Recovering deleted files from ext3
Carlo Wood seems to have mistakenly deleted his home directory and, instead of reaching for his backups, dug into the ext3 filesystem structure. The result is an in-depth look at ext3, including how to undelete files, and an ext3grep tool that looks like it might be rather useful. "However, this is utter nonsense. All information is still there, also the block pointers. It is just slightly less likely that those are still there (than on ext2), since they have to be recovered from the journal. On top of that, the meta data is less coherently related to the real data so that heuristic algorithms are needed to find things back." (seen at Val Henson's weblog)
Recovering deleted files from ext3
Posted Mar 14, 2008 18:26 UTC (Fri) by vmole (subscriber, #111)
It appears that Carlo's page has been LWNed...

Recovering deleted files from ext3
Posted Mar 15, 2008 14:07 UTC (Sat) by jquirk (guest, #51079)
Nice to see someone actually looking at the disk structures and seeing what is really going on. When I was helping out with LDE I too just accepted the statement that you can't recover files from an ext3 system. The true brilliance of this is to use the journal entries to fill in the missing pieces from the inodes.

Recovering deleted files from ext3
Posted Mar 16, 2008 4:27 UTC (Sun) by elgordo123 (guest, #51081)
Well, it's nice to see that Linux is now officially no more secure than Windows.

Recovering deleted files from ext3
Posted Mar 16, 2008 12:39 UTC (Sun) by dlang (subscriber, #313)
Please explain. If you were ever under the impression that any Linux filesystem completely overwrote the file with zeros (let alone did a secure delete by overwriting the file multiple times with different patterns), you are sadly mistaken. It's still significantly harder to recover files from ext2 than it is from Windows file systems, but that's not a security measure, and it never was.

Recovering deleted files from ext3
Posted Mar 16, 2008 13:00 UTC (Sun) by nix (subscriber, #2304)
Also, if you can read the journal directly you have access to the block device and thus have lost the game regarding security of data on that device anyway.

Recovering deleted files from ext3
Posted Mar 18, 2008 23:45 UTC (Tue) by jquirk (guest, #51079)
Ext2 is not really that hard to recover files from, provided you stop and unmount the disk as soon as you realize you have a problem. It's all there; have a look at my stuff I contributed to LDE: you can see all deleted entries on an ext2 volume. Ext2 just unlinks the directory entry for a linked list, marks the inode as deleted and frees the blocks in the bit map. It is as you stated: ext2 zeros nothing of value. Most forensics tools know this, so if you are security concerned, standard file systems are not for you. Ever wonder why, if you purchase ex-military computers, they have no hard drives?

Recovering deleted files from ext3
Posted Mar 20, 2008 3:13 UTC (Thu) by quotemstr (subscriber, #45331)
Try

Recovering deleted files from ext3
Posted Mar 20, 2008 4:51 UTC (Thu) by gdt (subscriber, #6284)
Why would shred work on a journaling filesystem like ext3? A point noted in shred's man page.

Recovering deleted files from ext3
Posted Mar 20, 2008 10:21 UTC (Thu) by Cato (subscriber, #7643)
Actually shred works fine on ext3 in default configurations, i.e. as long as you are only doing 'writeback' of data, meaning that filesystem metadata is journalled but file contents metadata is not. See http://en.wikipedia.org/wiki/Ext3 and in particular http://wiki.linuxquestions.org/wiki/Talk:Shred
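
The thread's question of whether shred's in-place overwrite is dependable on ext3 turns on the mount's data journaling mode. The following is an added example, not part of the article or of any comment above: it reads mount entries in /proc/mounts format and reports the mode that applies to a given file. The function names and the sample mount table are constructed for illustration, and a missing data= option is assumed to mean the documented default, data=ordered.

```python
# Constructed sample in /proc/mounts format (not from the page).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,data=writeback 0 0
/dev/sdb1 /srv/mail ext3 rw,noatime,data=journal 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value})] from /proc/mounts text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            opts[key] = value
        # /proc/mounts writes a space inside a path as \040
        entries.append((fields[1].replace("\\040", " "), fields[2], opts))
    return entries

def mount_for(path, entries):
    """Pick the entry whose mount point is the longest prefix of path."""
    best = None
    for entry in entries:
        mp = entry[0].rstrip("/")          # "/" becomes ""
        if path == mp or path.startswith(mp + "/"):
            # >= lets a later mount stacked on the same point win
            if best is None or len(mp) >= len(best[0].rstrip("/")):
                best = entry
    return best

def shred_check(path, mounts_text=SAMPLE_MOUNTS):
    """Return (data_mode, in_place_overwrite_ok) for an absolute path."""
    entry = mount_for(path, parse_mounts(mounts_text))
    if entry is None or entry[1] != "ext3":
        return (None, None)                # outside what this check covers
    # Assumption: no data= option shown means the documented default, ordered.
    mode = entry[2].get("data") or "ordered"
    # data=journal also writes file contents to the journal, so old copies
    # can survive there after the file's own blocks are overwritten.
    return (mode, mode != "journal")

if __name__ == "__main__":
    for p in ("/etc/fstab", "/home/carlo/notes.txt", "/srv/mail/inbox", "/tmp/x"):
        print(p, shred_check(p))
```

On a live system, pass the contents of /proc/mounts as mounts_text instead of the sample.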
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.