low level search for deleted data
Theodore Ts'o
tytso at mit.edu
Mon Sep 27 16:08:15 UTC 2004
On Sun, Sep 26, 2004 at 11:37:58PM +0200, andy13 at gmx.net wrote:
> Hi everyone,
>
> I lost my complete home directory and am facing the problem of retrieving
> some of the deleted data.
> I have search the web for this matter, but the only information I found is,
> that it's not possible for a program to do this and that I have to puzzle
> the files together by scanning the disk (or disk image) with tools like
> sleuthkit (www.sleuthkit.org) or lde (lde.sourceforge.net). That's ok, since
> the only files I like to recover are text files (c and java sourcecode). But
> even though I read the ext2-undelete-minihowto (which doesn't apply to ext3,
> I know) I honestly don't know how to start. The partition is 11GB and the
> data could be anywhere. Can anyone please describe a sensible approach to
> this task. I'm really helpless :(
If you have some specific text that you know was in a file that you're
trying recover, the followin gocmmand may be of use:
grep -ab <regexp> /dev/hda1 | awk -F: '{printf("%d\n", ($1 + 4095) / 4096)}'
Replace <regexp> with the regular expression or string that you are
trying to find, and if the filesystem is using a 1k blocksize, replace
4095/4096 with 1023/1024. This will given you block numbers which you
can then feed into lde.
Good luck!!
- Ted
More information about the Ext3-users
mailing list