how to restore deleted files?

hi all. i have a little problem. i have deleted some files from my /var/www/html directory yesterday and i don't have a backup. so is there is a way to restore this this files again? i know under windows there are some programs who can do that but i don't know for linux.

thanks in advance

This may seem obvious but did you check your trash?

If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file.
You may get a good percentage of your files depending on what you did meanwhile.

Also this, I think it works with the disk and not the ram:
http://freshmeat.net/projects/unrm/

i tried this link and the program is working just fine. anyway the problem is that this program is only works with ext2 but my partitions are ext3. also under /dev i have just this files:

full log null ptmx pts/ random reboot tty urandom zero



is there a possibility kcore to be on some other location?

thanks

Quote:

Originally Posted by nx5000 If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file. You may get a good percentage of your files depending on what you did meanwhile. Also this, I think it works with the disk and not the ram: http://freshmeat.net/projects/unrm/

What is your distribution?

It is CentOs 4

Quote:

Originally Posted by nx5000 What is your distribution?

Quote:

Originally Posted by ice99 my partitions are ext3.

It's really hard or impossible to recover files directly on ext3, since it zeroes out the inodes after you delete them. You may have to do things like grep through the drive to recover your stuff.

Quote:

Originally Posted by ice99 It is CentOs 4

Mmmh I won't be of any help, the only centos I have is in a virtual machine and I don't have this machine now.
Maybe centos doesn't use a file for this, maybe ask somewhere else or if you're lucky somebody will pop in..

Also spooon is right, you can dump the disk with dd ( TO ANOTHER DISK )
I don't know the physical structure of ext3.

In any case, do not reboot and try to not touch this disk.

You have to grep through the partition... look for the content of the file.

http://www.linuxquestions.org/questi...d.php?t=428962
http://www.linuxquestions.org/questi...grep+partition

Basically the pattern is:

grep -a --color -A3 -B1 sometext /dev/hdxy

use debugfs command; check the deleted files with lsdel command, u can use rdump command to restore the files! ofcourse it may not restore all the files.


ramesh

Grepping can do if you're mainly concerned with text. You could try a header/footer based approach (think file: magic) using "foremost". RPMForge and Dries repositories have rpm's for it. Running it as "foremost -a -d -v -T -t all -i /dev/hdb1 -o /tmp/foremost" (where hdb1 is the remounted-read-only partition and /tmp/foremost the output dir) recovered 11 out of 24 files after deleting the dirs. Lsdel and debugfs can only be used on ext2fs.

Quote:

Originally Posted by nx5000 If and only if you have not rebooted, copy /dev/kcore somewhere and then try to find something in this file. You may get a good percentage of your files depending on what you did meanwhile.

hi, i'm trying this just for educational purposes (i don't really need to recover anything)... i assume you mean /proc/kcore, right?? well, i did a:

Code:

cat /proc/kcore > /tmp/kcore

and i ended-up with a file 543MB in size...

how would i go about searching this file for deleted files??

Code:

bash-3.1$ ls -l /tmp/kcore 
-rw-r--r--  1 root root 568926208 2006-04-12 20:30 /tmp/kcore
bash-3.1$ file /tmp/kcore 
/tmp/kcore: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, SVR4-style, from 'vmlinux', bad note name size 0xe0800000

Its the contents of your memory (swap / ram )
Well, from here you could play with strings.

strings /tmp/kcore

do you have vi?