The original White Hat

Mon Oct 6 21:01:32 UTC 2008

Data recovery from ext3 filesystems

--

A nice article from SecurityFocus, discussing a good approach to using data carving tools to recover deleted files from a Linux ext3 filesystem, using e2fsprogs, sleuthkit and foremost.

http://www.securityfocus.com/infocus/1902

The ext3 FAQ tells us that there is no guaranteed method to recover deleted files from the filesystem (ext3 zeroes the block pointers in the inode when a file is unlinked, so the ext2-style undelete via debugfs no longer works), but Abe Getchell's article describes some useful techniques that will help you to search for the remains of your data.

A couple of points aren't made very clearly, however. If your ext3 filesystem is busy, your data will probably be overwritten before you have time to go looking for it. Abe's example is of a file lost from the sole partition of a machine (i.e. the default layout on Ubuntu, and probably other distributions), and if there is a lot of logging going on you will have to act quickly. Shutting down to single-user mode would help; physically mounting the drive read-only on another system, or imaging it with dd and working on the copy, or booting from a LiveCD to do the recovery, would help even more. Given that you might not have the tools you need pre-installed, don't install them onto the filesystem you are trying to recover from: every package you write there is more free blocks overwritten.

The other point is that you'll be scanning through a very large area of disk to look for the deleted file, and you will probably find lots of other files that had previously been deleted. Not too bad if this is your own personal machine you're recovering from, but if this is a client machine, be very careful that you understand what type of access is appropriate, even to deleted files. Abe's suggestion of using a good library of checksums (such as those provided by Tripwire) is an excellent way of checking for a matched file without explicitly reading its contents.
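To make the two ideas above concrete, here is an added example (not from Abe's article or from the foremost/sleuthkit projects) that does what the article's toolchain does in miniature: header/footer carving over a raw image, then matching each carved candidate against a sha256sum-style checksum list so that only files whose hash is already known get handed back. The "disk image", the file signatures table and the checksum list are all constructed inline for the demonstration; on a real job the image would come from dd and the checksum list from Tripwire or a known-good copy.

```python
import hashlib

# Signature table: file type -> (header, footer, maximum carve length).
# Same idea as foremost's configuration; only two types are listed here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}

# Constructed sample content standing in for deleted files lying in free space.
SAMPLE_JPEG_A = b"\xff\xd8\xff\xe0" + b"JFIF-A" * 8 + b"\xff\xd9"
SAMPLE_JPEG_B = b"\xff\xd8\xff\xe1" + b"EXIF-B" * 5 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"


def build_sample_image() -> bytes:
    """Constructed stand-in for a dd image: zeroed filler with three deleted files in it."""
    filler = b"\x00" * 512
    return filler + SAMPLE_JPEG_A + filler + SAMPLE_PNG + filler + SAMPLE_JPEG_B + filler


# Constructed checksum list in `sha256sum` format; only one of the three files is "ours".
SAMPLE_HASH_LIST = hashlib.sha256(SAMPLE_JPEG_A).hexdigest() + "  holiday.jpg\n"


def parse_hash_list(text: str) -> dict:
    """Parse `<hex digest>  <name>` lines (sha256sum output) into digest -> name."""
    known = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            known[parts[0].lower()] = parts[1]
    return known


def carve(image: bytes) -> list:
    """Header/footer carving: return (type, offset, data) for every complete candidate.

    A header with no footer within max_len is skipped, so a truncated or
    partially overwritten file does not swallow the rest of the image.
    """
    found = []
    for ftype, (header, footer, max_len) in SIGNATURES.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h < 0:
                break
            f = image.find(footer, h + len(header), h + max_len)
            if f < 0:
                start = h + 1
                continue
            end = f + len(footer)
            found.append((ftype, h, image[h:end]))
            start = end
    found.sort(key=lambda item: item[1])
    return found


def match_known(carved: list, known: dict) -> list:
    """Hash every candidate and report whether it is in the checksum library.

    Contents are only hashed, never displayed, so a candidate that is not ours
    is reported as an anonymous (type, offset, size, digest) tuple.
    """
    report = []
    for ftype, offset, data in carved:
        digest = hashlib.sha256(data).hexdigest()
        report.append({"type": ftype, "offset": offset, "size": len(data),
                       "sha256": digest, "known": known.get(digest)})
    return report


def recover_known(image: bytes, hash_list: str) -> dict:
    """Return name -> bytes only for carved candidates whose hash is in the list."""
    known = parse_hash_list(hash_list)
    recovered = {}
    for ftype, offset, data in carve(image):
        name = known.get(hashlib.sha256(data).hexdigest())
        if name is not None:
            recovered[name] = data
    return recovered


if __name__ == "__main__":
    img = build_sample_image()
    for entry in match_known(carve(img), parse_hash_list(SAMPLE_HASH_LIST)):
        print(entry)
    print(list(recover_known(img, SAMPLE_HASH_LIST)))
```

The reporting step is deliberately separate from the recovery step: on a client's machine you can show the hash report (type, offset, size, digest, matched name) without ever opening the unmatched candidates, and only the files whose digest appears in the library are written back out.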
