| Walt Mankowski on 6 Dec 2007 23:02:11 -0000 |
|
On Thu, Dec 06, 2007 at 05:49:33PM -0500, brent saner wrote: > Walt Mankowski wrote: >> The inode doesn't get deleted until all all its links are remove *and* >> all its open filehandles are closed. > (SNIP) > > > one question i'm not seeing being addressed here, and needs to be: > what about unrm? > > http://freshmeat.net/projects/unrm/ > (man page: > http://staff.washington.edu/dittrich/talks/blackhat/tct/man/man1/unrm.1.html > ) > > and these methods: > http://www.faqs.org/docs/Linux-mini/Ext2fs-Undeletion.html#toc4 The reason it hasn't been addressed is that we've been talking about hidden files, not undeleting files. When you delete a file, the operating system just marks the data as being deleted. It doesn't need go through and do anything else to the underlying data. So if can find it on the raw device file you can still get at the data. Of course, since the OS thinks that space is available, the next file to come along might overwrite all or part of it, so it's not a very effective way to hide data. Walt Attachment:
signature.asc ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
|
|