I did a `rm -rf directory` in an ext3 accidentally, where some very important files were in this directory. Of course I'm working now on an image copy of the disk.
I've found this very nice how-to http//
Unfortunately it's not possible to change into a deleted directory (cd <deleted-folder>) in debugfs. So I tried to recover the directory first, hoping that after recovery I can see the deleted files.
For testing purposes I set up a test environment (creates an ext3 fs image with a deleted folder with files in it):

```bash
#!/bin/bash
#--- creating a test environment ---
dd if=/dev/zero of=test.img count=2k bs=4096 status=noxfer
yes | mkfs.ext3 test.img
mkdir mnt; mount test.img mnt
mkdir mnt/directory
yes | dd of=mnt/directory/myfile count=1k bs=4096 status=noxfer
rm -r mnt/directory
umount mnt
```
OK, let's try to reactivate directory/myfile…

#--- examine what we have ---
```
> export PAGER=more
> debugfs -w test.img
debugfs: ls -d
2 (12) . 2 (12) .. 11 (1000) lost+found <12> (980) directory
debugfs: mi <12>
--> Changing only "deletion time" to 0 and "link count" to 2
debugfs: link <12> /directory
debugfs: ls
2 (12) . 2 (12) .. 11 (20) lost+found 12 (980) directory
--> looks wonderful! but
debugfs: cd directory
--> ls -l and ls -d show nothing! :-(
```
How can I reactivate the directory so I can find the removed files in it?
Thanks for any help!
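Added example in Python (not from the thread): a model of the on-disk ext2/ext3 directory-entry format that reproduces the `ls` listings above from a constructed 1 KiB root-directory block; the entry sizes 12, 12, 20 and 980 are taken from the listings, the block bytes are constructed rather than read from the image, and the slack-space probing follows how libext2fs does it for `debugfs ls -d`. It shows why `ls -d` prints `<12> (980) directory` after `rm -r` (the entry bytes are still there, only `lost+found`'s rec_len was grown to 1000 so a normal walk steps over it) and what `link <12> /directory` changed in the parent block.

```python
import struct

# ext2/ext3 directory entry header (little-endian): inode, rec_len, name_len, file_type
HDR = struct.Struct("<IHBB")

def entry(inode, name, rec_len=None, file_type=2):
    raw = name.encode()
    rec_len = rec_len or (8 + len(raw) + 3) & ~3  # default: the 4-byte aligned minimum
    return HDR.pack(inode, rec_len, len(raw), file_type) + raw + b"\0" * (rec_len - 8 - len(raw))

def build_test_block():
    """Constructed 1 KiB root block after `rm -r directory`: the kernel left the entry
    intact and only grew lost+found's rec_len from 20 to 1000 so a walk steps over it."""
    block = bytearray(entry(2, ".", 12) + entry(2, "..", 12)
                      + entry(11, "lost+found", 20) + entry(12, "directory", 980))
    struct.pack_into("<H", block, 24 + 4, 1000)  # rec_len field of the lost+found entry
    return bytes(block)

def _valid_at(block, off, final):
    """libext2fs-style probe: a rec_len chain starting at off must end exactly at final."""
    while off + 8 <= final:
        _, rec_len, name_len, _ = HDR.unpack_from(block, off)
        if rec_len < 8 or rec_len % 4 or 8 + name_len > rec_len:
            return False
        off += rec_len
    return off == final

def list_entries(block, include_removed=False):
    """Walk like `debugfs ls`, or like `ls -d` (probe slack inside each rec_len) if include_removed."""
    out, off, end = [], 0, 0  # end: where the current live entry's rec_len finishes
    while off < len(block):
        inode, rec_len, name_len, _ = HDR.unpack_from(block, off)
        out.append((inode, rec_len, block[off + 8:off + 8 + name_len].decode(), off, off < end))
        end = max(end, off + rec_len)
        off += (8 + name_len + 3) & ~3 if include_removed else rec_len
        while include_removed and off < end and not _valid_at(block, off, end):
            off += 4  # step through slack until a plausible hidden entry or the end
    return out

def fmt(entries):
    """debugfs-style rendering, e.g. `11 (1000) lost+found <12> (980) directory`."""
    return " ".join(("<%d>" % i if d else str(i)) + f" ({r}) {n}" for i, r, n, _, d in entries)

def relink(block, deleted_off):
    """Cut the preceding live entry's rec_len at deleted_off: the parent-block change `link` made."""
    prev_off = [e[3] for e in list_entries(block) if e[3] < deleted_off][-1]
    fixed = bytearray(block)
    struct.pack_into("<H", fixed, prev_off + 4, deleted_off - prev_off)
    return bytes(fixed)
```

This only models the name entry in the parent directory; what `cd directory` then finds depends on what inode 12 itself still points at, which is the part the post's final `ls` shows to be empty.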
I am no expert on ext3. I am glad you are working on a copy.
Undelete as a process is very dubious, as it is very easy to start writing over files that have not yet been recovered. My advice is to work on recovering the deleted files and initially save them on a different device. Only when 110% sure that all files have been recovered, write anything back to the initial drive.
Sometimes an easy recovery method is just data carving; this works on most file systems (except for Reiser), but file names and directory structure are lost.
i.e. recover, do not attempt repair.
I did a `dd if=/dev/sdb1 of=file.img` and copied and compressed the result. Now I'm sure I can do anything with file.img, because I have two copies of it (the real HDD and the compressed copy). Thanks for that advice!
Data carving is not as nice as repairing because I have an image file in the removed directory with a whole ext3 LAMP installation. If I'm able to recover this single file, I would have all files in one step.
Did you try viewing the image in FTK Imager, or any other forensic tool? If the deleted folder and/or the deleted files have metadata entries, they should find them. If they don't have metadata entries, then your only option is to manually carve them out.
Thanks a lot for your answer, twjolson!
> Did you try viewing the image in FTK Imager, or any other forensic tool?
I tried to use some linux tools like Sleuthkit, foremost, debugfs, e2undelete, etc. But they only found the files in my ext3 image. I hope to find the whole ext3 image itself, so I can undelete this file and with it all the content…
I was surfing on the DataAccess website. Nice tool (except that it runs on Windows and needs a lot of hardware, maybe because of Windows?). But they don't write anything about costs and prices…? I'm like a student.
I tried to find the file by using Autopsy. An expert told me it's as good as FTK.
Now I'm trying to write the ext3 inodes manually. I will tell you later if it worked. :-]
Thanks for your help!