University of Cambridge Home Physics Dept Home Mike Roses' Home Page TCM Group Home

Recovering Linux Files

For the first time in approximately six years of UNIX use I deleted some files I did not want to delete: rm *. I wanted to type rm *~ to get rid of some emacs backup files, and my finger slipped onto the Enter key: sinking feeling in the stomach! Probably the last time I will bother cleaning up emacs temp files.

I was using Red Hat Linux 7.3 without any unrm software running. A quick browse of the web found quite a lot of help. The main thing is not to do anything on the computer you have just done the nasty rm on that could write to the disk partition that used to hold your data: every write risks reusing the freed blocks. My data was in the root partition, so unmounting it was rather difficult (yes, there are ways around this, but the data was not so valuable that it was worth messing up the whole computer for). I did a quick dd of the partition to an image file; the output must live on a different partition or disk, or you overwrite the very blocks you are trying to recover:

dd if=/dev/hda2 of=/temp/hda2.img

The first kit I tried was TCT (The Coroner's Toolkit), which worked OK until it had to deal with an 8GB file and refused. I then tried The Sleuth Kit, which did the job rather well.

The order of successful events:

To find the inodes of the files I wanted and the inode of the directory they were in (fls -r walks the whole tree; deleted entries are marked with a * and still carry their inode number):
>fls -f linux-ext3 -r ./hda2.img >> ./inodes

Work out which block group the range of inodes you want is in (fsstat lists, for each group, its inode range and its block range):
>fsstat -f linux-ext3 ./hda2.img >> ./groups

Once you know which group you want, you know the block range of that group and can extract just the unallocated blocks of that range from the BIG dd img file (the range is inclusive and counted in filesystem blocks; in current Sleuth Kit releases dls is called blkls):
>dls -f linux-ext3 ./hda2.img 32768-65535 > ./hda2_smaller.img

Then Sleuthkit stops (on ext3 the kernel zeroes a deleted inode's block pointers when the file is unlinked, so icat cannot follow them to the data) and you now have a raw binary file with your data in it somewhere. It can be handy to use a hex viewer to look at it. The best viewer I found was biew, which is great except that I could not highlight the text I wanted in order to paste it into a file; maybe there is a way to do this, but I could not work it out. In all the other binary viewers I tried I could highlight text and paste it elsewhere, but they all have a vertically split hex/ASCII view, so it would have been a horrible job to copy and paste 20 characters at a time: bpe and hexedit are two examples.

Then I managed to get foremost to work, which was recommended by the Sleuthkit folk. This program does the job well, but the configuration file you get with it is rather Windows orientated and I wanted to retrieve some perl code that I had written. Here is my hacky entry in the foremost.conf file (the columns are extension, case sensitivity, maximum size in bytes, header, and an optional footer; Perl source has no fixed footer, so none is given):

# Perl

        pl      n       1000000 #!/usr/bin/perl 

I then ran foremost against my smaller img file:

>foremost -v -o ./recovered_files -c ./foremost.conf  ./hda2_smaller.img

Which spat out 23 files with .pl extensions, all of the max length I specified (1000000): with no footer configured, foremost carves max-size bytes from every header hit, so each file also contains whatever followed the script on disk. I stripped out the bits I wanted from each file and made extensive use of diff to find the most recent version of the perl code that I had accidentally deleted (I had only deleted 10 files).
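The two mechanical parts of the procedure above, as an added example rather than code from this page or from The Sleuth Kit or foremost: the inode-to-block-group arithmetic that the fsstat step answers, and a minimal header carver that behaves like the Perl foremost.conf entry (carve from each header hit to a footer if one is given, otherwise to the maximum size). The per-group figures used in the usage calls (8192 inodes and 32768 blocks per group) are typical of a 4 KiB-block ext3 filesystem and are assumed, not taken from the page; the sample image is constructed inline.

```python
"""Added example (not the page's code): inode -> block-group arithmetic for
ext2/ext3, plus a foremost-style header carver, on constructed sample data."""

# ---- Part 1: which block group, and hence which block range, an inode is in
#
# ext2/ext3 number inodes from 1 and place inode i in group (i - 1) // inodes_per_group.
# Group g covers blocks first_data_block + g*blocks_per_group .. + blocks_per_group - 1,
# where first_data_block is 1 on 1 KiB-block filesystems and 0 for larger blocks.
# fsstat prints inodes per group, blocks per group and every group's ranges.


def inode_group(inode, inodes_per_group):
    """Block group number that holds the given inode."""
    if inode < 1:
        raise ValueError("ext inode numbers start at 1")
    return (inode - 1) // inodes_per_group


def group_block_range(group, blocks_per_group, first_data_block=0):
    """Inclusive (first, last) block of a block group."""
    first = first_data_block + group * blocks_per_group
    return first, first + blocks_per_group - 1


def block_range_for_inode(inode, inodes_per_group, blocks_per_group,
                          first_data_block=0):
    """The dls/blkls argument ('first-last') for the group holding an inode.

    Caveat: the allocator only prefers to put a file's data blocks in the
    same group as its inode; a large or late-written file can spill into
    neighbouring groups, so widen the range if carving finds only a fragment.
    """
    first, last = group_block_range(inode_group(inode, inodes_per_group),
                                    blocks_per_group, first_data_block)
    return f"{first}-{last}"


# ---- Part 2: header carving, as foremost does it for the 'pl' entry
#
# With no footer every header hit is carved to max size (or to the end of
# the image), which is why the page's run produced files all of the maximum
# length.  A footer, when the format has one, trims each carve instead.


def carve(data, header, max_size, footer=None):
    """Return [(offset, bytes)] for every occurrence of header in data.

    Each hit is carved from the header up to the footer (inclusive) if a
    footer is given and found within max_size bytes, else up to max_size
    bytes or the end of the data.  Hits may overlap, as in foremost: an old
    copy of a file still lying in unallocated space is a hit of its own.
    """
    results = []
    start = data.find(header)
    while start != -1:
        end = min(start + max_size, len(data))
        if footer is not None:
            f = data.find(footer, start + len(header), end)
            if f != -1:
                end = f + len(footer)
        results.append((start, data[start:end]))
        start = data.find(header, start + len(header))
    return results


# Constructed stand-in for hda2_smaller.img: two Perl scripts amid junk.
PERL_HEADER = b"#!/usr/bin/perl"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b'#!/usr/bin/perl\nprint "one";\n__END__\n'
    + b"\xff" * 100
    + b'#!/usr/bin/perl\nprint "two";\n__END__\n'
    + b"\x00" * 50
)


def carve_perl(data=SAMPLE_IMAGE, max_size=1000000, footer=None):
    """Apply the page's Perl entry (max 1000000 bytes, no footer) to an image."""
    return carve(data, PERL_HEADER, max_size, footer)


if __name__ == "__main__":
    # Assumed 4 KiB-block ext3 geometry: 8192 inodes and 32768 blocks per group.
    print(block_range_for_inode(10000, inodes_per_group=8192, blocks_per_group=32768))
    for off, blob in carve_perl():
        print("no footer:", off, len(blob))
    for off, blob in carve_perl(footer=b"__END__\n"):
        print("with __END__ footer:", off, len(blob))
```

Without a footer, both carves run to the end of the sample image, mirroring the page's result; adding `__END__` as a footer trims each carve to the script itself, which is the knob to reach for when the format being recovered has a recognisable terminator.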

The Sleuth Kit documentation I found useful: look at the "Manual UNIX File Recovery" section. Good luck.