Date: Wed, 3 Oct 2001 22:30:38 +0200
From: Martijn Lina <martijn@medialab.lostboys.nl>
To: Thomas Beauchamp <robotomas2001@yahoo.co.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: recovery from 'rm -rf /'
Message-ID: <20011003223038.G28329@medialab.lostboys.nl>
In-Reply-To: <20011002235859.74079.qmail@web20909.mail.yahoo.com>
References: <20011002235859.74079.qmail@web20909.mail.yahoo.com>
Once upon a 03-10-2001, Thomas Beauchamp hit keys in the following order:

> Anybody with experience/knowledge of recovering erased
> files with stupid 'rm -r / *' command?

first of all, be sure that absolutely nothing is writing to the disk anymore. the inodes that have been freed last will be the first to be used again. that's why my initial reaction of restoring the backup caused me a lot of problems, because the backup appeared to be incomplete.

> I understand that the couple 'unrm' 'lazarus' can help
> in this.

those tools can probably be of help, i guess, but it looks to me that it's only useful for analysing it for some hacker's activity clearing up logs etc. i've been able to successfully restore a few m$word documents from the output of unrm, but only those that luckily had been stored in an unfragmented way on the disk. in case of fragmentation, i guess it would be necessary to know which inodes would be the next in the chain. i haven't figured out how though.

if your filesystem is still not rewritten, i think 'ils' could be of use. it can list all inodes of removed files. it's also part of The Coroner's Toolkit, like unrm and lazarus.

i don't know how much empty space you have to work with, but lazarus isn't very well written and crashes after processing 2GB of data: out of memory.

the docs from tct are pretty helpful. not too much to read, so take a look at that and decide which tools would be most helpful for your situation. i've only played with unrm and lazarus. unrm takes all unallocated inodes from the rm-ed partition and puts them in one big file. lazarus uses that file to split it up in blocks and recognize if it's text, binary, compressed, gif/jpg, mail, etc. if you have to look for binary data, like me, i don't know if this output could be of any use, unless the original file was small enough to fit in one block.

and of course, a hexeditor could always help. i liked ports/editors/hexedit the best, for its speedy search on my 3GB unrm-file.

good luck

martijn
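The signature search over an unrm dump that the message describes doing with a hex editor can be scripted. The following is an added example, not part of the original message or of The Coroner's Toolkit: it streams the dump in fixed-size chunks so memory stays flat on multi-gigabyte files, and reports only signatures that start on a fragment boundary, where a file's first block would begin. The function names, the 1024-byte fragment size and the assumption that the dump preserves fragment alignment are all hypothetical; the sample dump is constructed.

```python
import io

# Magic numbers for file types named in the message (Word documents are OLE2 containers).
SIGNATURES = {
    "ole2-msword": bytes.fromhex("d0cf11e0a1b11ae1"),
    "gif": b"GIF8",
    "jpeg": b"\xff\xd8\xff",
    "gzip": b"\x1f\x8b\x08",
}

def scan_dump(stream, frag_size=1024, chunk_size=1 << 20):
    """Return sorted [(offset, kind)] for signatures that start on a fragment boundary.

    frag_size is an assumption: use the fragment size of the original filesystem.
    """
    overlap = max(len(m) for m in SIGNATURES.values()) - 1
    hits = set()      # a set, because the carried-over tail is scanned twice
    base = 0          # absolute dump offset of buf[0]
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for kind, magic in SIGNATURES.items():
            pos = buf.find(magic)
            while pos != -1:
                # Unaligned matches are almost always bytes inside some other file.
                if (base + pos) % frag_size == 0:
                    hits.add((base + pos, kind))
                pos = buf.find(magic, pos + 1)
        # Keep a short tail so a signature split across two reads is still found.
        keep = buf[-overlap:]
        base += len(buf) - len(keep)
        buf = keep
    return sorted(hits)

def make_sample_dump(frag_size=1024):
    """Constructed 4-fragment dump: empty, Word header, stray 'GIF8' mid-fragment, JPEG header."""
    pad = lambda data: data + b"\x00" * (frag_size - len(data))
    return (pad(b"") + pad(SIGNATURES["ole2-msword"])
            + pad(b"\x00" * 10 + b"GIF89a") + pad(b"\xff\xd8\xff\xe0"))

if __name__ == "__main__":
    for offset, kind in scan_dump(io.BytesIO(make_sample_dump())):
        print(f"{offset:#010x}  {kind}")
```

Each reported offset is only a candidate file start; as the message notes, the data that follows is usable as-is only if the file was stored unfragmented.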
