From: "Thyer, Matthew"
To: "'Robert Watson'"
cc: "'current@freebsd.org'"
Date: Fri, 14 Nov 2003 09:39:29 +1030
Subject: RE: undelete for FreeBSD current?
Message-ID: <5F13229E7BA2D611BD0300306E010DB08C9795@ednex503.dsto.defence.gov.au>

Thanks Robert,

The "strings" method worked very well in this instance.

-----Original Message-----
From: Robert Watson [mailto:rwatson@freebsd.org]
Sent: Thursday, 13 November 2003 1:59 PM
To: Barney Wolff
Cc: Thyer, Matthew; 'current@freebsd.org'
Subject: Re: undelete for FreeBSD current?

On Wed, 12 Nov 2003, Barney Wolff wrote:

> On Thu, Nov 13, 2003 at 11:30:51AM +1030, Thyer, Matthew wrote:
> > I've done a bad thing and need to recover a single file in
> > /usr/local/etc/rc.d/ after a rm -rf of /usr/local
> >
> > I've kept the file system relatively quiet since then.
>
> TCT may help.  http://www.porcupine.org/forensics/tct.html but I don't
> think it's been tested with current/ufs2.  Also, don't expect to build
> it on the system and then find a deleted file.
>
> But if you have a clue of what you're looking for, just grepping
> /dev/da or /dev/ad might work.  (grep -a -A100 -B100)

Assuming that the file system had a fair amount of free space, and
therefore wasn't fragmented, I've always found the "strings" command quite
helpful in recovering text files after loss or deletion.  It can also be
nicely applied to /dev/mem if you accidentally close that pesky editor
window without save...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
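
The two suggestions in this thread (grepping the raw device for a known string, and running "strings" over it) combined into one script, as an added example that is not part of the original messages. It assumes you search a copy of the partition taken as an image file; the function names, keyword and sample script are constructed for illustration, and unlike plain strings it keeps newlines inside a run and reports byte offsets.

```python
import mmap
import re

def carve_text(image, keyword: bytes, min_len: int = 16):
    """Return [(offset, text)] for each run of text bytes that contains keyword.

    A run is min_len or more consecutive printable-ASCII, tab, CR or LF bytes,
    so a multi-line script stored in contiguous blocks comes back as one piece.
    """
    run = re.compile(rb"[\t\n\r\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii"))
            for m in run.finditer(image) if keyword in m.group()]

def carve_file(path: str, keyword: bytes, min_len: int = 16):
    """Same search over an image file, memory-mapped read-only."""
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_text(mm, keyword, min_len)

# Constructed sample data: a made-up rc.d script surrounded by non-text bytes.
SCRIPT = (b"#!/bin/sh\n# constructed sample, not a real port script\n"
          b"case \"$1\" in\nstart)\n\t/usr/local/sbin/exampled && echo -n ' exampled'\n"
          b"\t;;\nesac\n")
IMAGE = (b"\x00" * 512 + b"\x7fELF\x01\x02binary junk\x00" + SCRIPT
         + b"\xff" * 100 + b"an unrelated line of text, long enough to be a run\n"
         + b"\x00" * 64)

if __name__ == "__main__":
    for offset, text in carve_text(IMAGE, b"exampled"):
        print(f"--- text run at byte offset {offset} ---")
        print(text, end="")
```

If the file's blocks were not contiguous, each fragment comes back as a separate run and only the fragment holding the keyword is reported, which is the fragmentation caveat in the reply above.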