RE: undelete for FreeBSD current?
Thanks Robert, The strings method worked very well in this instance. -Original Message- From: Robert Watson [mailto:[EMAIL PROTECTED] Sent: Thursday, 13 November 2003 1:59 PM To: Barney Wolff Cc: Thyer, Matthew; '[EMAIL PROTECTED]' Subject: Re: undelete for FreeBSD current? On Wed, 12 Nov 2003, Barney Wolff wrote: On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ after a rm -rf of /usr/local I've kept the file system relatively quiet since then. TCT may help. http://www.porcupine.org/forensics/tct.html but I don't think it's been tested with current/ufs2. Also, don't expect to build it on the system and then find a deleted file. But if you have a clue of what you're looking for, just grepping /dev/dan or /dev/adn might work. (grep -a -A100 -B100) Assuming that the file system had a fair amount of free space, and therefore wasn't fragmented, I've always found the strings command quite helpful in recovering text files after loss or deletion. It can also be nicely applied to /dev/mem if you accidentally close that pesky editor window without save... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects [EMAIL PROTECTED] Network Associates Laboratories ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
undelete for FreeBSD current?
I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ after a rm -rf of /usr/local I've kept the file system relatively quiet since then. Is there a port that can achieve this? Otherwise pointers to web sites or mail archives regarding the use of fsdb to achieve this would be helpful. Please no replies about backups. Matthew Thyer Phone: +61 8 8259 7249 Science Corporate Information Systems Fax:+61 8 8259 5537 Defence Science and Technology Organisation, Edinburgh PO Box 1500 EDINBURGH South Australia 5111 IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: undelete for FreeBSD current?
On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ after a rm -rf of /usr/local I've kept the file system relatively quiet since then. TCT may help. http://www.porcupine.org/forensics/tct.html but I don't think it's been tested with current/ufs2. Also, don't expect to build it on the system and then find a deleted file. But if you have a clue of what you're looking for, just grepping /dev/dan or /dev/adn might work. (grep -a -A100 -B100) -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: undelete for FreeBSD current?
On Wed, 12 Nov 2003, Barney Wolff wrote: On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote: I've done a bad thing and need to recover a single file in /usr/local/etc/rc.d/ after a rm -rf of /usr/local I've kept the file system relatively quiet since then. TCT may help. http://www.porcupine.org/forensics/tct.html but I don't think it's been tested with current/ufs2. Also, don't expect to build it on the system and then find a deleted file. But if you have a clue of what you're looking for, just grepping /dev/dan or /dev/adn might work. (grep -a -A100 -B100) Assuming that the file system had a fair amount of free space, and therefore wasn't fragmented, I've always found the strings command quite helpful in recovering text files after loss or deletion. It can also be nicely applied to /dev/mem if you accidentally close that pesky editor window without save... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects [EMAIL PROTECTED] Network Associates Laboratories ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
