
deleted file recovery from ext3 filesystem

  • manjukingdom
    Message 1 of 8, Jul 11, 2005
      hi,
      just wondering if there is a way to recover the deleted files &
      folders on the ext3 filesystem which has Linux Redhat (OS). Accidentally
      I deleted a directory which has a couple of sub directories & using the
      third party s/w I was able to recover some of the files under the sub
      directory but I have another sub directory under this which I was
      unable to recover.

      will appreciate any response ASAP.

      thanks in advance!!
    • Jeff Bryner
      Message 2 of 8, Jul 11, 2005
        If you know the inodes, you can use icat from the sleuthkit:

        icat -f linux-ext3 /dev/hdaX yourinodehere > file

        where X is your partition number...

        If you don't know the inode, then use ils to get the list of deleted
        inodes.

        http://www.sleuthkit.org

        Jeff.

        --- manjukingdom wrote:

        > hi,
        > just wondering if there is a way to recover the deleted files &
        > folders on the ext3 filesystem

        Jeff
        =====
        Until at last I threw down my enemy and smote his ruin upon the mountainside.
        --Gandolf (!)
      • manjukingdom
        Message 3 of 8, Jul 11, 2005
          hi Jeff,
          I tried to get the inodes using debugfs, but this just works
          for ext2 not ext3. Is there a way I can get the inodes??

          waiting to hear from you.

          thanks in advance.

          --- In linux_forensics@yahoogroups.com, Jeff Bryner <jeff@j...>
          wrote:
          > If you know the inodes, you can use icat from the sleuthkit:
          >
          > icat -f linux-ext3 /dev/hdaX yourinodehere > file
          >
          > where X is your partition number...
          >
          > If you don't know the inode, then use ils to get the list of deleted
          > inodes.
          >
          > http://www.sleuthkit.org
          >
          > Jeff.
          >
          > --- manjukingdom wrote:
          >
          > > hi,
          > > just wondering if there is a way to recover the deleted files &
          > > folders on the ext3 filesystem
          >
          > Jeff
          > =====
          > Until at last I threw down my enemy and smote his ruin upon the mountainside.
          > --Gandolf (!)
        • Brian Carrier
          Message 4 of 8, Jul 12, 2005
            You may be able to recover the files using the Ext3 journal (if you can
            find an older copy of the inode). Debugfs lets you search for them.
            Otherwise you will have to use foremost (or similar) to carve the files
            out because Linux deletes all of the Ext3 block pointers when the file
            is deleted.

            brian


            On Jul 11, 2005, at 2:37 PM, manjukingdom wrote:

            > hi,
            > just wondering if there is a way to recover the deleted files &
            > folders on the ext3 filesystem which has Linux Redhat (OS). Accidentally
            > I deleted a directory which has a couple of sub directories & using the
            > third party s/w I was able to recover some of the files under the sub
            > directory but I have another sub directory under this which I was
            > unable to recover.
            >
            > will appreciate any response ASAP.
            >
            > thanks in advance!!
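An added illustration of what Jeff's ils/icat suggestion and Brian's block-pointer point look like on disk. This is example code written for this page, not code from the Sleuth Kit, debugfs or any of the posters: it builds a tiny ext2/ext3 image in memory (the image, the inode numbers 12-14, the file contents and the dtime values are constructed), then walks the inode table the way `ils` does and follows direct block pointers the way `icat` does. Field offsets follow the ext2 superblock, group-descriptor and inode layouts; everything else (block counts, layout of the sample) is an assumption of the example.

```python
"""Walk a constructed ext2/ext3 image the way ils and icat would (added example;
the image, inode numbers and timestamps are made up, not from any real disk)."""
import struct

BLOCK_SIZE = 1024          # s_log_block_size = 0  ->  1024 << 0
INODE_SIZE = 128
INODES_PER_GROUP = 16
TOTAL_BLOCKS = 64
EXT2_MAGIC = 0xEF53
INODE_TABLE_BLOCK = 5      # 0 boot, 1 superblock, 2 group descs, 3/4 bitmaps, 5-6 inode table

# Constructed file contents; they land in data blocks 8, 10-11 and 12.
LIVE_DATA = b"still allocated\n" * 50
EXT2_DELETED_DATA = b"ext2-style delete keeps pointers\n" * 40   # 1320 bytes, two blocks
EXT3_DELETED_DATA = b"ext3 orphan data still on disk, pointers gone\n"

def pack_inode(mode, size, links, dtime, blocks):
    """Serialise the first 100 bytes of struct ext2_inode; the rest stays zero."""
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    head = struct.pack("<HHIIIIIHHIII", mode, 0, size, 0, 0, 0, dtime, 0, links,
                       len(blocks) * (BLOCK_SIZE // 512), 0, 0)
    return (head + struct.pack("<15I", *ptrs)).ljust(INODE_SIZE, b"\0")

def build_sample_image():
    img = bytearray(TOTAL_BLOCKS * BLOCK_SIZE)
    sb = bytearray(BLOCK_SIZE)
    struct.pack_into("<I", sb, 0, INODES_PER_GROUP)   # s_inodes_count
    struct.pack_into("<I", sb, 4, TOTAL_BLOCKS)       # s_blocks_count
    struct.pack_into("<I", sb, 20, 1)                 # s_first_data_block (1 with 1K blocks)
    struct.pack_into("<I", sb, 24, 0)                 # s_log_block_size
    struct.pack_into("<I", sb, 40, INODES_PER_GROUP)  # s_inodes_per_group
    struct.pack_into("<H", sb, 56, EXT2_MAGIC)        # s_magic
    struct.pack_into("<I", sb, 76, 1)                 # s_rev_level: dynamic, s_inode_size valid
    struct.pack_into("<H", sb, 88, INODE_SIZE)        # s_inode_size
    struct.pack_into("<I", sb, 92, 0x4)               # s_feature_compat HAS_JOURNAL (ext3)
    img[BLOCK_SIZE:2 * BLOCK_SIZE] = sb
    # Group descriptor 0: block bitmap, inode bitmap, inode table block.
    img[2 * BLOCK_SIZE:2 * BLOCK_SIZE + 12] = struct.pack("<III", 3, 4, INODE_TABLE_BLOCK)

    def put_inode(ino, raw):
        off = INODE_TABLE_BLOCK * BLOCK_SIZE + (ino - 1) * INODE_SIZE
        img[off:off + INODE_SIZE] = raw

    def put_block(blk, data):
        img[blk * BLOCK_SIZE:blk * BLOCK_SIZE + len(data)] = data

    put_inode(2, pack_inode(0o040755, BLOCK_SIZE, 2, 0, [7]))          # root directory
    put_inode(12, pack_inode(0o100644, len(LIVE_DATA), 1, 0, [8]))
    put_block(8, LIVE_DATA)
    # ext2 unlink: dtime set, links 0, size and block pointers left in place.
    put_inode(13, pack_inode(0o100644, len(EXT2_DELETED_DATA), 0, 1121000000, [10, 11]))
    put_block(10, EXT2_DELETED_DATA[:BLOCK_SIZE])
    put_block(11, EXT2_DELETED_DATA[BLOCK_SIZE:])
    # ext3 unlink: the kernel truncates first, so size, i_blocks and pointers are zero.
    put_inode(14, pack_inode(0o100644, 0, 0, 1121000000, []))
    put_block(12, EXT3_DELETED_DATA)   # the data block itself is untouched (carvers find it)
    return bytes(img)

def read_superblock(img):
    sb = img[1024:2048]                # the primary superblock always sits at byte 1024
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("not an ext2/ext3 superblock")
    rev = struct.unpack_from("<I", sb, 76)[0]
    return {"inodes_count": struct.unpack_from("<I", sb, 0)[0],
            "first_data_block": struct.unpack_from("<I", sb, 20)[0],
            "block_size": 1024 << struct.unpack_from("<I", sb, 24)[0],
            "inodes_per_group": struct.unpack_from("<I", sb, 40)[0],
            "inode_size": struct.unpack_from("<H", sb, 88)[0] if rev >= 1 else 128,
            "has_journal": bool(struct.unpack_from("<I", sb, 92)[0] & 0x4)}

def read_inode(img, sb, ino):
    bs = sb["block_size"]
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    gd = (sb["first_data_block"] + 1) * bs + group * 32    # group descriptor table entry
    table = struct.unpack_from("<I", img, gd + 8)[0]       # bg_inode_table
    off = table * bs + index * sb["inode_size"]
    f = struct.unpack_from("<HHIIIIIHHIII", img, off)
    return {"ino": ino, "mode": f[0], "size": f[2], "dtime": f[6], "links": f[8],
            "block": list(struct.unpack_from("<15I", img, off + 40))}

def list_deleted_inodes(img):
    """What `ils` lists: inodes whose deletion time is set."""
    sb = read_superblock(img)
    return [n for n in range(1, sb["inodes_count"] + 1) if read_inode(img, sb, n)["dtime"]]

def recover_inode(img, ino):
    """What `icat` does over the 12 direct pointers (the indirect ones in
    i_block[12..14] are not followed here): join the blocks, cut to i_size."""
    sb = read_superblock(img)
    node = read_inode(img, sb, ino)
    bs = sb["block_size"]
    data = b"".join(img[b * bs:(b + 1) * bs] for b in node["block"][:12] if b)
    return data[:node["size"]]

if __name__ == "__main__":
    image = build_sample_image()
    for ino in list_deleted_inodes(image):
        print(f"inode {ino}: {len(recover_inode(image, ino))} bytes reachable via block pointers")
```

Running it lists inodes 13 and 14 as deleted; inode 13 (ext2-style) yields its full 1320 bytes, while inode 14 (ext3-style) yields nothing because every pointer is zero, even though its data block is still present in the image. That gap is exactly why the thread moves on to the journal copy of the inode (debugfs logdump) and to carving with foremost.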
          • manjukingdom
            Message 5 of 8, Jul 13, 2005
              hi Brian,
              how to look for an older copy of the inode??? Can you send me the
              syntax...

              thanks for your response.

              --- In linux_forensics@yahoogroups.com, Brian Carrier <carrier@c...>
              wrote:
              > You may be able to recover the files using the Ext3 journal (if you can
              > find an older copy of the inode). Debugfs lets you search for them.
              > Otherwise you will have to use foremost (or similar) to carve the files
              > out because Linux deletes all of the Ext3 block pointers when the file
              > is deleted.
              >
              > brian
              >
              >
              > On Jul 11, 2005, at 2:37 PM, manjukingdom wrote:
              >
              > > hi,
              > > just wondering if there is a way to recover the deleted files &
              > > folders on the ext3 filesystem which has Linux Redhat (OS). Accidentally
              > > I deleted a directory which has a couple of sub directories & using the
              > > third party s/w I was able to recover some of the files under the sub
              > > directory but I have another sub directory under this which I was
              > > unable to recover.
              > >
              > > will appreciate any response ASAP.
              > >
              > > thanks in advance!!
            • Gary Funck
              Message 6 of 8, Jul 13, 2005
                Since ext2 is simply ext3 with a journal, would things work better
                if you reverted the file system to ext2?
                http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/custom-guide/s1-filesystem-ext2-revert.html
                (if this is a forensic-related recovery, then best to be working from a
                copy).

                Note: reverting to ext2 of course loses any residual info. that might've
                been in the journal.
              • Brian Carrier
                Message 7 of 8, Jul 13, 2005
                  On Jul 13, 2005, at 11:59 AM, manjukingdom wrote:

                  > hi Brian,
                  > how to look for an older copy of the inode???can u send me the
                  > syntax...

                  You need to know the inode and you can use debugfs. For example, if
                  the inode were 415,926 then you could use:

                  debugfs: logdump -i <415926>

                  This won't give you the indirect block pointers though, so you'll have
                  to "guess" on those. This is not an automated process.

                  brian
                • suraj shankar
                  Message 8 of 8, Jul 20, 2005
                    Hi,

                    --- Brian Carrier <carrier@...> wrote:

                    > This won't give you the indirect block pointers
                    > though, so you'll have
                    > to "guess" on those. This is not an automated
                    > process.
                    >
                    > brian

                    You can automate the retrieval using TCT (works for
                    *EXT3* too):
                    http://www.porcupine.org/forensics/tct.html

                    I used TCT a year back to retrieve some jpgs that I
                    accidentally deleted (curses to Nautilus)! They were
                    retrieved off a ext3 partition.

                    Some jpgs were partly damaged though ... (lesson
                    learnt) Start by taking the machine offline and
                    imaging it.

                    Regards,
                    suraj.

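An added example of the fallback Brian names (carving with foremost "or similar") and of the partly damaged JPEGs Suraj describes. This is example code written for this page, not foremost, TCT or any poster's code: it does header/footer carving for JPEG over a constructed byte string standing in for a disk image, consulting no filesystem metadata at all, which is why it still works once ext3 has zeroed the inode's block pointers. The marker values are the real JPEG SOI/EOI bytes; the sample disk, its filler and the 64 KiB size cap are assumptions of the example.

```python
"""foremost-style header/footer carving of JPEGs from a raw image (added example;
the "disk" below is a constructed byte string, not a real partition)."""
import os

JPEG_HEADER = b"\xff\xd8\xff"     # SOI marker followed by the next marker's FF
JPEG_FOOTER = b"\xff\xd9"         # EOI marker
MAX_JPEG = 64 * 1024              # cap on one carve, like a carver's max file size

# Constructed sample: one complete JPEG-like object and one whose tail block
# was overwritten (so it has no footer), separated by zeroed blocks.
GOOD_JPEG = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"A" * 300 + JPEG_FOOTER
DAMAGED_JPEG = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"B" * 100

def build_sample_disk():
    filler = b"\0" * 512
    return filler + GOOD_JPEG + filler + DAMAGED_JPEG + filler

def carve_jpegs(blob, max_size=MAX_JPEG):
    """Return (offset, data, complete) for every header found.

    A header with no footer within max_size is still emitted, flagged
    incomplete, so partly overwritten files are reported rather than lost.
    Entropy-coded JPEG data never contains FF D9 (byte stuffing), so the first
    footer after a header is the end of that image."""
    hits = []
    pos = 0
    while True:
        start = blob.find(JPEG_HEADER, pos)
        if start < 0:
            return hits
        end = blob.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end < 0:
            hits.append((start, blob[start:start + max_size], False))
            pos = start + len(JPEG_HEADER)      # keep scanning past this header
        else:
            hits.append((start, blob[start:end + len(JPEG_FOOTER)], True))
            pos = end + len(JPEG_FOOTER)

def write_carves(hits, outdir):
    """Name output files by image offset, as carvers do, so each carve can be
    traced back to where it was found; incomplete ones are marked."""
    names = []
    for offset, data, complete in hits:
        name = f"{offset:08d}{'' if complete else '.partial'}.jpg"
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)
        names.append(name)
    return names

if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(build_sample_disk()):
        state = "complete" if complete else "truncated"
        print(f"offset {offset}: {len(data)} bytes, {state}")
```

On the sample disk this reports the first object as complete and the second as truncated, which mirrors the "partly damaged" results in the post: a carver can only return what is still contiguous on disk, and a file whose blocks were reused or fragmented comes back incomplete, hence the advice to image the machine offline before anything else writes to it.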