[PLUG] Ext2/3 Undelete
Steve Bonds
1s7k8uhcd001 at sneakemail.com
Tue Mar 29 01:12:02 UTC 2005
On Mon, 28 Mar 2005 15:13:55 -0800, Steve Bonds wrote:
> 1) "dd" the raw filesystem to another host and use "debugfs" to change
> the inode number of some random file on the same filesystem to point
> to the blocks holding the data I want, then mount the modified
> filesystem and copy this "file" somewhere safe.
Thanks for the tip on The Sleuth Kit. I have a copy of Helix, but
their documentation is incredibly poor.
I ended up recovering the file via debugfs, but I noticed some strange
behavior. On the image file I created with "dd", the deleted inode
referenced a chain of filesystem blocks containing nothing but zeroes.
However, on the running system the same inode referenced a chain of
filesystem blocks containing the actual log file data. (I.e. the
contents of the file produced by the debugfs command "dump
<inode-number> /tmp/local_file" were different when run on the image
vs. the live system.)
I don't understand why a "dd" wouldn't capture the whole thing unless
it were stuck in the filesystem write cache. This log file is months
old, so I can't imagine it being kept in cache that long.
Any ideas on why the captured image wouldn't reflect what was obtained
from the running system?
-- Steve
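The comparison described above (running debugfs "dump <inode-number>" against the dd image and against the live system and checking whether the referenced blocks are zero-filled), as an added Python example that is not part of the original post or of e2fsprogs: it walks an inode's direct block pointers in a raw ext2/3 image the way debugfs does and returns the data cut to i_size, so the same inode can be dumped from two images and compared. build_image and its layout (one group, 1 KiB blocks, inode table at block 5) are constructed purely for the demonstration, and indirect blocks are not walked.

```python
import struct

SB_OFF = 1024          # the ext2/3 superblock always starts at byte 1024
EXT2_MAGIC = 0xEF53
def _u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def _u16(buf, off): return struct.unpack_from("<H", buf, off)[0]

def superblock(img):
    """The few superblock fields needed to locate an inode in a raw image."""
    if _u16(img, SB_OFF + 56) != EXT2_MAGIC:
        raise ValueError("not an ext2/3 image")
    return {"block_size": 1024 << _u32(img, SB_OFF + 24),
            "first_data_block": _u32(img, SB_OFF + 20),
            "inodes_per_group": _u32(img, SB_OFF + 40),
            "inode_size": _u16(img, SB_OFF + 88) if _u32(img, SB_OFF + 76) else 128}

def inode_offset(img, sb, ino):
    """Byte offset of 1-based inode `ino`, located via its group descriptor."""
    group, index = divmod(ino - 1, sb["inodes_per_group"])
    gdt = (sb["first_data_block"] + 1) * sb["block_size"]
    inode_table = _u32(img, gdt + group * 32 + 8)          # bg_inode_table
    return inode_table * sb["block_size"] + index * sb["inode_size"]

def inode_data_blocks(img, sb, ino):
    """Direct block pointers i_block[0..11]; indirect blocks are not walked."""
    off = inode_offset(img, sb, ino)
    return [b for b in (_u32(img, off + 40 + 4 * i) for i in range(12)) if b]

def dump_inode(img, ino):
    """What debugfs 'dump <ino>' writes out: the data blocks, cut to i_size."""
    sb = superblock(img)
    bs, off = sb["block_size"], inode_offset(img, sb, ino)
    data = b"".join(img[b * bs:(b + 1) * bs] for b in inode_data_blocks(img, sb, ino))
    return data[:_u32(img, off + 4)]                       # i_size (low 32 bits)

def build_image(ino, payload, zero_data=False):
    """Constructed 16 KiB ext2 image (1 KiB blocks): inode table at block 5, data from block 8."""
    bs, img = 1024, bytearray(16 * 1024)
    for off, fmt, val in ((20, "<I", 1), (24, "<I", 0), (40, "<I", 16),
                          (56, "<H", EXT2_MAGIC), (76, "<I", 1), (88, "<H", 128)):
        struct.pack_into(fmt, img, SB_OFF + off, val)      # first_data_block, log_block_size, ...
    struct.pack_into("<I", img, 2 * bs + 8, 5)             # bg_inode_table = block 5
    off = 5 * bs + (ino - 1) * 128
    struct.pack_into("<I", img, off + 4, len(payload))     # i_size
    for i in range((len(payload) + bs - 1) // bs):
        struct.pack_into("<I", img, off + 40 + 4 * i, 8 + i)   # i_block[i]
        chunk = b"" if zero_data else payload[i * bs:(i + 1) * bs]   # zero_data = the dd symptom
        img[(8 + i) * bs:(9 + i) * bs] = chunk.ljust(bs, b"\0")
    return bytes(img)
```

On a real image, pass the bytes of the dd output (or of the block device) as `img`; an inode whose dump is all zeroes on the image but not on the live device shows the discrepancy the post describes.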