Urgent!!! Recovery of data

kayasaman · 10-31-2008, 07:29 PM

Hi,

I managed to accidently wipe some important folders containing about 24GB of data using the rm tool from the terminal with the wildcard flag * set which prompted the unwanted erase.

Does anyone know how to get it back?

I haven't touched the disk since it's a secondary drive currently.

If anyone knows anything I would be SOOOOOO greatfull

Thanks

**OS is Debian Etch

Quakeboy02 · 10-31-2008, 08:00 PM

More than likely, it's gone for good. If it's on an ext2 system this may help: http://www.stud.tu-ilmenau.de/~mojo/undelete.html. It's on an ext3 system, I've read that you're out of luck. Someone recommended photorec which is part of the testdisk package. You should also do a search here on LQ on the phrase "recover deleted data".

kayasaman · 10-31-2008, 08:09 PM

It's ext3 filesystem but since it's a drive which doesn't get written to just read from maybe there might be a way to recover it?

Each file size is about 350MB and I've unmounted the drive already.

I don't know if there's software that can get it back or if somehow using the CLI I can recover it?

kayasaman · 10-31-2008, 08:30 PM

I've just searched high and wide on everything and lots for ext2 and text plus document files but mine are video files! .avi format.

I have found this page which hopefully will help me but I have to try out a little.

kayasaman · 10-31-2008, 08:55 PM

The site I found was here: http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html

which is a program called ext3 grep.

However I have no idea what it's talking about when it says $IMAGE, plus it seems like again this software is for text files??

Uh I have a headache now

I didn't even use the rm -rf command just rm on it's own

aaaah oh well 60 videos lost to the abyss which is my hard drive!

richwmn · 10-31-2008, 09:12 PM

There is an undelete function in the latest versions of midnight commander which may help you. It works on an unmounted partition. Google midnight commander undelete and you should get some information on it.

Rich

kayasaman · 10-31-2008, 09:14 PM

hmm just thought I might be able to use the software on my system however it won't compile as it needs another component which is not available through apt and I'm sure they will complain that Debian's lib files and other files are too old

uh

It was gona be a nice evening tonight just me and the computer but now has turned into a disaster, oh well maybe after some sleep I might become lucky or if anyone has any other suggestions it would be great!

kayasaman · 10-31-2008, 09:15 PM

Quote:

There is an undelete function in the latest versions of midnight commander which may help you. It works on an unmounted partition. Google midnight commander undelete and you should get some information on it.

Rich

Oh thanks Rich was just typing I think when you posted!

I will apt-get m-c now and take a look quickly before turning in for the night.

kayasaman · 10-31-2008, 09:32 PM

Google'd for mc but unfortunately everything came up with the fact that it won't work for ext3 and not for the size of data I'm talking about either

I found somewhere that said you can do it through the /proc directory: http://glandium.org/blog/?p=87

But still I haven't had any luck mainly as I'm not sure what to read in the /proc directory.

Ok time for me to turn in now, maybe I'll get lucky tomorow?

kayasaman · 11-01-2008, 10:09 AM

Ok well after a lot of searching and reading I discovered The Sleuth Toolkit and Autopsy, also Magicrescue.

http://www.student.dtu.dk/~s042078/magicrescue/

http://www.sleuthkit.org/sleuthkit/

Magicrescue seems to be for corrupted patitions and The Sleuth Kit more for forensic analysis, one of these tools is going to work somehow for me but at the moment I'm not understanding their manual pages!!

They keep talking about using an image of the drive but don't tell you how to create one or where to put it to use it?

Looks like more reading needed!

H_TeXMeX_H · 11-01-2008, 10:40 AM

In worst case scenario you can still recover files with intact headers using foremost.

Next time you should try to use a wrapper to prevent deleting of very important stuff, for example I use this:

Code:

#!/bin/sh

# this script takes only 2 arugments total
if test "$#" != 2
then
  # fail
  echo 'ERROR: This script requires exactly 2 arguments'
  exit 1
fi

# don't delete things 2 levels from the root directory
if find / -type d -maxdepth 2 | grep "$2" 1> /dev/null
then
  # fail
  echo "ERROR: Bad idea, will not remove $2"
  exit 1
fi

rm "$1" "$2"

# success
exit 0

kayasaman · 11-01-2008, 10:48 AM

Thanks H_TeXMeX_H, I will have a look at the manual and howtos for foremost.

Since I just need to recover these files and nothing major I need fast quick and simple, but obviously if it takes time then it will take as long as it needs!!

kayasaman · 11-01-2008, 11:17 AM

Ok done the reading, currently two major questions come to mind:

1. What is the image.dd file that everyone talks about and how do I create one?

2. Can I recover the file names used aswell, is this the function of foremost?

I've run magicrescue and it's cycling currently but the names are not there, well actually I don't see the proper files there either yet as it claims that there isn't sound on any file??

Thanks

H_TeXMeX_H · 11-01-2008, 11:28 AM

You use 'dd' to create image.dd, say you have a partition called /dev/hdb1, to make at image you run this from a different partition:

Code:

dd if=/dev/hdb1 of=image.dd

This will make byte for byte copy of the partition to a file called image.dd (it will be large). Then you can scan that image using foremost or other tools.

No tool that I know of can recover file names, sorry.

Oh, and be careful using dd it stands for data destroyer.

kayasaman · 11-01-2008, 11:57 AM

Thanks for the tip!

I have no idea if this will work as magicrescue has only found 4MB videos so far and not the 350MB ones that I need, mind you it is a 250GB drive with only one partition spanning the drive so I guess be patient and hope for the best.

If not I will try The Sleuth Tookkit and see if that works, although I don't have anywhere to put the image file if as you say the image is of the partition as that would mean 250GB - oh boy... hmm an external drive might do the trick here.

Well using the command you gave:

Quote:

dd if=/dev/hdb1 of=image.dd

This will make byte for byte copy of the partition to a file called image.dd (it will be large). Then you can scan that image using foremost or other tools.

Would that mean that the information in the drive will be lost but instead transferred to the image?

So say where output of=image.dd will be in a directory, eg. /usr/image or /mnt/external_drive/image