Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Find a deleted file?

Status
Not open for further replies.

Laura2

IS-IT--Management
Aug 13, 2002
99
US
Our legacy system is unix based. A user made a huge error yesterday and our legacy system does not track who made what changes. Our only hope was to find the file that was generated by the change the user made. The problem is that the user has deleted this file to cover the evidence. Is there any way to retreive it?

I know it's a long shot but thought I'd try.

Thanks,

Laura.
 
Not really. It's probably gone, especially if you've been writing things to the disk much since it happened.

If you want any hope of recovering it, cease all activities that write to the disk partition where the file was created, then run "strings /dev/HDx# | grep TEXT" where HDx# is the hard drive partition in question and TEXT is some known text that should be in the file that got deleted. If that finds the file, you can probably salvage some of it.

Also, check at or to see if there are any utilities that will do the same type thing for you.

If that fails, and you're willing to pay a lot to recover the data, there are people who can examine a disk drive and find data that a computer can no longer see. Try to track them down.

Finally, you might want to double-check whether or not that's the only way to figure out what's going on. Look at system logs and such.

Good luck.
 
no laura
unix suppose, you know what you are doing.
a remove is a remove.
welcome in club.

don't forget, RTFMP :) guggach
 
I think chipperMDW's is probably the correct approach, but it's a long shot. Given that it's a 'legacy' system, I imagine there's not too much activity, so the deleted file might still be there.

As for tracking down the culprit, if your users have any sort of command history (ksh .sh_history for example), you could try searching for clues amongst the rm commands therein. Another long shot (particularly if your users are savvy to it), but worth a look.

I take it you don't have a backup :-(
 
not unless a backup was taken betwwen the change and the delete...Sorry.
 
Probably not the case, but if your Legacy unix is not that old, see if it has versioning active for that particular directory/file.

Some Unix versions have this facility, but most of the times is not even enabled.

Long shot though.



Regards

Frederico Fonseca
SysSoft Integrated Ltd
 
You could try to use the midnight commander to examine lost files. It's difficult to find out how it works, and should perpaps be tested on a Testmachine.

If you first have to install mc, this activity might override the bits, as well as every activity as logging or temporary files.

Perhaps you can first remount the partition in read-only mode to keep some chances...

seeking a job as java-programmer in Berlin:
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top