[vox-tech] File recovery?

ME vox-tech@lists.lugod.org
Mon, 2 Sep 2002 00:20:07 -0700 (PDT)


On Sun, 1 Sep 2002, Ryan wrote:
> --[PinePGP]--------------------------------------------------[begin]--
> On Sunday 01 September 2002 08:57 pm, ME wrote:
> > On Sun, 1 Sep 2002, Ryan wrote:
> > > On Sunday 01 September 2002 05:22 pm, Ryan wrote:
> > > > Last night my system froze and I had to hard-reset.
> > > > Now a few directories are gone from one of my partitions.
> > > > Any way to recover these?
> > > > The partition hasn't been written to since.
> > >
> > > BTW, the files I want are AVIs (about 20 fansubs) which all start with
> > > the string 'RIFF'
> > >
> > > Perhaps I could tell mplayer to play /dev/hdg1 and give it the offset and
> > > use the option to dump it to the disk (mplayer will figure out where the
> > > file ends)
> > >
> > > Are things likely to be unfragmented enough for this to work?
> >
> > I saw a tool in use and demoed by Venema and Farmer back in NY which they
> > called "the grave robber's tool kit" though I think it changed names. It
> > allowed you to "walk your disk" and "look at files" including deleted
> > ones, and Farmer said he was going to add features to make it allow you to
> > see images (or what could be reconstructed of an image) for files that
> > were deleted. This tool may help you do what you want to do, but you
> > probably don't want to install it on the same system you wish to
> > inspect. ;-)
> 
> the only google hit for this was an old post on vox-tech :(
> 
> A little more searching shows that it was called "The Coroner's Toolkit"

That was the new name. The name they stated and used at the conference was
the former, and the new name is the one that it goes by. I still have
papers from the conference. One page for opening, "This is not a pipe",
but they refer to it with the older name.

> I tried using debugfs, but its lsdel command showed nothing, leading me to
> believe that fsck did a real number on my stuff.

I would tend to agree with the other user's post about checking lost+found
first.

> > It had other features, but the one mentioned here is probably what you
> > would want it for right now.
> >
> > Also, if the files are not on disk, but were in memory in unflushed
> > buffers, and never written to disk, you are probably not going to find
> > much of anything on disk that was not written to disk in the first place.
> 
> There was several gigs of stuff. It was on the disk all right.
> 
> I think my best option is to figure out where the files started on the disk
> and use mplayer to dump them elsewhere.
> 
> How would I grep the disk for a string and have it print the offsets?
              ----
I don't think that would be the best solution. An application layer
examination tool would probably be better for the task and be able to try
to estimate the locations of the parts of the file. Another user suggested
a disk/hex editor. Good idea.

However, if you are set on this direction, you could try using grep. :-)

grep --binary-files=text --byte-offset "hello" /dev/hda1 |less
variations to this can further help refine the search for the offset.

It will likely be messy. :-/

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
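Added example, not part of the thread above and not ME's or Ryan's code: the
grep-for-offsets approach from the reply, carried one step further. A RIFF file
begins with 'RIFF', a 4-byte little-endian payload length, then a 4-byte form
type ('AVI ' for video), so once you have the offset the header itself says
where an unfragmented file ends; there is no need to make mplayer guess. The
script scans a raw partition or dd image read-only, reports only headers whose
form type you asked for (which drops most chance hits on the string "RIFF"),
optionally skips hits that are not on a filesystem block boundary (ext2 file
data starts on block boundaries, so an unaligned hit is inside some other
file), and refuses to carve a header whose declared length runs past the end
of the device. The assumptions are the thread's own: the files were stored
contiguously, and you write output to a different disk than the damaged one.
The sample image is constructed inline for the demonstration; it is not real
data.

```python
#!/usr/bin/env python3
"""Carve RIFF/AVI files out of a raw partition or dd image by header.

Added example, not code from the vox-tech thread.  Assumes (not stated on
the page) that the files were contiguous on disk, and that you read from a
dd image or a read-only device and write output somewhere else.
"""
import io
import os
import struct
import sys

RIFF_MAGIC = b"RIFF"
HEADER_LEN = 12          # magic (4) + payload length (4) + form type (4)
READ_CHUNK = 1 << 20     # scan the device 1 MiB at a time, never all at once


def find_riff_headers(fobj, form_types=(b"AVI ",), align=None, chunk_size=READ_CHUNK):
    """Yield (offset, form_type, payload_size) for each RIFF header in fobj.

    Only headers whose form type is in form_types are reported.  If align is
    given (the filesystem block size, e.g. 4096), headers that do not start
    on a block boundary are skipped as well.
    """
    read_at = 0     # where the next read starts (we seek, so callers may move fobj)
    base = 0        # absolute offset of buf[0]
    tail = b""      # carry-over so a header split across two reads is still seen
    while True:
        fobj.seek(read_at)
        block = fobj.read(chunk_size)
        if not block:
            break
        read_at += len(block)
        buf = tail + block
        pos = 0
        while True:
            i = buf.find(RIFF_MAGIC, pos)
            if i < 0 or i + HEADER_LEN > len(buf):
                break           # none left, or the header straddles this read
            size = struct.unpack_from("<I", buf, i + 4)[0]
            form = buf[i + 8:i + HEADER_LEN]
            offset = base + i
            if form in form_types and (align is None or offset % align == 0):
                yield offset, form, size
            pos = i + 1
        keep = min(len(buf), HEADER_LEN - 1)
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep


def carve(fobj, offset, payload_size, out):
    """Copy header + payload of the file at offset into out.

    Returns bytes written, or None (writing nothing) if the device ends
    before the declared length: the header is bogus or the file is truncated.
    """
    total = payload_size + 8
    fobj.seek(0, os.SEEK_END)
    if offset + total > fobj.tell():
        return None
    fobj.seek(offset)
    remaining = total
    while remaining:
        chunk = fobj.read(min(READ_CHUNK, remaining))
        if not chunk:
            return None
        out.write(chunk)
        remaining -= len(chunk)
    return total


def build_sample_image():
    """Constructed test image (not real data), 4 KiB blocks: filler, a complete
    AVI, a WAVE file, the string 'RIFF' inside text, and a truncated AVI."""
    block = 4096
    avi_payload = b"AVI " + b"LIST" + struct.pack("<I", 4) + b"hdrl" + b"\x00" * 1000
    avi = RIFF_MAGIC + struct.pack("<I", len(avi_payload)) + avi_payload
    wav_payload = b"WAVE" + b"fmt " + struct.pack("<I", 16) + b"\x00" * 16
    wav = RIFF_MAGIC + struct.pack("<I", len(wav_payload)) + wav_payload
    junk = b"This log line mentions RIFFs but is not a header " * 20
    truncated = RIFF_MAGIC + struct.pack("<I", 1 << 20) + b"AVI " + b"\x00" * 100
    img = bytearray(b"\xff" * block)            # block 0: filler
    img += avi.ljust(block, b"\x00")            # block 1: complete AVI at 0x1000
    img += wav.ljust(block, b"\x00")            # block 2: WAVE, ignored by default
    img += junk.ljust(block, b"\x00")           # block 3: 'RIFF' mid-text, not a header
    img += truncated                            # block 4: length runs past the end
    return bytes(img), avi


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <image-or-device> <output-dir>", file=sys.stderr)
        return 2
    src, outdir = argv[1], argv[2]
    os.makedirs(outdir, exist_ok=True)
    with open(src, "rb") as dev:                # read-only: never touch the partition
        for offset, form, size in list(find_riff_headers(dev)):
            name = os.path.join(outdir, f"{form.strip().decode(errors='replace')}_{offset:012x}.avi")
            with open(name, "wb") as out:
                n = carve(dev, offset, size, out)
            if n is None:
                os.unlink(name)
                print(f"{offset:#x}: declared length {size} runs past end of device, skipped")
            else:
                print(f"{offset:#x}: wrote {n} bytes to {name}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./carve_riff.py /dev/hdg1 /mnt/otherdisk/recovered` (device name
from the thread; the output path is a placeholder). A carved AVI that plays
only its first few seconds was fragmented: the header length is right, but
the blocks after the first extent belong to something else, and that is the
case where a filesystem-aware tool such as The Coroner's Toolkit beats
string carving.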