> You ever have that moment when you've just formatted a drive or
> partition and realized 'wait, there was something on there I
> wanted'? 
> 
> Anyone? Looking for ideas on something that could potentially
> recover an overwrote filesystem. I got as far as installing the
> OS and stopped ASAP upon realization. Not the end of the world
> but it'd be nice to recover the documents. 

The first method of recovering an overwritten file system that I
can think of is "recover from backup".  On that hectoring note,
I move on to actual useful information...

First define "overwrote" please.  If you've actually written new data
into the file system, then you obviously can't recover anything from
the blocks that have been re-used.  You may be able to recover some
data from the blocks that have not been re-used-- it's similar to what
digital forensic analysts do when recovering "deleted" evidence from a
hard drive.

You'll want to use dd to make an image of the drive right away before
more damage to the file system can be done.  Ideally, hook the drive
up to another system and dd the drive (or just the affected partition
if you like) without mounting it.  Remember that the dd image will be
as large as the entire physical drive (or partition).  Once you've
gotten all of the information off with dd, you may as well re-use the
drive.  It's not like we'll need it as evidence in court or anything.

Then you'll need some specialized Open Source tools to grovel around
in the dd image-- like the Sleuth Kit tools and Lazarus from the
Coroner's Toolkit.  Since this is an ext3 file system we're talking
about, it's likely that the inodes have been zeroed out (I know that
ext3 does this when you delete a file, but I'm not sure if it happens
when the file system is newfs-ed, but it's likely I'm afraid).  This
means you're going to be counting on the fact that data blocks in
files tend to be allocated contiguously-- you get to manually
reassemble your files block-by-block!  This is why Lazarus can be a
help, because it heuristically tries to find complete files in the
image and presents them to you via a web browser for easier viewing.

This is a painful process, but if this sounds like something you want
to do, I can provide further technical advice.  If others are
interested, we could possibly turn this into a group project for one
of the Thursday meetings (depending on the sensitivity of the data
we'd be recovering).

Cheers!

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      [EMAIL PROTECTED]
    Network Connectivity and Security, Systems Management, Training
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
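To make the block-by-block reassembly concrete, here is an added example (my own code, not from the post, the Sleuth Kit or the Coroner's Toolkit) of the heuristic Lazarus-style carving described above: walk a dd image at block boundaries, look for known file headers, and, relying on contiguous allocation, read forward to the matching trailer since the zeroed inodes give no block list. It assumes a 4 KiB ext3 block size and a constructed in-memory image in place of a real dd output.

```python
from typing import List, Tuple

BLOCK = 4096  # assumed ext3 block size for the constructed image

# (type, header magic, trailer magic): the trailer bounds the carved file
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF"),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
]


def carve(image: bytes, block: int = BLOCK,
          max_blocks: int = 256) -> List[Tuple[str, int, bytes]]:
    """Scan every block boundary for a known header and, assuming the file's
    data blocks are contiguous, read forward until its trailer.  A header whose
    trailer never appears within max_blocks is reported as truncated so the
    analyst can inspect the run by hand.  Returns (type, offset, data)."""
    hits = []
    for off in range(0, len(image), block):
        for kind, head, tail in SIGNATURES:
            if not image.startswith(head, off):
                continue
            window = image[off: off + max_blocks * block]
            end = window.find(tail, len(head))
            if end == -1:
                hits.append((kind + "-truncated", off, window.rstrip(b"\x00")))
            else:
                hits.append((kind, off, window[: end + len(tail)]))
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: 16 mostly zeroed blocks, a small
    PDF at block 3, a two-block JPEG-like blob at block 7, a PDF header with
    no trailer at block 10, and a headerless PDF fragment at block 12 that a
    signature carver cannot see (the limitation the post warns about)."""
    blocks = [b"\x00" * BLOCK for _ in range(16)]
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    blocks[3] = pdf.ljust(BLOCK, b"\x00")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x11" * (BLOCK + 100) + b"\xff\xd9"
    blocks[7], blocks[8] = jpeg[:BLOCK], jpeg[BLOCK:].ljust(BLOCK, b"\x00")
    blocks[10] = b"%PDF-1.4\n1 0 obj << /Type /Catalog >>".ljust(BLOCK, b"\x00")
    blocks[12] = b"2 0 obj << /Length 5 >> stream\nhello\nendstream\n".ljust(BLOCK, b"\x00")
    return b"".join(blocks)


if __name__ == "__main__":
    for kind, off, data in carve(build_sample_image()):
        print(f"{kind:14s} block {off // BLOCK:4d}  {len(data)} bytes")
```

Against a real image you would read the dd output in block-sized chunks rather than holding it in memory, and verify each carved file by opening it, since a trailer found early (or late) yields a plausible but wrong file.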