Re: Comments about ext3 FS

On Apr 24, 2003  21:31 -0700, mlopez wrote:
> What are the benefits of use the ext3 FS in a system (server, desktop,
> etc.) if i cant recover files deleted by an intruder if i want need to
> make forensics; or if i want to recover important files  deleted
> (business, personal use, a very important project, etc.) ??

People generally make backups of important files.  Well, acutally,
people who have previously deleted (or lost through corruption or
hardware failure) files start making backups.  Undelete will not
help you if your hard drive dies, or you have a fire or whatever.

> I read about umount my partition ( for what, ext3 FS clear the inodes),
> use lde, debufs, e2recover, etc ( this work only with ext2 FS), and some
> people saying that there is nothing to do. I use autopsy and task but
> dont work.

I agree that this is something that has been discussed several times
in the past on this mailing list.  There are some possible solutions
to this problem that could be implemented for ext3 - specifically by
pre-calculating the actual number of blocks needed to truncate the file,
and then only update the bitmaps and inode when doing the truncate.
That will only be possible when deleting smaller files (depending on
journal size), so it won't be a real undelete facility but at least
give us most of what we had for ext2 (and will also make truncate go
faster I believe).

You can also get library wrappers that implement a _real_ undelete
facility in user space by replacing the unlink call with a rename
to a trashcan.

> This only thing make me think in change the security policy for my
> systems to use only ext2 FS until its posible to undelete or recover
> files.

Or, start making backups of your files, and be more careful when you
are deleting files.  Again, "undelete" will only help you in the case
where you accidentally removed a file, and nothing was overwriting it.
Backups will help you more often.

Cheers, Andreas
Andreas Dilger

