[PLUG] Ext2/3 Undelete

Steve Bonds 1s7k8uhcd001 at sneakemail.com
Tue Mar 29 01:12:02 UTC 2005


On Mon, 28 Mar 2005 15:13:55 -0800, Steve Bonds wrote:

> 1) "dd" the raw filesystem to another host and use "debugfs" to change
> the inode number of some random file on the same filesystem to point
> to the blocks holding the data I want, then mount the modified
> filesystem and copy this "file" somewhere safe.

Thanks for the tip on The Sleuth Kit.  I have a copy of Helix, but
their documentation is incredibly poor.

I ended up recovering the file via debugfs, but I noticed some strange
behavior.  On the image file I created with "dd", the deleted inode
referenced a chain of filesystem blocks containing nothing but zeroes.
However, on the running system the same inode referenced a chain of
filesystem blocks containing the actual log file data.  (I.e. the
contents of the file produced by the debugfs command "dump
<inode-number> /tmp/local_file" were different when run on the image
vs. the live system.)

I don't understand why a "dd" wouldn't capture the whole thing unless
it were stuck in the filesystem write cache.  This log file is months
old, so I can't imagine it being kept in cache that long.

Any ideas on why the captured image wouldn't reflect what was obtained
from the running system?

  -- Steve
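An added check (not part of the original post) for diagnosing the discrepancy described above: read the blocks an inode references from both the dd image and the live device and flag the blocks that are all zeroes on one side only. It assumes the block numbers were taken from debugfs "stat <inode>", assumes a 4096-byte block size, and uses a constructed in-memory sample in place of the real image and device.

```python
import io

BLOCK_SIZE = 4096  # assumption; read the real value from "dumpe2fs -h <device>"

def read_block(fh, block_no, block_size=BLOCK_SIZE):
    """Read one filesystem block from a seekable byte source (dd image or block device)."""
    fh.seek(block_no * block_size)
    data = fh.read(block_size)
    if len(data) != block_size:
        raise EOFError(f"block {block_no} lies past the end of the source")
    return data

def compare_block_chain(image_fh, live_fh, blocks, block_size=BLOCK_SIZE):
    """Classify each block of an inode's block chain: 'same', 'zero-in-image',
    'zero-in-live' (all zeroes on one side only) or 'differ'."""
    report = {}
    for b in blocks:
        img = read_block(image_fh, b, block_size)
        liv = read_block(live_fh, b, block_size)
        if img == liv:
            report[b] = "same"
        elif not any(img):
            report[b] = "zero-in-image"
        elif not any(liv):
            report[b] = "zero-in-live"
        else:
            report[b] = "differ"
    return report

def summarize(report):
    """Count outcomes; many 'zero-in-image' blocks mean the image does not reflect the live device."""
    counts = {}
    for v in report.values():
        counts[v] = counts.get(v, 0) + 1
    return counts

def build_sample(block_size=BLOCK_SIZE):
    """Constructed stand-in for the dd image and the live device: 8 blocks each."""
    log_line = b"Mar 28 15:13:55 host sshd[123]: Accepted publickey for steve\n"
    log_block = (log_line * (block_size // len(log_line) + 1))[:block_size]
    zero_block = bytes(block_size)
    live = [zero_block] * 8
    image = [zero_block] * 8
    for b in (3, 5, 6):          # the inode's block chain (constructed)
        live[b] = log_block
    image[6] = log_block         # only one of the three blocks made it into the image
    return io.BytesIO(b"".join(image)), io.BytesIO(b"".join(live))

if __name__ == "__main__":
    img, liv = build_sample()
    rep = compare_block_chain(img, liv, [3, 5, 6])
    print(rep, summarize(rep))
```

For a real comparison, open the image file and the block device with open(path, "rb") and pass the block list printed by debugfs "stat <inode>".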
