Gentoo Forums
Recovering files with "The Sleuth Kit"
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 257

Posted: Mon Aug 01, 2005 7:14 pm    Post subject: Recovering files with "The Sleuth Kit"

I don't like mondays!

This afternoon I wanted to back up the files of my diploma thesis before walking home. So I plugged in my usb stick and erased the old "diplom" directory on it to get rid of old files. Fine, but while doing this I must have accidentally switched planes in Gentoo; anyway, afterwards the "diplom" directory on my hard drive was gone, too! Instead of copying my work to the usb stick, both disappeared. D'Oh! 8O

First action: unmount usb stick.

Great, only one DVD+RW backup at home, two weeks old! What to do? Since I do my work on my notebook, and since it was the first Gentoo installation, its HDD consists of only one big ReiserFS partition (*). So I could not unmount /home/ and use reiserfsck for recovery. :cry:

So I returned home and used my desktop to do some research on FAT file recovery -- I came across The Sleuth Kit.
Remember the usb stick? To me it seemed easier to recover its files than to try reiserfsck on my notebook HDD. At least I would only be thrown back to last week...

My recovery procedure:

Step #1:
Become root, plug in usb stick, but don't mount it. Copy all of its blocks to a file:
Code:
dd if=/dev/sda1 of=/tmp/my-usb-image


Step #2:
If not yet done: install the software.
Code:
emerge sleuthkit


step #3:
Exit root mode, create a project directory in your home, in my case /home/frank/projekte/defiant-recovery. Change into your project directory, copy the usb image to it and take a look at the contents of your usb image file with fls:
Code:
cp /tmp/my-usb-image ./
fls -f fat -d -p -r my-usb-image

This will print a list of deleted (-d) files with full path (-p) while traversing recursively (-r) through the structure. Here are the first three lines of my usb image file structure:
Code:
d/d * 4:        diplom
d/d * 518:      diplom/c_prog
r/r * 647:      diplom/c_prog/pointer_test.c

The first field denotes the file type, the third field is the node number and the last field is the actual file name.

step #4:
With this information one would use icat to extract every found node to the appropriate file. Since we use Linux we can do this automatically. First print the fls output to a file:
Code:
fls -f fat -d -p -r my-usb-image > filelist.txt

Second, edit this file list and delete all the gibberish lines (there might be remnants of old data).

step #5:
After this little list file clean up, create the following script in your recovery project directory:
Code:
#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# Reads the saved "fls -f fat -d -p -r" output line by line.

while IFS= read -r line; do
   filetype=$(echo "$line" | awk '{print $1}')
   filenode=$(echo "$line" | awk '{print $3}')
   filenode=${filenode%:}                  # strip the trailing colon
   filename=$(echo "$line" | cut -f 2-)    # fls puts a tab before the path

   echo "$filename"

   if [ "$filetype" = "d/d" ]; then
      mkdir -p "$filename"
   else
      mkdir -p "$(dirname "$filename")"    # in case the parent was not listed
      icat -f fat -r -s my-usb-image "$filenode" > "$filename"
   fi
done < "$1"

Call it with said file list as parameter:
Code:
./reconstruct.sh edited-filelist.txt


Et voilà, most of the deleted data is back. This script parses the lines of the list. If it encounters a directory, it creates it, otherwise it extracts the contents of the node to the given file.

--

Apart from this makeshift recovery -- are there any solutions to recover the deleted directory /home/frank/diplom on my ReiserFS partition? That would be very, very nice!


(*) My newer systems have partitions for /home/ and /usr/ and...
_________________
Tempus fugit.
@frank@troet.cafe
der bastler
Apprentice

Joined: 13 Apr 2003
Posts: 257

Posted: Mon Aug 01, 2005 9:36 pm

I'm back in last week... and tomorrow I have to do it again: revise source, port from English to German comments, create command module, correct coord transformation, ... *sigh* Groundhog day anyone?


A last question: Is there no way to undelete files in a given directory on a ReiserFS partition? Something like "There was a directory "bla" with subdirectories, please check your trees if you can find it?"

No, reiserfsck is no option because a) unmounting the partition needs a boot disk/cd and b) I don't have enough space to do a complete 40GB copy of the partition.
_________________
Tempus fugit.
@frank@troet.cafe
Gentree
Watchman

Joined: 01 Jul 2003
Posts: 5350
Location: France, Old Europe

Posted: Sun Nov 27, 2005 10:36 am

der bastler wrote:
I'm back in last week... and tomorrow I have to do it again: revise source, port from English to German comments, create command module, correct coord transformation, ... *sigh* Groundhog day anyone?


A last question: Is there no way to undelete files in a given directory on a ReiserFS partition? Something like "There was a directory "bla" with subdirectories, please check your trees if you can find it?"

No, reiserfsck is no option because a) unmounting the partition needs a boot disk/cd and b) I don't have enough space to do a complete 40GB copy of the partition.


Firstly thanks for the info on sleuthkit. Looks like just what I need to repair a friend's vfat.

For the rest, I don't know of a way to recover deleted files on reiserfs, but if you think reiserfsck will help then get yourself a boot CD like the linux rescueCD or Knoppix or so; that hardly seems to be a problem.

You have probably also realised that huge partitions are not so good. Once you have recovered what you can I suggest splitting / into several smaller partitions. I like to keep mine under 8G unless there is a very good reason.

This makes swapping, backing up, changing fs, etc. all a lot more practicable.

Sorry I can't help more on the deleted files.

8)
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86
bfkeats
Apprentice

Joined: 20 Feb 2004
Posts: 268

Posted: Sat Feb 04, 2006 1:26 am

Small improvement to the script. This will handle spaces in the paths.

Code:
#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data
# fls separates the path from the metadata with a tab, so "cut -f 2"
# keeps paths that contain spaces intact.

while IFS= read -r line; do
   filetype=$(echo "$line" | awk '{print $1}')
   filenode=$(echo "$line" | awk '{print $3}')
   filenode=${filenode%:}
   filename=$(echo "$line" | cut -f 2)

   echo "$filename"

   if [ "$filetype" = "d/d" ]; then
      mkdir -p "$filename"
   else
      mkdir -p "$(dirname "$filename")"
      icat -f fat -r -s fatImage "$filenode" > "$filename"
   fi
done < "$1"
wally.hall
n00b

Joined: 26 Sep 2005
Posts: 55
Location: England

Posted: Mon Jul 07, 2008 10:11 am    Post subject: Same problem, similar solution

I had a similar problem, so I wrote a script using ffind, icat and ils to "reconstruct" the directory structure plus file contents. For 10GB of data on a seriously damaged drive, it took a little over 10 hours solid working, but it did the job.

http://matt.matzi.org.uk/2008/07/03/reconstructing-heavily-damaged-hard-drives/
_________________
I like Gentoo why?
Because it works how I want it to work.
jexxie
Tux's lil' helper

Joined: 12 Oct 2007
Posts: 82
Location: Vancouver, BC

Posted: Tue Jul 29, 2008 4:07 am

If you're going to script in bash, script in bash. This should work, I didn't test it.

Code:
#!/bin/bash
# reconstruct.sh -- reconstruct lost but not overwritten FAT data

if [[ $# -ne 2 ]]; then
   echo "supply the path to the filesystem image and the fls file list please."
   echo "ex: $0 /path/to/filesystem.img /path/to/filelist.txt"
   exit 1
fi

image=$1
filelist=$2

# Redirect the whole loop, not the read: "read line < $1" would reopen the
# file on every iteration and read its first line forever.
while IFS= read -r line; do
   filetype=$(echo "$line" | awk '{print $1}')
   filenode=$(echo "$line" | awk '{print $3}')
   filenode=${filenode%:}
   filename=$(echo "$line" | cut -f 2)

   echo "$filename"

   if [[ $filetype == "d/d" ]]; then
      mkdir -p "$filename"
   else
      mkdir -p "$(dirname "$filename")"
      icat -f fat -r -s "$image" "$filenode" > "$filename"
   fi
done < "$filelist"

_________________
Rambling sysadmin
My personal site and blog: Phil Dufault
Master_Of_Disaster
l33t

Joined: 28 Feb 2003
Posts: 610
Location: 15.05072° East, 48.13747° North (aka Mauer), Austria

Posted: Thu Oct 23, 2008 6:58 pm

You could also try foremost, but you'll lose the filenames. Plus it works only on certain filetypes.
_________________
post tenebras lux, post fenestras tux
Registered Linux User Nr. 312509
Adopt an unanswered post today!