Re: Re: ext3 undelete/recovery
The Sleuth Kit has tools that can do what you are looking for.
Visit their site at http://www.sleuthkit.org
Look at http://www.sleuthkit.org/sleuthkit/docs/ref_fs.html for some
help on file recovery.
Also,
depriest@oubliette:~$ apt-cache search sleuthkit
sleuthkit - Tools for forensics analysis
-Jason
On Thu, 17 Feb 2005 18:45:05 +0100, Andreas Rippl <REMOVED> wrote:
> On Thu, Feb 17, 2005 at 01:28:45PM +0100, Bernhard Burgermeister wrote:
> > Hello,
> >
> > >When you rm a file, ext3 take extra steps that prevents those tools from
> > >finding
> > >deleted data. There is still a way to undelete, grep the
> > >filesystem/partition :
> > >grep /dev/hda1 for example, but that s a no go for most people.
> >
> > I have that problem to recover some deleted files from a ext3 partition.
> > The partition ist almost full (only 2 from 80GB free) so the area where the
> > deleted
> > files can be is quite small.
> >
> > Is there a tool to grep/copy only this unallocated area of the disc? This
> > would speed up the recovery very much as we have many similar text-files on
> > that partition.
> >
> > Regards,
> > Bernhard B.
> >
> Hi Bernhard,
>
> I seem to have missed the beginning of this thread, and perhaps you have
> some knowledge that don't, but having had the same problem (ext3 and
> deleted files), I am under the impression that ext3 zeros the inodes on
> unused blocks, thus making it impossible to recover files mistakingly
> deleted. And even the grepping through a dd'ed image of the partition
> will find only chunks of the files as you have to recon with a degree of
> fragmentation. The connection between the blocks that once constituted a
> file is gone. Not to get down your hopes or anything :(, and I would
> like to see you prove me wrong. With regard to that, I think it's a
> sensible approach to try and copy only the unallocated area.
>
> Good luck
>
> --
> Andreas Rippl -- I prefer encrypted mail
>
>
>
Reply to: