Hiya all,

Got a quirky one here.
I was asked today, just a little bit ago, if I could find a way to recover some files that were deleted from the central storage server.

Here is the scenario:
The central server is running Linux, and a samba server. All local nodes can access the storage drives via their winbloz machines. They can all write to and delete from... (ya I know, but it isn't my network, and I didn't set it up)
Ok, so, most likely, someone was on a local wintendo machine, and deleted these files that now need to be "undeleted" so to speak.

Is there a way to recover such a loss? I don't have a whole lot of info on exactly what needs to be recovered, but I do know the name of at least one dir that was trashed.
Any ideas? or utilities that can be implemented?

Any help is gr8ly appreciated.
Tnx.
L8rz

Well, it depends on the filesystem in use on the server. However, if it's been running since the deletion... your chances get slimmer and slimmer. Every write could be overwriting the files deleted. And the fuller the drive, the greater the chances of this.

Well, actualy it turns out that it isn't running Linux. It's running Unix. The exact flavor... I'm not quite sure.
Most likely a flavour of Solaris, tho 'm pretty sure it isn't the newer versions. (judging by the older solaris software sitting on the shelf)

However, the main problem is, they don't know the passwords to the server. So basically, when they have a problem and need to shutdown, they simply pull the plug. Litterally.
However, I'm sure I can find a way into the system via an ssh.

But, I'm not really remembering any unix utilities that will allow an admin to recover deleted stuff. At least nothing that is default with a Solaris package.
At any rate, I'm not sure that much can be done from this point.
But I'm still open to suggestions.

Tnx.
L8rz

The same sort of principles apply to Solaris as Linux. Though, if nobody has admin passwords, that spells bad news all over.

so no one has root passwords... and people are deleting stuff... and I doubt you have daily backups then, right?? That's a big no-no... I think you are out of luck.

Ya, well I already knew that not having the root pw was a big problem, and the fact that this situation even exists is a problem. Thanks for re-stating the obvious, and what I've already posted.

However, I can most likely obtain the pw's from the main office IF I can figure out a way to recover the files.
The storage server isn't written to and deleted from on a regular basis.

Again I remind you this isn't my network, nor did I set it up, so please stop with the "this is a big no no for security" issues.
Tnx.

L8rz

You need to relax a little buddy. I was not being a jerk to you. I never said it was your fault or anything like that.

You also never stated whether there were backups being made. I assumed not because of the unorganized mess you had to walk in to.

Again, to the best of my knowledge, I think you'reout of luck. I didn't say you not having root password is a 'big no no for security'..I said that not having daily back-ups is a big no no on their part...

I hope you find something that will help you. I would also suggest writing up a plan of administration for the system.. when it is backed up.. when it is updated.. etc. Present it to the main office and see what they can do so this kind of situation doesn't happen again.

Good Luck

Ya man, relaxing isn't part of this job... unfortunatly.
At any rate, I didn't mean to sound harsh.
I've already tried to get these people to "do the right thing" and all they end up doing is locking out the machines that don't have the problems. It's a real merry-go-round at times. It's a real 2-steps forward 3-steps backwards type scenario. Constantly. But, that's how office pukes usually run the show anyway... I mean they know best right?

Anywho, I've pretty much told them that they are skrewd because they didn't listen to the planning in the first place last year on the other vessels, so they only have themselves to blame.

Tnx for the help guys.
L8rz

http://www.sleuthkit.org/
I don't know if that will do you any good, thought that I would post it.