undelete / unrm for OpenBSD 4.2 with dls

Posted by face on January 14, 2008

While nightly backups and SVN are great, sometimes we make a mistake and rm something we need back. This article should also be useful to anyone who needs to do forensic analysis of a filesystem. The technique should also work under FreeBSD, NetBSD, Linux, Solaris, DOS, Windows, etc.; only the tool installation part differs, and you might need a -t option to dls.

I did this yesterday on my development box under the /home partition. The first thing is to try to ensure nothing overwrites the deleted inodes.

In this example /home is /dev/wd0e. You can use df to determine your setup.

Get on the console and bring her into single user mode:

shutdown now
# or, if you are not alone and want to give people 2 minutes:   shutdown +2

Now that we are in single user mode, unmount the disk

umount /home

Ok, the inodes are safe. Let's undelete them. On OpenBSD we have The Sleuth Kit, an evolution of TCT; what TCT called unrm is now called dls.

sudo su
export PKG_PATH="ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.2/packages/i386" 
# or, setenv PKG_PATH "ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.2/packages/i386" 
pkg_add sleuthkit

# Now, we will need tcl for the comeforth script referenced below.  Install it if you don't have it:
pkg_add tcl-8.4.7p5
ln -s  /usr/local/bin/tclsh8.4 /usr/bin/tclsh

Now my /var has lots of free space. The following command will find all deleted inodes and place them in a file.

dls  /dev/wd0e > /var/tmp/undelete.bin

You can also use fls on the raw device to report on directory information (file names). To get information on deleted sub directories, you would need to determine which inodes are directories and then use fls on those inodes.
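The umount-then-dls step above, written as a small wrapper with the two checks a forensics engineer wants before touching the device: that the filesystem really is unmounted, and that the dump is not being written onto the very filesystem it reads from (the post puts it on /var for this reason). This is an added example, not code from the original post or from The Sleuth Kit; it assumes POSIX sh, df -P, mount, and dls/fls in PATH, and the device and output paths are placeholders taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): guarded dls/fls run.
# Assumes POSIX sh, df -P, mount, and The Sleuth Kit's dls and fls in PATH.
# /dev/wd0e and /var/tmp/undelete.bin below are the post's own placeholders.

# Print the device (or filesystem name) backing path $1.
fs_device_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Succeed if device $1 is currently mounted. Reading unallocated space from a
# mounted, writable filesystem risks the overwrite we are trying to avoid and
# gives an inconsistent image.
is_mounted() {
    mount | awk '{ print $1 }' | grep -qx -- "$1"
}

# Succeed if output file $1 does not live on device $2. Writing the dump onto
# the filesystem being recovered would overwrite the free blocks being read.
output_is_safe() {
    out_dev=$(fs_device_of "$(dirname "$1")")
    [ "$out_dev" != "$2" ]
}

# Dump every unallocated block of device $1 into $2 and list deleted
# directory entries next to it. Refuses to run if either check fails.
dump_unallocated() {
    dev=$1; out=$2
    if is_mounted "$dev"; then
        echo "$dev is still mounted; umount it (single user mode) first" >&2
        return 1
    fi
    if ! output_is_safe "$out" "$dev"; then
        echo "$out is on $dev itself; write the dump to another filesystem" >&2
        return 1
    fi
    # unrm became dls in The Sleuth Kit: all unallocated blocks, in order.
    dls "$dev" > "$out" || return 1
    # fls -r -d -p: recurse, show deleted entries only, print full paths.
    # This is the directory (file name) information the post mentions.
    # Flags as in fls(1); check them against your TSK version.
    fls -r -d -p "$dev" > "$out.fls" 2>/dev/null || true
    echo "unallocated blocks in $out, deleted names in $out.fls"
}

# Usage: dump_unallocated /dev/wd0e /var/tmp/undelete.bin
if [ "$#" -eq 2 ]; then
    dump_unallocated "$1" "$2"
fi
```

Run it as root after dropping to single user mode; the checks fail closed, so a still-mounted /home or an output path on the same partition stops the run before dls reads anything.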

If it is a text or source file you are looking for, you can just use something like less to search undelete.bin now.

Otherwise, if you want to extract files, I recommend comeforth. TCT does not build correctly on OpenBSD anymore. It is possible to get enough of TCT working for lazarus to run, but comeforth is much faster.

First, download and open comeforth. Now make it executable: chmod +x ~face/comeforth/comeforth. We already installed tclsh above, so now we can run comeforth, which is an interactive script. I am looking for Ruby-On-Rails files under app. So first I create a file of regular expressions that will match the output of the file command for the files I want to retrieve:

echo 'ASCII' > files
echo 'HTML' >> files
I accepted all the defaults except for the File type regex, which I set to < files. Here is a typescript from a session:

Script started on Mon Jan 14 15:13:05 2008
e5:/var/tmp> ~face/comeforth/comeforth

comeforth 1.12, Copyright (c) 2003-2004 Danamis Associates (http://danamis.com).
This program comes with ABSOLUTELY NO WARRANTY; this is free software, and you
are welcome to redistribute it under certain conditions; for details view the
GNU Lesser General Public License at http://www.gnu.org.

Data file: undelete.bin

Data block size: 4096

Recovery directory: recov

File type regex
([?] for help): < files

- Found 2 regexes to use in 'files'.

Block work dir: comeforth-5045.tmp

Progress indicator block interval: 24

Start at block: 1

Scanning data for matching blocks...
24, 0.01%, 1411.8 per sec, 2.9 min rem...

# Lots of output deleted ...

Finished scanning filesystem data in 0:09:26.

Inspect and assemble files? ([y]es/[q]uit): q

And that's it. You now have all your deleted files in recov. You can use grep to find the specific files you want. If the arg list is too long, then break it down with find. For example, let's say you were looking for the ruby class UsersController:

find . -print | xargs -L 10000 grep "^class UsersController"

You may have to delete some nulls at the end of your files. I tried dls -b but that didn’t seem to help.
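The find/xargs search and the trailing-NUL cleanup from the last two paragraphs, combined into one script. This is an added example and not code from the original post or from comeforth: it assumes POSIX sh with find/xargs -0, grep, tr, dd and mktemp, the recovery directory layout is only imitated with constructed sample files, and the file names (00001.txt, 00002.html) are made up. Instead of dls -b it strips NUL bytes with tr, which is safe for the ASCII and HTML files the post recovers because text sources never contain NUL.

```shell
#!/bin/sh
# Added example, not from the original post: search a comeforth recovery
# directory for a pattern without "argument list too long", then strip the
# NUL padding that whole-block recovery leaves at the end of text files.
# Assumes POSIX sh plus find/xargs -0, grep, tr, dd and mktemp.
# The sample files below are constructed; their names are made up.

# Print the paths under directory $1 whose contents match regex $2.
# find feeds paths to xargs in batches of 10000, so the argument list never
# overflows; grep -l prints file names only; -print0/-0 keep odd names intact.
# grep exits 1 for files without a match, so the pipeline status is ignored
# and callers test for output instead.
find_recovered() {
    find "$1" -type f -print0 | xargs -0 -n 10000 grep -l -- "$2" 2>/dev/null || true
}

# Print the number of NUL bytes in file $1 (useful to check before and after).
count_nuls() {
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Remove NUL bytes from text file $1 in place. comeforth writes whole blocks,
# so a recovered text file usually ends in NUL padding; source and HTML files
# never legitimately contain NUL, so dropping every NUL is safe for them.
# Do not run this on recovered binaries.
strip_nul_padding() {
    tr -d '\000' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Find files matching $2 under $1, clean their padding and print the paths.
recover_matches() {
    find_recovered "$1" "$2" | while IFS= read -r f; do
        strip_nul_padding "$f"
        printf '%s\n' "$f"
    done
}

# Build a throwaway directory that looks like comeforth output: one Rails
# controller padded as if to a block boundary, one unrelated HTML file.
# (Constructed sample data; 16 NULs stand in for a full block of padding.)
make_sample_dir() {
    d=$(mktemp -d)
    printf 'class UsersController < ApplicationController\nend\n' > "$d/00001.txt"
    dd if=/dev/zero bs=1 count=16 2>/dev/null >> "$d/00001.txt"
    printf '<html><body>not the one</body></html>\n' > "$d/00002.html"
    printf '%s\n' "$d"
}

# Demo run against the constructed sample.
sample=$(make_sample_dir)
echo "before: $(count_nuls "$sample/00001.txt") NUL bytes in 00001.txt"
recover_matches "$sample" '^class UsersController'
echo "after: $(count_nuls "$sample/00001.txt") NUL bytes in 00001.txt"
```

Point recover_matches at your real recov directory and the class name you are after; only the files that match are rewritten, so the rest of the recovery stays byte-for-byte as comeforth left it.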

I hope this is useful to someone else out there…

References:

http://wiki.sleuthkit.org/index.php?title=Help_Documents
http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK
http://www.linuxhaxor.net/2007/12/26/undelete-files-in-linux-with-lazarus-and-unrm/
