URGENT file recovery on RH Linux

Greg Rundlett greg at freephile.com
Sat Sep 27 00:43:24 EDT 2003


I was researching how to recover files on ext3 fs, and have found a lot 
of old (circa 2000) information and utilities for recovering files from 
ext2.  One such tool is called e2undel 
(http://e2undel.sourceforge.net/usage.html) and in their usage document 
they state:
> 
> Why this does not work with ext3 
> 
> In general, ext2 and ext3 are compatible file systems: You can mount an ext3 fs as ext2 and even use the ext2 low level utilities like debugfs. However, ext3 behaves in a different manner in one crucial point: If a file is deleted, its inode data are removed, too. Especially, the list of data blocks is lost; so it is not possible to recover any deleted file. 
> 

I thought that one of the major benefits of ext3 was that it was a 
journaling file system, which meant to me that it offers more advanced 
data-recovery mechanisms.  I am finding out now that this means 
corrupted data recovery, not deleted file recovery.  My new 
understanding is confirmed by a quick look at a presentation on ext3 by 
its creator Dr. Tweedie 
(http://olstrans.sourceforge.net/release/OLS2000-ext3/OLS2000-ext3.html). 
  In other words, ext3 is good at speedy system reboot after crashing 
with complete data integrity.  It has nothing to do with deleted file 
recovery such as the very useful "Gateway Go-Back" feature on my wife's 
Windows 98 PC.

I need to recover directories since there are hundreds of files per 
directory and manually trying to recover each file just is not feasible.
Is there anyone on the list who has recently recovered directories of 
data on ext3?

I found many tools (outdated) until I finally found one that says it 
works with ext3, AND it has a graphical interface (pretty important in 
identifying large structures and recovering same).

That tool is called 'Sleuth Kit' (http://www.sleuthkit.org/index.php) 
while the browser-based GUI is called Autopsy.  It looks very promising.

FYI, in case you have ext2, here are the other tools I found:

The Coroner's Toolkit by Dan Farmer and Wietse Venema 
http://www.fish.com/tct/ last tested on RH6.1, includes a tool called 
Lazarus

Recover http://recover.sourceforge.net/ talks about ext2

tldp mini howto on recovering files in ext2
http://www.tldp.org/HOWTO/Ext2fs-Undeletion.html

tldp mini howto on recovering directory structures (again in ext2)
http://tldp.org/HOWTO/Ext2fs-Undeletion-Dir-Struct/index.html

Anyone interested in security and digital forensics should note that 
http://www.linuxsecurity.com/feature_stories/data-hiding-forensics.html 
proved to be a good source of intelligent information on this subject.

There is also a commercial product at this site: 
http://www.stellarinfo.com/download.htm for $90.  But, I will try Sleuth 
Kit first.

Greg
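
The difference described in the quoted e2undel documentation is visible in the on-disk inode itself. The sketch below is an added example, not part of the original post or of any tool it mentions: it decodes the classic 128-byte ext2/ext3 inode layout and reports whether a deleted inode still carries its block list. The function names and the sample inodes are constructed for illustration.

```python
import struct

# Classic 128-byte ext2/ext3 on-disk inode (little-endian), first 100 bytes:
# mode, uid, size, atime, ctime, mtime, dtime, gid, links, blocks, flags,
# osd1, then i_block[15] (12 direct, 1 indirect, 1 double, 1 triple).
INODE_HEAD = struct.Struct("<HHIIIIIHHIII15I")
INODE_SIZE = 128


def parse_inode(raw):
    """Decode the fields that matter for undelete triage."""
    if len(raw) < INODE_HEAD.size:
        raise ValueError("short inode: need at least %d bytes" % INODE_HEAD.size)
    f = INODE_HEAD.unpack_from(raw)
    return {"size": f[2], "dtime": f[6], "links": f[8], "i_block": list(f[12:27])}


def triage(raw):
    """Return (status, surviving block pointers) for one raw inode."""
    ino = parse_inode(raw)
    pointers = [b for b in ino["i_block"] if b != 0]
    if ino["dtime"] == 0:
        return ("not deleted", pointers)
    if pointers:
        # ext2 behaviour: deletion time set, block list still present.
        return ("deleted, block list intact", pointers)
    # ext3 behaviour quoted above: the block list is gone from the inode.
    return ("deleted, block list wiped", [])


def make_inode(size, dtime, links, blocks):
    """Build a constructed sample inode (regular file, mode 0100644)."""
    ptrs = list(blocks) + [0] * (15 - len(blocks))
    head = INODE_HEAD.pack(0o100644, 0, size, 0, 0, 0, dtime, 0, links, 0, 0, 0, *ptrs)
    return head + bytes(INODE_SIZE - len(head))


# Constructed samples, not taken from a real file system.
SAMPLES = {
    "live": make_inode(8192, 0, 1, [1001, 1002]),
    "ext2-deleted": make_inode(8192, 1064637804, 0, [1001, 1002]),
    "ext3-deleted": make_inode(0, 1064637804, 0, []),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

An inode in the "block list wiped" state gives an undelete tool nothing to follow, which is why recovery on ext3 has to rely on other sources such as content carving.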





