Recover Deleted Files

[Kirsle]

I've read in several places that when you use dd to image a hard drive, it makes a byte-exact image which will even include the data from files that were recently deleted, but not yet overwritten by newer files.

I found something online about how to undelete files from ext2 file systems, and that for non-ext2 file systems you can run this command on the unmounted drive to try to recover some data from a deleted file:

grep -a -B[size before] -A[size after] 'text' /dev/[your_partition]

However, that assumes that you know something about the deleted file. Is there a way (preferrably filesystem-independent) for reading through a hard drive's data (or the data of a dd image) and come up with a list of all the files that were deleted?

On Windows there were some undelete programs that would scan the hard drive and, in most cases, be able to find the file names of the deleted files and give you an estimate of how likely it is that the file can be recovered. How would you do this on Linux?

-------------
Cuvou.com | My personal homepage
Project Fearless | My web blog

 

[jstreich]

There is a special version of Linux used for forensic and system recovery called Helix. It should have tools for doing this sort of thing. ext3 has journaling and you may be able to recover the data from teh journal, but ext3 will require special programs.

Keep in mind installing software, creating files or even updates to the the log files can create problems trying to recover data from a drive.

Have a look at:

http://www.penguin-soft.com/penguin/man/8/e2undel.html

https://sourceforge.net/projects/giis

[plug=shameless]

http://game-master.us/phpx-3.4.0/

[/plug]

 

[geirendre]

I would recomend Photorec for recovering "deleted" files.
It was made to recover pictures, but it reportedly works
just as well on other types of files.
Here's some more info:

http://www.linux.com/articles/56588?tid=119&tid=13

HTH