UN-deleting files in Linux

I decided to investigate how easy it was to recover deleted files in Linux and came to the conclusion that using secure file deletion utilities is a must for safely deleting data. When files are removed in linux they are only un-linked but their inodes (addresses in the disk where the file is actually present) is not removed. This concept will be quite handy while recovering deleted files. Now i won't discuss specialized software but rather stick to utilities commonly present in linux distros. In this case it's the "debugfs" utility. Run "debugfs /dev/hda13" and then at the "debugfs" prompt use the command "lsdel"

[root@localhost d00m]# debugfs /dev/hda13

debugfs 1.27ea (14-Mar-2002)fs /dev/hda13 
debugfs:  lsdel
 Inode  Owner  Mode    Size    Blocks   Time deleted
241952      0 100644   1780    1/   1 Mon Jul 26 05:30:49 2004
254756      0 100444  95476   25/  25 Tue Oct 10 20:03:00 2023
254757      0 100444 753790  186/ 186 Tue Oct 10 20:03:00 2023
254758      0 100444 191369   48/  48 Tue Oct 10 20:03:00 2023
254759      0 100444 818458  201/ 201 Tue Oct 10 20:03:00 2023
254760      0 100444 791642  195/ 195 Tue Oct 10 20:03:00 2023
254761      0 100444 1450218  356/ 356 Tue Oct 10 20:03:00 2023
254762      0 100444  55052   15/  15 Tue Oct 10 20:03:00 2023
254763      0 100444  11925    3/   3 Tue Oct 10 20:03:00 2023
254764      0 100444  15576    4/   4 Tue Oct 10 20:03:00 2023
254765      0 100444   8851    3/   3 Tue Oct 10 20:03:00 2023
254766      0 100444  59680   16/  16 Tue Oct 10 20:03:00 2023
254767      0 100444 340167   85/  85 Tue Oct 10 20:03:00 2023
254768      0 100444  99056   26/  26 Tue Oct 10 20:03:00 2023
254769      0 100444  25943    7/   7 Tue Oct 10 20:03:00 2023
254770      0 100444 692848  171/ 171 Tue Oct 10 20:03:00 2023
254771      0 100444  55013   15/  15 Tue Oct 10 20:03:00 2023
254772      0 100444  34777    9/   9 Tue Oct 10 20:03:00 2023
254773      0 100444 907795  223/ 223 Tue Oct 10 20:03:00 2023
254774      0 100444  88167   23/  23 Tue Oct 10 20:03:00 2023

Please remember to replace "/dev/hda13" with your own partition.

The inode and the date of deletion is the important thing to note for recovering files.

Next Press Ctrl+c after deciding which inode you want to check. You will now be back to the debugfs prompt. Use the "cat (Inlcuding brackets)" command to dump the file on the console. Eg:

debugfs: cat <32611>
This is a text file!!
debugfs: 

If u want to save the file then u will need to use the "dump command". Eg:

debugfs: dump <32611> /root/test
debugfs: quit

[root@localhost d00m]#cat test
This is a text file!!
[root@localhost d00m]#

To safely delete files you can use "shred" utilitly common in most linux distros. This utiliy overwrites and then securely deletes files. Also search sourceforge.net for more specalized tools for deleting/recovering files in Linux. If u want to share info on this topic mail me at : h_chhetri@yahoo.com

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Notify Settings

Great Tip... keep it coming!

Remember to turn your "notify settings" on, and any new blogs and responses will be sent to you automatically.

Comment