LinuxQuestions.org


newlinuxnewbie 10-04-2005 06:46 PM

200GB of files Deleted - How to Recover?
 
I just lost 200GB of data due to deletion by a hacker. Is there any possibility of recovering the files? I found out it is using ext3.

Please help me.

Thanks!!

anomie 10-04-2005 07:09 PM

First - not to make light of your serious situation - but a cracker deleted your files. A hacker did not.

The first thing you need to do is turn the PC off - stop using it. The recovery process will probably have to happen with Knoppix or another live CD. While you leave the computer running, you are overwriting the drive space where the unlinked, "removed" files are.

Have a look at the Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html

The tools you may be able to use are unrm and lazarus. I have not used either but I've read about this toolkit.

Unfortunately, with 200GB of data I have serious doubts that you will be able to recover most of it. :(

unSpawn 10-04-2005 07:40 PM

Second thing after shutting down is securing the state of the drive(s). Bring the box up again with KNOPPIX, FIRE or PSK, mount the partitions read-only and make a backup to another box or put the HDs in another box to clone them there.

After that you have to consider how much this data is worth because learning forensics tools like TCT, Sleuthkit and Autopsy *will cost you time* + the longer the period between unlinking and fixating the data the less chance you stand. You should read the docs and then practice on another box with trivial data. Do this at least a few times so you learn from mistakes etc, etc. When you're ready to work with your backups (only work on the backups, never the original data in case it all fscks up), make sure you set up your workstation with plenty of spare storage.

Good luck.
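
The preservation step described in the post above, as an added example that is not part of the original thread: image the source, prove the copy is bit-identical, and check working copies against the recorded hash. The post names no imaging tool; `dd` and `sha256sum`, the function names and all paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: image a source, record its SHA-256, verify the copy.
# Paths are placeholders; on a real case SRC would be the affected partition
# as seen from the live CD and IMG a file on separate storage.

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

image_and_verify() {
    src=$1 img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Refuse if the source is currently mounted read-write: every write
    # risks reusing blocks that held the unlinked files.
    if awk -v d="$src" '$1 == d && $4 ~ /^rw(,|$)/ { f = 1 } END { exit !f }' \
        /proc/mounts 2>/dev/null; then
        echo "$src is mounted read-write" >&2; return 3
    fi
    # Never overwrite an earlier image.
    if [ -e "$img" ]; then echo "$img already exists" >&2; return 4; fi
    dd if="$src" of="$img" bs=1048576 2>/dev/null || return 5
    # Hash source and copy separately; they must match bit for bit.
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    [ "$src_hash" = "$img_hash" ] || { echo "hash mismatch" >&2; return 1; }
    echo "$img_hash" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"   # master copy stays read-only
    return 0
}

# Check a working copy against the recorded hash before and after analysis.
verify_image() {
    [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}
```

Recovery tools are then pointed at a copy of the master image, and `verify_image` shows whether that working copy has been altered since it was taken.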

newlinuxnewbie 10-04-2005 08:20 PM

I was told that it is impossible to recover deleted files from partitions using the ext3 file system. Can these tools help me recover the files?

Yes, a cracker deleted the files. I am trying to find out how he got in and hopefully get enough information to prosecute him.

Agrouf 10-05-2005 12:03 PM

In some cases, testdisk can help.


All times are GMT -5.