From owner-freebsd-security Wed Oct 3 13:30:51 2001
Date: Wed, 3 Oct 2001 22:30:38 +0200
From: Martijn Lina
To: Thomas Beauchamp
Cc: freebsd-security@freebsd.org
Subject: Re: recovery from 'rm -rf /'
Message-ID: <20011003223038.G28329@medialab.lostboys.nl>
In-Reply-To: <20011002235859.74079.qmail@web20909.mail.yahoo.com>
User-Agent: Mutt/1.3.22.1i

Once upon a 03-10-2001, Thomas Beauchamp hit keys in the following order:
>
> Anybody with experience/knowledge of recovering
> erased
> files with stupid 'rm -r / *' command?

First of all, be sure that absolutely nothing is writing to the disk anymore.
The inodes that have been freed last will be the first to be used again. That's why my initial reaction of restoring the backup caused me a lot of problems, because the backup appeared to be incomplete.

> I understand that the couple 'unrm' 'lazarus' can
> help
> in this.

Those tools can probably be of help, I guess, but it looks to me that they're only useful for analysing it for some hacker's activity, clearing up logs etc. I've been able to successfully restore a few M$Word documents from the output of unrm, but only those that luckily had been stored in an unfragmented way on the disk. In case of fragmentation, I guess it would be necessary to know which inodes would be the next in the chain. I haven't figured out how, though.

If your filesystem is still not rewritten, I think 'ils' could be of use. It can list all inodes of removed files. It's also part of The Coroner's Toolkit, like unrm and lazarus. I don't know how much empty space you have to work with, but lazarus isn't very well written and crashes after processing 2GB of data: out of memory.

The docs from TCT are pretty helpful. Not too much to read, so take a look at that and decide which tools would be most helpful for your situation. I've only played with unrm and lazarus. unrm takes all unallocated inodes from the rm-ed partition and puts them in one big file. lazarus uses that file to split it up into blocks, recognizing whether each is text, binary, compressed, gif/jpg, mail, etc. If you have to look for binary data, like me, I don't know if this output could be of any use, unless the original file was small enough to fit in one block.

And of course, a hex editor could always help. I liked ports/editors/hexedit the best, for its speedy search on my 3GB unrm file.
Good luck,
Martijn
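The unrm/lazarus pipeline Martijn describes, as an added example that is not part of the original mail or of The Coroner's Toolkit: a constructed in-memory "unrm" dump is cut into fixed-size blocks, each block is tagged by content type, and runs of compatible blocks are glued back into candidate files. The tag letters, the 512-byte block size, the continuation rules and all sample data are this example's own choices and are not how lazarus actually formats its output. The fragmented layout reproduces the problem he ran into: a file whose blocks are interleaved with somebody else's data comes back truncated, which the JPEG end-marker check and the gzip inflate both catch.

```python
"""Block carving in the spirit of unrm + lazarus (added example, not TCT code).
A constructed in-memory "unrm" dump is cut into fixed-size blocks, each block is
tagged by content, and runs of compatible blocks are glued into candidate files."""
import gzip
import string
import zlib

BLOCK = 512                     # assumed block size; use the one the carved filesystem used
PRINTABLE = set(string.printable.encode())
HEADER_TAGS = "JGZM"            # tags that can only start a file
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def classify(block: bytes) -> str:
    """Tag one block. The letters are this example's own, not lazarus's output format."""
    body = block.rstrip(b"\x00")                      # tail blocks carry zero slack
    if not body:
        return "."                                    # unused or zeroed block
    if block.startswith(JPEG_SOI):
        return "J"
    if block[:6] in (b"GIF87a", b"GIF89a"):
        return "G"
    if block.startswith(b"\x1f\x8b"):
        return "Z"                                    # gzip magic
    if block.startswith((b"From ", b"Received:", b"Return-Path:")):
        return "M"                                    # mail header
    if sum(c in PRINTABLE for c in body) / len(body) > 0.95:
        return "t"                                    # text, start or continuation
    return "b"                                        # opaque binary: continuation of J/G/Z

def carve(image: bytes, block_size: int = BLOCK):
    """Return [(tag, data)]: each header block plus the compatible blocks that follow it."""
    files, current = [], None

    def flush():
        nonlocal current
        if current is not None:
            files.append((current[0], bytes(current[1])))
        current = None

    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        tag = classify(blk)
        if tag == ".":
            flush()                                   # a free block ends the current run
        elif tag in HEADER_TAGS:
            flush()
            current = [tag, bytearray(blk)]
        elif tag == "t" and current is not None and current[0] in "Mt":
            current[1] += blk                         # text continues a text or mail file
        elif tag == "b" and current is not None and current[0] in "JGZ":
            current[1] += blk                         # binary continues an image or archive
        else:
            flush()
            current = [tag, bytearray(blk)]           # orphan run with no recognised header
    flush()
    return files

def jpeg_complete(data: bytes) -> bool:
    """Cheap check before trusting a carved JPEG: it must run from SOI to EOI."""
    return data.startswith(JPEG_SOI) and data.rstrip(b"\x00").endswith(JPEG_EOI)

def inflate_gzip(piece: bytes) -> bytes:
    """Decompress a carved gzip member; zlib ignores the block slack after the trailer."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    out = d.decompress(piece)
    if not d.eof:
        raise ValueError("gzip stream truncated: the file was probably fragmented")
    return out

# --- constructed sample data, not a real disk image ---------------------------
def _filler(n): return bytes((i * 7 + 13) % 256 for i in range(n))   # deterministic, ~39% printable
def _pad(data, n): return data + b"\x00" * (n - len(data))             # file tail plus zero slack
def _split(data): return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def build_image(fragmented: bool) -> bytes:
    """Fake unrm output: a 3-block JPEG, a 2-block text memo, a mail and a gzip file."""
    jpeg = bytearray(_filler(3 * BLOCK))
    jpeg[:4], jpeg[-2:] = b"\xff\xd8\xff\xe0", JPEG_EOI
    j = _split(bytes(jpeg))
    memo = _split(_pad(b"quarterly numbers, draft 2\n" * 30, 2 * BLOCK))
    mail = _split(_pad(b"From owner-freebsd-security Wed Oct  3 2001\n"
                       b"Subject: Re: recovery\n\nstop writing to the disk\n", BLOCK))
    gz = _split(_pad(gzip.compress(b"tape label\n" * 50, mtime=0), BLOCK))
    free = [b"\x00" * BLOCK]
    if fragmented:   # the memo's first block landed between the JPEG's data blocks
        return b"".join(free + j[:2] + memo[:1] + j[2:] + memo[1:] + free + mail + gz)
    return b"".join(free + j + free + memo + mail + gz)

if __name__ == "__main__":
    for frag in (False, True):
        pieces = carve(build_image(frag))
        print("fragmented" if frag else "contiguous", [(t, len(d)) for t, d in pieces],
              "JPEG complete:", jpeg_complete(pieces[0][1]))
```

Running it prints the contiguous layout coming back as four clean candidates and the fragmented one as six pieces with a JPEG that never reaches its end marker. The point to take from it is the one the mail makes: block-type carving only returns a usable file when its blocks were contiguous, so every candidate needs a format-level check (trailer marker, CRC, inflating cleanly) before you trust it, and on a real unrm output file you would feed it the block size the filesystem actually used.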