Is this true about undelete

sundialsvcs · 11-30-2017, 10:12 AM

Quote:

Originally Posted by AwesomeMachine

In Linux "undelete" doesn't work the same way it does in Windows. Linux file systems are designed with inodes which point to a file. But sometimes the file is so small it will fit in the inode itself. In Linux, delete with the "rm" command clears the inode, so the only way to undelete the file is to search the entire drive for it.

In Windows, NTFS, fat32, etc. use file streams. The MFT (master file table) entry (OR FAT ENTRY) remains intact, and still points to the stream containing the file. Undeleting it simply entails unmarking it as deleted.

You must not only unmark the directory entry (if it still exists), but also correctly identify the set of disk-blocks that comprise the file. Any of those blocks could by now have been re-used, and the disk-allocation structures that were once reserved for the file may not exist either.

And even Windows does not work that way anymore. The old "FAT" file-systems offered maybe a ghost-of-a-chance, if there was no other simultaneous disk activity going on, but NTFS uses a much more modern architecture that is designed to be self-maintaining.

Long story short: if you need to "undelete" a file, hope you have a very-current backup!

SimonDevine · 11-30-2017, 12:01 PM

After my Dopey Deletion Antics, I have been looking at Online Backup options. Disks and Data Repositories are massive now so we do need these types of things.

A Google search listed quite a few, and, IMO, I thought IDrive was rather good. They are Linux aware and provide a pile of Perl Scripts for maintenance and the like.

The IDrive pricing for 2TB is ~$100 for a 2 year plan, with upfront payment providing the discount from $140.

They're here ... https://www.idrive.com/

A Google search of Online Backup will reveal a list URL to follow.