[ale] undelete on ext3 Quasi-success!!
James P. Kinney III
jkinney at localnetsolutions.com
Sun Aug 25 15:54:15 EDT 2002
By the "Drew off line" comment I meant he will have a lot of work to do to
manually dump the file blocks to reconstruct the data.
Then I went back and reread the info on the site and saw the command
line (lde is curses based) flags that will dump blocks 2034-33347 in
sequence to a file!
So, the first step is to dd a copy of the drive partition to a new drive
and work from that. Or, use the -paranoid flag to force no write allowed
and work on the drive partition itself.
As the files were 20KB-100KB it really won't be that bad of a recovery.
There were some tar.gz files that were OK to dump. Plain text files are
fairly easy to work with.
A side note on this:
My personal interest ( apart from wanting to help an ALEer recover from
fumble-finger) is in the disk forensics aspect. If a box gets cracked,
the %$#! usually deletes some files to cover their tracks. I want those
files recovered. Especially the ones that have stuff like where their
data is sent, what are the tools they are using, etc.
On Sun, 2002-08-25 at 15:23, Geoffrey wrote:
> This is too cool. I don't know how large the text files were, but for
> the most part, text files are that large. It could be that each resides
> in a single block.
>
> When you say Drew will be offline for a week, do you mean that he's not
> going to be 'internet connected,' or something else?
>
> James P. Kinney III wrote:
> > I have some quasi-good news on undeleting/recovering files from ext3
> > file systems.
> >
> > I grabbed a tool called lde (http://lde.sourceforge.net), used an old
> > disk and mke2fs -j a filesystem onto it. Made a simple text file (69b
> > long). Then rm'd and unmounted the partition.
> >
> > I then ran lde, selected "block mode" (b), searched for a string in my
> > old text file and then appended that entire block to a file in /tmp.
> >
> > The good news is, it works at getting the data back. The bad news is,
> > Drew's gonna be offline for a week as there is no automatic process on
> > this (argh!) and it's going to have to be manual for each block.
> >
> > I will admit, I made this pretty simple. The file was all there was on
> > the partition. The inodes are empty so something must be known about
> > the content of the files to find them. Or else a really good disk
> > wizard/genie will need to appear to explain better how to navigate at
> > the really raw block/inode/sector level on a drive.
> >
> >
>
>
> --
> Until later: Geoffrey esoteric at 3times25.net
>
> I didn't have to buy my radio from a specific company to listen
> to FM, why doesn't that apply to the Internet (anymore...)?
>
>
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
--
James P. Kinney III \Changing the mobile computing world/
President and CEO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7