3

I have a drive which was using the ext3 filesystem. I am told that about 10Gb of data was deleted off the drive (probably via rm). The drive is currently mounted as read-only to preserve all data. Does anyone know of a method to restore some or all of the data? Also if it helps, the OS was Fedora.

I've also been told that the data is mostly ASCII Fortran source code and Matlab files.

Conclusion

I have finally managed to get the data back, and with the simplest means ever! After weeks of trying and failing to bring back much of any data, I brought someone in today to take a look at it and offer suggestions, he simply cd'd to the directory and everything was there! It was never lost in the first place!!! Needless to say I feel really dumb right now, but I learned quite a lot with this whole fiasco.

At any rate, while I was looking through data forensics solutions, I found that Autopsy, or more specifically The Sleuth Kit, was the most helpful. So I will accept that as the final answer.

I would also like to note for anyone that comes across this later on that the most up-voted (currently) answer by sekenre was also helpful and I learned a lot, but ultimately it did not help with the type (very many, and some being very large) of files I was dealing with.

So thanks to all of you who provided suggestions, and I wish you all the best!

Mike

5 Answers

9

Try this tutorial

Basically you can use the command-line tool ext3grep to search through sections of the filesystem. I have not tried this myself; YMMV.

Sekenre
2

Autopsy has served me well for this purpose.

debugfs also might be of assistance

The other approach, which I suspect isn't possible since you're asking, is to restore from your backups ;)

Rog
1

If you have a department on staff that performs computer forensics, I would talk to them for guidance. They may have more specialized tools that could be available to you. We use EnCase for much of our work, and have had excellent luck recovering deleted files from all manner of filesystems. Autopsy is also an excellent free tool for doing the same kind of work, though my experience with it is rather lacking.

Scott Pack
0

There are a number of forensic file recovery tools available. One of them is Foremost.

Dennis Williamson
0

Since that question was referred to recently, I'll put another suggestion here: make a plain dd copy of the filesystem (can even be done with the box online, you just need space) and find out some plaintext that was definitely in the deleted files (with source code that should be perfectly possible). Then strings and grep the filesystem image ... primitive, but it worked for me at times :)

rackandboneman
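The dd-then-grep approach from the answer above, as an added shell example that is not part of the thread: it builds a small constructed image with a Fortran-like file sitting in one 4 KiB block, locates a plaintext fragment known to be in the deleted file by its byte offset, and carves the block containing it back out with dd. The image path and the file contents are constructed for the demo; GNU grep and dd are assumed.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Recover deleted text from a raw filesystem image by searching for a
# plaintext fragment known to be in the lost file (the "dd + grep" method).

# Build a constructed 64 KiB image: all zeros, with a Fortran-like source
# file written into block 3 (4096-byte blocks), standing in for a dd copy
# of a real filesystem whose directory entry was removed.
make_demo_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=4096 count=16 status=none
    printf '      PROGRAM HEAT\n      REAL T(100)\n      CALL SOLVE(T)\n      END\n' |
        dd of="$img" bs=4096 seek=3 conv=notrunc status=none
}

# Print the byte offset of every match of a known plaintext fragment.
# -a treats the binary image as text, -b -o reports the offset of each match.
find_offsets() {
    grep -a -b -o -- "$2" "$1" | cut -d: -f1
}

# Carve the whole 4 KiB block that contains byte offset $2, dropping the
# NUL padding so only the recoverable text is printed.
carve_block() {
    block=$(( $2 / 4096 ))
    dd if="$1" bs=4096 skip="$block" count=1 status=none | tr -d '\000'
}

# Usage: make_demo_image /tmp/demo.img
#        off=$(find_offsets /tmp/demo.img 'CALL SOLVE')
#        carve_block /tmp/demo.img "$off"
```

On a real image, run find_offsets against the dd copy with a distinctive line from the missing source, then carve the neighbouring blocks as well, since a file larger than one block will continue in adjacent blocks.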