URGENT file recovery on RH Linux

Greg Rundlett greg at freephile.com
Sat Sep 27 00:56:23 EDT 2003


I was researching how to recover files on ext3 fs, and have found a lot
of old (circa 2000) information and utilities for recovering files from
ext2.  One such tool is called e2undel
(http://e2undel.sourceforge.net/usage.html) and in their usage document
they state:
 >
 > Why this does not work with ext3
 >
 > In general, ext2 and ext3 are compatible file systems: You can mount
 > an ext3 fs as ext2 and even use the ext2 low level utilities like
 > debugfs. However, ext3 behaves in a different manner in one crucial
 > point: If a file is deleted, its inode data are removed, too.
 > Especially, the list of data blocks is lost; so it is not possible to
 > recover any deleted file.
 >

I thought that one of the major benefits of ext3 was that it was a
journaling file system, which meant to me that it offers more advanced
data-recovery mechanisms.  I am finding out now that this means
corrupted data recovery, not deleted file recovery.  My new
understanding is confirmed by a quick look at a presentation on ext3 by
its creator, Dr. Tweedie
(http://olstrans.sourceforge.net/release/OLS2000-ext3/OLS2000-ext3.html).
In other words, ext3 is good at speedy system reboot after crashing
with complete data integrity.  It has nothing to do with deleted file
recovery such as the very useful "Gateway Go-Back" feature on my wife's
Windows 98 PC.

I need to recover directories since there are hundreds of files per
directory and manually trying to recover each file just is not feasible.
Is there anyone on the list who has recently recovered directories of
data on ext3?

I found many tools (outdated) until I finally found one that says it
works with ext3, AND it has a graphical interface (pretty important in
identifying large structures and recovering same).

That tool is called 'Sleuth Kit' (http://www.sleuthkit.org/index.php)
while the browser-based GUI is called Autopsy.  It looks very promising.

FYI, in case you have ext2, here are the other tools I found:

The Coroner's Toolkit by Dan Farmer and Wietse Venema
http://www.fish.com/tct/ last tested on RH6.1, includes a tool called
Lazarus

Recover http://recover.sourceforge.net/ talks about ext2

tldp mini howto on recovering files in ext2
http://www.tldp.org/HOWTO/Ext2fs-Undeletion.html

tldp mini howto on recovering directory structures (again in ext2)
http://tldp.org/HOWTO/Ext2fs-Undeletion-Dir-Struct/index.html

Anyone interested in security and digital forensics should note that
http://www.linuxsecurity.com/feature_stories/data-hiding-forensics.html
proved to be a good source of intelligent information on this subject.

There is also a commercial product at this site:
http://www.stellarinfo.com/download.htm for $90.  But, I will try Sleuth
Kit first.

Greg
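As an added illustration of the "one crucial point" the e2undel usage document describes (this is not code from the original post, from e2undel or from Sleuth Kit): the script below decodes the classic 128-byte ext2/ext3 on-disk inode and applies the check an ext2 undelete tool depends on, namely that a deleted inode (dtime set) is only worth anything if its 15-entry block list (i_block) still points at data. The three inodes it examines are constructed inside the script as sample data; nothing is read from a real disk, and the "ext2 behaviour" and "ext3 behaviour" samples simply model what the quoted text says each filesystem does on delete.

```python
import struct

# Little-endian layout of the classic 128-byte ext2/ext3 inode (struct
# ext2_inode).  Field order: mode, uid, size, atime, ctime, mtime, dtime,
# gid, links_count, blocks, flags, osd1, i_block[15], generation,
# file_acl, dir_acl, faddr, osd2.
INODE_FMT = "<HHIIIIIHHIII15IIIII12s"
INODE_SIZE = struct.calcsize(INODE_FMT)   # 128


def parse_inode(raw):
    """Unpack one on-disk inode into the fields an undelete tool cares about."""
    if len(raw) < INODE_SIZE:
        raise ValueError("need %d bytes, got %d" % (INODE_SIZE, len(raw)))
    f = struct.unpack(INODE_FMT, raw[:INODE_SIZE])
    return {
        "mode": f[0],
        "size": f[2],
        "dtime": f[6],              # deletion time; 0 while the inode is in use
        "links": f[8],
        "blocks": f[9],             # 512-byte units allocated to the file
        "i_block": list(f[12:27]),  # 12 direct, 1 indirect, 1 double, 1 triple
    }


def direct_blocks(inode):
    """Block numbers the inode still points at directly (i_block[0..11]).
    Indirect pointers (i_block[12..14]) would have to be followed by reading
    the device, which this offline example does not do."""
    return [b for b in inode["i_block"][:12] if b]


def classify(inode):
    """The e2undel-style test: is there anything left to undelete from this inode?"""
    if inode["dtime"] == 0:
        return "in use"
    if any(inode["i_block"]):
        return "deleted, block list intact (ext2 behaviour: recoverable)"
    return "deleted, block list zeroed (ext3 behaviour: not recoverable from inode)"


def make_inode(size, dtime, block_ptrs):
    """Build a constructed sample inode (test data, not taken from a real disk)."""
    ptrs = (list(block_ptrs) + [0] * 15)[:15]
    return struct.pack(INODE_FMT,
                       0o100644, 1000, size,                       # mode, uid, size
                       1064000000, 1064000000, 1064000000, dtime,  # atime, ctime, mtime, dtime
                       1000, 0 if dtime else 1,                    # gid, links_count
                       (size + 511) // 512, 0, 0,                  # blocks, flags, osd1
                       *ptrs,                                      # i_block[15]
                       0, 0, 0, 0, b"\0" * 12)                     # generation, acls, faddr, osd2


# Constructed samples: a 3000-byte file occupying 1 KiB blocks 100-102.
LIVE_FILE    = make_inode(3000, 0, [100, 101, 102])
EXT2_DELETED = make_inode(3000, 1064600000, [100, 101, 102])  # ext2 leaves the pointers
EXT3_DELETED = make_inode(0, 1064600000, [])                  # ext3 clears them on delete

if __name__ == "__main__":
    for name, raw in (("live", LIVE_FILE), ("ext2 rm", EXT2_DELETED), ("ext3 rm", EXT3_DELETED)):
        ino = parse_inode(raw)
        print("%-8s %-75s direct blocks=%s" % (name, classify(ino), direct_blocks(ino)))
```

The same parse-and-classify step is what a `debugfs lsdel` walk or an ext2 undelete tool does for every inode in the inode table; on ext3 the walk finds the deleted inodes but the block lists are empty, which is why the post's directories have to be recovered by carving the data blocks (the Sleuth Kit route) rather than by undeleting inodes.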
