[Leaplist] recover deleted file

Richard F. Ostrow Jr. kshots at warfaresdl.com
Wed Mar 7 10:41:13 EST 2007 

1. At this point, NEVER mount the drive with write access, until you are
satisfied that you have recovered all the data you can. Any write to the
disk potentially over-writes data that was "cleared" by the rm you ran.

2. Boot to another OS (perhaps a LiveCD) or another hard drive. When you
mount the drive, make sure you pass the -ro option (read-only).

3. At this point you can poke around without fear of doing further damage.
-- 
Life without passion is death in disguise

On Tue, March 6, 2007 7:53 pm, Randall Perry wrote:
> I was told that a user 'backup' died at 84gig before it finished.
> I said, no problem, let's start again.
> So rm -f mybigbadbackupfile to remove it and I ask him to try it again.
>
> Problem is, it WASN'T the backup file.  It was in fact a live archive
> that was being mounted from a laptop over the network, using OSX based
> 'backup' software.  So the archive file on the remote server was
> actually holding one and only copies of files being worked on.
> (so I said, "if that's the backup, where's the ORIGINAL"...uh, that was
> it).
>
> So as soon as I heard this I killed the rm process in hopes of
> stopping the carnage of rm.
> The file size went from 84gig to 1.6gig.  The user opened the archive
> up remotely and saw some files...but MUCH work was gone.  (oh, and
> there are NO actual backups of the data..just the original file on the
> backup server----and this isn't the first time someone has wiped out
> that backup file).  I immediately unmounted the drive.
>
> Thankfully, this 400gig drive is a single ext2 partition for data only.
> (so there are several methods for recovery--unlike ext3 or reiserfs
> which are more difficult to recover).
>
> I have mc already running on this CentOS derivative and ran the
> undelete utility (within mc).
> I see some inodes that look like they should be part of the file, but
> remember that I killed the rm process so deletion wasn't complete.  I
> see a large 1.6gig chunk that seems to be it.
> That's far from the  84gig that single file is supposed to be.
>
> I am wondering if I should finish off the file with rm and go back to
> inode rebuilding under mc.  Are there file limitations (LFS) under mc
> 4.6.1?
>
> I wish I had another 400gig spare to dd and play with, but that would
> involve shifting some 300 gig drives around to get a 400gig free.  I
> don't want to dd over the network to an LVM with more space because
> that would take FOREVER.
>
> I can't just 'grep the raw device' as these are Adobe Illustrator and
> Photoshop renderings...not some simple text strings.
>
> Anyone familiar with e2undel? debugfs ?
>
>
> Thoughts?
>
>
>
> --
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>     Randall Perry
>     Hope Crisis Response Network
>   www.hcrn.info
> _______________________________________________
> Leaplist mailing list
> Leaplist at leap-cf.org
> http://lists.leap-cf.org/mailman/listinfo/leaplist
>

More information about the Leaplist mailing list