Hi,

I guess this link might help you:
http://www.sans.org/reading_room/whitepapers/forensics/2011.php

Regards,
Bhanu

On 3/25/08, bhanu nani <[EMAIL PROTECTED]> wrote:
> Hi Katiyar,
>
> The right place to look for it would be the fsdevel list. See the old
> mails, you may get one.
> http://marc.theaimsgroup.com/?l=linux-fsdevel
>
> Sorry, I am not much into debugfs.
>
> Regards,
> Bhanu
>
>
> On 3/25/08, Manish Katiyar <[EMAIL PROTECTED]> wrote:
> > Apologies for spamming this list as this is not really a kernel
> > question, but I could not find any appropriate list. Probably someone
> > on this list with experience with e2fsprogs might help me. I was
> > playing with the undelete option of debugfs. While trying to delete
> > some file in ext3 and restore it this is what I did
> >
> > # dd if=/dev/zero of=testfs bs=4096 count=2000
> > # mkfs.ext3 testfs
> > # sudo mount -t ext3 testfs mount -o loop
> > # cd mount
> > # echo manish > test
> > # ls -alirt
> > total 20
> >     11 drwx------ 2 root     root     12288 2008-03-26 00:12 lost+found
> > 3491025 drwxr-xr-x 3 mkatiyar mkatiyar  4096 2008-03-26 00:12 ..
> >     14 -rw-r--r-- 1 mkatiyar mkatiyar     7 2008-03-26 00:13 test
> >      2 drwxr-xr-x 5 mkatiyar mkatiyar  1024 2008-03-26 00:13 .
> > # rm test
> > # sudo umount mount
> > # debugfs -w testfs
> > debugfs 1.40.8 (13-Mar-2008)
> > debugfs:  lsdel
> >  Inode  Owner  Mode    Size      Blocks   Time deleted
> > 0 deleted inodes found.
> > (END)
> > debugfs:  logdump
> > Journal starts at block 0, transaction 8
> >
> > Why is it still showing 0 deleted inodes ???? Should the deletion be
> > shown in the journal ??
> >
> > Any pointers to appropriate list will be helpful. Thanks
> >
> > --
> > Thanks & Regards,
> > ********************************************
> > Manish Katiyar ( http://mkatiyar.googlepages.com )
> > 3rd Floor, Fair Winds Block
> > EGL Software Park
> > Off Intermediate Ring Road
> > Bangalore 560071, India
> > ***********************************************
> >
> > --
> > To unsubscribe from this list: send an email with
> > "unsubscribe kernelnewbies" to [EMAIL PROTECTED]
> > Please read the FAQ at http://kernelnewbies.org/FAQ
> >
> >
>
