Date: Wed, 3 Oct 2001 22:30:38 +0200
From: Martijn Lina <martijn@medialab.lostboys.nl>
To: Thomas Beauchamp <robotomas2001@yahoo.co.uk>
Cc: freebsd-security@freebsd.org
Subject: Re: recovery from 'rm -rf /'
Message-ID: <20011003223038.G28329@medialab.lostboys.nl>
In-Reply-To: <20011002235859.74079.qmail@web20909.mail.yahoo.com>
References: <20011002235859.74079.qmail@web20909.mail.yahoo.com>
Once upon a 03-10-2001, Thomas Beauchamp hit keys in the following order:

> Anybody with experience/knowledge of recovering
> erased
> files with stupid 'rm -r / *' command?

first of all, be sure that absolutely nothing is writing to the disk anymore.
the inodes that have been freed last will be the first to be used again.
that's why my initial reaction of restoring the backup caused me a lot of
problems, because the backup appeared to be incomplete.

> I understand that the couple 'unrm' 'lazarus' can
> help
> in this.

those tools can probably be of help, i guess, but it looks to me that it's only
useful for analysing it for some hackers' activity, clearing up logs etc. i've
been able to successfully restore a few m$word documents from the output of unrm,
but only those that luckily had been stored in an unfragmented way on the disk.
in case of fragmentation, i guess it would be necessary to know which inodes
would be the next in the chain. i haven't figured out how though.

if your filesystem is still not rewritten, i think 'ils' could be of use. it can
list all inodes of removed files. it's also part of The Coroner's Toolkit, like
unrm and lazarus. i don't know how much empty space you have to work with, but
lazarus isn't very well written and crashes after processing 2GB of data: out of
memory.

the docs from tct are pretty helpful. not too much to read, so take a look at
that and decide which tools would be most helpful for your situation. i've only
played with unrm and lazarus. unrm takes all unallocated inodes from the rm-ed
partition and puts them in one big file. lazarus uses that file to split it up
in blocks and recognizes whether it's text, binary, compressed, gif/jpg, mail,
etc.

if you have to look for binary data, like me, i don't know if this output could
be of any use, unless the original file was small enough to fit in one block.
and of course, a hexeditor could always help. i liked ports/editors/hexedit the
best, for its speedy search on my 3GB unrm-file.

good luck

martijn
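The unrm/lazarus workflow described in the message, reduced to a small Python model as an added example (this is not code from the post or from The Coroner's Toolkit). It assumes a 512-byte block size, an abbreviated magic-byte table, fixed trailer markers for JPEG and GIF, and a constructed eight-block dump standing in for an unrm output file. It classifies each block the way lazarus does and then carves header-to-trailer files that happen to be stored contiguously; a header whose trailer is not reached before the next header is reported as fragmented, which is the case the message says block content alone cannot resolve without knowing the inode's block chain.

```python
# Added example, not part of Martijn Lina's post or of The Coroner's Toolkit:
# a toy model of the unrm -> lazarus workflow. Block size, magic table,
# trailer markers and the sample dump are all constructed assumptions.
import gzip
import string

BLOCK_SIZE = 512  # assumed block size of the toy dump

# Abbreviated magic-byte table (assumed) used for lazarus-style classification.
MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x1f\x8b\x08": "gzip",
    b"%PDF-": "pdf",
}
# Trailer markers used to decide where a contiguously stored file ends.
TRAILERS = {"jpeg": b"\xff\xd9", "gif": b"\x3b"}
PRINTABLE = set(string.printable.encode())


def classify_block(block: bytes) -> str:
    """Guess what one block holds: magic bytes first, then cheap heuristics."""
    for magic, kind in MAGICS.items():
        if block.startswith(magic):
            return kind
    payload = block.rstrip(b"\x00")          # ignore zero padding at the end
    if not payload:
        return "empty"
    if payload.startswith((b"From ", b"From:", b"Return-Path:")):
        return "mail"
    printable = sum(1 for b in payload if b in PRINTABLE)
    return "text" if printable / len(payload) > 0.95 else "binary"


def scan_image(image: bytes, block_size: int = BLOCK_SIZE):
    """Return (block_number, kind) for every block of the dump."""
    return [(i // block_size, classify_block(image[i:i + block_size]))
            for i in range(0, len(image), block_size)]


def carve(image: bytes, block_size: int = BLOCK_SIZE, max_blocks: int = 64):
    """Carve header-to-trailer files that are stored in contiguous blocks.

    Returns (kind, byte_offset, length, status). A header whose trailer is not
    reached before another file header or the end of the dump is reported as
    'fragmented': its remaining blocks live somewhere else, which a
    block-by-block tool cannot resolve without the inode's block chain.
    """
    blocks = scan_image(image, block_size)
    found = []
    for blkno, kind in blocks:
        trailer = TRAILERS.get(kind)
        if trailer is None:
            continue                          # not a file header we carve
        data, status = b"", "fragmented"
        for n in range(blkno, min(blkno + max_blocks, len(blocks))):
            if n != blkno and blocks[n][1] in TRAILERS:
                break                         # ran into the next file's header
            data += image[n * block_size:(n + 1) * block_size]
            end = data.find(trailer, 2)       # skip the header's own bytes
            if end != -1:
                data, status = data[:end + len(trailer)], "complete"
                break
        found.append((kind, blkno * block_size, len(data), status))
    return found


def build_sample_image() -> bytes:
    """Constructed 8-block dump standing in for an unrm output file (not real data)."""
    def pad(b: bytes) -> bytes:
        return b.ljust(BLOCK_SIZE, b"\x00")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x80" * 700 + b"\xff\xd9"   # 706 bytes, two blocks
    blocks = [
        pad(b"From: alice@example.org\nSubject: report\n\nattached.\n"),  # mail
        pad(gzip.compress(b"hello " * 20, mtime=0)),                      # gzip
        jpeg[:BLOCK_SIZE], pad(jpeg[BLOCK_SIZE:]),                        # jpeg, contiguous
        pad(b""),                                                          # never used
        pad(b"\xff\xd8\xff\xe1" + b"\x80" * 300),                         # jpeg head, tail elsewhere
        pad(b"GIF89a" + b"\x00" * 50 + b"\x3b"),                           # gif in one block
        pad(b"\xff\xd9" + b"\x80" * 10),                                   # orphaned jpeg tail
    ]
    return b"".join(blocks)


if __name__ == "__main__":
    img = build_sample_image()
    for blkno, kind in scan_image(img):
        print(f"block {blkno}: {kind}")
    for entry in carve(img):
        print("carved:", entry)
```

Running it lists the per-block types and three carved entries: the two-block JPEG and the one-block GIF come out complete, while the second JPEG header is flagged fragmented because its tail block is not adjacent to it. The classifier is deliberately per-block, so continuation blocks of a binary file show up only as "binary", which is why a small file that fits in one block is so much easier to recover than a large one.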
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011003223038.G28329>