[ale] Lessons learned with rm

James P. Kinney III jkinney at localnetsolutions.com
Thu Aug 22 21:58:33 EDT 2002


It _is_ _possible_ to recover lost data. The big question turns into
"how much is it worth to recover it?"  By getting the used blocks list
from the filesystem, one then knows what the system thinks is in use.
What's left is either unused or deleted space. Knowing what type of file
certainly helps! It is possible to do a block-by-block read, determine
file type, find the starting blocks, and piece a file back together.

There are organizations that can do this. FBI, CIA, NSA have certainly
developed techniques for doing just that. They start by disabling the
write circuit on the drive. Then they perform a sector by sector, block
by block copy of the drive to another drive. Then they extract all the
blocks that are not listed as linked to a file. Then they analyze each
block to determine file type, then associate each block to a possible
file, then try and refit the blocks back together. They also have teams
of hundreds of people working from millions of person-years of research
into how to do this. I would put a ballpark cost in the neighborhood of
$2k/recovered block. At 4kB blocks on a 20G drive...

All of a sudden, spending $1k on a GOOD tape drive and religiously using
it seems like a bargain. (Ecrix VXA with 33G/66G V17 tapes) 

On Thu, 2002-08-22 at 18:58, Geoffrey wrote:

> So, if one had an idea of the format of the deleted file, it would be 
> possible to do a raw read on the disk in order to try and locate this 
> information.  But, Drew's situation, as I recall was that he removed a 
> directory or multiple directories.  This truly would be an effort.  But, 
> is there some way to identify space that is not currently used?  That 
> is, no inode associated with it?  You would reduce the search space 
> substantially methinks.
> 
> So, Drew, if you're still talking to me :), could you share what the 
> file types were?  (text, image, wordprocessor)
> 
> We used to use a tool called fsdb to resolve such issues on SVR[34] 
> machines, but I'd guess that's probably similar to LDE.
> 
> > 
> > On Thu, 2002-08-22 at 16:33, Charles Marcus wrote:
> > 
> > 
> >>This was on an ext2 partition?  Has the question been definitely answered as
> >>to whether or not files can be undeleted from an ext3 partition?
> >>
> >>Thanks
> >>
> >>Charles
> >>
> >>
> >>---
> >>This message has been sent through the ALE general discussion list.
> >>See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> >>sent to listmaster at ale dot org.
> > 
> 
> 
> -- 
> Until later: Geoffrey		esoteric at 3times25.net
> 
> I didn't have to buy my radio from a specific company to listen
> to FM, why doesn't that apply to the Internet (anymore...)?
> 
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
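
The block-by-block approach described in the message above, as an added example that is not part of the original post: it skips every block on the in-use list, then guesses the content of each remaining block and flags likely file starts by their magic numbers. The sample image and the `used` set are constructed here; on a real ext2 volume the in-use list would come from the filesystem's block bitmaps, and the scan would run against a read-only copy of the drive.

```python
BLOCK_SIZE = 4096  # 4 kB blocks, as in the post

# Well-known magic numbers that mark the first block of a file.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
}

def classify(block):
    """Guess a block's content: known file start, empty, text or other data."""
    for magic, kind in SIGNATURES.items():
        if block.startswith(magic):
            return kind + "-start"
    body = block.rstrip(b"\x00")  # a file's last block is zero-padded
    if not body:
        return "empty"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in body)
    return "text" if printable / len(body) > 0.95 else "data"

def unallocated_blocks(image, used):
    """Yield (block_number, bytes) for each block absent from the in-use list."""
    for n in range(len(image) // BLOCK_SIZE):
        if n not in used:
            yield n, image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

def carve_candidates(image, used):
    """Map block number -> guessed content for non-empty unallocated blocks."""
    guesses = ((n, classify(b)) for n, b in unallocated_blocks(image, used))
    return {n: kind for n, kind in guesses if kind != "empty"}

def build_sample_image():
    """Constructed 8-block image; blocks 0 and 1 are 'in use', the rest free."""
    def pad(data):
        return data.ljust(BLOCK_SIZE, b"\x00")
    blocks = [bytes(BLOCK_SIZE)] * 8
    blocks[0] = pad(b"live file data")
    blocks[1] = pad(b"%PDF-1.4 live document")  # allocated, so never reported
    blocks[3] = pad(b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8)
    blocks[4] = pad(b"deleted notes line\n" * 100)
    blocks[6] = pad(b"PK\x03\x04" + b"\x14\x00" * 100)
    return b"".join(blocks), {0, 1}

if __name__ == "__main__":
    image, used = build_sample_image()
    for n, kind in carve_candidates(image, used).items():
        print(f"block {n}: {kind}")
```

This only locates candidate starting blocks and typed fragments; associating the remaining blocks with each start and refitting them is the expensive step the message describes.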


