Sometime last week my Linux Mint 64-bit installation became rootkitted and somebody felt it very kindly to wipe out a 1.5 TB drive that had priceless data on it. I know you're not supposed to put all your eggs in one basket, but let's face it, I'm broke. Assuming the data wasn't overwritten by some dd if=/dev/zero of=(file), there has to be a way to recover some of the files off an ext3 partition.
First I would mount the partition read-only to another system so you can minimize the block overwrites, and then use something like foremost to scan the partition for identifiable files.
You'll find some of the tools you need in sleuthkit, which is in the Ubuntu repos.
I recently made the same mistake: rm -rf my_dir/
where my_dir contained many large files (movies, etc). I hit CTRL-C but unfortunately many had already been deleted. The drive was an external drive (Seagate Freeagent).
Would these tools work on large files on an external drive?
Any special suggestions for this case?
It does not matter how the drive is connected, so it should work fine. Foremost looks for file headers and footers in the data blocks, allocated or not, and tries to extract the files based on the headers/footers that match what you have in foremost.conf. It has several pre-configured file types that you can comment/uncomment for your needs. If you don't see a pre-cooked configuration for your file type, you can do a little leg work and create one by looking at some known good files in a hex editor or by just searching the interwebs.
Always try to get a dd image of the drive in question if you can so if you discover a better method later you can revisit it.
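The header/footer carving described in the post above, as an added example that is not part of the original thread and is not foremost's own code: a minimal carver run over a constructed in-memory "image". The rule table, size limits and sample bytes are assumptions made for the demonstration; only the JPEG and PNG signatures are the standard ones.

```python
# Added example: minimal header/footer file carver (illustrative, not foremost).
from typing import NamedTuple

class Rule(NamedTuple):
    ext: str
    header: bytes
    footer: bytes
    max_len: int  # give up if no footer appears within this many bytes

# Standard magic numbers; the size limits are arbitrary values for this demo.
RULES = [
    Rule("jpg", b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
    Rule("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 1 << 20),
]

def carve(image: bytes, rules=RULES):
    """Return sorted (offset, ext, data) for each header..footer span found.

    The scan ignores the filesystem entirely, so it sees allocated and
    unallocated blocks alike, which is why it can find deleted files.
    """
    found = []
    for rule in rules:
        pos = image.find(rule.header)
        while pos != -1:
            window_end = min(len(image), pos + rule.max_len)
            end = image.find(rule.footer, pos + len(rule.header), window_end)
            if end != -1:
                end += len(rule.footer)
                found.append((pos, rule.ext, image[pos:end]))
                pos = image.find(rule.header, end)
            else:
                # Header whose footer was overwritten or lies out of range:
                # skip it and keep scanning.
                pos = image.find(rule.header, pos + 1)
    return sorted(found)

def build_sample_image() -> bytes:
    """Constructed sample: zeroed blocks with two fake files and one stub."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 64 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 10  # header only, no footer
    return b"\x00" * 512 + jpg + b"\x00" * 300 + png + b"\x00" * 200 + truncated

if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"{offset:08d}.{ext}  {len(data)} bytes")
```

Because the carver takes everything between a header and the next footer, it only reconstructs files whose blocks are contiguous; a large fragmented file comes out truncated or with foreign data in the middle.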
Thanks for the suggestions guys. I hope you recover what you lost.
What hurts most is all the source code I've written from scratch, from examples, proof of concepts and code from jobs in PHP/VB6/C#.NET/JavaScript/Tcl/Java/Perl, C plugins for The Palace Visual Chat Linux server... just gone...
You should know that ext3 does not just mark file space as unused, something ext2 and NTFS do; it actually overwrites any of your deleted data with zeroes.