[Leaplist] Can a deleted file be recovered on one's personal computer?
Jim Hartley
xjimh at cfl.rr.com
Sat Jan 2 18:27:30 EST 2010
The problem with trying to do an "undelete" in Linux is that the bits
and pieces are likely scattered all over the disk, and once the file is
deleted, there is no easily discernible relationship between those bits
and pieces. On the old FAT file system, each chunk of the file had an
indicator of what sector to go to for the next chunk of the file, which
is what made DOS unerase fairly simple. The Linux file systems (all the
ones I am familiar with) use "inodes"; some are like a file header and
others are the file data. They are taken from a pool of available inodes
when the file is created or enlarged, and put back in the pool when the
file is deleted (rm'd). If you "mv" a file (to Trash or anywhere else)
the first pointer (in a directory) to that file is wiped, and a pointer
to that first inode is placed somewhere else; the file itself is not
changed. "Cut" is essentially "mv to clipboard", but the clipboard is
very volatile and the next "cut" or "copy" will "rm" whatever is there now.

As far as GUI programs, they can be written however the developer wants
to do it ... one program may by default move things to Trash, another
program may just "rm" them. As an example look at the Nautilus file
browser ... by default the right-click menu has "Move to Trash." But in
the program's preferences, I can add a "Delete" to that menu, which
bypasses Trash and rm's the file. If you are using a program, you had
best understand how it works and what it is going to do!

As far as extreme file recovery goes, I guess you would have to take ALL
the unused inodes (I can see where unmounting might be required to keep
from overwriting some as you worked) and then examine each one to see if
it's what you want, and put things together like a jigsaw puzzle. I
believe binary files (like JPGs) would be HORRIBLE to reconstruct that
way. Even a readable file ... well suppose you had erased the Monday
version of, say, a C program, and then accidentally erased the Wednesday
version, even if nothing was overwritten it would be difficult to figure
out which piece belonged to which. **I** don't want to do it!

Jim Hartley

Jason Boxman wrote:
> On Saturday 02 January 2010 10:53:40 am Hank Lambert wrote:
>> A deleted file is still on the hard drive until it is overwritten. When
>> you deleted the file, you are not actually removing it from your drive,
>> you are removing the pointers to it. If the file has not been
>> overwritten, it can be recovered unless it is in the root directory.
>> Root directory files cannot be recovered in this manner because you
>> need to unmount the directory that contains the file you deleted, and
>> the root directory is always mounted.
>>
>> 1) Unmount the directory that held the file.
>> 2) From the CLI, run debugfs against the directory, such as "debug
>> /home/william/Desktop" (without the quotes) if the file was on your
>> desktop.
>> 3) From the CLI, run lsdel. This creates a list of all files that have
>> been deleted.
>> 4) Once you find the file, type dump filename where filename
>> is the name of the file. This will put the file in the directory you
>> are working from.
>
> Interesting. That's probably been the most requested feature for ext2/3
> forever.
>
> You can also use a tool called foremost to attempt to recover the raw data if
> it can no longer be recovered as part of the filesystem proper.
>
> Description: Forensics application to recover data
> This is a console program to recover files based on their headers and footers
> for forensics purposes.
>
> Foremost can work on disk image files, such as those generated by dd,
> Safeback, Encase, etc, or directly on a drive. The headers and footers are
> specified by a configuration file, so you can pick and choose which headers
> you want to look for.
> Homepage: http://foremost.sourceforge.net/
>
> One of the last ways you'd try to recover if you needed some of the data
> back...
>
--
Teen Angel - a ghost story - http://teenangel.netfirms.com
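
Added example, not part of the original thread and not foremost's own code: a simplified sketch of the header/footer carving that the quoted foremost description refers to, run over a constructed in-memory "disk". The JPEG and PNG magic values are the standard ones; the size cap, function names and sample bytes are assumptions made for illustration. The third hit shows the limit of the approach: a carver assumes the file's data is contiguous, so a file whose pieces are scattered is recovered with a foreign block inside it.

```python
# Added example: simplified header/footer carving; not foremost's code.
# Magic values are the standard JPEG/PNG ones; the size cap is an assumption.
MAX_SIZE = 10 * 1024 * 1024
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return sorted (offset, type, data) for each header followed by a
    matching footer within max_size bytes. Assumes contiguous file data."""
    hits = []
    for name, (header, footer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            limit = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), limit)
            if end == -1:
                # Header without a footer in range: skip it, keep scanning.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            hits.append((pos, name, image[pos:end]))
            pos = image.find(header, end)
    return sorted(hits)


def build_sample_image():
    """Constructed sample 'disk': two intact files plus one JPEG whose two
    halves are separated by a block belonging to some other file."""
    gap = b"\x00" * 32
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 16 + b"IEND\xaeB`\x82"
    frag_a = b"\xff\xd8\xff\xe0" + b"A" * 8
    frag_b = b"B" * 8 + b"\xff\xd9"
    foreign = b"X" * 16
    image = gap + jpeg + gap + png + gap + frag_a + foreign + frag_b + gap
    return image, jpeg, png, frag_a + frag_b


if __name__ == "__main__":
    image, jpeg, png, original = build_sample_image()
    for offset, kind, data in carve(image):
        intact = data in (jpeg, png, original)
        print(f"{kind} at offset {offset}: {len(data)} bytes, intact={intact}")
```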