Recently I've encountered a problem, and now I would preciate any help about being able to undelete files. My /var filestructured is mounted at /dev/hdc1 Part of my /etc/mtab looks like this: /dev/hdc1 /var ext3 rw 0 0 I'm using the e2fsprogs-1.23-2 package currently installed with Redhat 7.2 So, could anyone give me a hint of how things could be done to find deleted inodes? I've tried to use debugfs , but I suspect this only helps if I'm using ext2. Or does they support ext3 too? I know.. backup is everything, but the reason I'd like to do this is that I know that last saturday at 9:35 am, the logs were most likley altered to cover up after a system break-in. The original logs could have been copied before this and therefor finding out deleted inodes could be of a great importance. A backup was obviously not done by these files during this event.. (shame on them!) Thanks, // Stefan!
