John Fiore on 25 Oct 2005 23:27:59 -0000



Re: [PLUG] Recovery 2.5GB of deleted files


You might want to check out sleuthkit and autopsy
(http://www.sleuthkit.org/).  They work for most major
filesystems, but I'm not sure how RAID thrown into the
mix will affect things.

As others have mentioned, the ideal situation would be
if you could image the drive with dd, and then perform
a recovery on the image, but 400 Gigs is a big drive
and it isn't cheap.  I would think that the tools
would work just fine on the drive itself, rather than
a drive image, but you'd increase your chances of a
successful recovery if you can at the very least run
the OS from a different disk, so that you minimize any
changes to the disk you're trying to recover.

I'm no expert on data recovery, but the more I think
of it, the more optimistic I am that if you must do it
this way, you should be ok working from the original
drive (again, making sure that you're not actually
mounting the thing and running the OS from it).  Aside
from the obvious fact that working from an image is
preferable to working from the original in case
something goes wrong, I believe one of the major
reasons the forensics people prefer to work from an
image, even when working read-only, is that they don't
want to modify file access times, which are important
when trying to piece together what might have happened
after an attack, which isn't your concern.  Maybe
others on the list could shed more light on this.  I'm
not an expert.

(On the other hand, none of us would know or think any
less of you if you should happen to go to Best Buy or
Staples, buy a large disk, and then return it in a few
days.)

Good luck.

--- Eugene Smiley <eug+plug@esmiley.net> wrote:

> So, I'm having an "OMG, NO!" moment. Last night I had 2.5 GB of files on my Debian testing Samba server accidentally get deleted. I didn't have backups because I was working on cp/mv'ing things to a directory layout I was happy with first, before putting them on a data DVD for backup.
> 
> Currently the machine is powered down so that nothing can be written to disk over the affected areas. The files are on a 400GB 3ware RAID5 ext3 partition. Before giving up last night, I tried 'recover', but the filters I tried didn't recover anything. Is there anything about ext over RAID that would prevent data recovery?
> 
> Right now, it's taking everything not to curl in a ball on the floor and suck my thumb while crying, "Oh my God... Oh my God... Oh my God..." But instead I thought I'd see if anyone had any ideas that might help.

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug