From owner-freebsd-questions@FreeBSD.ORG Thu Mar 17 19:01:49 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C980F16A513 for ; Thu, 17 Mar 2005 19:01:49 +0000 (GMT) Received: from sccrmhc11.comcast.net (sccrmhc14.comcast.net [204.127.202.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30C8743D3F for ; Thu, 17 Mar 2005 19:01:49 +0000 (GMT) (envelope-from tbonius@comcast.net) Received: from ostros (c-24-18-102-54.client.comcast.net[24.18.102.54]) by comcast.net (sccrmhc14) with SMTP id <20050317190148014004j9pae>; Thu, 17 Mar 2005 19:01:48 +0000 Message-ID: <004201c52b23$c8f7f430$4300a8c0@home.lan> From: "Thomas Foster" To: "Yanek Korff" , References: <4239CB49.40707@mail.com> Date: Thu, 17 Mar 2005 11:01:35 -0800 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Subject: Re: Data Recovery X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Mar 2005 19:01:49 -0000 I hope that you have remounted this filesystem read-only .. or else you might not be able to recover anything. That might be one of the problems you are running into. Sleuthkit allows you to search inodes and fragment ranges of a device for particular file and directory names.. then images that inode or fragment range into a single image file elsewhere on the system. Foremost will then open that image file and extract files based on their header and footer information, but.. if you do not include footer information you might get truncated file recovery. Also.. as stated before.. if there have been multiple writes to the file system.. you probably wont get the file back at all. Hope this helps.. T ----- Original Message ----- From: "Yanek Korff" To: Sent: Thursday, March 17, 2005 10:24 AM Subject: Data Recovery > > Are there any ways to recover files from rm -rf dirname after a few days, > assuming there have been few if any writes to the filesystem since? > > I've been playing with tools like foremost and jpegrescue a bit... and > running tests on other filesystems, but it doesn't appear that I'm getting > full images back from the disk. Looking at an octal dump of a disk image > (dd if=/dev/blah of=/some/file), I can find the file header... and about > 20k of the file, generally... and then there's garbage. Presumably the > file's been broken into blocks and there's inode table data to consider... > > The tests I"m running are trying to find jpeg files that HAVEN'T been > deleted from the filesystem. My real scenario of course differs. > > Pointers/rtfm welcome. > > -Yanek. > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" >