Hi, I have erased some files using the rm command in the console. I have read that there are some ways to recover them, but not 100% of the data. Is there any software or method to ensure a greater chance? I am using SuSE 8.2.

Thank you
DMC

________________________________________
FiberTel, the name of broadband
http://www.fibertel.com.ar

On Thu, 2003-08-21 at 16:14, Daniel Coll wrote:
> Hi, I have erased some files using the rm command in the console. I have read that there are some ways to recover them, but not 100% of the data. Is there any software or method to ensure a greater chance? I am using SuSE 8.2.
> Thank you
> DMC

I don't know of anything offhand, but my company does Computer Forensics (CF) on Win32 machines and the issue comes up there pretty often. I think there are some CF tools that can do Linux FS's, but it very much depends on the filesystem and how much activity your system has had since the rm.

I would unmount the drive (or shut down) as fast as possible. Then use dd to create a duplicate of the filesystem for you to tinker with. Save the original for another try in case you screw up the copy.

If it is the root filesystem, then reboot into single user mode (i.e. read-only for root fs). Then do a dd onto a new blank disk. Then maybe you can use some CF tools to recover part/all of your data.

You can find a modified Knoppix boot CD at www.linux-forensics.com/downloads.html

That CD has a bunch of CF tools on it. Maybe one of them can help. In particular I would look at (they are on the CD):

Sleuth Kit - Command Line Forensic Tools - www.sleuthkit.org
autopsy - Part of Sleuth Kit
foremost - Command line data carving tool. Config file in /foremost directory. Need external storage to run properly - foremost.sourceforge.net
glimpse - Command line data indexing and searching tool. Need external storage to run properly - www.webglimpse.net

HTH
Greg
--
Greg Freemyer

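The imaging step suggested in the reply above (unmount, duplicate with dd, keep the original for another try), written out as an added shell example that is not part of the original thread. The function names, the image file names and the use of sha256sum to verify the copy are assumptions of this example.

```shell
#!/bin/sh
# Added example: image first, verify, then tinker only with a working copy.
# File names (master.img, working.img) and sha256sum are this example's choices.

# Succeeds if DEV is listed in /proc/mounts as mounted read-write.
# Compares the device name literally, so pass the name the kernel shows there.
is_mounted_rw() {
    [ -r /proc/mounts ] || return 1
    awk -v dev="$1" '$1 == dev && $4 ~ /(^|,)rw(,|$)/ { found = 1 }
                     END { exit !found }' /proc/mounts
}

# Print only the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# acquire_image SRC OUTDIR
# Returns 0 on success, 2 if SRC is mounted rw, 3 if an image already exists,
# 4 on a read/copy error, 5 if the image does not match the source.
acquire_image() {
    src=$1
    outdir=$2
    master="$outdir/master.img"
    work="$outdir/working.img"

    if is_mounted_rw "$src"; then
        echo "refusing: $src is mounted read-write, unmount it first" >&2
        return 2
    fi
    if [ -e "$master" ]; then
        echo "refusing: $master already exists" >&2
        return 3
    fi

    # Raw block-for-block copy; deleted data lives in blocks a file copy skips.
    dd if="$src" of="$master" bs=1048576 2>/dev/null || return 4
    src_sum=$(sha256_of "$src")
    img_sum=$(sha256_of "$master")
    [ -n "$src_sum" ] && [ "$src_sum" = "$img_sum" ] || { echo "hash mismatch" >&2; return 5; }

    # Record the digest and lock the master; recovery tools get the copy.
    printf '%s  master.img\n' "$img_sum" > "$master.sha256"
    chmod 444 "$master" "$master.sha256"
    cp "$master" "$work" && chmod 644 "$work"
}
```
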
I did a little of this a few years ago (ext2 filesystem) and had a little success. It was in 2001 so I don't remember much of it:

1) debugfs to dump all of the deleted inodes on the filesystem,
2) sift out the ones that go to directories
3) change their size to something big (and set the dtime to 0) and dump each of them to a different disk,
4) then use e2dirana by Tomas Ericsson to try to find the inodes to the deleted files (and subdirectories) in each directory dump.
5) then once you have the inodes you can dump the files, unless the blocks were written over.
6) set up your tape drive

I wrote a few scripts back then to help me with it, you can get them at www.public.iastate.edu/~dative/recovery.tar.gz. Memory fails so there might be a few inconsistencies in what you see above. I think this was very close to being my first experience with Perl so be gentle.

regards.
-Ben

On Thursday 21 August 2003 03:14 pm, Daniel Coll wrote:
> Hi, I have erased some files using the rm command in the console. I have read that there are some ways to recover them, but not 100% of the data. Is there any software or method to ensure a greater chance? I am using SuSE 8.2.
> Thank you
> DMC

participants (3)
- Benjamin P Myers
- Daniel Coll
- Greg Freemyer