On Wed, Feb 25, 2009 at 10:13 AM, Hal Pomeranz <[email protected]> wrote:
> > In a punch drunk state I rm -rf'd a directory that I didn't intend to. > > I wasn't unable to immediately unmount the filesystem but was able to > > make a complete image of it to a backup device. The fs is ext3 and > > google led me to debugfs and I was able to see the deleted directory > > and associated inode. It has yet to be deleted as undel inode# said it > > was still allocated. My question is. How do I relink the inode to > > userland so I can grab the directory and back it up properly :) > > The short answer is you can't do this, and it wouldn't help even if > you could because ext3 generally zeroes the contents of the inode > before placing it on the free list. This means you lose all the block > pointer information that would allow you to reconstruct the file. I > would recommend trying to use a tool like foremost > (foremost.sourceforce.net) to recover the individual files in the > directory you deleted. > > -- > Hal Pomeranz, Founder/CEO Deer Run Associates [email protected] > Network Connectivity and Security, Systems Management, Training > _______________________________________________ > PLUG mailing list > [email protected] > http://lists.pdxlinux.org/mailman/listinfo/plug > Hal, Thanks. I have foremost installed. My problem is that I'm not certain of all the file types in the directory. If I recall correctly they were mostly perl scripts. I had read somewhere that I could just tell foremost to grab ASCII files which would include said perl scripts. I have rebooted the machine with said filesystem unmounted now. I also have the disk image I created which is just under 100GB since I dd'd the partition. Would it be advisable to use foremost on the disk image or the actual filesystem while unmounted in order to collect the data? Thanks, Drew _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
