (lots of people forget that last bit and think that changing the password is sufficient...)
--
_____________________________________
John Andersen
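The authorized_keys step in the message above is easier to carry out when you know which accounts actually hold the departing person's key. This is an added example, not part of the original thread: it parses authorized_keys entries (including ones with leading options), computes the SHA256 fingerprint of each key, and lists every file and line that matches a revoked fingerprint. The paths, comments and key blobs are constructed placeholders.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line):
    """Return (fingerprint, comment) for one authorized_keys line, or None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options such as command="..." may precede the key type, so scan for it.
    for i in range(len(fields) - 1):
        if fields[i].startswith(KEY_TYPES):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except (binascii.Error, ValueError):
                continue
            return fingerprint(blob), " ".join(fields[i + 2:])
    return None


def find_keys(files, revoked):
    """List (path, line number, comment) for every entry using a revoked key."""
    hits = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), 1):
            entry = parse_entry(line)
            if entry and entry[0] in revoked:
                hits.append((path, lineno, entry[1]))
    return hits


def _line(blob, comment, options=""):
    return (options + " ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment).strip()


LEAVER, STAFF = b"constructed-blob-leaver", b"constructed-blob-staff"  # not real keys
SAMPLE_FILES = {  # constructed stand-ins for files collected from each account
    "/root/.ssh/authorized_keys": "# admins\n" + _line(STAFF, "staff@ws1") + "\n" + _line(LEAVER, "leaver@laptop") + "\n",
    "/home/www/.ssh/authorized_keys": _line(LEAVER, "deploy", 'command="/usr/bin/rsync --server",no-pty') + "\n",
    "/home/bob/.ssh/authorized_keys": _line(STAFF, "staff@ws1") + "\n",
}
HITS = find_keys(SAMPLE_FILES, {fingerprint(LEAVER)})

if __name__ == "__main__":
    for hit in HITS:
        print(hit)
```

Matching on the fingerprint rather than the comment catches a key that was installed under a different label, as in the second sample file.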
The Saturday 2006-10-28 at 10:36 +0100, Matthew Stringer wrote:
> Googling I read that doing this on the ext3 FS is impossible yet I've seen various Windows based pieces of software that claim to be able to restore no idea why they run on Windows and not Linux though?!
Midnight commander (mc) can undelete files on ext2 file systems. It doesn't mention ext3, though.
--
Cheers,
Carlos E. R.
Can't find anything Linux wise that'll attempt a recovery.
Going to try a Windows App.
Odd that to recover a Linux machine I need to use M$ which can't read linux partitions!
We live in an odd world!
Matthew
Matthew Stringer wrote:
> Can't find anything Linux wise that'll attempt a recovery.
> Going to try a Windows App.
> Odd that to recover a Linux machine I need to use M$ which can't read linux partitions!
> We live in an odd world!
I've, on several occasions, used OS/2 or Linux tools to rescue a Windows system. One example was when a friend's notebook hard drive crashed. I used a Linux rescue CD to copy her data to a pen drive.
On Saturday 28 October 2006 10:56, Matthew Stringer wrote:
> Can't find anything Linux wise that'll attempt a recovery.
> Going to try a Windows App.
> Odd that to recover a Linux machine I need to use M$ which can't read linux partitions!
> We live in an odd world!
> Matthew
This will lead to tears. MS knows nothing about structures of ext2/ext3.
--
_____________________________________
John Andersen
On Saturday 28 October 2006 21:29, John Andersen wrote:
> On Saturday 28 October 2006 10:56, Matthew Stringer wrote:
> Can't find anything Linux wise that'll attempt a recovery.
> Going to try a Windows App.
> Odd that to recover a Linux machine I need to use M$ which can't read linux partitions!
> We live in an odd world!
> Matthew
> This will lead to tears. MS knows nothing about structures of ext2/ext3.
LOL don't I know it. Although you can install drivers for all Linux FS'es on Windows I've seen today which supports read and write access I've discovered today, it's easier to set up than getting Linux to write to an NTFS drive.
Matthew
At 07:56 PM 10/28/2006 +0100, Matthew Stringer wrote:
> Can't find anything Linux wise that'll attempt a recovery.
> Going to try a Windows App.
> Odd that to recover a Linux machine I need to use M$ which can't read linux partitions!
> We live in an odd world!
> Matthew
If you succeed, a small faq on how you did it would undoubtedly be appreciated by all. Even if it does use a Windows routine. (Please specify the s/w, and the price.)
--doug
Matthew Stringer wrote:
> Hi
> I've an old server with a single SCSI disk which a disgruntled techie has rm -Rf * from the root of the drive.
> The backup has been trashed too.
> Is there any way to restore not only the files but the directory tree?
> Googling I read that doing this on the ext3 FS is impossible yet I've seen various Windows based pieces of software that claim to be able to restore no idea why they run on Windows and not Linux though?!
> What's the chances of a restoration and is there something that I can run under Linux that will do it?
> Cheers
> Matthew
Hello,
Have a look there:
http://www.stellarinfo.com/disk-recovery.htm#linux
it could work for you.
Michel.
On Sunday 29 October 2006 10:49, Catimimi wrote:
> Matthew Stringer wrote:
> Hi
> I've an old server with a single SCSI disk which a disgruntled techie has rm -Rf * from the root of the drive.
> The backup has been trashed too.
> Is there any way to restore not only the files but the directory tree?
> Googling I read that doing this on the ext3 FS is impossible yet I've seen various Windows based pieces of software that claim to be able to restore no idea why they run on Windows and not Linux though?!
> What's the chances of a restoration and is there something that I can run under Linux that will do it?
> Cheers
> Matthew
> Hello,
> Have a look there:
> http://www.stellarinfo.com/disk-recovery.htm#linux
> it could work for you.
> Michel.
Hello,
I have some good experience from IBAS (http://www.ibas.com). Expensive but very competent.
Anders
participants (10)
- Anders Damm
- Anders Johansson
- Bruce Marshall
- Carlos E. R.
- Catimimi
- Doug McGarrett
- James Knott
- John Andersen
- Matthew Stringer
- stephan beal