LinuxQuestions.org

apink 01-10-2013 01:45 PM

recovering deleted file without intact inode
 
I am trying to recover some sqlite files that were deleted due to operator error. (Doh!) The files were on an ext2 partition of an sd card which has been imaged. Of five files deleted, four were recovered using debugfs -> lsdel then -> dump. The fifth file does not show up in the debugfs->lsdel list.

Other attempts have been made with foremost and photorec. Photorec has come the closest, recovering a portion of the file. Unfortunately lots of data is missing from the file.

From photorec I know the location (logical sector number?) of the start of the file. The file is around 15 blocks long so I am assuming that it is spread out on the drive.

My questions:

1. Are there tools that piece together a file given the logical sector number of the beginning of the file?
2. I am guessing that since the inode of this fifth file does not show up in debugfs->lsdel that this particular inode was used for a new file after the deletion took place. But if this is not the case is there a way to search for inodes given the file's location?

Any answers or other suggestions are much appreciated. I have searched forums etc and am stuck.

unSpawn 01-10-2013 04:09 PM

Quote:

Originally Posted by apink (Post 4867261)
Other attempts have been made with foremost and photorec. Photorec has come the closest, recovering a portion of the file. Unfortunately lots of data is missing from the file.

Photorec, scalpel and foremost can only carve based on known file headers and footers. And AFAIK SQLite files don't have a specific footer that terminates the database file.


Quote:

Originally Posted by apink (Post 4867261)
Are there tools that piece together a file given the logical sector number of the beginning of the file?

An inode lists blocks in use by a file. But apart from those some hold addresses for other blocks: the secondary and tertiary indirect blocks. Once a file's inode information gets reset the list of direct blocks is gone as well as any pointers to other blocks: so it's not a case of "walking a tree" across a file system. (On a side note this also means that anyone offering to have had "good results" with any product like St*ll*r Ph**n*x Linux Data Recovery most of the time de-cloaks as just an ordinary spammer trying to take advantage of victims of data loss. Those accounts get the care and attention they deserve.)


Quote:

Originally Posted by apink (Post 4867261)
I am guessing that since the inode of this fifth file does not show up in debugfs->lsdel that this particular inode was used for a new file after the deletion took place.

A file gets listed in exactly one inode only so if the inum doesn't show up in 'lsdel' then it's not used. Depending on the size of the SD, existing files and files recovered you could try zeroing out known files and hope the majority of the rest is the SQLite db contents you're looking for but if the db contains only plain text you might as well just grep the device for strings first...
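
Added example, not part of any post in this thread: an SQLite file has no footer, but its 100-byte header records the page size and (when written by SQLite 3.7.0 or later) the page count, so the expected length can be read from the known start offset and each page checked for a plausible B-tree type byte. The function names and the sample image are constructed for illustration; on a real image the start offset is the sector number from photorec times the sector size.

```python
import struct

MAGIC = b"SQLite format 3\x00"
BTREE_TYPES = {0x02, 0x05, 0x0A, 0x0D}  # index/table interior, index/table leaf

def parse_header(img, off):
    """Return (page_size, page_count or None) for a header at byte offset off."""
    hdr = img[off:off + 100]
    if len(hdr) < 100 or hdr[:16] != MAGIC:
        return None
    (page_size,) = struct.unpack(">H", hdr[16:18])
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # must be a power of two between 512 and 65536
    change_counter, page_count = struct.unpack(">II", hdr[24:32])
    (valid_for,) = struct.unpack(">I", hdr[92:96])
    # The in-header size is only trustworthy when these two counters agree.
    if page_count == 0 or change_counter != valid_for:
        page_count = None
    return page_size, page_count

def suspect_pages(img, off, page_size, page_count):
    """1-based page numbers whose first byte is not a B-tree page type."""
    suspects = []
    for n in range(1, page_count + 1):
        # Page 1 carries the 100-byte file header before its B-tree header.
        pos = off + (n - 1) * page_size + (100 if n == 1 else 0)
        if pos >= len(img) or img[pos] not in BTREE_TYPES:
            suspects.append(n)
    return suspects

def build_sample():
    """Constructed image: 2048 junk bytes, then a 4-page db with page 3 overwritten."""
    hdr = bytearray(100)
    hdr[:16] = MAGIC
    struct.pack_into(">H", hdr, 16, 1024)   # page size
    struct.pack_into(">II", hdr, 24, 7, 4)  # change counter, page count
    struct.pack_into(">I", hdr, 92, 7)      # version-valid-for
    pages = [bytearray(1024) for _ in range(4)]
    pages[0][:100] = hdr
    pages[0][100] = 0x0D
    pages[1][0] = 0x0D
    pages[3][0] = 0x05
    return b"\xff" * 2048 + b"".join(bytes(p) for p in pages)

if __name__ == "__main__":
    img, start = build_sample(), 2048
    page_size, page_count = parse_header(img, start)
    print("expected length:", page_size * page_count, "bytes")
    print("pages to inspect:", suspect_pages(img, start, page_size, page_count))
```

A flagged page is only a candidate: overflow, freelist and pointer-map pages do not start with a B-tree type byte either, so each one needs a manual look before concluding the file is fragmented at that point.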

apink 01-10-2013 10:55 PM

Quote:

Originally Posted by unSpawn (Post 4867316)

Depending on the size of the SD, existing files and files recovered you could try zeroing out known files and hope the majority of the rest is the SQLite db contents you're looking for but if the db contains only plain text you might as well just grep the device for strings first...

Thanks. I will start there. The sd contains lots of databases that look the same so zeroing out might be helpful.

