Thanks so much for your help, Ray.
I have tried the instructions at: http://recover.sourceforge.net/unix/ (one of the first things I did try) ...and I got a whole lot of garbage spit back to my screen; so much so, I had to quit.
I am attempting to do something along these lines:
grep -a -B10000 -A0 "wowerpresumes" /dev/hdfb
...and since I'm not sure what to put for B and A, I may be doing something wrong here. I don't recall how large the directory was 'before' things were deleted.
What you're doing is using the grep command to find some relatively unique string of data in your file, and then printing the data before, and after, that string.
-A and -B signiy the number of lines after (-A) and before (-B) tthe matched string to print...
The 'string' is actually a grep pattern, to look for, not a fixed string (unless you use fgrep instead of grep).
so, as an example -- if you'r trying to find a deleted /etc/passwd , you might look for the entry for root, with:
grep -A200 -B2 'root:[^:]*:0:0:' /dev/hda3
(presuming that the /etc/ driectory is on /dev/hda3)
note that I'm presuming that you understand grep regular
expressions... It looks for 'root:' followed by any
number of characterss other than colons ('[^:]*) followed
by :0:0: which are the userid and groupid of the root user.Since, for most incarnations of the /etc/passwd file the root entry is the first, I'm only printing 2 lines before (just in case), and 200 lines after (presuming I'm expecting the file to be less than 200 lines long.
if you're lucky, you'll only find one copy of the file on your partition.
The upshot is that the ext3 filesystem does a pretty thorough job of deleting any residual metadate when it removes your files. (Unlike dos, which just zeroes the first byte of the name).
Zherefore you're left hunting thru the raw disk, hoping that the file you're looking for hasn't been fragmented into 2 or more pieces (if it has, then you're going to have to do more searching for the second and subsequent pieces).
you basically want to look for a string/pattern that will (hopefully) uniquely identify your file.. You want something that is guaranteed to be in the file, and something unlikely to be found in any other random file.
I guess, if somebody wanted to be really fancy, it might be possible to create a bitmap of allocated blocks on the disk, and only search in the unallocated space for your string
I'll leave that as an exercise for the reader :-).
-- Stephen Samuel +1(604)876-0426 [EMAIL PROTECTED] http://www.bcgreen.com/~samuel/ Powerful committed communication. Transformation touching the jewel within each person and bringing it to light. - To unsubscribe from this list: send the line "unsubscribe linux-newbie" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.linux-learn.org/faqs
