After an extensive search for a tool or method to undelete/recover files deleted from a partition with the ext3 FS, I want to make some comments about the use of this FS.

What are the benefits of using the ext3 FS in a system (server, desktop, etc.) if I can't recover files deleted by an intruder if I need to do forensics; or if I want to recover important deleted files (business, personal use, a very important project, etc.)?

Before I began using the ext3 FS, I read about the benefits of using it, but the online documentation about the ext3 FS doesn't say anything about it not being possible to undelete files.

I was happy using the ext3 FS in my system until 1 week ago, when I deleted some files and dirs where I had programs and docs of my work; and now I can't use them and can't recreate or rebuild them.

I read about unmounting my partition (for what? the ext3 FS clears the inodes), using lde, debugfs, e2recover, etc. (these work only with the ext2 FS), and some people say that there is nothing to do. I used autopsy and task but they don't work.

Are there companies or people that can use the ext3 FS in their Linux systems and survive if a file is deleted (if they don't have backups) or if they lose a very important project or personal files? Or do they use the ext2 FS, to avoid being unable to recover files?

This one thing makes me think of changing the security policy for my systems to use only the ext2 FS until it's possible to undelete or recover files.

I hope you can understand what I'm trying to say.

-- 
LCC J. Manuel Lopez V.
Network and System Administration
FC/UABC
On Apr 24, 2003 21:31 -0700, mlopez wrote:
> What are the benefits of using the ext3 FS in a system (server, desktop,
> etc.) if I can't recover files deleted by an intruder if I need to
> do forensics; or if I want to recover important deleted files
> (business, personal use, a very important project, etc.)?

People generally make backups of important files. Well, actually, people who have previously deleted (or lost through corruption or hardware failure) files start making backups. Undelete will not help you if your hard drive dies, or you have a fire or whatever.

> I read about unmounting my partition (for what? the ext3 FS clears the inodes),
> using lde, debugfs, e2recover, etc. (these work only with the ext2 FS), and some
> people say that there is nothing to do. I used autopsy and task but
> they don't work.

I agree that this is something that has been discussed several times in the past on this mailing list. There are some possible solutions to this problem that could be implemented for ext3 - specifically by pre-calculating the actual number of blocks needed to truncate the file, and then only updating the bitmaps and inode when doing the truncate. That will only be possible when deleting smaller files (depending on journal size), so it won't be a real undelete facility but will at least give us most of what we had for ext2 (and will also make truncate go faster, I believe).

You can also get library wrappers that implement a _real_ undelete facility in user space by replacing the unlink call with a rename to a trashcan.

> This one thing makes me think of changing the security policy for my
> systems to use only the ext2 FS until it's possible to undelete or recover
> files.

Or, start making backups of your files, and be more careful when you are deleting files. Again, "undelete" will only help you in the case where you accidentally removed a file, and nothing was overwriting it. Backups will help you more often.
Cheers, Andreas
-- 
Andreas Dilger
http://sourceforge.net/projects/ext2resize/
http://www-mddsp.enel.ucalgary.ca/People/adilger/
Hi,

mlopez <mlopez@uabc.mx> writes:
> I was happy using the ext3 FS in my system until 1 week ago, when I
> deleted some files and dirs where I had programs and docs of my work;
> and now I can't use them and can't recreate or rebuild them.

I suggest that you either look for or write a "delete" or "myrm" command, which moves files into /tmp/deleted, ~/.deleted/ or similar - then clean these areas after some time. You might also consider using LVM snapshots to achieve what you are looking for.

-- 
There are only 10 different kinds of people in the world, those who understand binary, and those who don't.
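
The "myrm" command and the rename-to-a-trashcan wrapper suggested in the two replies above, sketched as shell functions. This is an added example, not code posted in the thread; `TRASH_DIR`, `purge_trash` and the `.origin` record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. TRASH_DIR, purge_trash and the
# ".origin" file are assumptions; "myrm" and ~/.deleted are names from the thread.
TRASH_DIR="${TRASH_DIR:-$HOME/.deleted}"

# myrm FILE...: move each path into its own slot under TRASH_DIR instead of
# unlinking it. Keeping TRASH_DIR on the same filesystem makes mv a rename.
myrm() {
    [ "$#" -gt 0 ] || { echo "usage: myrm FILE..." >&2; return 2; }
    mkdir -p "$TRASH_DIR" && chmod 700 "$TRASH_DIR" || return 1
    rc=0
    for target in "$@"; do
        if [ ! -e "$target" ] && [ ! -L "$target" ]; then
            echo "myrm: $target: no such file or directory" >&2
            rc=1; continue
        fi
        # Resolve the parent directory so the original location can be recorded.
        dir=$(cd "$(dirname -- "$target")" && pwd -P) || { rc=1; continue; }
        base=$(basename -- "$target")
        # mktemp -d gives every deletion a unique slot, so two files with the
        # same name never overwrite each other in the trash.
        slot=$(mktemp -d "$TRASH_DIR/$(date +%Y%m%dT%H%M%S).XXXXXX") || { rc=1; continue; }
        printf '%s\n' "$dir/$base" > "$slot/.origin"
        mv -- "$target" "$slot/$base" || rc=1
    done
    return "$rc"
}

# purge_trash [DAYS]: permanently remove slots deleted more than DAYS days ago
# (default 7). The slot directory's mtime is the time of deletion.
purge_trash() {
    days="${1:-7}"
    [ -d "$TRASH_DIR" ] || return 0
    find "$TRASH_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +"$days" \
        -exec rm -rf -- {} +
}
```

This only protects files removed through `myrm`; anything that calls `unlink` directly, including `rm` itself, bypasses it, so backups are still needed.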