I decided to investigate how easy it was to recover deleted files in Linux and came to the conclusion that using secure file deletion utilities is a must for safely deleting data. When files are removed in Linux they are only unlinked; their inodes (which record the disk addresses where the file's data is actually present) are not removed. This comes in handy when recovering deleted files. I won't discuss specialized software here but will stick to utilities commonly present in Linux distros, in this case the "debugfs" utility. Run "debugfs /dev/hda13" and then, at the "debugfs" prompt, use the command "lsdel".
[root@localhost d00m]# debugfs /dev/hda13
debugfs 1.27ea (14-Mar-2002)fs /dev/hda13
debugfs: lsdel
 Inode  Owner    Mode     Size    Blocks   Time deleted
241952      0  100644     1780    1/   1   Mon Jul 26 05:30:49 2004
254756      0  100444    95476   25/  25   Tue Oct 10 20:03:00 2023
254757      0  100444   753790  186/ 186   Tue Oct 10 20:03:00 2023
254758      0  100444   191369   48/  48   Tue Oct 10 20:03:00 2023
254759      0  100444   818458  201/ 201   Tue Oct 10 20:03:00 2023
254760      0  100444   791642  195/ 195   Tue Oct 10 20:03:00 2023
254761      0  100444  1450218  356/ 356   Tue Oct 10 20:03:00 2023
254762      0  100444    55052   15/  15   Tue Oct 10 20:03:00 2023
254763      0  100444    11925    3/   3   Tue Oct 10 20:03:00 2023
254764      0  100444    15576    4/   4   Tue Oct 10 20:03:00 2023
254765      0  100444     8851    3/   3   Tue Oct 10 20:03:00 2023
254766      0  100444    59680   16/  16   Tue Oct 10 20:03:00 2023
254767      0  100444   340167   85/  85   Tue Oct 10 20:03:00 2023
254768      0  100444    99056   26/  26   Tue Oct 10 20:03:00 2023
254769      0  100444    25943    7/   7   Tue Oct 10 20:03:00 2023
254770      0  100444   692848  171/ 171   Tue Oct 10 20:03:00 2023
254771      0  100444    55013   15/  15   Tue Oct 10 20:03:00 2023
254772      0  100444    34777    9/   9   Tue Oct 10 20:03:00 2023
254773      0  100444   907795  223/ 223   Tue Oct 10 20:03:00 2023
254774      0  100444    88167   23/  23   Tue Oct 10 20:03:00 2023
Please remember to replace "/dev/hda13" with your own partition.
The inode and the date of deletion are the important things to note for recovering files.
Next, press Ctrl+c after deciding which inode you want to check. You will now be back at the debugfs prompt. Use the "cat
debugfs: cat <32611>
This is a text file!!
debugfs:
If you want to save the file then you will need to use the "dump
debugfs: dump <32611> /root/test
debugfs: quit
[root@localhost d00m]#cat test
This is a text file!!
[root@localhost d00m]#
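The same lsdel, inode and dump steps can be scripted. The following is an added example, not part of the original post: it reads "lsdel" output and emits one "dump" request per deleted inode whose blocks are all still free, optionally limited to a deletion date. The function names, the output file naming, the /mnt/usb path and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build a debugfs command file
# of `dump` requests from `lsdel` output.
#
# lsdel_to_dump OUTDIR [WHEN]
#   stdin : output of the debugfs `lsdel` command
#   OUTDIR: directory for recovered files (assumed to be on a different
#           filesystem, so writes cannot land on the freed blocks)
#   WHEN  : optional substring of "Time deleted", e.g. "Oct 10"
lsdel_to_dump() {
    awk -v outdir="$1" -v when="${2:-}" '
    # Blocks prints as "free/ total"; close the gap so it is one field.
    { gsub(/\/ +/, "/") }
    # Data rows: inode, owner, mode, size, blocks, then five time fields.
    $1 ~ /^[0-9]+$/ && NF == 10 {
        stamp = $6 " " $7 " " $8 " " $9 " " $10
        if (when != "" && index(stamp, when) == 0) next
        split($5, blk, "/")
        if (blk[1] + 0 < blk[2] + 0) {
            # Fewer free blocks than total: part of the data was reused.
            printf("skipped <%s>: %s of %s blocks still free\n",
                   $1, blk[1], blk[2]) > "/dev/stderr"
            next
        }
        printf("dump <%s> %s/inode_%s\n", $1, outdir, $1)
    }'
}

# Constructed sample: header and three rows in the format of the listing
# above, plus one made-up row (inode 300001) with a partly reused file.
sample_lsdel() {
    cat <<'EOF'
 Inode Owner Mode Size Blocks Time deleted
241952 0 100644 1780 1/ 1 Mon Jul 26 05:30:49 2004
254756 0 100444 95476 25/ 25 Tue Oct 10 20:03:00 2023
300001 0 100644 9000 2/ 3 Tue Oct 10 20:03:00 2023
254765 0 100444 8851 3/ 3 Tue Oct 10 20:03:00 2023
EOF
}

# Usage sketch (paths are placeholders):
#   debugfs -R lsdel /dev/hda13 | lsdel_to_dump /mnt/usb "Oct 10" > cmds
#   debugfs -f cmds /dev/hda13
```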
To safely delete files you can use the "shred" utility, common in most Linux distros. This utility overwrites and then securely deletes files. Also search sourceforge.net for more specialized tools for deleting/recovering files in Linux. If you want to share info on this topic, mail me at: h_chhetri@yahoo.com
- himanshu's blog
Comments
Great Tip... keep it coming!
Remember to turn your "notify settings" on, and any new blogs and responses will be sent to you automatically.