
Re: Undeleting files in ext3 (Newbie-question)

On Feb 18, 2002  22:41 +0100, NovaLand wrote:
> Recently I've encountered a problem, and now I would appreciate any help
> about being able to undelete files.
> My /var file structure is mounted at /dev/hdc1
> Part of my /etc/mtab looks like this:
> /dev/hdc1 /var ext3 rw 0 0

To start with, you should leave e2fsck checking enabled for your ext3
filesystems.  If there is ever a filesystem error, the in-kernel recovery
code cannot repair it, unlike e2fsck.

If the periodic e2fsck forced checks bother you, change them with tune2fs
(-c and -i options) to something you can live with.  As people have seen
in the past, disks, kernels, memory are not perfect, so you should still
check your filesystems every 6 months or so.

> So, could anyone give me a hint of how things could be done to find 
> deleted inodes?

The way that ext3 deletes them makes it impossible to do this, unlike
ext2.  It is a problem that the ext2 developers are aware of, but it
isn't necessarily easily fixed.

> I know..  backup is everything, but the reason I'd like to do this is
> that I know that last Saturday at 9:35 am, the logs were most likely
> altered to cover up after a system break-in. The original logs could
> have been copied before this and therefore finding out deleted inodes
> could be of a great importance.

Well, if this is the case, then having the old logs will probably not
help you.  I would reinstall the system from scratch, and restore your
data from backup.  If you don't want to do that, at least reinstall your
OS from scratch, replace your binaries, and audit any startup scripts,
server config scripts, etc. for new holes.

Cheers, Andreas
Andreas Dilger
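
The following is an added example, not part of the original message: a shell function that reads `tune2fs -l` output and reports whether the periodic e2fsck checks set by the -c and -i options mentioned above are still enabled. The function name, the sample superblock listings (constructed) and the `-c 30` value in the comment are assumptions.

```shell
# Added example (not from the original post).
# Classify the periodic-check schedule found in `tune2fs -l` output on stdin.
# Prints: enabled, count-only, time-only, disabled, or unknown.
fsck_schedule() {
    awk -F: '
        /^Maximum mount count:/ { gsub(/[ \t]/, "", $2); max = $2 + 0; seen_c = 1 }
        /^Check interval:/      { split($2, a, " "); ivl = a[1] + 0; seen_i = 1 }
        END {
            if (!seen_c || !seen_i) { print "unknown"; exit }
            c = (max > 0)   # -c 0 or -c -1 turns mount-count checks off
            t = (ivl > 0)   # -i 0 turns time-based checks off
            if (c && t)  print "enabled"
            else if (c)  print "count-only"
            else if (t)  print "time-only"
            else         print "disabled"
        }'
}

# Constructed sample: both forced checks switched off.
SAMPLE_DISABLED='Filesystem features:      has_journal filetype sparse_super
Mount count:              37
Maximum mount count:      -1
Check interval:           0 (<none>)'

# Constructed sample: check every 30 mounts or 6 months, whichever comes first.
SAMPLE_ENABLED='Filesystem features:      has_journal filetype sparse_super
Mount count:              4
Maximum mount count:      30
Check interval:           15552000 (6 months)'

# Constructed sample: only the time-based check is left on.
SAMPLE_TIME_ONLY='Maximum mount count:      0
Check interval:           15552000 (6 months)'

# On a live system (as root), for the device from the post:
#   tune2fs -l /dev/hdc1 | fsck_schedule
# To restore a schedule (30 mounts is an assumed value, 6m = six months):
#   tune2fs -c 30 -i 6m /dev/hdc1
printf '%s\n' "$SAMPLE_DISABLED" | fsck_schedule
printf '%s\n' "$SAMPLE_ENABLED"  | fsck_schedule
```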
