[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Data loss

On Wed, Feb 12, 2003 at 03:25:54PM +0100, Francesco Pirozzi wrote:
> I understand... But, one last thing: do you think that the first block
> of each overwritten file is somewhere intact - so that I can search
> the disk for format headers - or do I have to rebuild the puzzle
> from the second block (or deeper)?

Was the filesystem mounted as ext2 or ext3 when you truncated all of
the files to zero?  If it was ext2, something that you might be able
to do is to write a program which looks for indirect blocks.  They
have a very distinctive signature --- essentially, a series of 4 byte
integers, that fall within the range of valid block numbers for the
filesystem.  That will give you information for files that are larger
than 12 blocks (i.e., either 12k or 48k depending on whether you using
1k or 4k blocksizes).  And if the filesystem was mostly unfragmented,
then you can try looking 12 blocks before the identified indirect
block to find the beginning of the file, and then use the indirect
block to find the rest of the file.  (And again, if the filesystem is
mostly unfragmented, then the if there is more than one indirect
block, it should be immediately after the data blocks allocated for
the first indirect block.)

If the filesystem was mounted as ext3, then unfortunately the indirect
blocks will have been zero'ed out as part of the truncation process.
But you can still search for the blocks which are all zero's, since
they have a possibility of being a zero'ed out indirect block.  So if
the files were mostly unfragmented, you can try looking 12k before the
indirect block, and see if you're at the beginning of a file.

The limitation of this technique is that it won't help you recover
smaller files.  But it might help you recover something that's

							- Ted

P.S.  I should close with an obligatory plug for regular backups...

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]