Re: howto restored rm-ed files/directory
On Nov 25, 2007 4:45 AM, [EMAIL PROTECTED] wrote: Insan Praja SW wrote: Hi Misc, I got an important directory in my 4.1 bsd and it's deleted using rm -rf :(. Anyone had experience restoring them? I really.. (I mean Really) need help on this one.. Thanks, Kind Regards, Insan depends how much trouble you want to go to and in what format your files were. there are companies who will charge 800-2000$ for recovery... for a DYI-er: stop using the box/filesystem use dd or something like that to get a bit-for-bit copy of the filesystem. the underlying data is probably still there, maybe not so accessible - something like this: dd if=/dev/rsd0f of=/var/tmp/dd_rsd0f bs=64k use strings(1) and then grep or less on this to see what readable stuff you can get out of it. txt files will emerge quite usable, but not necessarily in order. if you need complete unadulterated data then there are a few other things you could try, but basically you'll need to get down dirty with disk blocks. NB suggest using vsconfig to mount a copy of your dd file as a volume again, and then fsdb to see what you can recover. a+ scorch ports/sysutils/sleuthkit makes things a bit easer... although you still need to understand things about filesystems to use it efficiently.
Re: howto restored rm-ed files/directory
Insan Praja SW [EMAIL PROTECTED] writes: Hi Misc, I got an important directory in my 4.1 bsd and it's deleted using rm -rf :(. Anyone had experience restoring them? I really.. (I mean Really) need help on this one.. Forget it. We zero block before they are marked as free in the filesystem, so by the time you've finished writing this mail, your blocks were zeroed. You can pay a few bazillions to Ibas and they might attempt to save your data, but it's more likely they'll just laugh at you. And it's probably cheaper to recreate the data from scratch anyway. //art Thanks, Kind Regards, Insan -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: howto restored rm-ed files/directory
Artur Grabowski [EMAIL PROTECTED] writes: Insan Praja SW [EMAIL PROTECTED] writes: Hi Misc, I got an important directory in my 4.1 bsd and it's deleted using rm -rf :(. Anyone had experience restoring them? I really.. (I mean Really) need help on this one.. Forget it. We zero block before they are marked as free in the filesystem, so by the time you've finished writing this mail, your blocks were zeroed. I was wrong here. I thought we did, but we don't. So your files might still be there. //art You can pay a few bazillions to Ibas and they might attempt to save your data, but it's more likely they'll just laugh at you. And it's probably cheaper to recreate the data from scratch anyway. //art Thanks, Kind Regards, Insan -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: howto restored rm-ed files/directory
On Wed, 28 Nov 2007 00:50:48 +0700, Jeff Quast [EMAIL PROTECTED] wrote: On Sun, Nov 25, 2007 at 03:25:27AM +0700, Insan Praja SW wrote: Hi Misc, I got an important directory in my 4.1 bsd and it's deleted using rm -rf :(. Anyone had experience restoring them? I really.. (I mean Really) need help on this one.. Thanks, Kind Regards, Insan i've recovered rm'd C code using hexedit open the disk block device, and used the built-in search, select, copy, and paste into new file features to recover it. You have to know some keywords of what you are looking for, like a function name, etc. good idea to leave that partition unmounted/read-only until the data is recovered Well.. I got icat from sleuthkit.. right now I'm lookin' for hdd to back them up.. I will update this soon.. Thanks, Insan -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: howto restored rm-ed files/directory
On Sun, 25 Nov 2007 06:17:52 +0700, Randal L. Schwartz [EMAIL PROTECTED] wrote: it's called having a backup. once the inode is gone, the data is scattered, and the blocks likely reused quickly. no chance for undelete on unix. Yep.. totally agree.. -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: howto restored rm-ed files/directory
* Insan Praja SW [EMAIL PROTECTED] [2007-11-25 06:34:21]: On Sun, 25 Nov 2007 06:17:52 +0700, Randal L. Schwartz [EMAIL PROTECTED] wrote: it's called having a backup. once the inode is gone, the data is scattered, and the blocks likely reused quickly. no chance for undelete on unix. Yep.. totally agree.. Jesus saves, but Buddha makes incremental backups. -- Travers Buda
Re: howto restored rm-ed files/directory
Insan Praja SW wrote: Hi Misc, I got an important directory in my 4.1 bsd and it's deleted using rm -rf :(. Anyone had experience restoring them? I really.. (I mean Really) need help on this one.. Thanks, Kind Regards, Insan depends how much trouble you want to go to and in what format your files were. there are companies who will charge 800-2000$ for recovery... for a DYI-er: stop using the box/filesystem use dd or something like that to get a bit-for-bit copy of the filesystem. the underlying data is probably still there, maybe not so accessible - something like this: dd if=/dev/rsd0f of=/var/tmp/dd_rsd0f bs=64k use strings(1) and then grep or less on this to see what readable stuff you can get out of it. txt files will emerge quite usable, but not necessarily in order. if you need complete unadulterated data then there are a few other things you could try, but basically you'll need to get down dirty with disk blocks. NB suggest using vsconfig to mount a copy of your dd file as a volume again, and then fsdb to see what you can recover. a+ scorch
