Hello,

Sometime lastweek my Linux Mint 64-bit installation became rootkitted and somebody felt it very kindly to wipe out a 1.5 TB drive that had priceless data on it. I know you're not suppose to put all your eggs in one basket but lets face it, I'm broke. Assuming the data wasn't over written by some dd if=/dev/zero of=(file), there has to be a way to recover some of the files off an ext3 partition.

Any suggestions would be much appreciated.

First I would mount the partition read only to another system so you can minimize the block over writes and then use something like foremost to scan the partition for identifiable files.

You find some of the tools you need in sleuthkit which is in the ubuntu repos.

http://www.sleuthkit.org/
http://foremost.sourceforge.net/ (is in the sleuthkit)

Thanks for the information frndrfoe.

I recently made the same mistake: rm -rf my_dir/
where my_dir contained many large files (movies, etc). I hit CTRL-C but unfortunately many had already been deleted. The drive was an external drive (Seagate Freeagent).

Would these tools work on large files on an external drive?
Any special suggestions for this case?

I doubt that the fact that it's an external drive could make any difference.

It does not matter how the drive is connected so it should work fine. Foremost looks for file headers and footers in the data blocks, allocated or not, and tries to extract the files based on the headers/footers that match what you have in foremost.conf. It has several pre-configured file types that you can comment/uncomment for your needs. If you don't see a pre cooked configuration for your file type you can do a little leg work and create on by looking at some known good files in a hex editor or by just searching the interwebs.

Always try to get a dd image of the drive in question if you can so if you discover a better method later you can revisit it.

Thanks for the suggestions guys. I hope you recover what you lost.

What hurts most is all the source code I've written from scratch, from examples, proof of concepts and code from jobs in PHP/VB6/C#.NET/JavaScript/Tcl/Java/Perl, C plugins for The Palace Visual Chat Linux server... just gone...

Somebody has absolutely no honor.

grep -a -A500 '#!/bin/bash' /dev/[your_partition] > file.txt

Could be used to grep from the raw disk to get 500 lins after finding the grep argument '#!/bin/bash'

You should know that ext3 does not just mark file space as unused - something ext2 and NTFS does, it actually overwrites any of your deleted data with zeroes.

Read this;
http://batleth.sapienti-sat.org/proj.../ext3-faq.html


EDIT: I would like to point out that ddrescue is an awesome tool for handling harddrive crashes and the like, could be worth looking into.

0 members found this post helpful.

It does not actually zero the sectors that contain the data itself, just the inode pointers.

1 members found this post helpful.

Darn! My bad, my bad.