LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-29-2005, 09:26 PM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Rep: Reputation: 53
How can I view delete files?


How can I view delete files? If that space has not been overwritten yet.
 
Old 07-29-2005, 09:43 PM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

Rep: Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108Reputation: 1108
As far as I am aware, no Unix filesystem provides "undelete" capability. Sorry.
 
Old 07-29-2005, 09:45 PM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
How does the FBI do it then?

Surely the data is still on the drive immediately after the file was deleted.

Is there an open source software package that lets me view files (data on the drive) not listed with the ls command?
 
Old 07-29-2005, 09:59 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Checkout the forensics section in security references thread. There are a number of links on "undeletion" including a number of tools used in forensic file recovery. Ease of recovery depends alot on your type of filesystem and some of the tools are less than user-friendly, so your mileage may vary.
 
Old 07-29-2005, 10:11 PM   #5
ahh
Member
 
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293

Rep: Reputation: 31
Google is your friend

http://www.google.co.uk/search?hl=en...e+Search&meta=
 
Old 07-30-2005, 09:32 AM   #6
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 620

Rep: Reputation: 30
Howzit

The easiest way to explain this is in the following manner. Imagine a filing cabinet and in each draw u have a indexer so that you are able to find the location of the file. When u delet a file it removes the indexer therefore the file still remains on disk. When you copy a new file onto the system because that area is no longer marked by the indexer the file may be copied to the same area and if that happens then the file is lost for good. If the file gets copied to another area then the original data still remains in that area which then with special tools you are able to recover that data from the disk.

Hope this helps

Cheers
Tony
 
Old 07-30-2005, 10:37 AM   #7
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,257

Original Poster
Rep: Reputation: 53
Which one has the best interface to view a windows harddrive?

Has anyone used:
http://www.sleuthkit.org/autopsy/download.php
 
Old 07-30-2005, 05:11 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Depends on what you prefer, but Autopsy has a GUI interface and has support for NFTS and FAT partitions. TCT would go under "not particularly user-friendly". Here's also a brief review of it (Autopsy):

http://www.informit.com/guides/conte...eqNum=107&rl=1
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
unable to view .vsd files (Visio Files) mr_manny Linux - General 5 11-30-2006 07:03 PM
How to delete files that won't delete? di11rod Linux - Security 7 10-19-2005 09:14 PM
How can konqueror view html files in .gz & .bz2 files directly? ailinzhe Linux - Software 5 05-24-2004 08:36 AM
Can't view or delete installed programs in mandrake Ulrik_Uppkastar Linux - Software 1 11-30-2003 01:08 PM
How to delete the destination files while the source files deleted in cp -u ? myunicom Linux - General 4 09-26-2003 01:13 PM


All times are GMT -5. The time now is 11:19 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration