
Undeleting files in ext3 (Newbie-question)

Recently I've encountered a problem, and now I would appreciate any help with being able to undelete files.

My /var file structure is mounted at /dev/hdc1
Part of my /etc/mtab looks like this:
/dev/hdc1 /var ext3 rw 0 0

I'm using the e2fsprogs-1.23-2 package currently installed with Red Hat 7.2

So, could anyone give me a hint of how things could be done to find deleted inodes?

I've tried to use debugfs, but I suspect this only helps if I'm using ext2. Or does it support ext3 too?

I know... backup is everything, but the reason I'd like to do this is that I know that last Saturday at 9:35 am, the logs were most likely altered to cover up after a system break-in. The original logs could have been copied before this, and therefore finding the deleted inodes could be of great importance.

A backup was obviously not done of these files during this event... (shame on them!)


// Stefan!
