Deleted Files

Brian Densmore DensmoreB at ctbsonline.com
Tue Jun 8 14:03:42 CDT 2004


You have two choices.
1) pay some data recovery firm $$$ to recover it.
2) download software for analyzing a hacked system and 
"manually" search through the dump.
Alternate form of 2 is to dd the disk onto another disk and 
do the same type of analysis. In fact I would recommend dd'ing to
a disk and then burning that to a CD. Then you have an image of the disk.

Some things to consider:
One: build a list of the undeleted inodes and locate them on disk.
Filter them out. Whatever parts of the disk are left with data on them
are potentially the lost data.

hindsight pointers:
had you set up your PC as ext3 or reiserfs, you would at least be able to
determine what the inodes were if you had pulled the plug on the PC rather
than doing an orderly shutdown.

caveats:
Some versions of Linux have utilities installed that allow you to
specify what to do with deleted files and in some cases the data is immediately
overwritten with zeros or random data. I can actually use a "shred"
command in my file manager to totally scramble deleted data locations.

This is the type of project that would normally fascinate me. I'd be glad to
offer any assistance to you, but it needs to be limited since as a new
father I really need my two hours of sleep at night.

Brian

> -----Original Message-----
> From: Jim Herrmann [mailto:kclug at ItDepends.com]
> Sent: Monday, June 07, 2004 10:16 PM
> To: kclug at kclug.org
> Subject: Deleted Files
> 
> 
> I found this in the e2undel readme, and my heart sank.  Is there anybody
> out there who can help me undelete?  My wife has said she'll pay someone.
> What is lost is all her mail files.  I have a very very old backup, from a
> long time ago.  That just won't do.  I REALLY need to find the data on the
> disk.  I have pulled the disk from the machine so that nothing further
> happens to it whilst I research what I can do.
> 
> Thanks for any help.  Here's the bit from e2undel:
> 
> 
> What happens if you delete a file?
> -----------------------------------
> 
> If you delete a file stored on an ext2 file system, its data is not 
> instantly lost. What happens is:
> 
> - ext2 marks the file's data blocks as available in its block bitmap
> 
> - ext2 marks the file's inode as available in its inode bitmap
> 
> - ext2 sets the deletion time in the file's inode
> 
> - ext2 invalidates the file's name in the directory entry
> 
> So, the file's data is not actually deleted (but it might be overwritten
> in the future); and the crucial information in the inode (owner, access
> rights, size, data blocks occupied by the file and some more) is not
> touched. If you know the inode number, you can recover the file by using
> Ted Ts'o's debugfs tool.
> 
> What is lost however is the association between the file name and the
> inode: You can't restore the former file name from the inode information.
> To recover the data of a deleted file, you must completely rely on the
> information in the inode like file size, owner, deletion time, etc.
> 
> ext3 behaves differently from ext2 in one regard: When a file is deleted,
> the information in the inode is also removed. Tools like e2undel (or Ted
> Ts'o's debugfs) that rely on this information when undeleting files
> don't work anymore.
> 
> 
> It's this last paragraph that kills me!  I may be screwed!  Help!
> 
> 
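
Editor's added example (not from Brian, Jim, or the e2undel readme): Brian's
"filter out the allocated blocks, whatever is left with data on it is
candidate lost data" approach, applied to a dd image. It reads only the
ext2/ext3 superblock and the per-group block bitmaps, so it does not depend
on the inode's block pointers that, per the quoted readme, ext3 clears on
delete. Assumptions: the classic ext2/ext3 layout (primary superblock at byte
1024, 32-byte group descriptors in the block after the superblock's block,
one bit per block in each group's bitmap). The 16-block image built by
build_sample_image() is constructed for the demonstration; block 8 holds a
mail fragment whose bitmap bit has been cleared, the way a deleted file's
blocks look. Pass a real image path on the command line instead.

```python
import mmap
import struct
import sys

EXT2_SUPER_MAGIC = 0xEF53
SUPERBLOCK_OFFSET = 1024   # primary superblock always starts 1024 bytes into the device
GROUP_DESC_SIZE = 32       # ext2/ext3 group descriptor size


def read_superblock(img):
    """Pull the few superblock fields needed to walk the block bitmaps."""
    sb = img[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    magic, = struct.unpack_from("<H", sb, 56)
    if magic != EXT2_SUPER_MAGIC:
        raise ValueError("not an ext2/ext3 superblock (magic 0x%04x)" % magic)
    blocks_count, = struct.unpack_from("<I", sb, 4)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group, = struct.unpack_from("<I", sb, 32)
    return {
        "blocks_count": blocks_count,
        "first_data_block": first_data_block,
        "block_size": 1024 << log_block_size,
        "blocks_per_group": blocks_per_group,
    }


def read_block(img, sb, n):
    bs = sb["block_size"]
    return img[n * bs:(n + 1) * bs]


def free_blocks(img, sb):
    """Yield every block whose bit is clear in its group's block bitmap.

    This is the state the e2undel readme describes: on delete, ext2 clears
    the file's bits in the block bitmap but leaves the data in place.
    """
    bs, bpg = sb["block_size"], sb["blocks_per_group"]
    first, total = sb["first_data_block"], sb["blocks_count"]
    ngroups = -(-(total - first) // bpg)          # ceiling division
    gdt_start = (first + 1) * bs                  # descriptor table follows the superblock's block
    for g in range(ngroups):
        bitmap_block, = struct.unpack_from("<I", img, gdt_start + g * GROUP_DESC_SIZE)
        bitmap = read_block(img, sb, bitmap_block)
        group_first = first + g * bpg
        in_group = min(bpg, total - group_first)  # the last group is usually short
        for i in range(in_group):
            if not (bitmap[i // 8] >> (i % 8)) & 1:
                yield group_first + i


def carve_free_blocks(img):
    """Return (block_number, data) for free blocks that still hold non-zero data."""
    sb = read_superblock(img)
    hits = []
    for n in free_blocks(img, sb):
        data = read_block(img, sb, n)
        if any(data):                             # zero-filled free blocks carry nothing
            hits.append((n, bytes(data)))
    return hits


def build_sample_image():
    """Constructed 16-block, 1024-byte-block ext2-style image (one block group)."""
    bs, nblocks = 1024, 16
    img = bytearray(bs * nblocks)
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0, 16, nblocks)   # inodes_count, blocks_count
    struct.pack_into("<II", sb, 20, 1, 0)         # first_data_block=1, log_block_size=0
    struct.pack_into("<I", sb, 32, 8192)          # blocks_per_group
    struct.pack_into("<I", sb, 40, 16)            # inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    img[1 * bs:2 * bs] = sb
    struct.pack_into("<III", img, 2 * bs, 3, 4, 5)  # group 0: block bitmap, inode bitmap, inode table
    bitmap = bytearray(bs)
    for blk in range(1, 8):                       # blocks 1..7 in use: metadata plus one live file
        i = blk - 1                               # bitmap bit index = block - first_data_block
        bitmap[i // 8] |= 1 << (i % 8)
    img[3 * bs:4 * bs] = bitmap
    live = b"live file contents\n"
    img[7 * bs:7 * bs + len(live)] = live
    # Block 8: data of a "deleted" file; its bitmap bit is clear but the bytes remain.
    deleted = b"From: alice@example.org\nSubject: hello\n\nthis mail was deleted\n"
    img[8 * bs:8 * bs + len(deleted)] = deleted
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # e.g. the output of: dd if=/dev/hdb of=disk.img
        with open(sys.argv[1], "rb") as f:
            image = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
    else:
        image = build_sample_image()
    for n, data in carve_free_blocks(image):
        print("block %d: %r" % (n, data.rstrip(b"\0")[:60]))
```

Run it against a read-only dd image, never the original disk: mmap keeps a
multi-gigabyte image out of RAM, and the output is a list of free blocks worth
grepping for mail headers. It will also report free blocks that simply hold
old, unrelated junk, and it finds nothing if a zero-on-delete tool like the
"shred" Brian mentions has already run.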