On 6/3/05, Ed wrote: > I just made a rather stupid commandline ordering error and managed to delete > a whole load of data (mostly word files/some pics fwiw) with rsync –delete. > I know, I'm an idiot (and a big one at that). To make matters worse this > was off an ext3 partition, which from what I can find out seems pretty much > undeleteable – at least if deleted in the normal way by rm.
They key to this lies in the "pretty much", more below. ;-) > So the question is, does rsync delete files in a way which will allow me to > recover them, or am I, as I suspect, royally screwed :( Rsync deletes files in the same way as "rm", so you are pretty screwed unless you want to spend some time learning a bit about filesystem forensics. The last time I recovered a file I'd nuked off an ext3 filesystem, I ran across The Sleuth Kit: http://www.sleuthkit.org/ It made the undelete process fairly painless. The Sleuth Kit requires a separate system with lots of disk space since it needs to hold the entire contents of the filesystem off which you deleted your files plus associated analysis, logs, etc. The first thing you need to do is "dd" a copy of your raw filesystem onto some other linux host with lots of disk space. The sooner you do this, the less chance there is of those disk blocks getting reallocated. For example, from the system that will be used as the dumping ground: ssh hosed-host "dd if=/dev/hda3 obs=1500" | dd of=/home/sleuth/hosed-host-hda3.img ibs=1500 This does a "dd" to stdout of your hda3 partition (substitute the real device name) and sends it over the ssh connection to your receiving host which presumably has a lot of free space in /home/sleuth. The "obs" and "ibs" parameters are there to ensure that we can fill up a 1500 byte ethernet packet on each read. It works fine without them, just a bit slower. There are other ways to do this, one method using "netcat" is described on The Sleuth Kit's website: http://www.sleuthkit.org/informer/sleuthkit-informer-11.html#dd Once you have the image saved off you can spend some time learning how to run The Sleuth Kit. It goes to great pains to keep your "dd" image unmodified, however as a fail-safe I always keep these owned by root, mode 444, and run The Sleuth Kit as a non-root user. The Autopsy Forensic Browser is a webserver-based front end to The Sleuth Kit and is a good way to get started. RPMs can be found at: http://dag.wieers.com/packages/sleuthkit/ http://dag.wieers.com/packages/autopsy/ Good luck! This will be a valuable Learning Experience. ;-) -- Steve
-- To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html