[PLUG] Ext2/3 Undelete

Steve Bonds 1s7k8uhcd001 at sneakemail.com
Mon Mar 28 23:13:55 UTC 2005


Linux Folks:

A combination of unfortunate factors has led to an important file
being deleted from a system that normally needs no backups.  (Isn't
that where ALL the important files are deleted?)  Normally I'd just
regenerate this system from our kickstart image, but the file in
question is a logfile holding debug data for a problem that only
recurs every few months.  If I can avoid waiting for the next
occurrence, I'd like to.

The process writing the log file is still running, so I can grab the
inode number from "lsof" and the OS has not re-used the blocks holding
the data.  I figure I have a few options:

1) "dd" the raw filesystem to another host and use "debugfs" to change
the inode number of some random file on the same filesystem to point
to the blocks holding the data I want, then mount the modified
filesystem and copy this "file" somewhere safe.

2) Use "e2image" to do basically the above since debugfs mentions that
it operates on e2image files, but doesn't mention if the above "dd"-ed
filesystem image will work

3) Use some free Linux file recovery tool.  Google offers few
options-- do any of these work on a "dd"-ed file system image?  (I'm
certainly not going to risk the original!)
  + "r-undelete" frequently mentioned, but not free, despite what their ads say.
  + "r-linux", same company, seems free but is a Windows executable.  How odd.
  + http://www1.lunetix.de/download/ ("undelete")

What would you all suggest?

  -- Steve Bonds



More information about the PLUG mailing list