On Mon, Feb 18, 2002 at 10:41:27PM +0100, NovaLand wrote:
> Recently I've encountered a problem, and now I would appreciate any help
> about being able to undelete files.
>
> My /var file structure is mounted at /dev/hdc1
> Part of my /etc/mtab looks like this:
> /dev/hdc1 /var ext3 rw 0 0
>
> I'm using the e2fsprogs-1.23-2 package currently installed with Redhat 7.2
>
> So, could anyone give me a hint of how things could be done to find
> deleted inodes?
>
> I've tried to use debugfs, but I suspect this only helps if I'm using
> ext2. Or do they support ext3 too?

Yes, it will look exactly like ext2 when it is unmounted.

Just to repeat: don't run debugfs on an unmounted file system!

> I know.. backup is everything, but the reason I'd like to do this is
> that I know that last Saturday at 9:35 am, the logs were most likely
> altered to cover up after a system break-in. The original logs could
> have been copied before this and therefore finding out deleted inodes
> could be of a great importance.
>
> A backup was obviously not done of these files during this event..
> (shame on them!)

They could've overwritten the files first too, and then debugfs would
not be able to help... Does ext2 try to use the same blocks after a
truncate call? Even if it didn't, the inode would list the *new* blocks
and not the old ones.

Assuming:
 o truncate
 o overwrite
 o delete

if they tried:
 o overwrite (no truncate)
 o delete

you're fscked unless you know how to read overwritten areas on a hard
drive...

Mike
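A worked example of the triage step the thread is circling around, added here as illustration and not part of the original exchange or of e2fsprogs: given the text that `debugfs -R lsdel` prints for a volume, pick out the inodes deleted in the window around the suspected log tampering (Saturday 09:35) and turn the ones that still reference data blocks into `debugfs dump` requests. The `lsdel` output below is constructed to match the command's column layout (inode, owner, mode, size, blocks found/total, deletion time); the device path `/dev/hdc1` is taken from the original mail, while the output directory `/tmp/recovered` and the five-minute window are assumptions. It is meant to be run against a copy of the volume that is not mounted read-write, and it deliberately separates the "0/0 blocks" case, which is the truncate-then-unlink pattern Mike describes as unrecoverable through the inode.

```python
"""Triage `debugfs -R lsdel` output and emit recovery commands.

Added example; not code from the original thread or from e2fsprogs.
Assumed workflow:

    debugfs -R lsdel /dev/hdc1 > lsdel.txt      # on an unmounted copy
    python3 triage_lsdel.py lsdel.txt
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample of lsdel output (not a real capture). Feb 16 2002
# is the Saturday before the date of the original mail.
SAMPLE_LSDEL = """\
debugfs 1.23 (15-Aug-2001)
 Inode  Owner  Mode    Size      Blocks   Time deleted
    41      0 100644   8192     2/   2 Sat Feb 16 09:34:58 2002
    42      0 100644  51203    13/  13 Sat Feb 16 09:35:12 2002
   117    500 100600   1024     1/   1 Thu Feb 14 22:01:07 2002
    43      0 100644      0     0/   0 Sat Feb 16 09:35:12 2002
4 deleted inodes found.
"""

# One lsdel data row: inode owner mode size found/total "Day Mon DD HH:MM:SS YYYY".
# Header and trailer lines do not match because their second field is not numeric.
ROW_RE = re.compile(
    r"^\s*(?P<inode>\d+)\s+(?P<owner>\d+)\s+(?P<mode>[0-7]+)\s+(?P<size>\d+)"
    r"\s+(?P<blocks_found>\d+)/\s*(?P<blocks_total>\d+)\s+(?P<when>.+?)\s*$"
)


def parse_lsdel(text):
    """Return a list of dicts, one per deleted inode reported by lsdel."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append({
            "inode": int(m["inode"]),
            "owner": int(m["owner"]),
            "mode": int(m["mode"], 8),
            "size": int(m["size"]),
            "blocks_found": int(m["blocks_found"]),
            "blocks_total": int(m["blocks_total"]),
            "deleted_at": datetime.strptime(m["when"], "%a %b %d %H:%M:%S %Y"),
        })
    return entries


def deleted_within(entries, center, window=timedelta(minutes=5)):
    """Entries whose deletion time lies within +/- window of `center`."""
    return [e for e in entries if abs(e["deleted_at"] - center) <= window]


def recovery_commands(entries, outdir="/tmp/recovered", device="/dev/hdc1"):
    """Build `debugfs dump` requests for inodes that still point at blocks.

    Returns (commands, hopeless): an inode reported with 0/0 blocks was
    truncated before it was unlinked, so its block list is gone and there is
    nothing for `dump` to copy; those inode numbers go into `hopeless`.
    `<N>` is debugfs' syntax for "inode number N".
    """
    commands, hopeless = [], []
    for e in entries:
        if e["blocks_total"] == 0:
            hopeless.append(e["inode"])
            continue
        commands.append(
            f"debugfs -R 'dump <{e['inode']}> {outdir}/inode-{e['inode']}' {device}"
        )
    return commands, hopeless


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LSDEL
    # Assumed incident window: Saturday 16 Feb 2002, 09:35.
    hits = deleted_within(parse_lsdel(text), datetime(2002, 2, 16, 9, 35))
    commands, hopeless = recovery_commands(hits)
    for c in commands:
        print(c)
    for ino in hopeless:
        print(f"# inode {ino}: no data blocks left, truncated before unlink")


if __name__ == "__main__":
    main(sys.argv)
```

Two practical notes on using this. First, the "0/0 blocks" bucket is exactly the case Mike's last paragraph describes: once the file has been truncated or overwritten, the inode only knows about the new blocks, so an inode-level `dump` recovers nothing and the remaining option is carving the raw device for log-line patterns. Second, on ext3 specifically the journaling code normally zeroes a deleted inode's block pointers, so `lsdel` tends to report every entry as 0/0 on an ext3 volume even when the attacker did a plain unlink; that is a known ext3 limitation rather than a problem with the script, and it is another reason to work from a raw image of the partition rather than the live volume.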