RE: undelete for FreeBSD current?
Thanks Robert, The "strings" method worked very well in this instance. -Original Message- From: Robert Watson [mailto:[EMAIL PROTECTED] Sent: Thursday, 13 November 2003 1:59 PM To: Barney Wolff Cc: Thyer, Matthew; '[EMAIL PROTECTED]' Subject: Re: undelete for FreeBSD current? On Wed, 12 Nov 2003, Barney Wolff wrote: > On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: > > I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ > > after a rm -rf of /usr/local > > > > I've kept the file system relatively quiet since then. > > TCT may help. http://www.porcupine.org/forensics/tct.html but I don't > think it's been tested with current/ufs2. Also, don't expect to build > it on the system and then find a deleted file. > > But if you have a clue of what you're looking for, just grepping > /dev/da or /dev/ad might work. (grep -a -A100 -B100) Assuming that the file system had a fair amount of free space, and therefore wasn't fragmented, I've always found the "strings" command quite helpful in recovering text files after loss or deletion. It can also be nicely applied to /dev/mem if you accidentally close that pesky editor window without save... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects [EMAIL PROTECTED] Network Associates Laboratories ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: undelete for FreeBSD current?
On Wed, 12 Nov 2003, Barney Wolff wrote: > On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: > > I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ > > after a rm -rf of /usr/local > > > > I've kept the file system relatively quiet since then. > > TCT may help. http://www.porcupine.org/forensics/tct.html but I don't > think it's been tested with current/ufs2. Also, don't expect to build > it on the system and then find a deleted file. > > But if you have a clue of what you're looking for, just grepping > /dev/da or /dev/ad might work. (grep -a -A100 -B100) Assuming that the file system had a fair amount of free space, and therefore wasn't fragmented, I've always found the "strings" command quite helpful in recovering text files after loss or deletion. It can also be nicely applied to /dev/mem if you accidentally close that pesky editor window without save... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects [EMAIL PROTECTED] Network Associates Laboratories ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: undelete for FreeBSD current?
On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: > I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ > after a rm -rf of /usr/local > > I've kept the file system relatively quiet since then. TCT may help. http://www.porcupine.org/forensics/tct.html but I don't think it's been tested with current/ufs2. Also, don't expect to build it on the system and then find a deleted file. But if you have a clue of what you're looking for, just grepping /dev/da or /dev/ad might work. (grep -a -A100 -B100) -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[EMAIL PROTECTED]"