From owner-freebsd-questions Thu Feb 14 12:34:24 2002 Delivered-To: freebsd-questions@freebsd.org Received: from web13301.mail.yahoo.com (web13301.mail.yahoo.com [216.136.175.37]) by hub.freebsd.org (Postfix) with SMTP id D3F6D37B405 for ; Thu, 14 Feb 2002 12:34:20 -0800 (PST) Message-ID: <20020214203417.19669.qmail@web13301.mail.yahoo.com> Received: from [193.174.9.99] by web13301.mail.yahoo.com via HTTP; Thu, 14 Feb 2002 21:34:17 CET Date: Thu, 14 Feb 2002 21:34:17 +0100 (CET) From: =?iso-8859-1?q?m=20p?= Subject: Re: undeleting files To: Erik Trulsson , Lord Raiden Cc: freebsd-questions@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG > > Ok, I know that it's supposed to be impossible to undelete files in > > unix or freebsd, but my question is how this is possible? How does > > unix/freebsd delete files in such a way that they are unrecoverable? Just > > my curious side getting the better of me again. > > > > It is not impossible in general, merely difficult. > > There are basically two problems with undeleting files: > The first is that the space that was used by a deleted file is quite > likely to reused when some new file is created thereby making it impossible > to recover the old file. > The second problem is that there are not really any good tools for > undeleting files, meaning that you have to use a disk editor to change > the filesystem by hand. Not recommended for the faint of heart. > > To make it totally impossible to recover old files the system would > have to zero-fill the blocks on the disk that was used by a file when > the file is removed from the system. This is currently not done, > presumably for performance reasons. > > (That still would not make it quite impossible to recover old data. > It is possible to recover data from a disk even if it has been > overwritten several times. Doing so is difficult and requires > special, expensive equipment but it can be done.) > Hi, please take a look at http://www.porcupine.org/forensics/column.html Wietse Venema and Dan Farmer worked out how you can undelete files under *NIX. The two documents about this topic you can found under: http://www.ddj.com/articles/2000/0012/0012h/0012h.htm http://www.ddj.com/articles/2001/0101/0101h/0101h.htm They developed a tool called "lazarus" - but I don't know if it can be used with FreeBSD as production tool (I took the last look at it 4 years ago when I still used SuSe Linux). Hope that helps Marc __________________________________________________________________ Gesendet von Yahoo! Mail - http://mail.yahoo.de Ihre E-Mail noch individueller? - http://domains.yahoo.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message