Weekly Edition
Return to the Kernel pageSponsored link
Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Recovering deleted files from ext3
(Log in to post comments)
Recovering deleted files from ext3
Posted Mar 14, 2008 18:26 UTC (Fri) by vmole (subscriber, #111) [Link]
It appears that Carlo's page has been LWNed...
Recovering deleted files from ext3
Posted Mar 15, 2008 14:07 UTC (Sat) by jquirk (guest, #51079) [Link]
Nice to see someone actually looking at the disk structures and seeing what is really going on. When I was helping out with LDE I too just accepted the statement you can't recover files from and ext3 system. The true brilliance of this is to use the journal entries to fill in the missing pieces from the inodes.
Recovering deleted files from ext3
Posted Mar 16, 2008 4:27 UTC (Sun) by elgordo123 (guest, #51081) [Link]
Well it's nice to see that Linux is now officially no more secure than windows.
Recovering deleted files from ext3
Posted Mar 16, 2008 12:39 UTC (Sun) by dlang (subscriber, #313) [Link]
please explain. if you were ever under the impression that any linux filesystem completely overwrote the file with zeros (let alone did a secure delete by overwriting the file multiple times with different patterns), you are sadly mistaken. it's still significantly harder to recover files from ext2 than it is from windows file systems, but that's not a security measure, and it never was.
Recovering deleted files from ext3
Posted Mar 16, 2008 13:00 UTC (Sun) by nix (subscriber, #2304) [Link]
Also, if you can read the journal directly you have access to the block device and thus have lost the game regarding security of data on that device anyway.
Recovering deleted files from ext3
Posted Mar 18, 2008 23:45 UTC (Tue) by jquirk (guest, #51079) [Link]
Ext2 is not really that hard to recover files from provided you stop and unmount the disk as soon as you realize you have a problem. Its all there have a look at my stuff I contributed to LDE you can see all deleted entries on ext2 volume, ext2 just unlinks the directory entry for a linked list, marks the inode as deleted and frees the blocks in the bit map. It is as you stated ext2 zeros nothing of value. Most forensics tools know this so if you are security concerned standard files system are not for you. Ever wonder why if purchase you ex military computers they have no hard drives.
Recovering deleted files from ext3
Posted Mar 20, 2008 3:13 UTC (Thu) by quotemstr (subscriber, #45331) [Link]
Try
$ man shred :-)
$ alias shred='shred -u -n1'
Recovering deleted files from ext3
Posted Mar 20, 2008 4:51 UTC (Thu) by gdt (subscriber, #6284) [Link]
Why would shred work on a journaling filesystem like ext3? A point noted in shred's man page.
Recovering deleted files from ext3
Posted Mar 20, 2008 10:21 UTC (Thu) by Cato (subscriber, #7643) [Link]
Actually shred works fine on ext3 in default configurations, i.e. as long as you are only doing 'writeback' of data, meaning that filesystem metadata is journalled but file contents metadata is not. See http://en.wikipedia.org/wiki/Ext3 and in particular http://wiki.linuxquestions.org/wiki/Talk:Shred